Which of the following vlans receives all untagged frames from untagged ports?

Virtual local area networks, or VLANs, can be used to segment traffic within a network in combination with subnetting. VLANs keep traffic from different networks separated when it traverses shared links and devices within a topology. This process, known as VLAN tagging, is invaluable for limiting broadcast traffic and securing network segments. VLAN tagging is an integral part of networks of all sizes and is supported on MX security appliances, MR access points, and MS series switches. It can be applied to data traffic and management traffic independently.

Best practice is to use a single subnet per VLAN ID.

Common Terms

VLAN - Virtual local area network; logical identifier for isolating a network

Tagged port (trunk) - A port enabled for VLAN tagging; it carries frames for multiple VLANs

Untagged port (access) - A port that does not tag and only accepts a single VLAN

Encapsulation - The process of modifying frames of data to include additional information

802.1Q - The most common encapsulation method for VLAN tagging. This is the method used by Meraki devices.

Native VLAN - The VLAN associated with all untagged traffic on a trunk

Subnet - A logical network which may be derived from a larger network ID

Best Practices

VLAN-enabled ports are generally categorized in one of two ways, tagged or untagged, also referred to as "trunk" or "access" respectively. A tagged or "trunk" port passes traffic for multiple VLANs, whereas an untagged or "access" port accepts traffic for only a single VLAN. Generally speaking, trunk ports link switches, and access ports link to end devices.

Trunk ports require more configuration than access ports to come up successfully as a trunk.

Both ends of the link must have the following in common:

  • Encapsulation
  • Allowed VLANs
  • Native VLAN


While a link may come up with mismatched allowed or native VLANs, it is best practice to configure both sides of the link identically. Mismatched native VLANs or allowed VLANs can have unforeseen consequences. Recall that the native VLAN is the VLAN associated with untagged traffic. Mismatched native VLANs on opposite sides of a trunk inadvertently create "VLAN hopping": a frame that enters the trunk in one VLAN is placed in a different VLAN on the far side. Attackers use the same effect deliberately to reach a segment they are not supposed to be in, so a mismatch is an open security risk. Consider the following example and diagram.

A client is plugged in to a VLAN 1 access port on the switch on the right and requests an address from the DHCP server on the VLAN 1 subnet (192.168.1.0/24). There is a native VLAN mismatch on the trunk link between the two switches, which prevents the client from receiving the appropriate address. Coming from a VLAN 1 access port, the DHCP request leaves the right switch's trunk untagged, because the native VLAN there is 1. On the left switch the native VLAN of the trunk is 10, so the untagged frame is treated as VLAN 10. The DHCP server therefore answers a request from VLAN 10 and hands out a 192.168.10.0/24 address. The reply leaves the left switch untagged, since VLAN 10 is its native VLAN, and is treated as VLAN 1 on the right switch because of the same mismatch; the client ultimately obtains an address in the wrong subnet.


This, along with all other trunk configuration, must be identical for the entire path through the network that traffic will follow. For example, if there are three switches between a client and a gateway on VLAN 100, it must be trunked through all the switches' connecting links (shown below).


While VLANs are effective for separating network segments and limiting broadcast traffic, it is often a requirement for subnets separated by VLANs to be able to communicate. This can be accomplished only through a layer 3-enabled device that can route between the VLANs. Even if both VLANs exist on a device, their traffic will be segregated unless mediated by a layer 3 routing device.

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods:

  • Access port—Belongs to only one VLAN and sends traffic untagged. Access ports are usually used to connect a terminal device that cannot process VLAN-tagged packets, or are used when separating different VLAN members is unnecessary. In the network diagram, Device A is connected to common PCs that cannot recognize VLAN-tagged packets, so you must configure Device A's ports that connect to the PCs as access ports.

  • Trunk port—Carries multiple VLANs, receiving and sending traffic for all of them. Traffic sent through a trunk port is VLAN-tagged, except for traffic of the port VLAN ID (PVID), which is sent untagged. Usually, ports that connect network devices are configured as trunk ports. In the network diagram, Device A and Device B need to transmit packets of VLAN 2 and VLAN 3, so you must configure the ports interconnecting Device A and Device B as trunk ports and assign them to VLAN 2 and VLAN 3.

  • Hybrid port—Allows traffic of some VLANs to pass through untagged and traffic of other VLANs to pass through tagged. Usually, hybrid ports are configured to connect devices whose support for VLAN-tagged packets is uncertain. In the network diagram, Device C connects to a small LAN in which some PCs belong to VLAN 2 and other PCs belong to VLAN 3, and Device B does not know whether Device C supports VLAN-tagged packets. On Device B, configure the port connecting to Device C as a hybrid port that lets packets from VLAN 2 and VLAN 3 pass through untagged.

Figure 5: Network diagram

By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required.

When you configure the PVID on a port, follow these restrictions and guidelines:

  • An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

  • A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.

  • You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port. After you use the undo vlan command to remove the VLAN where an access port resides, the PVID of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid port, however, does not affect the PVID setting on the port.

  • Do not set the voice VLAN as the PVID of a port in automatic voice VLAN assignment mode. For information about voice VLAN, see "."

  • Hewlett Packard Enterprise recommends that you set the same PVID for local and remote ports.

  • Make sure that a port permits the traffic from its PVID to pass through. Otherwise, when the port receives frames tagged with the PVID or untagged frames, the port drops these frames.

Frame handling by port type (access, trunk, hybrid):

Incoming untagged frame
  • Access: tags the frame with the PVID tag.
  • Trunk or hybrid: determines whether the PVID is permitted on the port. If yes, tags the frame with the PVID tag; if not, drops the frame.

Incoming tagged frame
  • Access: receives the frame if its VLAN ID is the same as the PVID; drops the frame if its VLAN ID is different from the PVID.
  • Trunk or hybrid: receives the frame if its VLAN is permitted on the port; drops the frame if its VLAN is not permitted on the port.

Outgoing frames
  • Access: removes the VLAN tag and sends the frame.
  • Trunk: removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID; sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID.
  • Hybrid: sends the frame if its VLAN is permitted on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command; this applies to the PVID as well.

How can VLAN hopping attacks be prevented on a network?

How to prevent VLAN hopping:
  • Hosts should not be put on the default Ethernet VLAN, VLAN 1.
  • The native VLAN on every trunk port must be an unused VLAN ID.
  • Explicit tagging of the native VLAN should be enabled for all trunk ports.
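The port-type ingress and egress rules from the frame-handling table, the native-VLAN-mismatch DHCP example from the trunk section, and the three mitigations just listed, worked through in one added example. This is illustration code written for this page, not Meraki or HPE code. Assumptions: a frame is modelled only by its VLAN tag (an integer, or None when untagged); the `tag_native` flag stands in for a vendor's "tag the native VLAN on trunks" option; the two-switch topology is the one from the DHCP example, with the client on the right switch.

```python
# Added illustration of access / trunk / hybrid frame handling and of the
# native-VLAN mismatch. Not vendor code. Assumed model: a frame is just its
# 802.1Q VLAN ID (or None when untagged); tag_native is a stand-in for a
# "tag native VLAN on trunks" option.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    kind: str                      # "access", "trunk" or "hybrid"
    pvid: int = 1                  # default PVID is VLAN 1, as in the text
    permitted: Set[int] = field(default_factory=lambda: {1})
    untagged: Set[int] = field(default_factory=set)  # hybrid: VLANs sent untagged
    tag_native: bool = False       # trunk: send PVID frames tagged (assumed knob)


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the incoming frame is switched in, or None if the port drops it."""
    if port.kind == "access":
        # untagged -> PVID; a tagged frame is accepted only if it carries the PVID
        return port.pvid if tag is None or tag == port.pvid else None
    if tag is None:
        # trunk/hybrid: untagged frames take the PVID, but only if it is permitted
        return port.pvid if port.pvid in port.permitted else None
    return tag if tag in port.permitted else None


def egress(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """(forwarded, tag on the wire); a tag of None means the frame leaves untagged."""
    if port.kind == "access":
        return (vlan == port.pvid, None)
    if vlan not in port.permitted:
        return (False, None)
    if port.kind == "trunk":
        if vlan == port.pvid and not port.tag_native:
            return (True, None)            # native VLAN leaves untagged
        return (True, vlan)
    # hybrid: per-VLAN tagged/untagged choice, the PVID included
    return (True, None if vlan in port.untagged else vlan)


def across_trunk(vlan: int, tx: Port, rx: Port) -> Optional[int]:
    """VLAN in which a frame from `vlan` on the sending switch is seen on the receiving switch."""
    forwarded, tag = egress(tx, vlan)
    return ingress(rx, tag) if forwarded else None


def dhcp_round_trip(right_trunk: Port, left_trunk: Port, client_vlan: int = 1):
    """Replay of the DHCP example: request right -> left, reply left -> right.
    Returns (VLAN the server sees the request in, VLAN the reply reaches the
    client in), or None if a frame is dropped on the way."""
    server_vlan = across_trunk(client_vlan, right_trunk, left_trunk)
    if server_vlan is None:
        return None
    reply_vlan = across_trunk(server_vlan, left_trunk, right_trunk)
    return None if reply_vlan is None else (server_vlan, reply_vlan)


if __name__ == "__main__":
    # The mismatch from the text: right trunk native 1, left trunk native 10.
    print("mismatched natives:",
          dhcp_round_trip(Port("trunk", 1, {1, 10}), Port("trunk", 10, {1, 10})))  # (10, 1)
    # Fix: identical native VLAN on both ends.
    print("same natives:",
          dhcp_round_trip(Port("trunk", 1, {1, 10}), Port("trunk", 1, {1, 10})))   # (1, 1)
    # Fix: an unused native VLAN on both ends, so VLAN 1 always crosses tagged.
    print("unused native:",
          dhcp_round_trip(Port("trunk", 999, {1, 10, 999}),
                          Port("trunk", 999, {1, 10, 999})))                          # (1, 1)
    # Fix: explicit native tagging makes even a mismatch harmless.
    print("tagged native:",
          dhcp_round_trip(Port("trunk", 1, {1, 10}, set(), True),
                          Port("trunk", 10, {1, 10}, set(), True)))                  # (1, 1)
```

The (10, 1) result is the wrong-subnet lease from the text: the server sees the request in VLAN 10 and the reply still reaches the client in VLAN 1, so nothing is dropped and the misconfiguration goes unnoticed until addresses are checked. The `ingress` rule for an untagged frame on a trunk whose PVID is not permitted returns None, which is the drop described in the PVID guidelines.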

Which VLAN on a switch Cannot be renamed or deleted?

VLAN 1 has all the features of any VLAN, except it cannot be renamed or deleted. By default, all Layer 2 control traffic is associated with VLAN 1. A native VLAN is assigned to an 802.1Q trunk port.

Which IEEE standard specifies how VLAN information appears in frames?

IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual local area networking (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames.
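The 802.1Q tag format just described, as an added example that is not code from the standard or from any vendor: building a tag from its TPID and TCI fields (3-bit priority, 1-bit drop-eligible indicator, 12-bit VLAN ID) and walking the tag stack of a received frame. The MAC addresses and payloads are constructed. Accepting a stack of tags, including the 0x88A8 service tag of 802.1ad alongside 0x8100, goes beyond the single tag the question asks about; it is what lets you see which VLAN ID a switch acts on once an outer tag is stripped.

```python
# Added example: build and parse 802.1Q-tagged Ethernet frames. Not code from
# the standard or any vendor; MAC addresses and payloads below are constructed.
import struct

TPID_8021Q = 0x8100   # customer tag (C-TAG) defined by 802.1Q
TPID_8021AD = 0x88A8  # service tag (S-TAG) from 802.1ad; accepted when parsing stacked tags


def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """4-byte tag: 16-bit TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vids=()) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the MAC addresses until a non-tag EtherType is reached."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated header")
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def outer_vid(frame: bytes):
    """VLAN ID a switch acts on for this frame, or None if the frame is untagged."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


def strip_outer_tag(frame: bytes) -> bytes:
    """What remains after a switch removes the outermost tag (e.g. on a native-VLAN egress)."""
    if outer_vid(frame) is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    BCAST = b"\xff" * 6                          # constructed broadcast destination
    HOST = bytes.fromhex("020000000001")         # constructed locally administered MAC
    untagged = build_frame(BCAST, HOST, 0x0806, b"arp-request")
    tagged = build_frame(BCAST, HOST, 0x0806, b"arp-request", vids=[10])
    stacked = build_frame(BCAST, HOST, 0x0806, b"arp-request", vids=[1, 10])
    for f in (untagged, tagged, stacked, strip_outer_tag(stacked)):
        p = parse_frame(f)
        print([t["vid"] for t in p["tags"]], hex(p["ethertype"]), p["payload"])
```

`strip_outer_tag` on the stacked frame leaves a frame whose outer VID is 10: once the first tag is gone, the next switch acts on the inner one, which is why the standard's tag stack matters for the native-VLAN handling discussed earlier on this page.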

What type of VLAN is typically Preconfigured on a switch and initially includes all the switch's ports?

A default VLAN is typically preconfigured on a switch and initially includes all the switch's ports. Other VLANs might be preconfigured as well, depending on the device and manufacturer. The default VLAN cannot be renamed or deleted; however, ports in the default VLAN can be reassigned to other VLANs.
