VLAN on a managed switch?

[bwana]

I thought the purpose of VLANs was to allow separate subnets on a router. In other words, if my router is set to 192.168.1.1, and my client pcs are 192.168.1.2-254, 255.255.255.0 they are all on one subnet. If I want two separate subnets, I need to create two VLANs and that is a function of the router. I would have one subnet at 192.168.2.x and another at 192.168.1.x

But I have this HP Procurve 1810 switch that has VLANS. It allows me to create VLANS but nowhere in the settings am I allowed to specify IP addresses. If no IP addresses are being specified, how is this a VLAN?

The documentation says something about restricting multicast packets to subnets. but that confuses me even more. If all the devices are in the same IP range, how can they be on different VLANs?

 

[abailey]

Don't get VLANs confused with subnets. Subnets are like you described. VLANs are just different virtual LANs. You can have two separate LANs with the same subnet, and you can also have two VLANs with the same subnet. Having multiple VLANs on the same subnet is something you usually see on a small network. This type setup can get to be a real mess as the network grows and thus most of the time you will see each VLAN having a separate subnet. The switch you are talking about seems to be a layer 2 switch. Layer 2 switches don't care about IP address, that is a layer 3 function (router function). That is why you cannot specify different IP's for the subnet on the switches. The switches simply divide up the network into VLANs and you need another device (like a router) to assign the subnet range for each VLAN.
In other words think of two VLANs like two separate switches. These switches can be running the same subnet or different subnets depending on what they are connecting to.

 

[bwana]

thank you bailey for clarifying that. one wonders then what purpose do VLANS serve? VLANs are therefore an aggregation of some of the physical ports of a switch into a subset. Subsets on different switches can be merged(tagged) into the same VLAN. But so What?

if i have many devices on a large switched network, then each device is identified by the switch using its MAC address. A direct connection between any two devices can thus easily be made. What benefit does it do any device to say it belongs to a 'special club' (VLAN) since the switch has to look at the MAC address anyway?

 

[sinshiva]

if two devices are on different vlans (with or without tagging) without routing or bridging or is bridged but with filters via ebtables, etc., there won't be communication with each other

though i like the idea of different vlans using different subnets, there is something to be said about the efficiency in handling segregation at layer2 for the soho network when dealing with both ipv4 and ipv6

 

[Nerre]

A VLAN is like having "several virtual cables in the same cable".

 

[Dreamslacker]

thank you bailey for clarifying that. one wonders then what purpose do VLANS serve? VLANs are therefore an aggregation of some of the physical ports of a switch into a subset. Subsets on different switches can be merged(tagged) into the same VLAN. But so What?

if i have many devices on a large switched network, then each device is identified by the switch using its MAC address. A direct connection between any two devices can thus easily be made. What benefit does it do any device to say it belongs to a 'special club' (VLAN) since the switch has to look at the MAC address anyway?

At it's most basic, think of VLANs as simply a method of making multiple virtual separate switches.

This might not seem useful to you as a basic user but it can come in useful in larger networks.

E.g. Consider an office with 20 network points and 2 groups of 10 users with separate network connections.

You could get 2 x 16 port switches, delegating 1 for each group of users.
i.e. Switch A connects to Group 1 and their router. Ditto for Switch B & Group 2.

Alternatively, you could get a 24 port VLAN switch and connect them all. Set VLAN A for ports connected to group 1 & their router and VLAN B for group 2 & their router.

The magic here is that if a user relocates, you simply go into the UI and change the ports VLANs instead of manually switching the cables. Also, if the number of users change in each group, you can reallocate the port resources dynamically.
e.g. 16 users in Group 1 & 4 in Group 2, you can still maintain the separation by changing the VLANs. If you had chosen to buy 2 x 16 port dumb switches, then you're out of luck here.

Next thing VLANs can do is to do what we call a port trunk - a single port that is a member of multiple VLANs.

So say you have a 3 storey building that was wired up a long time ago. You have only 1 cable going from the 1st storey to the 2nd, and 1 cable from the 2nd to the third.
Now, if each level requires it's own separate network, you can use VLAN trunks by having a VLAN switch on each level. Each level is assigned a single unique VLAN ID.
For the ports connected to the cables between levels, you simply make them members of all 3 VLANs. And for the ports on each switch serving each level, you make them untagged (aka access) ports for the VLAN in that level.

