VLANs
Basic understanding of VLANs and how they work.
VLANs are Not Subnets
A single VLAN can carry traffic for several subnets, as long as the frames are tagged appropriately and the tagging is enforced at the switch/host level. Subnets are defined farther up the networking stack, typically in software.
Generally you'll see one subnet per VLAN.
Implementation Concepts
Some fundamental concepts about VLANs need to be clarified before proceeding. VLANs separate networks at the physical switch level (L2/L3); think of them as switch-level filters that prevent specific traffic from ever reaching a network port.
Important things to note:
- Untagged traffic is traffic without any VLAN tag. VLAN-aware devices treat it as VLAN 1. A port that allows ALL VLANs also passes this traffic.
- Every port has a default VLAN, or PVIF. Traffic arriving without a tag is tagged with this VLAN. If you connect a bunch of computers to a switch and plug that switch into this port, they will all behave as though they are on the default (PVIF) network.
- Ports will typically have an additional set of allowed VLANs. Traffic on these VLANs must already be tagged with the VLAN ID to be allowed through; untagged traffic is tagged with the default VLAN.
- Trunks aggregate traffic and are used to push it upstream to another device. In most cases both ends of a trunk should carry the same set of VLANs. Trunks connecting directly to the router should generally carry all VLANs, while trunks further downstream should only carry the VLANs actually used or needed on those devices. It may be helpful to look at the leaf nodes first and work your way back, so that VLANs are not inadvertently dropped on the way to the router.
- Set aside a spare port on each switch for Management VLAN access so you can manage devices locally if something goes wrong.
- Design and understand your network layout, and plan how traffic should flow across VLANs. Generally VLANs segregate traffic by type, e.g. wifi, IoT, servers, desktops.
Switch Concepts
VLANs allow you to break up a switch so that it effectively acts as multiple switches, by isolating the broadcast domain of each VLAN's traffic.
In this example:
- Port 1 will see all traffic from all VLANs.
- Ports 2 and 3 will only see traffic on VLAN 2.
- Ports 4-6 see only VLAN 3.
- Ports 7-8 see only VLAN 4.
VLAN       A  │  2   2  │  3   3   3  │  4   4
        ╭─────┼─────────┼─────────────┼─────────╮
        │ ╭─╮ │ ╭─╮ ╭─╮ │ ╭─╮ ╭─╮ ╭─╮ │ ╭─╮ ╭─╮ │
Port    │ │1│ │ │2│ │3│ │ │4│ │5│ │6│ │ │7│ │8│ │
        │ ╰─╯ │ ╰─╯ ╰─╯ │ ╰─╯ ╰─╯ ╰─╯ │ ╰─╯ ╰─╯ │
        ╰─────┼─────────┼─────────────┼─────────╯
Traffic   A,2,│    2    │      3      │    4
          3,4 │         │             │
The equivalent physical configuration looks something like:
Switch        2   3   4
           ╭─────────────╮
           │ ╭─╮ ╭─╮ ╭─╮ │
    ╭──────┤ │1│ │2│ │3│ ├──────╮
    │      │ ╰─╯ ╰─╯ ╰─╯ │      │
    │      ╰──────┬──────╯      │
  2 │ 2       3   │3  3       4 │ 4
╭───┴────╮ ╭──────┴──────╮ ╭────┴────╮
│╭─╮ ╭─╮ │ │ ╭─╮ ╭─╮ ╭─╮ │ │ ╭─╮ ╭─╮ │
││1│ │2│ │ │ │1│ │2│ │3│ │ │ │1│ │2│ │
│╰─╯ ╰─╯ │ │ ╰─╯ ╰─╯ ╰─╯ │ │ ╰─╯ ╰─╯ │
╰────────╯ ╰─────────────╯ ╰─────────╯
Basic VLAN Port Concepts
Conceptualize VLANS as a way to filter traffic from either side of a port. It may also help to think of VLANs as 'cables' between switching devices.
Clarifying Terms
- PIF will be used for all cases of PIF, PVIF, PVID, Native VLAN and Parent VLAN.
- VIF will be used for all cases of VIF, VID, VLAN.
- Management VLAN is defined as the untagged network (e.g. PIF 1, VLAN 1).
Standard device on a port
Devices which do not support VLANs send data untagged onto the network. This untagged traffic is tagged with the PIF ID as it exits the port.
Egress Traffic
Untagged traffic with a trunk
Untagged traffic from a device will be untagged exiting the port if ALL networks are allowed:
 Device               Port
╭──────╮           ╭─────────╮
│      │ untagged  │ PIF ALL │ untagged
│      ├──────────>│ VIF 20  ├──────────>
╰──────╯           ╰─────────╯
Untagged traffic tagged with the PIF
Untagged traffic from a device will be tagged with the PIF VLAN if it is explicitly defined.
 Device               Port
╭──────╮           ╭────────╮
│      │ untagged  │ PIF 1  │ 1
│      ├──────────>│ VIF 20 ├──────────>
╰──────╯           ╰────────╯
Blocking VLAN traffic at the port
Tagged and Untagged traffic will be filtered at the port based on PIF and VIF:
 Device               Port
╭──────╮           ╭─────────╮
│      │ 20        │ PIF 1   │
│      │ 30        │ VIF 20  │ 20
│      ├──────────>│         ├──────────>
╰──────╯           ╰─────────╯
Ingress Traffic
Port allowing untagged traffic in via ALL
Untagged traffic will be allowed through the port to the device if ALL networks are allowed:
 Device               Port
╭──────╮           ╭─────────╮
│      │ untagged  │ PIF ALL │ untagged
│      │<──────────┤ VIF 20  │<──────────
╰──────╯           ╰─────────╯
PIF will untag traffic sent to it
Traffic must be tagged with the PIF VLAN for it to reach the device:
 Device               Port
╭──────╮           ╭────────╮
│      │ untagged  │ PIF 1  │ 1
│      │<──────────┤ VIF 20 │<──────────
╰──────╯           ╰────────╯
 Device               Port
╭──────╮           ╭────────╮
│      │ X         │ PIF 3  │ untagged
│      │           │ VIF 20 │<──────────
╰──────╯           ╰────────╯
Filter Tagged and Untagged Traffic
Tagged and Untagged traffic will be filtered at the port based on PIF and VIF.
 Device               Port
╭──────╮           ╭────────╮
│      │ 20        │ PIF 1  │ 20
│      │<──────────┤ VIF 20 │<──────────
╰──────╯           ╰────────╯
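As an added example (not code from the original page), the PIF/VIF rules in the egress and ingress figures above, and the port isolation of the 8-port switch figure, modelled in Python. ALL, UNTAGGED and DROP are constructed sentinels, and the handling of a frame that already carries the PIF id is an assumption, since the page does not show that case.

```python
ALL = "ALL"       # the page's 'PIF ALL': no native VLAN, every VLAN passes as-is
UNTAGGED = None   # frame carries no 802.1Q tag
DROP = "drop"     # frame filtered at the port

class Port:
    """A switch port in the page's terms: pif = native VLAN (PVID) or ALL,
    vifs = extra VLAN ids that pass only if the frame is already tagged."""

    def __init__(self, pif, vifs=()):
        self.pif = pif
        self.vifs = frozenset(vifs)

    def egress(self, tag):
        """Device -> switch ('Egress Traffic'). Returns the tag put on the wire."""
        if self.pif == ALL:
            return tag                  # ALL: untagged stays untagged, tags pass
        if tag is UNTAGGED:
            return self.pif             # untagged traffic is stamped with the PIF
        # pre-tagged traffic passes only on a VIF VLAN; a frame already carrying
        # the PIF id is treated as filtered here (assumption: vendors differ)
        return tag if tag in self.vifs else DROP

    def ingress(self, tag):
        """Switch -> device ('Ingress Traffic'). Returns what the device sees."""
        if self.pif == ALL:
            return tag                  # ALL: everything reaches the device as-is
        if tag is UNTAGGED:
            return DROP                 # the 'PIF 3' figure: untagged never arrives
        if tag == self.pif:
            return UNTAGGED             # the PIF strips its own tag
        return tag if tag in self.vifs else DROP

def transit(src, dst, tag):
    """A device on src sends `tag`; what does the device on dst receive?"""
    wire = src.egress(tag)
    return DROP if wire == DROP else dst.ingress(wire)

def isolation_demo():
    """The 8-port figure above: a trunk plus access ports on VLAN 2 and VLAN 3."""
    trunk = Port(ALL)     # port 1, sees every VLAN
    vlan2 = Port(2)       # ports 2-3
    vlan3 = Port(3)       # ports 4-6
    return {
        "vlan2 -> trunk": transit(vlan2, trunk, UNTAGGED),  # arrives tagged 2
        "vlan2 -> vlan3": transit(vlan2, vlan3, UNTAGGED),  # DROP: domains split
        "trunk -> vlan2": transit(trunk, vlan2, 2),         # arrives untagged
        "trunk -> vlan3": transit(trunk, vlan3, 2),         # DROP
    }
```

The four isolation_demo results are the security point of the section: a host on VLAN 2 can reach the trunk but never a VLAN 3 port, whatever it sends.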
UniFi APs
UniFi APs transmit both tagged and untagged data at the same time.
- Tagged: AP data. If configured, AP data is explicitly tagged with a VLAN before leaving the device.
- Untagged: AP management interface. By default the management interface is exposed as untagged traffic on the Management VLAN (VLAN 1) to make adoption easier. In newer versions you can configure the management VLAN to a custom VLAN.
- The LAN network defined under Networks on the UniFi controller describes the properties of the Management VLAN. This is the network that untagged traffic will be sent on.