VLAN 101

Basic understanding of VLANs and how they work.

Basic Concepts

PIF

Defines the physical port of a piece of equipment.

PVID
PVLAN

Defines the default VLAN for traffic leaving a specified interface. Also referred to as the Native Network or Parent VLAN. Untagged traffic will be tagged with this ID when leaving the port.

VIF

Defines a virtual port of a piece of equipment; commonly used interchangeably with VLAN or VID.

PVIF

Defines a parent virtual port of a piece of equipment; commonly used interchangeably with PVLAN or PVID.

VID

Defines a virtual port of a piece of equipment; must be associated with a PIF. Commonly used interchangeably with VLAN, VIF.

VLAN

A virtual network, creating logical separations within a switch. This allows for multiple broadcast domains on the switch.

VLAN Attributes:

  • L2 (layer 2).

  • Independent Broadcast Domain.

  • Configured with 802.1Q.

  • VLANIDs: 0-4095.

  • VLANID 1 is generally used as a management VLAN with no VLAN tags.

VLANID

Integer number between 0-4095 identifying a specific VLAN.

ALL

Concept used to denote ALL VLANS and untagged traffic. Typically used in defining trunks. If ALL is not used, then untagged traffic must be explicitly allowed.

Tagged

Network packet that has already been tagged with the 802.1Q header, identifying that packet as being on a specific VLAN.

Untagged

Network packet that does not have the 802.1Q header. This is standard network traffic. Also commonly referred to as the Native VLAN.

Management VLAN

VLAN used for general management and administration; not typically for everyday data traffic. In common practice, the management VLAN carries Untagged traffic so that unconfigured devices can be reached when they are added to the network. Some devices (like Ubiquiti) treat the Management VLAN, Untagged traffic, and Native VLAN as VLANID 1.

Native VLAN

Synonym for Untagged. Standard network traffic that lets unconfigured devices be reached when they are added to the network. Some devices (like Ubiquiti) treat the Management VLAN, Untagged traffic, and Native VLAN as VLANID 1.

Trunk

Used for upstream or downstream links between switches and routers. Accepts and forwards traffic on multiple VLANS, usually including Untagged traffic.

Basic VLAN Switch Concepts

VLANs allow you to ‘break up’ a switch so that it effectively acts as multiple switches by isolating the broadcast domain of traffic.

In this example, port 1 will see all traffic from all VLANS. Ports 2 and 3 will only see traffic on VLAN 2, ports 4-6 see only VLAN 3, and ports 7-8 see only VLAN 4:


The equivalent physical configuration looks something like:


Basic VLAN Port Concepts

Conceptualize VLANS as a way to filter traffic from either side of a port. It may also help to think of VLANs as ‘cables’ between switching devices.

Clarifying Terms:

  • PIF will be used for all cases of PIF, PVIF, PVID, Native Network and Parent VLAN.

  • VIF will be used for all cases of VIF, VID, VLAN.

  • Management VLAN is defined as Untagged network (e.g. PIF 1, VLAN 1).

  • VLANS are NOT SUBNETS. A VLAN may carry multiple subnets of traffic as long as those packets are tagged appropriately and the separation is physically enforced at the hardware/server level. Subnets are defined further up the networking stack, typically in software. Generally you’ll see one subnet per VLAN.

Standard device on a port

Devices which do not support VLANs will send data Untagged onto the network. This untagged traffic will be tagged with the PIF ID exiting the port.

Egress Traffic

Untagged traffic from a device will be untagged exiting the port if ALL networks are allowed:


Untagged traffic from a device will be tagged with the PIF VLAN if it is explicitly defined:


Tagged and Untagged traffic will be filtered at the port based on PIF and VIF:


Ingress Traffic

Untagged traffic will be allowed through the port to the device if ALL networks are allowed:


Traffic must be tagged with the PIF VLAN for it to reach the device:


Tagged and Untagged traffic will be filtered at the port based on PIF and VIF.

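As an added example (not from the original page), the egress and ingress rules above written out as a small Python model of one VLAN-aware port, keeping the page's device-centric orientation: PIF is the port's default VLAN, VIF the set of allowed tagged VLANs, and ALL means every VLAN including untagged. The frame bytes, VLAN numbers and the class and function names are constructed for this demo.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ALL = "ALL"           # the page's ALL: every VLAN plus untagged traffic

def vlan_of(frame: bytes):
    """VLAN ID from the 802.1Q header, or None if the frame is untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)   # PCP(3) DEI(1) VID(12)
    return tci & 0x0FFF

def tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q header (PCP 0, DEI 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def untag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q header."""
    return frame[:12] + frame[16:]

class Port:
    """Constructed model: pif = default/native VLAN, vif = allowed tagged VLANs or ALL."""
    def __init__(self, pif, vif=ALL):
        self.pif, self.vif = pif, vif

    def allowed(self, vid):
        return self.vif == ALL or vid == self.pif or vid in self.vif

    def from_device(self, frame):
        """Page's 'Egress' direction: device -> switch. None means filtered."""
        vid = vlan_of(frame)
        if vid is None:   # untagged: passes as-is under ALL, else tagged with PIF
            return frame if self.vif == ALL else tag(frame, self.pif)
        return frame if self.allowed(vid) else None

    def to_device(self, frame):
        """Page's 'Ingress' direction: switch -> device. None means filtered."""
        vid = vlan_of(frame)
        if vid is None:   # untagged only reaches the device under ALL
            return frame if self.vif == ALL else None
        if vid == self.pif:   # traffic on the PIF VLAN is delivered untagged
            return untag(frame)
        return frame if self.allowed(vid) else None

# Constructed frame: broadcast dst MAC, src MAC, IPv4 EtherType, dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff001122334455" "0800") + b"payload"
```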

Unifi APs

Unifi APs transmit both tagged and untagged data at the same time.

  • Tagged: AP data. If configured, AP data is explicitly tagged with a VLAN before leaving the device.

  • Untagged: AP Management Interface. By default the management interface is exposed with untagged traffic (Management VLAN, VLAN 1) to make adoption easier. In newer versions you can configure the management VLAN to a custom VLAN.

  • The LAN network defined in Networks on the Unifi controller describes the properties of the Management VLAN. This is the network that Untagged traffic will be sent on.

Implementation Concepts

Fundamental concepts about VLANS need to be clarified before proceeding. VLANS allow the separation of networks at the physical switch level (L2/L3), which can be thought of as applying switch-level filters to prevent specific traffic from ever hitting network ports.

Important things to note:

  • Untagged traffic is traffic without any VLAN tags. Within VLAN-aware devices this is treated as 1 or VLAN1. ALL also includes this traffic.

  • Ports will have a default VLAN, or PVIF. This is the VLAN traffic will be tagged with if no tags are present. If you connect a bunch of computers to a switch, and plug that switch into this port, they will all behave as though they are on the default or PVIF network.

  • Ports will typically have an additional set of VLANS that are allowed. Traffic using these VLANS needs to be pre-tagged with VLAN IDs to be allowed through. Untagged traffic will be tagged with the default VLAN.

  • Trunks aggregate traffic together and are used to push traffic upstream to another device. Trunk configurations should be the same set of VLANS on both ends in most cases. Trunks connecting directly to the router should generally contain all VLANS, while Trunks downstream should only specify VLANS that are actually used or needed on those devices. It may be helpful to look at the leaf nodes first and work your way back to prevent VLANS inadvertently being dropped on the way to the router.

  • Set a spare port on switches for Management VLAN access so you can locally manage devices if something goes wrong.

  • You need to understand your current network and lay out a plan for how the traffic should work on VLANS. Generally VLANs segregate traffic based on type; e.g. wifi, iot, servers, desktops, etc.
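An added example (not from the page's source) for the trunk advice in the list above: it walks a leaf-to-router path of trunk links, reports the first trunk end that drops each VLAN the leaf devices need, and flags trunks whose two ends disagree. The topology, link names and VLAN IDs are constructed for the demo.

```python
ALL = "ALL"   # the page's ALL: every VLAN, untagged included

def carries(allowed, vid):
    """True if one trunk end is configured to pass this VLAN."""
    return allowed == ALL or vid in allowed

def trace_vlans(path, needed):
    """path: (link_name, downstream_end_vlans, upstream_end_vlans) tuples
    ordered from the leaf switch toward the router; needed: VLAN IDs the
    leaf devices use. Returns {vid: None if it reaches the router, else
    the first link end that drops it}."""
    result = {}
    for vid in needed:
        result[vid] = None
        for name, down, up in path:
            if not carries(down, vid):
                result[vid] = f"{name}: downstream end"
                break
            if not carries(up, vid):
                result[vid] = f"{name}: upstream end"
                break
    return result

def mismatched_trunks(path):
    """Links whose two ends allow different VLAN sets (the page says
    both ends should normally match)."""
    return [name for name, down, up in path if down != up]

# Constructed path: access switch -> distribution switch -> router.
# VLAN 20 was left off the distribution switch's uplink to the router and
# VLAN 30 was never added to the access switch's uplink.
PATH = [
    ("access<->dist", {1, 10, 20}, {1, 10, 20, 30}),
    ("dist<->router", {1, 10}, ALL),
]
```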
