VLAN on a layer 2 device?

bwanaaa

Senior member
Dec 26, 2002
I thought the purpose of a VLAN was to allow separate subnets on a router. In other words, if my router is set to 192.168.1.1, and my client pcs are 192.168.1.2-254, 255.255.255.0 they are all on one subnet. If I want two separate subnets, I need to create two VLANs and that is a function of the router. I would have one subnet at 192.168.2.x and another at 192.168.1.x

But I have this HP Procurve 1810 switch that has VLANS. It allows me to create VLANS but nowhere in the settings am I allowed to specify IP addresses. If no IP addresses are being specified, how is this a VLAN?

The documentation says something about restricting multicast packets to subnets. but that confuses me even more. If all the devices are in the same IP range, how can they be on different VLANs?
 

nickbits

Diamond Member
Mar 10, 2008
The switch I have does VLANs by port. Eg. Port 1-5 are isolated from ports 6-10.
 

imagoon

Diamond Member
Feb 19, 2003
VLAN is a layer 2 tech and like nickbits mentioned, it is per port or something more complex like 802.1q tagging etc.

IPs have nothing to do with VLANs as they are the layer above them. I.e. IP(s) ride on top of the VLANs.

If your hardware supports it, you would normally configure an 802.1q trunk from the router to the switch. Then assign the ports to the VLANs so that the devices attached get in the correct one.

As for Question #3 about the IPs, nothing stops you from interconnecting VLANs but that is normally pointless since VLANs are meant to isolate so bridging them makes them less useful if not pointless.
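The post above distinguishes per-port VLAN membership from 802.1q tagging on a trunk. The following is an added example (not code from the thread or from HP) showing what that tag actually looks like on the wire and how a switch decides which VLAN an arriving frame belongs to. The `port` dictionaries, the sample MAC addresses and the access/trunk behaviour are constructed for illustration; in particular, the choice to drop a tagged frame on an access port is one modelling choice, and real switches differ.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def tag_frame(dst: str, src: str, vid: int, pcp: int, ethertype: int, payload: bytes) -> bytes:
    """Build an 802.1Q tagged frame (without FCS):
    dst(6) src(6) TPID(2)=0x8100 TCI(2) EtherType(2) payload.
    TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0..4095 and PCP 0..7")
    tci = (pcp << 13) | vid
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), pcp, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # Untagged frame: the EtherType at offset 12 is the real payload type.
        return {"dst": dst, "src": src, "vid": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}


def ingress_vlan(frame: bytes, port: dict):
    """Which VLAN does an arriving frame belong to?  `port` is a constructed
    description such as {"mode": "access", "pvid": 10} or
    {"mode": "trunk", "pvid": 1, "allowed": {10, 20, 30}}.
    Returns the VLAN id, or None when this model drops the frame."""
    info = parse_frame(frame)
    if port["mode"] == "access":
        # An access port assigns its own VLAN to untagged traffic.  Tagged
        # frames arriving on an access port are dropped in this model
        # (real switches vary: some accept a tag equal to the PVID).
        return None if info["vid"] is not None else port["pvid"]
    # Trunk: the tag decides; untagged frames fall into the native VLAN (pvid),
    # and a VID the trunk is not configured to carry is dropped.
    if info["vid"] is None:
        return port["pvid"]
    return info["vid"] if info["vid"] in port["allowed"] else None
```

The point the parser makes visible is that the VLAN id lives in the Ethernet header, two bytes after the source MAC, and nowhere near an IP address. A switch that sees `TPID 0x8100` followed by VID 10 puts the frame into VLAN 10 regardless of what subnet the payload claims to come from.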
 

alkemyst

No Lifer
Feb 13, 2001
VLANS are L2 but if you want them to talk to each other, you will need a L3 device.
 

bwanaaa

Senior member
Dec 26, 2002
Thank you all for your replies, but I am missing the point. Perhaps a simple example would help. Why would anyone ever use a VLAN? It does not improve security, nor does it increase the addressable IP space (like NAT does).

One wonders then what purpose VLANs serve. Yes, I get that VLANs are an aggregation of some of the physical ports of a switch into a subset. Subsets on different switches can be merged (tagged) into the same VLAN. But so what?

If I have many devices on a large switched network, then each device is identified by the switch using its MAC address. A direct connection between any two devices can thus easily be made. What benefit does it do any device to say it belongs to a 'special club' (VLAN), since the switch has to look at the MAC address anyway?
 

bwanaaa

Senior member
Dec 26, 2002
If I have two VLANs defined on my 24-port switch that is connected to my consumer-level router with a single Cat 5e cable, components on VLAN A will still be able to talk to components on VLAN B. In fact, won't the segmentation of the switch into two VLANs make things worse? For example:
Without VLANs: any device has its MAC address assigned to a port on the switch. The switch therefore knows where every packet goes because every device is listed in the cache.

With VLANs: If a packet comes in through a port on VLAN A, the switch checks to see if the destination MAC of the packet is in VLAN A. If not, the switch has to send a broadcast packet to all ports.

So, with VLANs, broadcast packets get sent out, whereas without VLANs, broadcast packets are not needed.
 

imagoon

Diamond Member
Feb 19, 2003
If I have two VLANs defined on my 24-port switch that is connected to my consumer-level router with a single Cat 5e cable, components on VLAN A will still be able to talk to components on VLAN B. In fact, won't the segmentation of the switch into two VLANs make things worse? For example:
Without VLANs: any device has its MAC address assigned to a port on the switch. The switch therefore knows where every packet goes because every device is listed in the cache.

With VLANs: If a packet comes in through a port on VLAN A, the switch checks to see if the destination MAC of the packet is in VLAN A. If not, the switch has to send a broadcast packet to all ports.

So, with VLANs, broadcast packets get sent out, whereas without VLANs, broadcast packets are not needed.

That isn't correct. VLAN = Virtual Local Area Network. Take your switch. Make 2. That is what VLANs do. They are used for isolation, packet control, security among other things.

#1 If I have two VLANs defined on my 24 port switch that is connected to my consumer level router with a single cat 5e cable, components on VLAN A will still be able to talk to components on VLAN B

No. They won't.

With VLANs: If a packet comes in through a port on VLAN A, the switch checks to see if the destination MAC of the packet is in VLAN A. If not, the switch has to send a broadcast packet to all ports.

Again, no:

In your switch example, the switch knows the MACs on the port, assuming they are talking. Any packet with an unknown MAC will be broadcast out all ports *in the VLAN the packet came in on.* Even if the destination MAC is on the switch but on another VLAN, it will not be able to communicate, as the devices are no longer on the same layer 2 segment.

So, with VLANs, broadcast packets get sent out, whereas without VLANs, broadcast packets are not needed.

Actually, the protocol does not change. Any MAC address that is unknown (cache on most network devices is 4 seconds) will be broadcast to all ports [on that VLAN, if VLANs are in play] until the MAC is [re]learned on a port, and then the packet stream is unicast. It is entirely possible to send a single-direction stream of packets to a switch that will then flood them to all applicable ports forever if the device being contacted never responds and the switch never learns the MAC : Port mapping. If you need more information, reference the CCNA books.
 

her209

No Lifer
Oct 11, 2000
In the simplest terms, what you are doing when you assign a VLAN to ports on a switch is you're logically breaking the switch into smaller switches. For example, if you have a twelve-port switch and you assign half of the ports to VLAN2 and the other half to VLAN3, you have effectively created two six-port switches that are physically disconnected.

If you connect five PCs to one of the six-port switches and another five to the other six-port switch, only the PCs that are connected to the same six-port switch can communicate with the other PCs connected to the same six-port switch via Layer 2 protocols. The PCs cannot communicate with the other PCs connected to the other six-port switch.

Now let's say we assign all the PCs connected to the first six-port switch unique IP addresses in the range of 192.168.1.2 through 192.168.1.254 with subnet mask 255.255.255.0. Next, on the PCs connected to the second six-port switch, assign unique IP addresses in the range of 192.168.2.2 through 192.168.2.254 with subnet mask 255.255.255.0. Again, PCs that are connected to their respective switches can communicate with the other PCs using IP (Layer 3), but they cannot communicate with the PCs connected to the other six-port switch.

Now let's say you take one of the PCs connected to the first six-port switch and physically move the connection to the other six-port switch. Can it communicate via IP with the other PCs that have IP addresses beginning in 192.168.2? No. Why? Because the PC with an IP address beginning with 192.168.1 will send the packets to the default gateway, because 192.168.2.2-254 is not in the same subnet. Note that broadcast frames and broadcast packets will be flooded to all other switchports on the same six-port switch.

In order for the 192.168.1.2-254 to communicate with 192.168.2.2-254 and vice versa, you need to have a router or L3-switch with interfaces with the default gateways of both subnets in order for PCs to be able to communicate across subnets.
 

imagoon

Diamond Member
Feb 19, 2003
Now let's say we assign all the PCs connected to the first six-port switch unique IP addresses in the range of 192.168.1.2 through 192.168.1.254 with subnet mask 255.255.255.0. Next, on the PCs connected to the second six-port switch, assign unique IP addresses in the range of 192.168.2.2 through 192.168.2.254 with subnet mask 255.255.255.0. Again, PCs that are connected to their respective switches can communicate with the other PCs using IP (Layer 3), but they cannot communicate with the PCs connected to the other six-port switch.

All I would add here, in case it isn't clear, is that a layer 3 device would be required to do the above, i.e. a router (a real one, not a "router" like the ones used for homes that are actually NAT devices). It would then be up to the router to route the layer 3 packets between the 2 L2 domains.
 

bwanaaa

Senior member
Dec 26, 2002
Now let's say we assign all the PCs connected to the first six-port switch unique IP addresses in the range of 192.168.1.2 through 192.168.1.254 with subnet mask 255.255.255.0. Next, on the PCs connected to the second six-port switch, assign unique IP addresses in the range of 192.168.2.2 through 192.168.2.254 with subnet mask 255.255.255.0. Again, PCs that are connected to their respective switches can communicate with the other PCs using IP (Layer 3), but they cannot communicate with the PCs connected to the other six-port switch.

All I would add here, in case it isn't clear, is that a layer 3 device would be required to do the above, i.e. a router (a real one, not a "router" like the ones used for homes that are actually NAT devices). It would then be up to the router to route the layer 3 packets between the 2 L2 domains.

Thank you all for your contributions. But this is where I am fuzzy. Exactly this example: two switches connected with a Cat 5e cable. PC1 on switch A. PC2 on switch B. In a normal scenario, they are all on the same subnet. VLANs have nothing to do with IP addresses as I understand it. If you say that VLANs make 2 logical switches out of one physical hardware device, I can sort of understand that: the MAC-to-port mapping within a VLAN is restricted to those ports on that VLAN. But as everyone knows, you can have a bunch of switches in a LAN, and all devices connected to those switches can see each other if they are on the same subnet (e.g. 192.168.1.x with a net mask of 255.255.255.0). At some point the VLAN will happen across a packet that asks for a MAC address not in its VLAN, and when that happens, does it not have to do something *extra*? That *extra*, as I understand it, is to send out a broadcast packet to the whole subnet.

I do not see why your thorough explanations are invoking the concept of 'different subnets' to explain VLAN behavior when VLANs are ignorant of IP addresses.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
It is separating the traffic from other vlans, you will need a "layer 3" switch or a separate router in order to communicate between these vlans.
 

dawza

Senior member
Dec 31, 2005
By no means am I a networking professional, so apologies in advance if I improperly utilize terminology.

I have a Procurve 1800 (predecessor to the 1810) with three VLANs configured, running to my pfSense box that handles inter-VLAN communication. Our place is wired for Ethernet in each room, with the network core in a closet.

Assume the following:

VLAN 10 = primary LAN
VLAN 20 = guest LAN
VLAN 30 = VOIP and WAP management

On the Procurve, the first port is a trunk that goes to a single port on my pfsense box that is configured with three virtual interfaces, one for each VLAN. This port is also configured to access the WAN, which is on a separate physical port on the pfsense box that is connected to the ethernet interface on our ONT (FiOS).

On the pfsense box, I set up firewall rules to control traffic between VLANs, on said virtual interfaces linked to a single physical interface. Most of our devices are on VLAN 10, for personal/internal use. But, I have a SIP phone and adapter that are on VLAN 30. I want to be able to manage devices on VLAN 30 from any internal computer, all of which are on VLAN 10. The pfsense box firewall rules I set allow me to do this.

VLAN 20 is not a VLAN where I need to manage any devices-- it is solely for guest users, and I assign guest SSIDs from my two WAPs to this VLAN. Therefore, I created firewall rules to prevent devices on VLAN 20 from accessing any other VLAN-- they only have access to the internet (WAN).

My pfSense box handles DHCP via a service that runs on the virtual LAN interfaces, such that devices on VLAN 10 are handed IP addresses that look like xxx.xxx.x10.xxx, VLAN 20 = xxx.xxx.x20.xxx, and VLAN 30 = xxx.xxx.x30.xxx. Or, I can assign a static IP outside of the DHCP range I configured.

In this manner, not only can I manage VLAN 30 devices from any device on our primary internal network (VLAN 10), I can also hook up a new WAP (that supports VLANS) to a VLAN 30 tagged port on the Procurve, log into it from a computer on VLAN 10, and configure two SSIDs (for example), one on VLAN 10 for internal use, and another on VLAN 20 for guest use.

After doing this, and setting independent passwords, any device that has credentials to log into the SSID assigned to VLAN 10 can access all internal resources on VLAN 10 (printers, servers, etc). And, any device that has credentials to log into the SSID assigned to VLAN 20 can only access the WAN (internet).

Without the pfsense box managing dynamic addressing and controlling (enabling and blocking) access to devices across VLANs, I have no idea how the network would be essentially plug-and-play after the initial setup (setup includes extensive documentation and labeling so I know what is what in the core network rack).
 

imagoon

Diamond Member
Feb 19, 2003
Thank you all for your contributions. But this is where I am fuzzy. Exactly this example: two switches connected with a Cat 5e cable. PC1 on switch A. PC2 on switch B. In a normal scenario, they are all on the same subnet. VLANs have nothing to do with IP addresses as I understand it. If you say that VLANs make 2 logical switches out of one physical hardware device, I can sort of understand that: the MAC-to-port mapping within a VLAN is restricted to those ports on that VLAN. But as everyone knows, you can have a bunch of switches in a LAN, and all devices connected to those switches can see each other if they are on the same subnet (e.g. 192.168.1.x with a net mask of 255.255.255.0). At some point the VLAN will happen across a packet that asks for a MAC address not in its VLAN, and when that happens, does it not have to do something *extra*? That *extra*, as I understand it, is to send out a broadcast packet to the whole subnet.

You are correct but confusing terms, or incorrect, not sure which. The packet flood goes out all ports in that VLAN, assuming that the sending device can ever learn the MAC. "Subnet" is an L3 term / part of IP.

If everything is on the same L3 (network / subnet) but on different VLANs (separate L2), then what I think you are asking me is what happens if:

192.168.1.1/24 on VLAN 10 wants to talk to 192.168.1.2/24 VLAN 20:

What happens varies on your wiring and configurations but this is "industry standard:"

IP wants to open a session. It looks at the network and subnet and determines it should be network-local. ARP is used to do the IP : MAC lookup. It will fail. An ARP broadcast goes out to 192.168.1.255: "Who has IP 192.168.1.2?" -> silence, since no device on that L2 has it. That failure goes back up the chain and you get "Ping timed out / no route to host / whatever".

The device on 192.168.1.2 is in VLAN 20 and never hears any of this traffic.
 

azazel1024

Senior member
Jan 6, 2014
Thank you all for your contributions. But this is where I am fuzzy. Exactly this example: two switches connected with a Cat 5e cable. PC1 on switch A. PC2 on switch B. In a normal scenario, they are all on the same subnet. VLANs have nothing to do with IP addresses as I understand it. If you say that VLANs make 2 logical switches out of one physical hardware device, I can sort of understand that: the MAC-to-port mapping within a VLAN is restricted to those ports on that VLAN. But as everyone knows, you can have a bunch of switches in a LAN, and all devices connected to those switches can see each other if they are on the same subnet (e.g. 192.168.1.x with a net mask of 255.255.255.0). At some point the VLAN will happen across a packet that asks for a MAC address not in its VLAN, and when that happens, does it not have to do something *extra*? That *extra*, as I understand it, is to send out a broadcast packet to the whole subnet.

I do not see why your thorough explanations are invoking the concept of 'different subnets' to explain VLAN behavior when VLANs are ignorant of IP addresses.

No. because the devices on VLAN1 cannot see the devices on VLAN2 (unless you bridge the VLANs or two devices are members of both VLAN1 and VLAN2 and they are trying to talk to each other).

Sure, you can send out a request to a device IP address that is on VLAN2 from VLAN1; it'll hit the switch, the switch doesn't know about the MAC on VLAN2 from VLAN1, so it'll send out a broadcast to all VLAN1 devices, since that is where it came in on, and get no response.

That is no different than if you tried to talk to an IP address on your local subnet that doesn't exist. Difference here is that VLAN2 devices won't be molested by those broadcast packets, as they are on a different virtual network and the switch will only send broadcast packets to members of the same VLAN (again, unless bridged).

You can also do things like set QoS with VLANs. Most switches that support VLANs can also do some very basic QoS, but it gets enhanced a LOT more by doing it based on VLANs. So, you can, for example, set all of your VOIP devices to VLAN1 and set VLAN1 as the highest QoS priority, and set all of the other devices on VLAN2 and set that VLAN as a lower priority.

If the switch isn't crap, it'll reduce jitter for the higher-priority VLAN, especially in cases of high network utilization.

Or I can see a scenario in my family: I have 3 young kids. As they get older, I just might not want them accessing some network resources (like backup server/storage). I could do that by account access restrictions, but I can make it more secure (I knew me as a kid) by assigning various ports or devices to their own VLANs and just not having the backup server on the same VLAN as my kids' devices, but having the primary server on the same VLAN as their devices and on the same VLAN as the backup server, so the backup server can pull periodic backups, but my kids can't access it from their stuff.

Want to get more paranoid? Go in and create ACLs on the switch so that they can't decide to plug their laptop into a port that DOES have access to the backup server.

And on and on.

Many reasons for VLANs, even in a home network sometimes.
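The flooding behaviour described in this post and in imagoon's earlier replies (unknown unicast and broadcast are flooded only within the ingress VLAN; the ARP for 192.168.1.2 on VLAN 20 is never heard there) is easy to reproduce with a toy switch model. The following is an added example, not code from any poster in the thread: a VLAN-aware learning switch whose forwarding table is keyed by (VLAN, MAC), plus three scenarios built on constructed ports, MACs and addresses drawn from the thread's 192.168.1.0/24 example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy VLAN-aware learning switch.  The forwarding table is keyed by
    (vlan, mac): a MAC learned in VLAN 10 is simply unknown in VLAN 20, and
    flooding never crosses a VLAN boundary."""

    def __init__(self, port_vlan: dict):
        self.port_vlan = dict(port_vlan)   # port number -> access VLAN (PVID)
        self.table = {}                    # (vlan, mac) -> port

    def ports_in(self, vlan: int) -> list:
        return [p for p, v in self.port_vlan.items() if v == vlan]

    def receive(self, in_port: int, src: str, dst: str) -> list:
        """Switch one frame; return the list of egress ports."""
        vlan = self.port_vlan[in_port]
        self.table[(vlan, src)] = in_port               # learn source MAC in this VLAN
        known = self.table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            return [] if known == in_port else [known]  # known unicast: one port
        # Broadcast or unknown unicast: flood every other port of the same VLAN only.
        return [p for p in self.ports_in(vlan) if p != in_port]


# Constructed lab: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20.  Every host is
# numbered inside 192.168.1.0/24, so IP alone says "this should be local".
HOSTS = {  # port -> (mac, ip)
    1: ("00:00:00:00:00:01", "192.168.1.1"),
    2: ("00:00:00:00:00:02", "192.168.1.3"),
    3: ("00:00:00:00:00:03", "192.168.1.2"),
    4: ("00:00:00:00:00:04", "192.168.1.4"),
}
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}


def arp_lookup(sw: VlanSwitch, asker_port: int, target_ip: str):
    """Host on asker_port broadcasts 'who has target_ip?'.
    Returns (ports that saw the request, ports that answered)."""
    asker_mac = HOSTS[asker_port][0]
    saw = sw.receive(asker_port, asker_mac, BROADCAST)
    answered = []
    for p in saw:
        mac, ip = HOSTS[p]
        if ip == target_ip:
            sw.receive(p, mac, asker_mac)   # unicast ARP reply; switch learns p on the way back
            answered.append(p)
    return saw, answered


def cross_vlan_scenario():
    """192.168.1.1 (VLAN 10) asks for 192.168.1.2, which lives on VLAN 20:
    only port 2 sees the request, nobody answers -> 'no route to host'."""
    sw = VlanSwitch(PORT_VLAN)
    return arp_lookup(sw, 1, "192.168.1.2")


def same_vlan_scenario():
    """192.168.1.1 asks for 192.168.1.3 on the same VLAN, then sends unicast.
    Returns (ARP flood ports, answering ports, egress ports of the unicast)."""
    sw = VlanSwitch(PORT_VLAN)
    saw, answered = arp_lookup(sw, 1, "192.168.1.3")
    unicast = sw.receive(1, HOSTS[1][0], HOSTS[2][0])
    return saw, answered, unicast


def stray_unicast_scenario():
    """A frame in VLAN 10 addressed to a MAC that exists only on VLAN 20:
    flooded inside VLAN 10, never delivered to port 3 even though the
    switch has already learned that MAC (in VLAN 20)."""
    sw = VlanSwitch(PORT_VLAN)
    sw.receive(3, HOSTS[3][0], BROADCAST)   # port 3's MAC is learned, but under VLAN 20
    return sw.receive(1, HOSTS[1][0], HOSTS[3][0])
```

Running the three scenarios shows the answer to the "does it do something *extra*" question: the extra work is a flood, but it is bounded by the ingress VLAN, and the table lookup in `receive` is what keeps a MAC learned in VLAN 20 invisible to VLAN 10.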
 

bwanaaa

Senior member
Dec 26, 2002
... but I can make it more secure (I knew me as a kid) by assigning various ports or devices to their own VLANs and just not having the backup server on the same VLAN as my kid's devices, but have the primary server on the same VLAN as their devices and on the same VLAN as the backup server, so the backup server can pull periodic backups, but my kids can't access it from their stuff.

.....

How can your primary server be a member of two VLANs? I thought VLANs were defined by MAC address<->port. So your primary server would need two NICs to be a member of two VLANs??

And I'm coming to realize that VLANs are like two switches that are NOT connected. But if they are each connected to a router, then a rule there could connect them.

Thanks again for your help. And for anyone lurking this thread, here is a helpful how-to article:
http://www.smallnetbuilder.com/lanw...segment-a-small-lan-using-tagged-vlans-part-2
 

azazel1024

Senior member
Jan 6, 2014
Nope. Most switches allow you to make a port a member of as many VLANs as you want. Or if your NIC supports VLAN tagging, you can tag it with multiple VLANs, or, what is even better, you can tag certain traffic with just certain VLANs.

For example, running VMs, you can make one VM a member of VLAN1 and one VM a member of VLAN2. Or you can make SMB traffic a member of VLAN1, but HTTP and HTTPS traffic a member of VLAN2 and then telnet traffic a member of VLAN3, etc.
 