Someone was asking VLAN questions, so I decided to re-post this.
I've also updated it to reflect our successful VoIP deployment.
PROTOCOL CONCEPTS
We have regular "untagged" Ethernet frames. ("Frame" is the
data-link (layer 2) term for what some protocols call a "packet" or
"datagram".) These are the same Ethernet frames from before VLANs
were invented.
Then we have "tagged" frames. These take a regular Ethernet frame
and add a marker -- the "tag". The tag itself contains the VLAN
number (along with a priority code). Thus, a tagged frame is
associated with a particular VLAN number.
Inside the frame, the tag is basically just a reserved Ethernet
frame type, followed by the tag information, followed by the rest of
the original frame (complete with its original frame type). So to
network nodes which are *not* VLAN aware, a tagged frame looks just
like a regular Ethernet frame, but with an "unknown" frame type.
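To make the frame layout concrete, here is a small added example (my own code, not part of the original post) that inserts and parses the 802.1Q tag described above. The tag is the reserved Ethernet type 0x8100 followed by two bytes of tag control information (3-bit priority code, 1-bit DEI, 12-bit VLAN ID), then the original frame type. The sample frame bytes are constructed for the example; a non-VLAN-aware stack reading only the first type field would see 0x8100 and treat it as unknown.

```python
import struct

TPID_8021Q = 0x8100  # reserved Ethernet type that marks a tagged frame

# Constructed sample: broadcast dst, made-up src, ARP type (0x0806), dummy payload
SAMPLE_UNTAGGED = (
    bytes.fromhex("ffffffffffff")      # destination MAC
    + bytes.fromhex("001122334455")    # source MAC (constructed)
    + struct.pack("!H", 0x0806)        # original frame type
    + bytes(range(28))                 # payload (constructed filler)
)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the 12-byte dst/src MAC header."""
    if not 1 <= vlan_id <= 4094:       # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID out of range")
    if not 0 <= priority <= 7:
        raise ValueError("priority code out of range")
    tci = (priority << 13) | vlan_id   # DEI bit (bit 12) left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def wire_ethertype(frame: bytes) -> int:
    """The type field a non-VLAN-aware node sees: 0x8100 for a tagged frame."""
    return struct.unpack("!H", frame[12:14])[0]


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = wire_ethertype(frame)
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "priority": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src,
            "vlan": tci & 0x0FFF,          # low 12 bits: VLAN ID
            "priority": tci >> 13,         # high 3 bits: priority code point
            "ethertype": inner_type,       # the original frame type follows the tag
            "payload": frame[18:]}


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag (what a switch does on a port configured 'untagged')."""
    if wire_ethertype(frame) != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, vlan_id=5, priority=6)
    print(parse_frame(tagged))
```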
For computers, a VLAN-aware network stack will usually turn each
VLAN into a separate network interface, as if each VLAN was a
different network card with a different cable. The "stock" network
stack included with Win 2000/XP does *not* include VLAN capability, so
they can only handle untagged frames. Tagged frames will generally be
silently ignored. Third-party software (often included with high-end
network cards) can add VLAN capability. I'm not sure about
2003/Vista/2008.
Switches which are not VLAN-aware, along with any repeaters, will
treat tagged frames exactly like they do any other frame.
SWITCH CONCEPTS
Switches which are VLAN-aware generally let you control which ports
are associated with which VLAN(s). The terminology, commands, etc.,
will vary with manufacturer. I'm most familiar with the HP ProCurve
managed switches, so I'll speak mostly to that. The concepts should
carry over to other manufacturers. Hopefully others can chime in with
specifics.
With HP, you can tell the switch that each VLAN is tagged, untagged,
or not available for each port. Internally, frames are *always*
associated with a VLAN number. The configuration just tells the switch
which VLANs go with which ports, and which VLAN number to use for
untagged frames.
When the switch receives an untagged frame, it needs to know what
VLAN to associate it with. If the port has an untagged VLAN
associated with it, the frame will go to that VLAN. If there is no untagged
VLAN associated with the port, the frame is dropped. This is why a
port can have (at most) one untagged VLAN associated with it -- how
could the switch know which one to use otherwise?
When the switch receives a tagged frame, it simply checks to see if
that VLAN is associated with the port. If so, it accepts it; if not,
it drops it. This is basically just an access control mechanism.
When the switch has a frame to *transmit*, it only considers ports
which are associated with the frame's VLAN. If a port is configured
as tagged for the frame's VLAN, it transmits the frame with the VLAN
tag. If a port is configured as untagged for the VLAN, the frame is
transmitted on that port without a VLAN tag.
APPLICATIONS
Okay, enough conceptual stuff, how do we use it?
At %DAYJOB%, we've got VLANs as follows:
1 – Reserved
2 – Main company private network
3 – Guest network
4 – ISP uplink
5 – IP telephony
I am using separate VLANs for security, manageability, and
robustness. I don't want guests to be able to probe/sniff/screw-up
the corporate network. I don't want the cable modem link (which is
full of garbage traffic from other subscribers) on the main
LAN. I want the phones to have higher priority over
regular data, and to have their own DHCP server, so if the "data
side" of the house goes down, we still have phones.
We don't use VLAN 1 because it is the default on most equipment, and
leaving it alone avoids confusion.
VLAN 2 is where most traffic is. Most ports are configured as
untagged for VLAN 2. The computers, printers, etc., plugged into
those ports aren't even aware they are on a VLAN. All the employee
workstations are like this, as are most servers. The syntax to
configure this is easy. For example, to make port 1 untagged for
VLAN 2:
vlan 2 untagged 1
VLAN 3 is for guests (visitors). For obvious reasons, we don't let
them plug in to our main network. They get a separate IP subnet, a
separate DHCP server, and bypass much of our network filtering. This
is also where our wireless access points connect (employees use
VPN-over-wireless). Again, all untagged, and connected nodes are not
aware of the VLAN.
VLAN 4 exists because we've got a cable Internet feed we use for
employee web browsing. Circumstances meant the cable modem had to go
in a different building from the main server/network room. (We have
another feed for important stuff; that terminates in the server room.)
So the cable modem plugs into a particular switch port, which uses
VLAN 4 to carry it to our firewall in a different building. Again,
untagged, unaware.
VLAN 5 is for premises voice-over-IP. The phones include a built-in
switch for "daisy chain", and are VLAN-aware. Switch ports connected
to phones are tagged for VLAN 5 and untagged for VLAN 2, so you can
plug a PC (not VLAN aware) into the phone. Traffic is kept separate,
and voice traffic is given priority. The central equipment has an
Ethernet port which we connect to one of our switches, with that
switch port untagged for VLAN 5. So the central equipment just thinks
it is talking to a regular LAN.
For example, suppose port 20 was the central phone equipment, and
port 7 had a VoIP phone. We would do:
vlan 2 untagged 7
vlan 5 tagged 7
vlan 5 untagged 20
For links between switches, each VLAN is configured as *tagged* for
those ports, with *no* untagged VLAN. Those ports are only used to
carry traffic between VLAN-aware switches. (Cisco would call this a
"trunk port", IIRC.) The HP syntax for (e.g.) port 24 as a switch
link would be:
vlan 2 tagged 24
vlan 3 tagged 24
vlan 4 tagged 24
vlan 5 tagged 24
Finally, our firewall, which *is* VLAN-aware, is configured as
tagged for all VLANs on its port, with no untagged VLAN. Virtual
network interfaces are configured in the firewall OS, and all the IP
configuration and filtering rules are done with those virtual
interfaces, not the physical interface. This also means our firewall
only has one network cable plugged into it. It's configured the same as a
switch link, really.
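The following is an added example (my own code, not part of the original post and not HP's software) that models the receive and transmit rules from SWITCH CONCEPTS and feeds them the port configuration given above: port 1 untagged for VLAN 2, the phone on port 7, the central phone equipment on port 20, and the switch link on port 24. Port 10 as a guest port on VLAN 3 is an assumption added for the example; the post gives no guest port number. The model floods each frame to every other member port (no MAC learning), which is enough to show which ports a frame can reach and whether it leaves with or without a tag.

```python
from typing import Dict, Optional, Set


class VlanSwitch:
    """Minimal model of per-port tagged/untagged VLAN membership."""

    def __init__(self) -> None:
        self.tagged: Dict[int, Set[int]] = {}          # port -> VLANs carried with a tag
        self.untagged: Dict[int, Optional[int]] = {}   # port -> the one untagged VLAN, or None

    def configure(self, line: str) -> None:
        """Accept one HP-style line: 'vlan <id> tagged|untagged <port>'."""
        parts = line.split()
        if len(parts) != 4 or parts[0] != "vlan":
            raise ValueError(f"unrecognised config line: {line!r}")
        vid, mode, port = int(parts[1]), parts[2], int(parts[3])
        self.tagged.setdefault(port, set())
        self.untagged.setdefault(port, None)
        if mode == "tagged":
            self.tagged[port].add(vid)
            if self.untagged[port] == vid:          # a VLAN is tagged or untagged, not both
                self.untagged[port] = None
        elif mode == "untagged":
            self.untagged[port] = vid               # replaces any earlier untagged VLAN:
            self.tagged[port].discard(vid)          # at most one untagged VLAN per port
        else:
            raise ValueError(f"unknown mode {mode!r}")

    def ingress_vlan(self, port: int, tag: Optional[int]) -> Optional[int]:
        """Receive rules: return the internal VLAN, or None if the frame is dropped."""
        if tag is None:
            return self.untagged.get(port)          # no untagged VLAN on this port -> drop
        if tag in self.tagged.get(port, set()):     # tagged frames must match a tagged VLAN
            return tag
        return None                                 # access control: unknown tag is dropped

    def forward(self, in_port: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
        """Transmit rules: {out_port: tag on the wire} for a flooded frame."""
        vlan = self.ingress_vlan(in_port, tag)
        if vlan is None:
            return {}
        out: Dict[int, Optional[int]] = {}
        for port in sorted(self.tagged):
            if port == in_port:
                continue
            if vlan in self.tagged[port]:
                out[port] = vlan                    # leaves with the VLAN tag
            elif self.untagged[port] == vlan:
                out[port] = None                    # leaves untagged
        return out


# Configuration from the post, plus a constructed guest port 10 on VLAN 3
CONFIG = """
vlan 2 untagged 1
vlan 3 untagged 10
vlan 2 untagged 7
vlan 5 tagged 7
vlan 5 untagged 20
vlan 2 tagged 24
vlan 3 tagged 24
vlan 4 tagged 24
vlan 5 tagged 24
"""


def build_switch() -> VlanSwitch:
    sw = VlanSwitch()
    for line in CONFIG.strip().splitlines():
        sw.configure(line)
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print("phone on 7, tagged 5  ->", sw.forward(7, 5))
    print("PC behind phone on 7  ->", sw.forward(7, None))
    print("guest on 10 tags VLAN 2 ->", sw.forward(10, 2))
    print("untagged frame on link 24 ->", sw.forward(24, None))
```

A frame from the phone (tagged VLAN 5) reaches the central equipment on port 20 untagged and the switch link on port 24 tagged; the PC behind the phone sends untagged, lands in VLAN 2, and only reaches VLAN 2 ports. A guest on port 10 who sends a frame tagged for VLAN 2 gets nothing, because VLAN 2 is not configured on that port, and an untagged frame arriving on the switch link is dropped because that port has no untagged VLAN.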
Hope this helps someone!