Understanding VLANs (Virtual Local Area Networks)
VLANs, or Virtual Local Area Networks, provide a way to logically group Ethernet switch ports together, effectively creating independent Ethernet networks. Think of it as carving a single physical switch into multiple virtual ones.
In essence, a VLAN is a group of switch ports configured to act as a separate, isolated Ethernet switch. This isolation is achieved by manipulating the frame forwarding software within the Ethernet switch and adding a special field to standard Ethernet frames. Manufacturers that support VLANs on their Ethernet switches typically provide management software, allowing network engineers and users to configure which ports belong to which VLAN.
Figure 1: VLAN network example.
As illustrated above, an eight-port Ethernet switch can be divided into two VLANs – VLAN-100 and VLAN-200. Ports 1 through 4 are assigned to VLAN 100, while ports 5 through 8 belong to VLAN 200. With this setup, data can be transmitted between Station A and Station B (within VLAN-100), but not between Station A and Stations C or D (which are in VLAN-200).
Because these VLANs function as distinct networks, a broadcast or multicast sent within VLAN-100 will not be transmitted on any ports belonging to VLAN-200. It’s as if you’ve split the eight-port switch into two separate four-port switches.
The 802.1Q VLAN Standard
The 802.1Q standard formally defines a VLAN as one or more switch ports functioning as a separate and independent Ethernet system on a switch. Ethernet traffic within a specific VLAN (e.g., VLAN-100) is sent and received only on the switch ports configured as members of that particular VLAN.
To identify the VLAN to which a frame belongs, a 4-byte “Q-tag” is inserted into the Ethernet frame, positioned between the source address and the type/length field. When a Q-tag is present, the minimum data field size is reduced to 42 bytes to maintain a minimum Ethernet frame size of 64 bytes.
Figure 2: VLAN Ethernet Frame structure.
Switches can be interconnected using Ethernet segments that act as trunk connections, carrying Ethernet frames with VLAN tags. This enables Ethernet frames belonging to, say, VLAN-100 to traverse multiple switches and be sent or received on any switch ports assigned to VLAN-100. The IEEE 802.1Q standard provides a vendor-neutral VLAN tag mechanism for uniquely identifying the VLAN a frame belongs to.
Implications of the VLAN Tag
The addition of the 4-byte VLAN tag increases the maximum Ethernet frame size from 1518 bytes (excluding the preamble) to 1522 bytes.
Crucially, VLAN tags are only added by devices programmed to send and receive VLAN-tagged frames. This ensures that “classic” Ethernet operation remains unaffected.
The first two bytes of the Q-tag contain an Ethernet type identifier with the value 0x8100. If a standard Ethernet station (one not programmed for VLANs) receives a tagged frame, it interprets this as an unknown protocol type and discards the frame. The details regarding VLANs and the structure of VLAN tags are thoroughly described in the 802.1Q standard.
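The tag layout described above can be checked in code. The following Python sketch is an added example, not part of the original article: it builds a tagged and an untagged frame, parses them back, and shows what a non-VLAN station reads in the type field. The split of the tag's last two bytes into a 3-bit priority (PCP), a 1-bit DEI flag and a 12-bit VLAN ID comes from the 802.1Q standard rather than from this page; the MAC addresses and payload are constructed sample values, and the FCS is counted but not computed.

```python
import struct

TPID = 0x8100        # Ethernet type value that opens a Q-tag (from the text)
MIN_FRAME = 64       # minimum frame size, including the 4-byte FCS
FCS_LEN = 4          # FCS is not computed here; only its length is counted

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame without FCS; insert a Q-tag if vid is given."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7:
            raise ValueError("VID is 12 bits, PCP is 3 bits")
        header += struct.pack("!HH", TPID, (pcp << 13) | vid)  # DEI bit = 0
    header += struct.pack("!H", ethertype)
    # Pad the data field so header + data + FCS reaches 64 bytes:
    # 46 bytes of data untagged, 42 bytes tagged.
    min_data = MIN_FRAME - FCS_LEN - len(header)
    return header + payload.ljust(min_data, b"\x00")

def parse_frame(frame):
    """Return VLAN fields (None when untagged), real type, and data field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID:
        if len(frame) < 18:
            raise ValueError("truncated Q-tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"vid": vid, "pcp": pcp, "ethertype": ethertype,
            "data": frame[offset:]}

def legacy_view(frame):
    """Type field as read by a station that does not understand VLAN tags."""
    return struct.unpack("!H", frame[12:14])[0]

# Constructed sample: Station A to Station B on VLAN-100, type 0x0800.
A = bytes.fromhex("020000000001")
B = bytes.fromhex("020000000002")
tagged = build_frame(B, A, 0x0800, b"hello", vid=100)
untagged = build_frame(B, A, 0x0800, b"hello")

if __name__ == "__main__":
    print(parse_frame(tagged)["vid"], hex(legacy_view(tagged)), len(tagged))
```

Both frames come out at 60 bytes before the FCS, because the tagged one pads its data field to 42 bytes instead of 46.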