In this manner, you are able to connect the router for level 3 to the correct VLAN switch port on level 1 and still serve the clients there.

 

[azazel1024]

Other possibilities (to expand on the points above)...as a home user, things you can do, especially if you have access points that support VLANs as well...

You can setup your APs with two VLANs, one for the main SSID/WiFi network where all switch ports are members of that VLAN and then you can set a secondary/guest SSID to the second VLAN, which can only access the router for internet access (some APs can do this with guest SSID access with network segregation, which only allows access to the gateway IP address from the AP, but a number of routers running in AP mode won't work correctly with guest SSID network segregation).

You can set it up with a couple of VLANs so that if you want a server to be accessible from the wider internet with increased security, instead of simply having port forwarding enabled from the router to the server, you can also have the server on a secondary VLAN that only has access to the router and nothing else...so if anyone ever managed to get control over the server from outside, they couldn't access anything else on the network through the server.

On really big networks, ICMP (Internet Control Messaging Protocol) traffic can take up a lot of "time" from devices. ICMP packets are sent out by basically everything on an ethernet network to say "hi. Is anyone there? What is your MAC?". It allows switches and other L2 devices to build MAC address tables so that they know where to send packets (among other things). However, get a TON of devices on a network and you can have HUNDREDS (or thousands) of devices periodically sending ICMP packets over the network "storming" all of the devices.

Using VLANs you can break up networks on an L2 level and just have shared resources accessible to multiple VLANs, even though everything is physically still connected. No routers needed to do this (saves costs/increases speeds).

You can also control traffic priority by using VLANs. You can set VOIP devices to their own VLAN and then set traffic priority on the switches to the voice VLAN and set a lower priority to data traffic. You can break it up even more if you have a third tiers that can have even lower priority, say setting up all of the VOIP devices on the highest priority VLAN, the video conferencing gear on the second priority VLAN, regular workstations on the third priority VLAN and network printers on the fourth priorty VLAN (or something like that).

Anyway, for a typical home user VLANs are going to do nothing, other than be a curiosity, but they have great utility for SMB/Enterprise and even in some cases with home users depending on exactly what they are doing.

 

[LoneWolf]

A lot of good replies here.

At home, VLANs benefit mainly the tech enthusiast. That's about it. If all you need is a single /24 mask (e.g., 192.168.1.1-1.254), you won't need them.

However (and this also is where you get into enterprise networking) say you decide you want to have the ultimate networked home. You want, say, six IP security cameras, and you want four VoIP phones, and then another four wireless access points.

By using VLANs, you can distribute the traffic, both for organization's sake, and prioritization. So I might do this with my (for example) 24-port managed switch:

VLAN 10 (Data) on my first five ports, 192.168.100.1 - 100.254
VLAN 11 (Voice) on my next five ports, 192.168.101.1 - 101.254
VLAN 12 (Security) on my next five ports, 192.168.102.1 - 102.254
VLAN 13 (Wireless-Private) on my next five ports, 192.168.103.1 - 103.254
VLAN 14 (Wireless-Guest on the same five ports as VLAN 13, 104.1-104.254

By doing the above VLANs, I can do the following:

1. I can keep groups of devices organized for easy management.
2. I can optionally use QoS (Quality-of-Service) to prioritize the voice VLAN over other traffic, ensuring my VoIP phones always have clear calls even if someone is running Bittorrent. This may require the VLANs working in conjunction with a head-end device (router, etc.) that is also VLAN aware and configured with the same IDs.
3. If I only have one Ethernet port somewhere in the house where I need a PC and a phone, I could run two VLANs on a single switchport, and do what is called tagging of the traffic, so that both can operate on the same port (the PC would run daisy-chained through the phone).
4. I could run two VLANs on a switchport for my wireless access points, and set them up so that my private wireless uses one VLAN and my guest wireless uses another. Then I could ensure that my guest VLAN had only Internet access, and couldn't touch other devices on the network. With VLAN tagging, each network could be provided a different DHCP scope.

This is a pretty basic rundown; with a proper small-business router or firewall, you can use the VLANs to guarantee a minimum bandwidth on a VLAN, or limit bandwidth to a maximum on another. You could set up one VLAN to only have internal LAN access.

Most people don't need to do the above in their home other than for lab-work for training for their job, or puttering around. However, you could set your kids' up with a wireless SSID that has Internet content filtering while yours is open, via VLANs and OpenDNS Family Shield for their network.