logo
Jiff Slater
🤔 About
✍️ Contact
📚Knowledge
30 Jul 2021
These articles have been archived. You may find them useful but I am no longer offering support for them. Check out my latest articles on plkt.io.
VLAN Primer
21 February 2019

I recently picked up a simple TP-Link switch that supports 802.11q, also known as Virtual LANs.

Here’s a quick primer I wrote to guide myself when configuring my network. All diagrams were created with Graphviz.

Consider the simplest home network possible. You have a combination router/modem that connects your LAN to the WAN. We’ll hide the modem in this diagram as it acts on a lower layer than the router.

graph network {
node [shape=box, style=filled];

a [label="WAN"]
b [label="Router"]
c [label="LAN"]

a -- b -- c

}

Let’s add some more details. The router gets a mostly static IP address from the ISP and also provides DHCP services to the clients in the LAN.

graph network {
node [shape=box, style=filled];
a [label="WAN"]
b [shape=record, label="{ Firewall | { Router } | Switch } }"]
c [label="LAN"]

a -- b [headlabel="42.52.11.44"]
b -- c [taillabel="192.168.1.1/24"]

}

Now, we’ll flesh out the LAN to show some clients. Dotted lines show wireless clients. TODO FIX GRAPH

graph network {
node [shape=box, style=filled];

a [label="WAN"]
b [shape=record, label="{ 42.52.11.44\nFirewall | { Router } | Switch \n 192.168.1.1/24 } }"]
c [label="192.168.1.2\nPlaystation"]
d [label="192.168.1.3\nKindle Fire"]
e [label="192.168.1.4\niPhone"]
f [label="192.168.1.5\nNintendo Switch"]
g [label="192.168.1.6\nPC"]

a -- b
b -- {d, e, f} [style=dotted]
b -- {c, g}
}

This is a typical home network. Now let’s introduce a VLAN into the network. It operates at layer 2 and creates the appearance of network traffic that is operating on a single network. Because most home modem/routers don’t support VLANs, we introduce another device that sits between the modem and LAN and serves as the router.

In this VLAN, we want wireless traffic to be segmented from wired traffic. Usually this could be easily configured by issuing separate subnets for the wired and wireless clients but we want to have total isolation between the two. Each VLAN has its own broadcast domain.

Here, we introduce a separate wireless switch and tag traffic coming from the switches. In this configuration the router acts as the default gateway for both subnets and can see all VLAN traffic.

graph network {
node [shape=box, style=filled];

a [label="WAN"]
h [label="Modem"]
b [shape=record, label="{ 42.52.11.44\nFirewall | { Router } }"]
c [label="192.168.1.2\nPlaystation"]
d [label="192.168.2.2\nKindle Fire"]
e [label="192.168.2.3\niPhone"]
f [label="192.168.2.4\nNintendo Switch"]
g [label="192.168.1.3\nPC"]
i [label="Switch (wired)"]
j [label="Switch (wireless)"]


a -- h
h -- b
b -- i [label="192.168.1.1/24\nVLAN 10"]
b -- j [label="192.168.2.1/24\nVLAN 20"]
i -- {c, g}
j -- {d, e, f} [style=dotted]

}

All images generated with thanks from https://dreampuf.github.io/GraphvizOnline