VLANs are an effective and efficient form of network segmentation. In this video, you’ll learn about VLANs, trunking, and configuring voice and data VLANs.
Many network administrators like to segment the network into different broadcast domains. This is sometimes done to allow additional security features or we may need to provide separation just to keep the network organized.
One way you could do this is to have completely separate switches. We would have one switch with one broadcast domain, and you can see there are devices connected to this red network. And we have a completely separate switch on a blue broadcast domain, and we have devices connecting into that switch. Because these are physically separated switches there’s no way for anyone on the red network to communicate to the blue network and vice versa.
One challenge that we have with separating things out into these separate local area networks is that there are certainly a lot of wasted interfaces on the front of these switches. Since we have only a few devices, we have a number of interfaces that we’ve paid for, that we are powering, and that we’re managing but nothing is ever going to connect to those interfaces. It would make a lot more sense if we could combine these switches together, but still maintain the separation between the two networks.
Fortunately, there’s a way to accomplish this using Virtual Local Area Networks, or VLANs. VLANs still provide segmentation within the switch. We have some interfaces that are configured for the red VLAN, and we have other interfaces that are configured for the blue VLAN. This still maintains separation of the broadcast domains. The red devices can’t communicate to the blue devices, and vice versa, but the separation is now done logically inside of the switch rather than physically across multiple switches.
If you were to look at a physical switch configuration, here’s one where three separate VLANs are configured: VLAN 1, VLAN 2, and VLAN 3. There are devices connected to each one of these VLANs, and the devices on a single VLAN can’t communicate with any of the other VLANs on the switch.
In most organizations, of course, there will be more than a single switch that is connecting the users together. In fact, there may be tens or hundreds of switches. And we may need to connect devices that are on one VLAN on one switch to the same VLAN on a separate physical switch. In this example we have two switches. This ethernet switch on the top has a VLAN 100 and 200. And the switch on the bottom also has a VLAN 100 and VLAN 200.
It would be great if we could connect VLAN 100 on one switch to VLAN 100 on the other, and VLAN 200 on one switch to VLAN 200 on the other. One way to accomplish this would be to simply extend an ethernet cable from VLAN 100 on one switch to a VLAN 100 interface on the other switch. We could then connect another cable from a VLAN 200 interface on one switch to a VLAN 200 interface on the other switch.
Of course, this obviously won’t scale very well. What if there were 20 VLANs on each of these switches? We would need 20 separate ethernet cables going between these two switches. Although that functionally could be used, it certainly adds a lot of additional overhead and uses a lot of interfaces on each switch.
Instead of extending separate ethernet links for each individual VLAN, we can extend a single connection and communicate all VLANs across that single connection. We refer to this as VLAN trunking. You might also see this referred to as the IEEE 802.1Q standard for ethernet trunking or dot1Q.
When we have a dot1Q trunk, we can send multiple VLANs across that trunk and then break them out into the appropriate VLAN on the other side. So someone on VLAN 100 on the top switch can communicate to someone with VLAN 100 on the bottom switch by sending information into the dot1Q trunk. That would then be put onto the trunk to the other switch, broken out of the trunk, and then placed onto the original VLAN 100 network. We’re still logically segmenting these VLANs, we’re just sending them over a single link when we’re communicating between switches.
The process of adding and removing this frame to an 802.1Q trunk is relatively straightforward. We have our normal ethernet frame that we’re sending across. When that hits the trunk, we’re going to add an additional field into this ethernet frame called a VLAN header. This VLAN header will contain information about which VLAN is associated with this data.
So if we add a VLAN 100 frame into the trunk, VLAN 100 will be embedded within this VLAN header. And we can have many VLANs extending across this dot1Q trunk. This VLAN ID is 12 bits long and allows us to have 4,094 VLANs inside of that trunk connection.
Some switches will separate these VLANs into what’s called a normal range and an extended range, where the normal range are VLANs between 1 and 1,005 and the extended range is between 1,006 and 4,094. You’ll notice that the first and last VLANs are reserved. So VLAN 0 and VLAN 4,095 are reserved values that you would not normally configure as a separate VLAN.
Before this 802.1Q standard existed, there was another method to trunk information between switches called Inter-Switch Link, or ISL. You may see a reference to ISL when looking through a switch configuration, but practically everyone uses the IEEE standard of 802.1Q because that standard is understood and recognized by switches from multiple manufacturers.
Now that we know the process for adding that VLAN information, let’s see how it would work in a practical form. Let’s take a device on VLAN 200 and have that device communicate with another device on VLAN 200 that’s on a separate ethernet switch.
This device on VLAN 200 will start by sending this information over the network. Since this has to go to a device on a separate switch, it will be directed towards the 802.1Q trunked interface. That interface will add a VLAN header inside of that ethernet frame that designates that it began on VLAN 200. And it sends that information to the other 802.1Q interface on the other switch. That switch examines the VLAN header, sees that it originated on VLAN 200, removes the VLAN header, and then places that frame onto the VLAN 200 network.
On two physical switches, the configuration is relatively straightforward. This is the original switch we started with that has a VLAN 1, VLAN 2, and VLAN 3. And you can see there are devices connected to each of those VLANs. We’ve added a separate switch B that also has VLAN 1, VLAN 2, and VLAN 3, but we’ve added a trunk link between both of those. And on that trunk, we’re sending information that includes data from VLAN 1, VLAN 2, and VLAN 3.
We’ve been able to extend this idea of trunking to better manage the devices that are currently on our desks. Specifically, the voice over IP phone and the computer that we might have on our desk. Traditionally, we would run one ethernet cable from the computer that’s on our desk to a switch that exists in a closet nearby.
We would then have a completely separate cable run for the analog telephone that’s on our desk that usually connects to a PBX, or Private Branch Exchange switch that’s inside of our organization. This means we have two separate cables going to every single desk. And each one of those cables is using a different type of technology.
Of course, these days we’re using voice over IP phones, which use data connections, the same data connections that we would use for our computer. So we would have all devices on our desk connecting ultimately to the ethernet switch that’s in the closet. To simplify this, we now only need one single network cable for both the computer on our desk and the phone.
Physically, this is the way it would connect. We would have the computer on our desk. We would plug a computer into our phone. There would be a separate ethernet connection that would run from our phone to the switch that’s located inside of a closet nearby. This means we would only need one cable or one run between our desk and the switch that’s in the closet.
If you’ve ever used a voice over IP phone that shares its network link with a computer and tried to use both at the same time, you may notice that this is not an optimal configuration. Our computers can send a lot of data down these network connections, and it’s very easy to overwhelm the time-sensitive communication used for voice over IP.
One way to resolve this is you would have the computer operate on one VLAN, and we would have our phone communicating on a completely separate VLAN. Since we have a single network link from our desk to the switch, we would use 802.1Q trunking to accomplish this.
This is a specialized configuration that’s available in many switches that recognizes that people will be using a phone and a computer at the same time from their desk, and it designates each switch interface as having both a data VLAN and a voice VLAN. And since you can configure them separately, you can provide additional priority for your voice configuration so that none of your data communication will ever disrupt your phone calls.
Functionally, this is the way it would work. Our computer would be on one VLAN, let’s say VLAN 100, and our phone would be on a separate phone VLAN, and we’ll call that VLAN 200. When we send information from our computer, it’s sent across the ethernet link as a normal access ethernet frame without any type of VLAN trunking.
But if we’re ever communicating from our phone, we’ll tag all of the communication between our phone and the switch with an 802.1Q header that designates that it came from VLAN 200. That allows us to set priorities in the switch and assure that the quality of service is maintained for all of our voice communication.
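As an added example that is not part of the video, here is Python that builds and parses the 802.1Q header described above: it inserts the 4-byte VLAN tag into a constructed Ethernet frame, checks the 12-bit VLAN ID against the normal, extended and reserved ranges, and shows how a switch port configured with a data VLAN and a voice VLAN would treat the computer’s untagged frames as VLAN 100 and the phone’s tagged frames as VLAN 200. The MAC addresses, payload, VLAN numbers and function names are assumptions made for this example.

```python
import struct

TPID_8021Q = 0x8100      # tag protocol identifier that marks a dot1Q header
ETHERTYPE_IPV4 = 0x0800

# Constructed sample frame: dst MAC, src MAC, EtherType, then a dummy payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"payload"


def vlan_range(vid):
    """Classify a VLAN ID the way the video describes the ranges."""
    if vid in (0, 4095):
        return "reserved"
    if 1 <= vid <= 1005:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    raise ValueError("VLAN ID must fit in 12 bits")


def add_tag(frame, vid, pcp=0):
    """Insert the 802.1Q header after the source MAC (untagged -> tagged)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN 0 and 4095 are reserved")
    tci = (pcp << 13) | vid          # 3-bit priority, DEI bit 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Return (vid, pcp, untagged_frame); vid is None if no tag is present."""
    if len(frame) < 16:
        return None, None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, None, frame
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def classify_access_port(frame, data_vlan=100, voice_vlan=200):
    """Switch-side handling of a port with a data VLAN and a voice VLAN.
    Untagged frames (the computer) land on the data VLAN; frames tagged
    with the voice VLAN (the phone) keep their priority; any other tag is
    dropped, since the port is only configured for those two VLANs."""
    vid, pcp, inner = strip_tag(frame)
    if vid is None:
        return data_vlan, 0, inner
    if vid != voice_vlan:
        return None, None, None
    return voice_vlan, pcp, inner
```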