Understanding VLANs is not always easy, especially if you learn about them from the internet by yourself.
Firstly, what is the purpose of VLANs? How do you differentiate between tagged and untagged ports? And what is the PVID?
A simple definition is: A VLAN is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.
Let's simplify this. For now, think about a twenty-four port switch to which two companies are connected. They share the same internet connection, but the companies must not be able to see each other's network. This is where VLANs come in. Without expanding your network by buying additional equipment, you can segment this switch so that it acts like three different switches, each segment working independently from the others.
This can make networks easier to manage, but it also adds complexity. If you understand the concept of VLANs and how they interact with other devices and technologies, maintenance and upgrades will be easy.
But like everything else, you can quickly over-complicate a network environment and cause more issues than you are solving.
Let's quickly work through a few concepts that you need to know to understand this better.
VLAN ID
The VLAN ID is a specific number that you assign to a VLAN segment. This ID is added to the frames being sent, either by the device itself or by the switch when it receives the traffic. If the switch port the data is being sent to is a member of the same VLAN ID, it will accept the data and forward it. If the VLAN ID does not match, it will drop the data.
VLAN-Aware vs VLAN-Unaware
One of the most difficult things to explain is the difference between a tagged port and an untagged port.
The basics are that there are two types of device you can plug into your network: VLAN-aware devices and VLAN-unaware devices.
Think of it like this: your home PC does not have an option to specify a VLAN when you plug it into your network, so it is VLAN-unaware. Most IP phones, on the other hand, have the option to add a VLAN ID, which makes them VLAN-aware.
Untagged
Similarly, an untagged port does not require the connected device to supply a VLAN ID when the switch receives data, so it is meant for a VLAN-unaware device. Instead, the switch assigns the traffic to the correct VLAN ID on its side using something called the PVID. When sending out of the same port, it will strip the VLAN ID if it matches the PVID.
Tagged
A tagged port, on the other hand, requires the VLAN ID to already be in the frame when receiving data from a VLAN-aware device. It will keep the VLAN ID in the frame when it sends out of the same port.
PVID
A Port VLAN ID (PVID) is a default VLAN ID that is assigned to an untagged port to designate the virtual LAN segment to which this port is connected.
What this means is that if a port is untagged in multiple VLANs, any VLAN-unaware device will automatically be placed in the PVID specified on that port. Only one PVID can be specified per port, so logically it makes no sense to have multiple untagged VLANs on the same port.
Where the PVID is useful is on ports that carry both tagged and untagged packets, for example an IP phone and a computer sharing one port. If a packet is received by the switch without a VLAN tag, the PVID tag is added. When the switch sends a packet out, it will strip the VLAN tag if it matches the PVID. This allows a computer to work on the same port as the phone without any networking changes.
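To make the ingress and egress rules above concrete, here is a small simulator of a VLAN-aware switch port, written as an added example for this post (it is not from any vendor's firmware). The port layout, the VLAN numbers 10 and 20 and the port numbers are constructed assumptions: port 1 carries a PC untagged on the PVID and a phone tagged on the voice VLAN, port 2 is a PC-only port, and port 24 is an uplink carrying both VLANs tagged.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """Hypothetical per-port VLAN configuration, modelled on the rules in the text."""
    pvid: int                                    # VLAN applied to untagged ingress frames
    tagged: set = field(default_factory=set)     # VLANs sent/received with an 802.1Q tag
    untagged: set = field(default_factory=set)   # VLANs sent without a tag (normally just the PVID)


def ingress(port: Port, vid):
    """Classify an arriving frame. vid=None means the frame carries no tag.
    Returns the VLAN the frame is placed in, or None if the switch drops it."""
    if vid is None:
        return port.pvid                          # VLAN-unaware device: the PVID is applied
    return vid if vid in port.tagged else None    # tagged frame must match a tagged member VLAN


def egress(port: Port, vid):
    """Decide how a frame already classified into VLAN vid leaves through port.
    Returns 'untagged' (tag stripped), 'tagged' (tag kept), or None (port not a member)."""
    if vid in port.untagged:
        return "untagged"                         # matches the PVID: strip the tag for the PC
    if vid in port.tagged:
        return "tagged"                           # keep the tag for the VLAN-aware device
    return None


def forward(ports: dict, in_port: int, out_port: int, vid=None):
    """Run one frame from in_port to out_port. Returns (vlan, egress_mode)."""
    vlan = ingress(ports[in_port], vid)
    if vlan is None:
        return None, None                         # dropped on ingress
    return vlan, egress(ports[out_port], vlan)


# Constructed example switch: VLAN 10 = data, VLAN 20 = voice (assumed numbers).
PORTS = {
    1: Port(pvid=10, untagged={10}, tagged={20}),   # phone + PC on one port
    2: Port(pvid=10, untagged={10}),                # PC-only port
    24: Port(pvid=1, tagged={10, 20}),              # uplink carrying both VLANs tagged
}

if __name__ == "__main__":
    print(forward(PORTS, 1, 2))           # PC to PC: (10, 'untagged')
    print(forward(PORTS, 1, 24, vid=20))  # phone to uplink: (20, 'tagged')
    print(forward(PORTS, 1, 2, vid=20))   # voice cannot reach a data-only port: (20, None)
    print(forward(PORTS, 1, 24, vid=30))  # unknown tag is dropped: (None, None)
```

Note that the last two cases are the isolation the post is after: a frame only reaches a port that is a member of its VLAN, and a tag the port was not configured for is simply dropped.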
You should now have a better understanding of how VLANs work. The concept stays the same regardless of whether the device is physical or virtual. If you have a big network, I would advise you to read up on trunk ports as well. For a smaller network, you should be able to secure your environment with a little bit of planning.
Excellent and clear explanation of VLANs, PVID, tagged and untagged!
Thanks!
So what is the best way to implement the first diagram, that is the one with Company A and Company B? I have a switch that uses PVID and tagged/untagged ports but I’m not able to configure it in a way to do what I want, and am having to use a different switch with port-based VLANs to accomplish
This depends on what you have at your disposal. The above was merely an example of something I did for a few companies which shared an internet connection with no firewall. The VLANs allowed them to invest in one switch but have different IP ranges without seeing each other's network equipment. The router was set up with different IP interfaces that only allowed internet access.