A VLAN, or Virtual LAN, is a method of dividing a physical Ethernet switch into separate physical and logical networks. On the physical side, instead of one Ethernet switch, it appears as if you have multiple physical Ethernet switches. Multiple Ethernet switches give the advantages discussed in the SOHO network. The best part is that VLAN'ing a switch is a software process configured through the switch's user interface. You decide how you want to divide your switch into virtual switches, or VLANs.
VoIP and VLANs Video
Physical VLAN'd Switch
Logical VLAN'd Switch
There are very good reasons to VLAN your network:
When a switch with VLAN capabilities turns on for the first time, all ports belong to the default VLAN ID 1. This is so that when you turn on a switch, all the ports work by default. VLANs are identified by numbers called VLAN IDs, and the first VLAN is numbered 1. Theoretically, you can have up to 256 VLAN IDs on a single switch or more, but practically the maximum used is much less, at around 6 to 10 for a small network.
Remembering which VLAN ID is assigned to which purpose is difficult and confusing. The solution is to give names to the VLAN IDs. This way you can identify the VLAN by its name, for example, Floor10, Accounting, Voice, Data, Engineering, ServerNet, etc. Just a note: there are no rules as to the numbering and naming of VLAN IDs as long as they follow the correct syntax for your switch. You can use any VLAN ID for any name - it's up to you.
The physical Ethernet ports of the switch are assigned to the VLAN IDs. The switch will have specific configuration commands through a command line interface (CLI) or web GUI. You can assign multiple ports or a single port to a VLAN. Some switch manufacturers look at it differently and say that you are assigning "VLANs to the port" instead of "ports to a VLAN". Either way, the end result is the same: there is a port-to-VLAN assignment.
Each VLAN will have its own network address. VLAN 20 will have a different network address than VLAN 30. There is a convention (not a rule but a best practice) that the network address corresponds to the VLAN ID. For example, VLAN 10 (Desktop) uses network address 192.168.10.0/24 and VLAN 30 (VoIP) uses network address 192.168.30.0/24. The purpose is to make it easier to troubleshoot the network and to easily determine which VLAN and network a device belongs to. As networks grow and the number of VLANs increases, following this rule of thumb will simplify network management.
There is no standard VLAN configuration method for Ethernet switches. Each switch manufacturer uses their own configuration commands either through a web GUI or command line. The config examples will use the Cisco command line just because I'm familiar with Cisco switches. Regardless, all follow the same basic process:
Again because there is no standard, we'll use Cisco. In User Exec mode (type "end" to get there), type "show vlan". It will show the new VLAN and the ports now assigned to it.
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Desktop                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
What about Unassigned Ethernet Ports?
Ports that haven't been manually assigned to a VLAN remain part of VLAN 1. Best practice usually requires that unused Ethernet ports be "shut down" for physical security reasons. That way no one can accidentally or intentionally (as in hacking) access a VLAN that the Administrator does not want them to access.
How do you access between VLANs?
From the information provided so far, you can't. Each VLAN is its own network with its own network address. In order to access one VLAN from another, you need to route between networks. This requires a different device: a router or a layer 3 switch. A layer 3 switch can only route between Ethernet networks. It can't route across WAN protocols, and it is limited in the higher level routing protocols at this time. Routing between VLANs is further covered in the Routing webpage.
Normally an Ethernet port on a switch can only be assigned to one VLAN, but there are special circumstances where a port can be configured to use more than one VLAN. The first use is an IEEE 802.1Q trunk (often referred to as dot1q for short). This trunk is only used to connect switch to switch and switch to router to allow VLAN traffic to pass. IEEE 802.1Q is a standard created by the IEEE to pass many VLANs between switches.
Switch to Switch Dot1Q Trunk
A second circumstance is when a VoIP phone is connected to a switch. Inside a VoIP phone is a 3 port Ethernet switch. The LAN port is connected to the Ethernet switch port that has two VLANs assigned to it: VLAN 30 VoIP (voice) and VLAN 10 Desktop (data). There is an internal port that is connected to the IP phone on the VoIP VLAN and a third physical port that is used for connecting to a PC on the Desktop VLAN. This reduces the requirement of running separate Ethernet cables for voice and data to each user's desk.
VoIP Multi-VLAN Port
This is an example of creating a multi-VLAN port for a VoIP phone on a Cisco switch. Compared with a normal VLAN configuration, there is one additional line, which identifies the voice VLAN.
interface fa0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
Note that the IP phone is on a different network (192.168.30.0/24) than the desktop PC (192.168.10.0/24). The IP phone's internal Ethernet switch must be configured either manually through the phone's web GUI or through the server's TFTP configuration files in order to know which VLAN is the voice VLAN.
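On a port that carries more than one VLAN, whether a dot1q trunk or the phone port above, frames are told apart by the IEEE 802.1Q tag. The following added example (not from the original page) reads that tag and checks frames against the VLANs assigned to the port; it assumes voice frames arrive tagged with VLAN 30 and PC frames arrive untagged, and the function names and sample MAC addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def classify_frame(frame, access_vlan=10, voice_vlan=30):
    """Return (vlan_id, verdict) for a raw Ethernet frame seen on the phone port."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return access_vlan, "ok: untagged, data VLAN"
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vlan_id = tci & 0x0FFF  # low 12 bits of the tag control field are the VLAN ID
    if vlan_id == voice_vlan:
        return vlan_id, "ok: tagged, voice VLAN"
    if vlan_id == 0:  # priority tag only: the frame belongs to the port's own VLAN
        return access_vlan, "ok: priority-tagged, data VLAN"
    return vlan_id, "unexpected: tag for a VLAN not assigned to this port"

def build_frame(vlan_id=None, priority=0, payload=b"\x00" * 46):
    """Constructed sample frame: IPv4 EtherType with an optional 802.1Q tag."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b""
    if vlan_id is not None:
        # Tag = TPID, then 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN ID.
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return macs + tag + struct.pack("!H", 0x0800) + payload

if __name__ == "__main__":
    samples = {
        "PC data": build_frame(),
        "phone voice": build_frame(30, priority=5),
        "stray tag": build_frame(20),
    }
    for name, frame in samples.items():
        print(name, classify_frame(frame))
```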