Understanding VLAN Membership

Questions about how VLANs work and about tagging/untagging ports have come up several times, so this is a simplified post based on some of the questions I have received:

Each VLAN is typically mapped to a single IP subnet. This limits the broadcast domain and gives you a place to enforce access control between groups of devices. For example, my network could look like this:

VLAN 10:
VLAN 20:
VLAN 30:

To connect a PC to VLAN 30, you assign it an IP address in that network and plug it into a switchport that is untagged on VLAN 30 (on Cisco switches, this is switchport mode access / switchport access vlan 30). The PC is not VLAN aware, so it sends untagged frames, and the switch places those untagged frames into VLAN 30. Any frame the switch sends back to the PC has its tag removed again, so the PC never sees VLAN information at all.

If my PC wants to reach a device on another subnet/VLAN, the traffic has to be routed between the two networks. Some Layer 3 switches route by default; others need "ip routing" enabled first. Most enterprise networks route between VLANs on the core/distribution switch, so I would assign an IP address to each VLAN interface (SVI) on that switch:

Interface VLAN 10 IP Address
Interface VLAN 20 IP Address
Interface VLAN 30 IP Address

Each VLAN interface becomes the default gateway for the devices in its network and allows the networks to communicate with each other. Note that once routing is enabled, every VLAN can reach every other VLAN by default; if you need to limit access between networks, apply an Access Control List (ACL) to the VLAN interface.
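Here is the access port, the VLAN interfaces and a restrictive ACL written out as a worked Cisco IOS configuration. This is an added example, not configuration from the original post: the subnets (10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24), the interface names, the VLAN names and the ACL name GUEST-IN are all assumptions, since the post does not give them.

```cisco
! Added example; subnets, interface numbers and names are assumed.
vlan 10
 name Servers
vlan 20
 name Users
vlan 30
 name Guests
!
! Access port for the non-VLAN-aware PC: untagged frames land in VLAN 30.
interface GigabitEthernet1/0/5
 description Guest PC
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Inter-VLAN routing on the core/distribution switch. On platforms where
! routing is off by default this line is what makes the SVIs forward traffic.
ip routing
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ! Filter traffic arriving from VLAN 30 hosts before it is routed anywhere.
 ip access-group GUEST-IN in
!
! Guests may talk to their own gateway and to anything outside, but not to
! the Servers or Users VLANs. Everything not permitted is dropped by the
! implicit deny at the end of the list.
ip access-list extended GUEST-IN
 permit ip 10.0.30.0 0.0.0.255 host 10.0.30.1
 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 any
```

The ACL is applied inbound on the VLAN 30 SVI, which is the direction traffic takes when a guest host sends a packet towards another subnet; an ACL on the other SVIs would only filter the return path. After applying it, "show vlan brief" confirms which ports are members of each VLAN, "show ip interface brief" confirms the SVIs are up, and "show access-lists GUEST-IN" shows hit counts so you can see the deny entries actually matching.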

If your end device is VLAN aware and needs to communicate on multiple networks over the same physical interface, then VLAN tagging (or in the Cisco world, trunking) comes into play. For example, if you have a VMware host with some virtual machines on VLAN 10 and other virtual machines on VLAN 20, then VLAN tagging needs to be set up on the switch AND on the VMware host.

On the switchport, we could set VLAN 10 untagged and VLAN 20 tagged (for Cisco, this is switchport mode trunk with switchport trunk native vlan 10). On the VMware host, a physical NIC can be an uplink for only one vSwitch, so rather than one vSwitch per VLAN we create a single vSwitch with the physical NICs as its uplinks and put two port groups on it: a port group for VLAN 10 with VLAN ID 0, meaning no tag (because the switch accepts all untagged frames into VLAN 10 as the native VLAN), and a port group for VLAN 20 with VLAN ID 20. Virtual machines in the VLAN 20 port group communicate like normal, but when the vSwitch sends their frames out of the host to the switchport, it tags them with VLAN 20 so they land in the correct network; tagged VLAN 20 frames arriving from the switch have the tag stripped by the vSwitch before they reach those VMs.

One caveat: carrying production traffic untagged on the native VLAN of a trunk is the ingredient for the classic double-tagging VLAN-hopping trick. Where the platform allows it, tag every VLAN on the trunk (including VLAN 10, with the matching VLAN ID set on its port group) and leave the native VLAN as an unused VLAN that nothing is assigned to.
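The trunk side of that VMware example, written out as an added Cisco IOS configuration (not from the original post). The interface name GigabitEthernet1/0/10 and the unused VLAN 999 used as the hardened native VLAN are assumptions; the VLAN numbers 10 and 20 come from the post.

```cisco
! Added example; interface number and the spare VLAN 999 are assumed.
!
! Variant 1: exactly what the post describes. VLAN 10 is untagged (native),
! VLAN 20 is tagged. The ESXi port group for VLAN 10 uses VLAN ID 0 and the
! port group for VLAN 20 uses VLAN ID 20.
interface GigabitEthernet1/0/10
 description ESXi host vmnic0
 switchport mode trunk
 switchport trunk native vlan 10
 ! Only carry the VLANs the host actually needs; every other VLAN is pruned.
 switchport trunk allowed vlan 10,20
 ! Do not let the port negotiate trunking with whatever is plugged in.
 switchport nonegotiate
!
! Variant 2: hardened. Nothing rides the native VLAN; the host tags both
! VLANs, so the ESXi port group for VLAN 10 now uses VLAN ID 10. VLAN 999
! exists only so that untagged frames have somewhere harmless to land.
vlan 999
 name Unused-Native
!
interface GigabitEthernet1/0/10
 description ESXi host vmnic0
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

Pick one variant; the second block simply overwrites the native VLAN and leaves the rest in place. Either way, "show interfaces GigabitEthernet1/0/10 trunk" should list the port as trunking with the expected native VLAN and allowed VLANs, and on the host side the VLAN ID on each port group can be set in the vSphere client or with esxcli network vswitch standard portgroup set -p <port group> -v <vlan id>. If a VM in the VLAN 20 port group cannot reach its gateway, the usual cause is a mismatch between the VLAN ID on the port group and the allowed list on the trunk.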