Networking 101: VLANs and Network Layers
Originally Posted: April 15th, 2021
Lesson One Open Beta
The other day someone asked me if I could explain VLANs in a way that’s understandable to normal people. It was a good question, but I didn’t have a good answer. Learning networking is hard, and teaching networking is even harder. This post is my first attempt. Consider this an open beta of lesson one. If you have questions or feedback, contact me or join my Discord server.
To understand VLANs, we need to cover some networking fundamentals and the OSI model. When I learned the OSI model for the first time, my eyes glazed over. I didn’t understand why it mattered. It’s easy to get lost in the details, and I’ll try to avoid doing that here. I want to balance moving quickly with being thorough, and the theoretical with the real-world. I’m using Ubiquiti’s UniFi system in my examples, but the same concepts apply to other manufacturers.
Binary Beginnings
The main goal of networking is getting information from point A to point B. Computers don’t understand information though, they only understand on and off. Binary 1’s and 0’s, on and off. We can use this simple language to represent complex things, like all the information on this webpage. This webpage is a carefully-crafted collection of 1’s and 0’s, delivered via millions of electrical pulses through a cable or over the air. It’s pretty amazing when you start peeling back the layers and understanding what allows this to happen.
Imagine you’re setting up a new network. It’s usually simple to get things up and running, but what is the right way to do things? What is a VLAN, and what is it used for? What’s a subnet? Why should we care about any of this? By the end of this post, I want to answer those questions. I also want to expand on this diagram, and have it make sense to you.
OSI Layer 1 - Physical
The OSI model is a conceptual way to break down networking into 7 layers. Let’s start at the bottom, which is the physical layer.
At layer 1, we transmit and receive short electrical pulses which represent raw binary bits, 1’s and 0’s, on and off. The physical layer contains cables like Ethernet, fiber, or coax, and radio waves such as Wi-Fi or cellular connections. This is the layer where binary information is converted into electrical signals, and from electrical signals back into binary information.
Layer 1 is the foundation of all networking, and the layers above all require a good layer 1 connection. If your physical connection stinks, you won’t get very far. Using good cables or having a good wireless connection comes first, and from there we can build up our network to layer 2.
OSI Layer 2 - Data Link
Here’s where things get complicated. Stepping up to layer 2, we have the data link layer. This is the layer of switches, wireless access points, frames, and MAC addresses. At layer 2, we deliver groups of bits back and forth. We establish connections between directly connected devices, and detect frames that were corrupted on the way (Wi-Fi also retransmits lost frames at this layer). You can think of layer 2 as everything that is needed to get to the other side of the cable, or through the air to the other antenna.
Layer 2 isn’t as simple as layer 1, and it introduces a lot of terminology. The important ones I want to cover are LANs, VLANs, trunk ports, and access ports. A LAN is a local area network, which is loosely defined as the network within a limited area. Your home network is likely a single layer 2 LAN.
Devices can communicate directly with other devices in their LAN. If you plug a computer and a printer into a layer 2 switch, they will be part of a single LAN, allowing you to print without other devices getting involved. You can expand a LAN by connecting more switches and more devices, but LANs are limited in size and location. Layer 2 networks are great for getting around a small area and connecting a handful of devices. Once it starts to get too big (100s of devices, or multiple buildings), you want to break it up.
Exit Physical, Enter Virtual
By default, everything you plug into an Ethernet switch is part of the same LAN. Managed switches aren’t limited to a single LAN though, which is where VLANs come in. VLANs are virtual local area networks. By using VLANs, we can divide a single switch into multiple virtual switches. This allows us to separate devices at layer 2 without buying another switch. You can think of VLANs as physically separate switches, even though the separation is virtual.
If you plug a printer into a port belonging to VLAN 20, it wouldn’t be able to communicate directly with your computer in VLAN 10. That’s what VLANs do - they separate one layer 2 LAN into multiple. Being in a different VLAN essentially removes the connection between devices, even if they are physically connected to the same switch.
Before we cover trunk ports, access ports, and VLAN tagging, let’s look at our diagram again with 3 different VLANs.
Frames, Trunks, and VLAN Tags
By default, most switches put all ports into VLAN 1. In the network shown above, we’ve added two additional VLANs, 10 and 20. VLAN 1 is still there, so we have 3 different virtual LANs inside this single switch. To avoid needing 3 cables to connect these 3 different networks, we use what’s known as a trunk port. Just like how VLANs allow you to split a single physical switch into many virtual switches, trunks allow us to split a single physical connection into many. The single cable going from the router to the switch can transport traffic on VLAN 1, 10, and 20 at the same time.
To keep traffic separated on a trunk, each frame carries a VLAN ID. At layer 2, a group of bits is called a frame, and the most common type is the standard Ethernet frame. A plain Ethernet frame has fields for the destination MAC address, the source MAC address, the type of payload it carries, and a checksum that lets the receiver detect a corrupted frame. The VLAN ID is not in the plain frame; it lives in an extra 4-byte 802.1Q tag that is inserted right after the source MAC address. 12 bits of that tag hold the VLAN ID, a number that can range from 1 to 4094 (0 and 4095 are reserved), and it identifies the VLAN that the frame belongs to.
Looking at the example again, we kept VLAN 1 as the default untagged network. If a computer is plugged in and sends frames with no VLAN ID, it’ll use VLAN 1. Frames that are sent without a VLAN tag are called untagged frames. We can specify a single untagged VLAN on a port, making it an access port. That’s what we did for the laptop, making it a VLAN 10 device.
Frames that are sent with a VLAN ID are called tagged frames. We can tell devices like wireless access points to send all traffic with a particular VLAN tag, assigning all Wi-Fi devices to a particular network.
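The tagging described above, as an added example that is not part of the original post: a small Python script that builds Ethernet frames with and without an 802.1Q tag, parses them back, and applies the port rules a switch uses (on a trunk, a tagged frame goes to the VLAN in its tag and an untagged frame goes to the native VLAN; on an access port, the untagged frame goes to the port’s one VLAN and the tag is stripped on the way out). The MAC addresses and payloads are constructed for the example. How a real switch treats a tagged frame that arrives on an access port varies by vendor, so the access-port function here simply rejects one; that is an assumption, not UniFi’s behaviour.

```python
import struct

# Constructed sample addresses for the example (not from the original post).
LAPTOP_MAC = bytes.fromhex("0242ac110a19")
PRINTER_MAC = bytes.fromhex("0242ac110a64")

ETHERTYPE_VLAN = 0x8100  # 802.1Q: a 4-byte VLAN tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vlan_id is given.

    Layout (tagged): dst(6) src(6) 0x8100(2) TCI(2) ethertype(2) payload
    TCI = 3-bit priority (PCP) | 1-bit DEI | 12-bit VLAN ID.
    The trailing 4-byte frame check sequence is left off, as most capture APIs do.
    """
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | vlan_id
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    return dst, src, vlan_id, ethertype, frame[offset:]


def trunk_ingress_vlan(frame, native_vlan=1):
    """VLAN a switch assigns to a frame arriving on a trunk port: tagged frames
    use the VLAN in their tag, untagged frames fall into the native VLAN."""
    vlan_id = parse_frame(frame)[2]
    return native_vlan if vlan_id is None else vlan_id


def access_ingress_vlan(frame, access_vlan):
    """VLAN a switch assigns to a frame arriving on an access port.
    Assumption for this example: a tagged frame on an access port is rejected."""
    if parse_frame(frame)[2] is not None:
        raise ValueError("tagged frame received on an access port")
    return access_vlan


def strip_tag(frame):
    """What the switch does before sending a frame out an access port: drop the tag."""
    dst, src, _vlan_id, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload)


if __name__ == "__main__":
    tagged = build_frame(PRINTER_MAC, LAPTOP_MAC, ETHERTYPE_IPV4, b"print job", vlan_id=10)
    untagged = build_frame(PRINTER_MAC, LAPTOP_MAC, ETHERTYPE_ARP, b"who-has?")
    print("tagged frame on a trunk goes to VLAN", trunk_ingress_vlan(tagged))              # 10
    print("untagged frame on a trunk goes to VLAN", trunk_ingress_vlan(untagged))          # 1
    print("same frame on a VLAN 20 access port goes to VLAN", access_ingress_vlan(untagged, 20))  # 20
```

The `trunk_ingress_vlan` default of 1 mirrors the switch default described above: an untagged frame on a trunk is not "VLAN-less", it silently becomes a member of the native VLAN.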
Quick Review: What’s a VLAN?
A VLAN is a virtual local area network, or virtual LAN. You can think of a LAN as a single physical switch, and a VLAN as a single virtual switch. VLANs allow us to separate our network at layer 2, grouping ports and wireless connections together, or separating them. We can create multiple VLANs on a single switch, or access a single LAN across multiple switches and radios.
Trunk ports allow us to carry multiple VLANs, and access ports allow a single VLAN. In the diagram, the cable between router and switch is a trunk, and it has VLANs 1, 10 and 20 going across it. Trunks have a “native” untagged VLAN, which is the VLAN that is accessible without tags. A computer plugged into a trunk port would use the untagged network, which is worth remembering: anything plugged into that port lands in the native VLAN without asking. VLAN 10 and 20 are tagged VLANs, meaning traffic for those networks is sent with a small identifier to show which VLAN it belongs to.
The computer that’s plugged into the VLAN 10 access port can only communicate with other devices in VLAN 10, but what if it wants to talk to a device that’s in VLAN 20? That’s when we have to go up one more level, to layer 3.
OSI Layer 3 - Network
This is where it gets fun. Stepping up to layer 3, we have the network layer. This is the layer of routers, packets, and IP addresses. At layer 3, we route groups of bits between networks. Layer 3 devices act as the GPS of the networking world, mapping out directions and pointing the way for all the layer 1 and 2 connections along the way. You can think of layer 3 as everything that is needed to get from one LAN to another, or from a LAN to the Internet and back.
Layer 3 builds on the lower two layers, and here we define logical addresses called IP addresses. At layer 3 we have routers, which are the post office of the network world. We also have packets, which are the letters we’re sending back and forth. We route information between groups of devices we call subnets. On every step of the journey, a packet is wrapped inside a fresh layer 2 frame and handed to the next physical link in the chain; the IP addresses stay the same end to end, while the MAC addresses change at each hop.
What’s a Subnet?
A subnet is a layer 3 network. It’s a logical grouping of devices which can all communicate with each other directly at layer 3. Rather than communicating only with the other end of the wire or radio wave, we can directly address any device in our subnet. We do this by addressing packets to its IP address. The router can directly address the wireless access point, even if it has to take multiple layer 2 hops through switches on the way there.
Layer 3 networks also have the ability to transcend the limits of a layer 2 LAN, traveling to the Internet or any other connected networks. Layer 3 can take you all around the world, and even into space. Kind of. It’s not that simple, but one step at a time here, right?
Instead of referring to subnets by their VLAN ID, we define them by their range of IP addresses. Most IPv4 LANs use the common RFC1918 address ranges of 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8. Subnetting and the CIDR notation I just used require a bit of fun math, but that’s a topic for another day. Let’s focus on our example again, and use an easy subnetting scheme which matches up with our VLAN IDs. Layer 2 VLANs normally correspond with Layer 3 subnets, and it’s common to give a LAN network a /24, which is 254 usable IPv4 addresses.
VLAN 1 = 192.168.1.0/24
192.168.1.1 to 192.168.1.254
VLAN 10 = 192.168.10.0/24
192.168.10.1 to 192.168.10.254
VLAN 20 = 192.168.20.0/24
192.168.20.1 to 192.168.20.254
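The “fun math” behind those three ranges, as an added example that is not part of the original post: a Python script that derives the network address, mask, broadcast address and usable range from a CIDR string with plain bit operations, builds the post’s VLAN-to-subnet convention (VLAN N becomes 192.168.N.0/24), and cross-checks itself against the standard library’s `ipaddress` module. It goes a little beyond the /24 case in the text and also handles wider blocks and the /31 and /32 edge cases, which have no reserved network or broadcast address. The helper names are my own.

```python
import ipaddress  # standard library, used here only to cross-check the hand-rolled math


def ip_to_int(ip):
    """'192.168.10.25' -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr):
    """Work out network, mask, broadcast and usable range for an IPv4 CIDR block."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # /24 -> 0xFFFFFF00
    network = ip_to_int(ip) & mask                       # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)           # set the host bits
    size = 1 << (32 - prefix)                            # addresses in the block
    if prefix >= 31:
        # /31 point-to-point links and /32 host routes reserve nothing
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last),
        "usable_hosts": usable,
    }


def vlan_subnet(vlan_id, base="192.168"):
    """The post's convention: VLAN N -> 192.168.N.0/24. Only fits VLAN IDs 1..255."""
    if not 1 <= vlan_id <= 255:
        raise ValueError("VLAN ID does not fit in one octet; pick the subnet by hand")
    return f"{base}.{vlan_id}.0/24"


def matches_stdlib(cidr):
    """True when the hand-rolled math agrees with ipaddress for this block."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["network"], info["mask"], info["broadcast"]) == (
        str(net.network_address), str(net.netmask), str(net.broadcast_address))


if __name__ == "__main__":
    for vlan in (1, 10, 20):
        cidr = vlan_subnet(vlan)
        info = subnet_info(cidr)
        print(f"VLAN {vlan:>2} = {cidr}: {info['first_usable']} to {info['last_usable']}, "
              f"{info['usable_hosts']} usable, broadcast {info['broadcast']}")
```

Running it prints the same three lines listed above. The `vlan_subnet` check is the practical limit of the VLAN-equals-third-octet scheme: it stops working at VLAN 256, and at that point the subnet has to be chosen on its own.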
That was a lot of densely packed information, so let’s z̶o̶n̶e̶ ̶o̶u̶t̶ ahem, I mean take a look at our diagram again. This time, at layer 3.
How does a VLAN Differ from a subnet?
In the vast majority of networks, we align our separations of the network at layer 2 and 3. This means that for every VLAN, we have a single layer 3 subnet. To keep things simple, a lot of people tend to use the VLAN ID as part of the subnet address. There’s nothing stopping us from assigning any IP address range we want, but keeping those numbers the same makes for easier management, and a clearer understanding that they are linked to each other.
Above layer 3 we have layers 4 through 7, which I’ll cover later. Layers 4 through 7 handle a lot of important aspects of how networking works, and the layers all depend on each other. I wanted to focus on the foundation of layers 1 through 3 first. I also want to get away from the theoretical, and return to our real-world example network.
Putting It All Together
Stepping back, let’s consider this setup from all three layers at the same time.
At layer 1, we’re using Ethernet and Wi-Fi to connect devices.
At layer 2, we created a few VLANs to separate out devices into groups.
At layer 3, we’re routing or restricting traffic between networks, and sending and receiving Internet traffic.
Real-world Application
Let’s look at the simple setup shown in the diagram above. We have an Internet connection, a router, a switch, and an access point. Let’s look at things from the router’s perspective. The UniFi Dream Machine is actually all three devices in one, but for now, let’s pretend it’s only a L3 router.
Layer 1
At layer 1, cables and radio waves. We have an Ethernet cable to the Internet, and cables to our switch and our wireless access point. Our switch allows us to add more cables and wired connections, and our AP allows us to wirelessly connect to devices around us. We have many paths to exchange bits, and in turn, information.
Layer 2
At layer 2, we have more to look at. Let’s focus on our local area network, and the link between router and switch. We use this single cable to connect to multiple VLANs, since it’s a trunk. We’re using the default untagged VLAN 1, but we’ve also added two more VLANs, 10 and 20. This means we have three separate LANs to put devices into.
We control the VLANs and layer 2 separation with our switches, and layer 3 and subnet assignment with our router. Routers and firewalls allow us to control which networks can communicate, and which can not. To reach devices in other VLANs and other networks, we need to step up to layer 3 and use a router.
Layer 3
At layer 3, these networks all use the router as their default gateway, meaning the router is responsible for sending information to and from other networks.
We can assign 192.168.10.0/24 as our main network, where most of our devices live. We can assign 192.168.20.0/24 as our guest or IoT network, and prevent it from communicating to our other local networks. Separating them at layer 2 and 3 allows us to make firewall and routing rules to allow or disallow any traffic between them.
Another Example
If we have a laptop and a printer in VLAN 10, they would have unique IP addresses within the 192.168.10.0/24 range. We can assign the computer to be 192.168.10.25, and the printer to be 192.168.10.100. Since they are in the same L2 and L3 network, they are able to communicate directly. We would be able to print from the laptop with no routing needed.
The laptop would send an ARP request for the MAC address of the printer. Once it has the MAC address, it can send its frames to the proper address, and the switch will deliver them. We could add in more switches, or connect to the printer wirelessly, and the process would be the same. As long as they are in the same L2 and L3 network and no restrictions are put in place, they can directly address each other.
If we move the printer to VLAN 20 and change its IP address to 192.168.20.100, we need a router to communicate between them. This is where a lot of the value of layer 3 separation comes in. If you don’t want two devices to communicate, put them into different subnets and use a router or a firewall to block them. Without a separation at layer 3, your security options are much more limited, because traffic between two devices in the same subnet is switched at layer 2 and never reaches the router or its firewall rules.
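The two decisions in this example, as an added example that is not part of the original post: a Python script that models the layer 3 choice every host makes (is the destination in my own subnet? then ARP for it directly; otherwise ARP for the default gateway) together with a first-match inter-VLAN policy on the router. The addresses follow the post’s plan (192.168.VLAN.0/24, laptop at .10.25, printer at .10.100 or .20.100); the gateway at .1 on each subnet and the policy rules beyond “the guest/IoT network may not reach the other local networks” are assumptions for the example, not UniFi defaults.

```python
import ipaddress


class Host:
    """A host with one interface: its own address/prefix and a default gateway."""

    def __init__(self, name, address, gateway):
        self.name = name
        self.iface = ipaddress.ip_interface(address)   # e.g. "192.168.10.25/24"
        self.gateway = ipaddress.ip_address(gateway)

    def next_hop(self, dst):
        """Layer 3 decision before sending: if the destination is inside my subnet,
        ARP for the destination's MAC and deliver at layer 2. Otherwise ARP for
        the default gateway's MAC and let the router take it from there."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return "direct", dst
        return "via-gateway", self.gateway


# Assumed inter-VLAN policy: (source network, destination network, action).
# First match wins; anything unmatched is denied. Only the first rule is
# stated in the post (guest/IoT must not reach other local networks).
POLICY = [
    ("192.168.20.0/24", "192.168.0.0/16", "deny"),   # IoT/guest -> any local subnet
    ("192.168.0.0/16",  "192.168.0.0/16", "allow"),  # other local subnets talk to each other
    ("192.168.0.0/16",  "0.0.0.0/0",      "allow"),  # any local subnet -> Internet
]


def router_policy(src, dst, policy=POLICY):
    """Evaluate the router's rules for a packet it is asked to forward."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def can_reach(host, dst, policy=POLICY):
    """Combine both decisions. Returns (allowed, explanation)."""
    how, hop = host.next_hop(dst)
    if how == "direct":
        # Same subnet and VLAN: the switch delivers the frame and the router never
        # sees it, so its policy cannot block it. This is the limit the post describes.
        return True, f"{host.name} ARPs for {hop} and talks to it directly; router not involved"
    action = router_policy(host.iface.ip, dst, policy)
    return action == "allow", f"{host.name} sends to gateway {hop}; router policy says {action}"


if __name__ == "__main__":
    laptop = Host("laptop", "192.168.10.25/24", "192.168.10.1")
    printer = Host("printer", "192.168.20.100/24", "192.168.20.1")
    print(can_reach(laptop, "192.168.10.100"))   # printer still in VLAN 10: direct
    print(can_reach(laptop, "192.168.20.100"))   # printer moved to VLAN 20: via router, allowed
    print(can_reach(printer, "192.168.10.25"))   # IoT side initiating to the main network: denied
    print(can_reach(printer, "8.8.8.8"))         # IoT to the Internet: allowed
```

One caveat this toy leaves out: it evaluates only the direction in which a connection is started. A real router firewall is stateful, so once the laptop opens a connection to the printer in VLAN 20, the printer’s replies are allowed back as return traffic even though the printer could not start a connection of its own toward VLAN 10.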
In networking, you need to divide to conquer.