[Explain It Like I Am Five] VLAN

2024-08-10 08:17:33 - last edited 2024-08-10 11:47:52

VLAN, also known as an 802.1Q VLAN or Virtual Local Area Network, is a very basic feature of IP networks. There are many articles and videos about it on the Internet, but most of them are either too simple or too difficult. Today I am going to share what a VLAN is, how it works and how to use it.

 

Why we need VLAN

Assume you have a home Wi-Fi router, such as a TP-LINK Archer router, and you connect your smartphone, PlayStation, laptop or other gadgets to its Wi-Fi or Ethernet ports. Then we can say these devices are in the same LAN (strictly speaking, the devices connected over Wi-Fi are in a WLAN, but this makes no fundamental difference).

This is fine because a home network is generally small and there is not much traffic. But as more and more devices connect to your network, the network gets bigger and bigger. What makes it worse is that many services rely not on unicast traffic but on multicast/broadcast traffic, such as ARP, Apple Bonjour, etc. Such traffic is sent to every device on the whole network; it congests the network and your network performance gets worse. To solve this problem, VLANs were introduced. A VLAN divides a big network into smaller networks, and traffic in one VLAN is not forwarded to the other VLANs.

 

How Does VLAN Work

Devices in the same LAN can talk to each other. What can I do if I want to divide the big LAN into several smaller LANs? The straightforward idea is to ask every device to carry a tag: devices in the same LAN carry the same tag, and only devices with the same tag can talk to each other. In networking, we call this tag the VLAN tag. And because we divide the network virtually, not physically, we call it a Virtual LAN, or VLAN.

VLAN tag as defined in IEEE 802.1Q

 

We now know how to divide the network, but how can we add the tag to the packets? End devices like phones or laptops generally don't know how to add a VLAN tag, and they are not designed to do so. Instead we can let the switch ports do this work. I say switch port, but it doesn't have to be a switch; it can be a port of a gateway or access point, etc. For simplicity, I will take the Ethernet switch as the example.

 

So this is how the switch is designed to deal with VLAN:

1. All the packets inside the switch are transferred with a VLAN tag, so traffic from different VLANs can be told apart.

2. For a packet arriving at a switch port, we decide the tag or untag operation for the packet on Ingress (entering the switch port) and on Egress (leaving the switch port).

Point 2 is the difficult part for most beginners when learning VLANs. To understand it, you need to understand two related concepts: the first is PVID, the other is Port Type.

 

Let's start with PVID. PVID means Port VLAN ID. This is the default VLAN for the port. That means when an untagged packet enters the port, the switch adds a tag with this PVID; when a packet leaves the port, if it carries the tag of the PVID, the port strips its tag.

Two useful rules of thumb:

1. All switches' default PVID is VLAN 1.

2. Cisco and some other vendors call the PVID the Native VLAN.

 

For Port Type, different vendors have different definitions, but they are just different approaches to achieve the same purpose. For example, Cisco uses Access/Trunk ports, while TP-LINK uses General ports.

 

Let's first look at Access/Trunk ports:

Access Port: when you set a port as an Access Port, it generally means you plan to connect an end client like a laptop to this port so the client can access the network. An Access port allows only 1 VLAN, and packets egressing the Access port have the VLAN tag stripped. For example, if you set the switch port as Access and allow VLAN 10, the port's PVID is changed to 10 automatically. Then the device connected to this port is put into VLAN 10. By default, all switch ports are Access type and allow VLAN 1.

Trunk Port: Unlike an Access port, a Trunk port allows multiple VLANs at the same time. For an Ingress packet, if it's tagged and allowed, the port keeps the VLAN tag; if it's untagged, the port tags it according to the port's PVID. For an Egress packet, if it's tagged and allowed, the port keeps the tag, except for the Native VLAN/PVID: if it's the Native VLAN/PVID, the port strips the tag. Since a Trunk port allows multiple VLANs, it is generally used for switch-to-switch links.

 

General Port: aka Hybrid port. It also allows multiple VLANs, but you can flexibly configure each specific VLAN as tagged or untagged. You may already have noticed that with this flexibility I don't need Access or Trunk ports at all: I can just use General ports and configure each VLAN as tagged or untagged as needed. This is indeed how TP-LINK and many other vendors do it nowadays. Here is an example of how a General port can be made equivalent to an Access/Trunk port:

Access/Trunk port                       Equivalent General port
access port allows VLAN 10              general port allows VLAN 10 untagged, with PVID=10
trunk port allows VLAN 10, VLAN 20      general port allows VLAN 10, VLAN 20 tagged
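The ingress/egress rules for Access, Trunk and General ports above, as an added example that is not part of the original post: a small Python model in which Access and Trunk ports are built as General (hybrid) ports, plus a parser that reads the VLAN ID from the 802.1Q tag position in a frame. The port names, the helper functions and the frame bytes are constructed for this illustration and are not any vendor's API.

```python
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag right after the two MAC addresses

def parse_vid(frame: bytes) -> Optional[int]:
    """Return the VLAN ID of an Ethernet frame, or None if it carries no 802.1Q tag."""
    if len(frame) >= 16 and int.from_bytes(frame[12:14], "big") == TPID_8021Q:
        return int.from_bytes(frame[14:16], "big") & 0x0FFF  # VID is the low 12 bits of the TCI
    return None

@dataclass
class Port:
    """A General (hybrid) port: every allowed VLAN is either tagged or untagged on egress."""
    pvid: int = 1                                   # most switches default the PVID to VLAN 1
    tagged: set = field(default_factory=set)        # VLANs sent out with the tag kept
    untagged: set = field(default_factory=set)      # VLANs sent out with the tag stripped

    def allowed(self) -> set:
        return self.tagged | self.untagged

# Access and Trunk ports expressed as General ports, matching the equivalence table above
def access_port(vlan: int) -> Port:
    return Port(pvid=vlan, untagged={vlan})

def trunk_port(vlans, native: int = 1) -> Port:
    return Port(pvid=native, tagged=set(vlans) - {native}, untagged={native})

def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    if vid is None:            # untagged frame: the PVID decides
        vid = port.pvid
    return vid if vid in port.allowed() else None

def ingress_frame(port: Port, frame: bytes) -> Optional[int]:
    """Same as ingress(), but starting from raw frame bytes (constructed input)."""
    return ingress(port, parse_vid(frame))

def egress(port: Port, vid: int):
    """Return (forwarded, tag_on_wire); the tag is None when the port strips it."""
    if vid not in port.allowed():
        return (False, None)   # VLAN not allowed on this port: isolation holds
    return (True, None) if vid in port.untagged else (True, vid)

def forward(in_port: Port, out_port: Port, vid: Optional[int]):
    """Carry one frame through the switch; (False, None) if it is dropped anywhere."""
    internal = ingress(in_port, vid)
    return (False, None) if internal is None else egress(out_port, internal)

if __name__ == "__main__":
    pc, uplink = access_port(10), trunk_port({10, 20}, native=1)
    print(forward(pc, uplink, None))   # untagged PC frame leaves the trunk tagged as VLAN 10
    print(forward(uplink, pc, 20))     # VLAN 20 never reaches the VLAN 10 access port
```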

 

Now you should understand the basic concept of VLANs and can start doing some simple VLAN configurations. For how to configure 802.1Q VLAN on the Omada Controller, you can refer to this FAQ:

https://www.tp-link.com/us/support/faq/3091/

 

There are some other technologies based on 802.1Q VLAN, like MAC VLAN, OUI VLAN, VoIP VLAN, Protocol VLAN, Private VLAN, VLAN VPN/QinQ, VLAN transfer, 802.1X-assigned Dynamic VLAN, VXLAN, etc. Once you have mastered the fundamental knowledge of VLAN, the other concepts will not be very difficult for you to understand.

 
