Virtual LANs (VLANs)
By design, Network Hosts connected to the same Local Network topology, whether by means of an Access Point or Switch, can pass traffic back-and-forth transparently.
Often, a flat, transparent network topology can be undesirable, especially if Users with Different Access Privileges, such as Guests & Admins, send and receive data on the same LAN.
By contrast, Virtual LANs, or VLANs for short, logically divide a local network topology in order to isolate traffic to separate broadcast domains.
Conceptually, deploying two different LANs is the same as configuring two different VLANs on the same hardware.
However, VLANs consolidate hardware, like in “Router-on-a-stick” topologies.
In this example, three Hosts connected to the same Switch can reach each other via Broadcast.
However, once assigned a VLAN, Hosts can only broadcast to other Hosts in the same VLAN.
InterVLAN traffic therefore, requires a Router or Layer-3 Switch.
According to 802.1Q, the industry standard for Virtual LANs, Network Traffic receives VLAN Assignment through “tagging”.
More specifically, the Header of a Layer-2 Frame receives a specific “tag” or VLAN ID, representing the VLAN to which the “tagged” traffic belongs.
In general, most vendors, including Ubiquiti, use VLAN1 as the Default VLAN so Network Devices and Protocols communicate and work ‘out-of-the-box’.
However, today’s Network Layer-2 Network Devices all support 802.1Q for traffic “tagging”, where Host packets receive VLAN assignment.
Because Host traffic in VLAN 10, 20, and 30 is tagged with their respective VLAN ID’s, they can only broadcast to other Hosts within their Virtual LANs, and not to Hosts in other VLANs.
In order to work with “tagged” traffic, Interfaces and Ports receive Port VLAN Assignments, or PVID for short, and classify as one of two Port Types: Access Ports, and Trunk Ports.
Access Ports connect to Host Devices, and therefore have a single Port VLAN ID.
On the other hand, Trunk Ports connect to other Trunk Ports of VLAN-Ready Devices, and can receive as many Port VLAN IDs as are required per the Network Topology.
To help illustrate how “VLAN tagging” works with traffic, consider the following:
A Host sends traffic upstream without “tags”.
The “untagged” traffic reaches the Access Port, at which point, the Access Port inserts the VLAN ID, or, the “tag”, to the Frame Header.
With the VLAN “tag” now in the Frame Header, Trunk Ports recognize which areas of the Layer-2 Network to carry the VLAN Traffic going upstream.
As “tagged” traffic moves downstream, the Access Port removes the VLAN “tag” from the Layer-2 Header, so the Host receives the traffic “untagged”.
Trunk Ports can also carry “untagged” traffic if desired, but only one VLAN ID can and should be assigned to the “untagged” traffic.
Like all traffic destined to non-local networks, inter-VLAN traffic, must be routed through a Local Gateway.
To clarify, interVLAN traffic must be routed for two reasons:
At Layer-2, each Virtual LAN represents a separate broadcast domain, while
At Layer-3, each VLAN receives a unique Network IP Range.
Similar to how Switch Ports and Access Point SSIDs receive PVIDs, a Router can be configured with Virtual Interfaces to participate in a Virtual LAN.