Continuing the series of blogs posts on the most representative technologies to consider when selecting switches, this time we look at VLAN technology. VLANs arose from the need to isolate different stations operating on the same physical local network. 

In addition, VLANs isolate different broadcast domains and help stations to avoid support excessive broadcast traffic, saving bandwidth and increasing security. Understanding precisely how VLANs are handled and what role they play when used in switches would require much more space than a blog post. However, an explanation of how switch ports are defined according to their behavior and how VLAN assignment methods work can give a rough idea of the role switches play when implementing VLANs. 

Types of ports based on VLANs in switches

When a switch port is configured as a Layer 2 link, its behavior must be configured with respect to VLANs. The goal is to establish what type of frames will be supported by the port, which VLANs will be allowed on the same port, and when will the frames sent over the port carry the VLAN tag. 

Access ports – This port type is associated with a single VLAN that is considered the native VLAN. Frames received by the port that are not tagged are considered to belong to the native VLAN. Only frames belonging to that VLAN can be forwarded by the port. When a frame is sent, it is sent untagged. 

Trunk ports – This port type has a native VLAN, but also allows all other VLANs. When frames belonging to the native VLAN are sent through the port, they are sent untagged. All other frames belonging to the other VLANs are sent tagged. Obviously, the two trunk ports belonging to the same link must have the same native VLAN configured. 

Uplink ports – This type of port has a native VLAN and allows all other VLANs. Frames sent through an Uplink port are always tagged. 

Other – Certain functions (such as MAC VLAN or QinQ) require other types of ports (i.e., hybrid ports) that we will discuss later. 

Frame processing rules – When an untagged frame arrives at a port, it is considered to belong to the native VLAN of that port. If a tagged frame arrives, only those belonging to a supported VLAN will be accepted. 

A layer 2 switch can only forward frames to ports that are compatible with the frame’s VLAN. In the case of layer 3 switches, frame forwarding decisions will be made based on layer 3 routing rules. 

VLAN assignment methods in switches

MAC VLAN

Assigns a VLAN to a port based on the MAC address of the device connecting to it. This fosters mobility, since a given user can connect his device in different places at different times. Generally, MAC-based VLAN assignment is used in combination with the 802.1x port access standard. 

The MAC VLAN method is only compatible with untagged VLAN frames and so-called Hybrid Ports are used. As soon as the port receives a frame from the connected device, it compares the source MAC with the MAC-VLAN matching rules. If a match is found, the VLAN is assigned to the frame and the relevant VLAN progress rules are followed. 

Subnet VLAN

In this case, the VLAN is assigned based on the source IP address of the packet contained in the frame. This method is often used in deployments where each user is assigned a fixed IP address, but the user has the possibility to connect to different locations in the office each time. In this way, the same VLAN can always be secured and the resources that the user can access can be controlled. 

Protocol VLAN

The VLAN is assigned according to the protocol indicated in the Ethernet frame. It is used to separate traffic per type. 

Super VLAN

This technique creates different broadcast domains, each corresponding to a different sub-VLAN, while maintaining a single IP subnet. 

It is typically used in large segments, where (for some reason) the terminals of, say, different departments need to be kept separate at level 2. However, this method does not entail the waste of IP addresses and lack of flexibility associated with a division based on different IP subnets. Communication between stations belonging to the same sub-VLAN is done at level 2, while communication between stations corresponding to different sub-VLANs is done at level 3 (by means of proxy-ARP protocol and using the switch where the Super-VLAN is defined). 

Conclusions regarding VLANs in switches

The techniques and protocols that focus on combining professional switches with VLANs allow local area networks to be perfectly organized by isolating different domains, introducing growth opportunities, making the physical relocation of users easier, saving on IP addresses, etc. 

This is key for network engineers, who have to deal with the planning and deployment of LANs and the necessary investments in equipment. 

The Windbit switch portfolio supports state-of-the-art VLAN technologies that are more than a match for the most sophisticated models on the market.