How Virtual Local Area Networks (VLANs) Work - dummies

How Virtual Local Area Networks (VLANs) Work

By Edward Tetz

The magic of how virtual local area networks (VLANs) work is found in the Ethernet headers. When a switch receives an Ethernet frame, the frame will either already have a VLAN tag or the switch will insert a VLAN tag into the Ethernet header. If the frame was received from another switch, that switch will have already inserted the VLAN tag; while frames come from network devices, such as computers, the frame will not have a VLAN tag.

If you are using the switch defaults for VLANs, the VLAN tag that will be placed on the frame is VLAN1. When placing a VLAN tag (also known as an IEEE 802.1Q tag) on the Ethernet frame, the four bytes of data, which make up the VLAN tag, are inserted before the Type field, as shown in the following figure. This 4-byte header includes several pieces of information:

  • A 2-byte Tag Protocol Identifier (TPID), which will be set to a value of 0x8100 to denote that this frame carries 802.1Q or 802.1p tag information.

  • A 2-byte Tag Control Information (TCI), which is made of the following:

    • A 3-bit user Priority Code Point (PCP) that sets a priority value between 0 and 7, which can be used for Quality of Service (QoS) priority traffic delivery.

    • A 1-bit Canonical Format Indicator (CFI) that is a compatibility bit between Ethernet and other network structures, such as Token Ring. For Ethernet networks, this value will also be set to zero.

    • A 12-bit VLAN Identifier (VID) that identifies the VLAN the frame belongs to.


Haggling with gargantuan packet sizes

An unfortunate error can happen when tagging VLANs on a frame. The maximum size of an IEEE 802.3 Ethernet frame is 1518 bytes. If the payload or data portion contains its full 1500 bytes of data and the additional 4-byte header into the frame, the frame would be 1,522 bytes in size.

To deal with this situation, IEEE released a new standard for Ethernet in 1998 (IEEE 802.3ac) that increased the maximum size of an Ethernet frame to 1,522 bytes. If you have older switches that do not support the larger IEEE 802.3ac frame size, your switches might drop these unsupported frames with notification or might report them as baby giants, or overly sized frames.

Prior to the IEEE 802.1Q standard defining VLAN tagging, some vendors took matters into their own hands with proprietary solutions. Cisco’s answer to the problem was Inter-Switch Link (ISL), which now runs on switchports configured for Trunk mode.

In addition to switches, Cisco has supported ISL with router connections since Cisco IOS Release 11.1. ISL implements support for VLAN information in a completely different manner than IEEE 802.1Q; instead of inserting a header into the Ethernet frame it encapsulates the entire existing Ethernet frame into an ISL frame with a new header used to transport the Ethernet frame between switches.

The ISL frame adds an extra 30 bytes to the size of the Ethernet frame with a 26-byte ISL header containing the VLAN ID and a 4-byte checksum at the end of the frame. This overhead exists only if the frame goes out over an ISL link.

When the ISL frame leaves the switch, the switch examines the port type of the exiting port. If the port is not part of an ISL link, the ISL encapsulation is stripped from the frame, and the standard 802.1Q tag is inserted into the Ethernet frame.

VLAN frames

Now you know how to move VLAN traffic from one switch to another by using IEEE 802.1Q tags or ISL frames across ISL links, but how does VLAN information get onto the frames in the first place? There are both manual and automatic methods for doing this, but the most common method is the manual method of configuring a port-based VLAN.

With a port-based VLAN, your switch examines data that comes in on a port, and if the data is not already tagged with a VLAN, the switch then places a VLAN tag on the data.

When implementing VLANs on your network, you use trunk ports for your inter-switch links, but for your client access ports, you use Access mode instead of Trunk mode.

When you unbox your new switch, all ports are in Access mode by default; that means that they expect to have computing devices connected to them, and they will automatically insert IEEE 802.1Q tags into any Ethernet frames that do not already have tags. Typically, ports in Access mode expect to see untagged traffic because computers and other devices do not know how to pre-tag Ethernet frames.

If you have implemented IP telephony, IP phones are capable of tagging their own traffic through an integrated two-port switch.


A switch does not expect to see traffic with VLAN tags on ports in Access mode because most devices on those ports do not tag their own traffic; traffic on Trunk mode ports automatically allow traffic tagged for any VLANs to be sent to connected switches. Because Trunk mode ports send traffic tagged for any VLAN, they expect to see traffic arriving from connected switches tagged for any VLAN.

Passing traffic from VLAN to VLAN

VLANs allow you to isolate users from each other by placing them in different VLANs, but now how do you pass traffic from one VLAN to another VLAN? Doing so involves the use of a Layer 3 device to route the traffic from one VLAN to another; yes, that would be router. Therefore, if your router does not support VLANs or VLAN tagging, this process will require an interface configured on each VLAN, which can be an expensive proposition.

The best solution is to purchase a router that supports VLANs, which means you can connect a single interface on your router to a Trunk mode port on your switch, which allows the router to internally route between virtual VLAN interfaces.

The other option you have available to you is to purchase a Layer 3 switch, which is a switch with routing functions built into it. That is, they are capable of providing all the inter-VLAN routing functionality, without leaving the switching device.

A managed Layer 2 switch will see tagged or untagged data, and the switch may be configured to allow traffic on specified VLANs to be forwarded or blocked. If there is untagged traffic, this switch can place a VLAN tag into the existing header or encapsulate the frame if sending it over an ISL link. Finally, trunk ports will pass traffic for all VLANs by default, unless told otherwise.

Several default VLANs are created on your switch that cannot be removed. These include VLANs 1 and 1002–1005. The latter VLANs are used for Token Ring and FDDI networks; VLAN 1 is the default VLAN and is used for Ethernet.

Although supporting 4096 Per VLAN Spanning Tree (PVST) would be nice, one for each VLAN, there is an IOS limit of 64 instances of spanning tree instances. So if you are using PVST, as you do in the next chapter, only the first 64 VLANs will have spanning tree enabled, and it will be disabled for the remaining VLANs.