Ref: https://learn.cantrill.io/courses/2022818/lectures/45662102

YouTube: https://www.youtube.com/watch?v=otG3cDbqi2E

• Summary:
• Contents:

Physical LAN scaling problems

• 🔧 Physical Local Area Network (LAN) = devices connected to a L2 Switch
  • Separate collision domains (one for each “device↔switch port” connection)
    • Better performance than LAN with just a L1 Hub
  • Shared broadcast domain → All-Fs frames received by all devices
• ❗ Poor scaling
  • Add more devices → more broadcasts
  • Devices could belong to different logical groups (testers, sale, finance…), but have same physical LAN and same broadcast domain → not ideal
• Scaling problems worse if LANs extend over different locations (floors, buildings…)
  • e.g. different buildings for logical group (testing, finance, sales…)
  • L2 Switches can connect for cross-location communication, but broadcast domain gets much bigger (Switch 1 domain + Switch 2 domain)
  • Staff member changes role (e.g. testing to sales) but not location → needs physical cable between locations → gets messy

Virtual Local Area Network (VLAN) - 802.1Q Standard

• 🔧 Virtual Local Area Network (VLAN) = logical L2 network
  • Can divide a physical LAN into several virtual LANs (VLANs)…
  • …using 802.1Q standard (colloquially .1Q - “dot one Q”)
    • 💡 Used in e.g. AWS Direct Connect → DX private & public VIFs use 802.1Q VLANs
• 802.1Q adds extra field (32b) to MAC Header in frames
  • Out of 32b, 12 of those bits store VID (VLAN ID)
  • Different VLANs have different VIDs → multiple VLANs can operate on same LAN
    • ❗ Each VLAN is isolated from each other VLAN → separate broadcast domain!
• VID is 12b → 4000+ VLANs possible

802.1Q Switches and Trunk Ports

• 🔧 802.1Q Switch = L2 Switch with .1Q capability
  • ❗ Sets ports to Access port (single VID) or Trunk port (all VIDs)
    • Access ports communicate with devices using standard Ethernet (no VLAN tags)
    • Trunk port = connection between two .1Q switches → carries all VIDs
• Example: Two .1Q switches connected, two broadcast domains, finance and testing laptops
  1. A finance laptop (VID=20) sends broadcast frame (all Fs) to Switch 1
  2. Frame arrives at Switch 1 on access port (switch knows which VLAN it belongs to)
  3. Switch 1 broadcasts frame to all access ports of same VLAN (in this case the other finance laptop connected to Switch 1)
  4. Switch 1 also broadcasts frame to all trunk ports, but adds VID=20 to frame in 802.1Q field before sending the frame to trunk ports
  5. Switch 2 receives broadcast frame tagged with VID=20 on its trunk port
  6. Switch 2 broadcasts same frame to all other trunk ports it has (in this case no other trunk ports)
  7. Switch 2 also strips 802.1Q tag/field from frame, then broadcasts frame to all access ports belonging to same VLAN (in this case, the finance laptop connected to Switch 2)
  • 💡 Testing laptops isolated from this broadcast, even if in same physical LAN!
  • 💡 A unicast frame will reach any device in same VLAN, even if on different location, without spamming other VLANs in the process
• ❗ .1Q switches & connected devices don't need to be in different locations, they can be in same location and traffic still be isolated into different VLANs!
• ‼️ Devices on different VLANs can NOT communicate with each other without a L3 Router!