Understanding VLAN Membership

The topic of how VLANs work and untagging/tagging ports has come up, so I am attempting to write a simplified post based off some of the questions I have received:

1. VLANs are typically assigned to a single subnet.  This is done to limit the broadcast domain and for security.  For example, my network could look like this:

VLAN 10: 10.0.10.0/24
VLAN 20: 10.0.20.0/24
VLAN 30: 10.0.30.0/24

If you want to connect a PC to VLAN 30, then you would assign an IP address in the 10.0.30.0/24 network to the PC, and connect to a switchport that is Untagged on VLAN 30 (If you are using Cisco switches, this would be Switchport Access VLAN 30) .  The PC would send untagged frames since it is not VLAN aware, and the switch would accept those untagged frames into VLAN 30.

2.  If my PC wanted to access a device on another VLAN, then the switch would need to route that packet to the other network.  Some switches do this by default, others need to have “IP Routing” enabled.  I would normally use my core/distribution switch to route between networks, so I would assign an IP Address to the VLAN interface of the switch:

VLAN 10 IP Address 10.0.10.1
VLAN 20 IP Address 10.0.20.1
VLAN 30 IP Address 10.0.30.1

This VLAN interface would be the default gateway for the devices in their respective network, and allow the networks to communicate with each other.  If you need to limit access between networks, then you can apply an Access Control List to the VLAN interface.

3.  If your end device is VLAN aware, and needs to sit on multiple networks using the same physical interface, then VLAN tagging (or in the Cisco world, Trunking) comes into place.  For example, if you have a VMware host with virtual machines that are on VLAN10, and other virtual machines that are on VLAN20, then VLAN tagging would need to be setup on the VM host AND the switch.  On the switchport, we would set VLAN 10 untagged, and VLAN 20 tagged (For Cisco, this is switchport mode trunk/native vlan 10).  On the VMware host, we would create a vSwitch for VLAN 10, with no VLAN tagging enabled (because all untagged frames will be accepted on VLAN 10 by the switch).  Then we would create another vSwitch for VLAN 20, tagging VLAN 20.  Both vSwitches would use the same physical NICs. Any virtual machines in this VLAN 20 vSwitch will communicate like normal, but when the vSwitch sends the packets out of the host and to the switchport, it will tag the packets with VLAN 20 so they will communicate on the correct network.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s