VLAN

• logical division of the switch into several non-interconnected networks
• a device for such division into networks with 2 or more switches without requiring additional cables.
• asymmetric VLANs. In this case, the port (not trunk, frames without the 802.1Q tag are moving along the cable) are connected to one internal switch VLAN in incoming frames (it is called PVID), and to more than one internal switch VLAN in outgoing frames. In this case, there may be no connection on outgoing frames to the PVID VLAN.
• through the previous paragraph, a higher-level abstraction is implemented - Promiscous / Community / Isolated ports. In this case, a logical embedding of several secondary VLANs into one primary is used.
• The Promiscous port (the port on the primary VLAN) can communicate with any Promiscous / Community / Isolated port on both the primary and any secondary VLAN embedded in it.
• Community port (port on the secondary VLAN) can communicate with any Promiscous port, as well as with any Community port within its secondary VLAN.
• An isolated port (also a port on the secondary VLAN, but it is a special isolated VLAN, which can be only one in this primary VLAN) can communicate only with Promiscous ports, and cannot even communicate with other Isolated ports (the functionality “all clients see the server and not see each other ”, often used in“ guest ”Wi-Fi networks).
• two-level embedding of VLAN tags in a frame, as well as translation of tag values ​​“on the fly”. This technology is called QinQ, and is not supported on all devices with VLAN support.

There are the following solutions for this:

• by port ( English port-based , 802.1Q ): one VLAN is manually assigned to the switch port. If several VLANs must correspond to one port (for example, if a VLAN connection passes through several network switches ), then this port must be a member of the trunk . Only one VLAN can receive all frames that are not assigned to any VLAN (in the terminology of 3Com , Planet , D-Link , Zyxel , HP - untagged , in the terminology of Cisco, Juniper - native VLAN ). The network switch will add the tags for this VLAN to all received frames that do not have any tags. Port-based VLANs have some limitations.
• MAC address (MAC-based): VLANe membership is based on the MAC address of the workstation . In this case, the network switch has a table of MAC addresses of all devices along with the VLANs to which they belong.
• Protocol-based: Level 3-4 data in the header of a packet encapsulated in a frame is used to determine VLANe membership. For example, IP machines can be transferred to the first VLAN, and AppleTalk machines to the second. The main disadvantage of this method is that it violates the independence of the layers, therefore, for example, the transition from IPv4 to IPv6 will lead to disruption of the network.
• authentication method: devices can be automatically moved to VLANs based on user or device authentication data using the 802.1X protocol.

On Cisco devices, VTP Trunking Protocol provides VLAN domains for easy administration. VTP also purges traffic by directing VLAN traffic to only those switches that have target VLAN ports (VTP pruning function). Cisco switches mainly use the 802.1Q Trunk protocol instead of the legacy proprietary ISL ( English Inter-Switch Link ) to ensure compatibility of information.

By default, each switch port has a management VLAN1 or management VLAN. The management network cannot be removed, however additional VLANs can be created and ports can be additionally assigned to these alternative VLANs.

Native VLAN is a parameter of each port that determines the VLAN number that all untagged packets receive.

Cisco uses the following port terminology:

• access port - a port belonging to one VLAN and transmitting untagged traffic. According to the cisco specification, an access port can belong to only one VLAN, by default it is the first (untagged) VLAN. Any frame that passes through the access port is marked with a number belonging to this VLAN.
• trunk port - port transmitting tagged traffic of one or several VLANs. This port, on the contrary, does not change the tag, but only skips frames with tags that are allowed on this port.

In order to transmit traffic of several VLANs through a port, the port is put into trunk mode.

Interface Modes (the default mode depends on the model of the switch):

• auto - The port is in automatic mode and will be put into the trunk state only if the port on the other end is in on or desirable mode. That is, if the ports at both ends are in “auto” mode, then trunk will not be used.
• desirable - The port is in the “ready to switch to trunk state” mode; periodically sends DTP frames to the port on the other end, asking the remote port to switch to trunk state (trunk state will be set if the port on the other end is in on, desirable, or auto mode).
• trunk - The port is always in the trunk state, even if the port on the other end does not support this mode.
• nonegotiate - The port is ready to go into trunk mode, but it does not transmit DTP frames to the port on the other end. This mode is used to prevent conflicts with other non-cisco equipment. In this case, the switch on the other end must be manually configured to use trunk.

By default, all VLANs are allowed in the trunk. In order for data to be transmitted through the corresponding VLAN in the trunk, at a minimum, the VLAN must be active. An active VLAN becomes when it is created on the switch and it has at least one port in the up / up state. ^[one]

VLAN support on Windows is provided as part of Hyper-V (the virtual machines themselves are not required to be created) or as part of NIC Teaming (also called LBFO) technology, which is similar to the Linux interface bonding.

VLAN Support in Hyper-V:

• requires the use of PowerShell commands, there is no GUI for management
• necessarily uses pseudo-Ethernet adapters with its own "fake" MAC addresses, different VLANs can be output only to different MAC addresses.

• Facilitates the movement, adding devices and changing their connections to each other.
• A large degree of administrative control is achieved due to the presence of a device that performs routing between VLANs at the 3rd level.
• Bandwidth consumption is reduced compared to the situation of a single broadcast domain.
• The non-productive use of the CPU is reduced by reducing the forwarding of broadcast messages.
• Broadcast storm prevention and loop prevention.

Shortest Path Bridging (IEEE 802.1aq) offers much greater scalability - up to 16 million compared to the 4096 limit for VLAN ^[2] .

• IEEE 802.1
• VXLAN technology, a network virtualization technology designed to address scalability issues in large cloud computing systems

• Andrew Tanenbaum , 2003, Computer Networks, Pearson Education International, New Jersey.

• RFC3069 VLAN Aggregation for Efficient IP Address Allocation
• IEEE's 802.1Q standard 1998 version ( 2003 version ) ( 2005 version )
• Cisco's Overview of Routing between Virtual LANs
• Cisco's Bridging Between IEEE 802.1Q VLANs white paper
• University of California's VLAN Information
• Virtual reality or what is vlan