An introduction to VLAN Trunking

Contents

  • Introduction
  • Applications of VLAN Trunking
  • VLAN encapsulation types
  • Trunking requirements

Introduction:
There are many network devices in the data center that require multi-homing (multiple network adapters) to tie into multiple network segments.  As the number of those systems increases, it becomes more and more difficult to provide the network infrastructure (due to the sheer number of Ethernet connections that need to be provided) from the perspective of cost, space, and wire management.  A technology called VLAN (Virtual LAN: broadcast domains logically segmented on an Ethernet switch) trunking that was once primarily the domain of network switches has now trickled down to the rest of the data center to address these issues.  Now it is possible for these multi-homing devices to be multi-homing in function without the need for multiple physical network adapters and the additional infrastructure associated with them.  VLAN trunking allows a single network adapter to behave as “n” virtual network adapters, where “n” has a theoretical upper limit of 4096 but is typically limited to 1000 VLAN network segments.  In the case where a single gigabit Ethernet adapter is trunked in place of multiple FastEthernet adapters, higher performance at a lower cost with increased flexibility can be achieved.  This really is the best of all worlds.  In this article, I will give you an overview of VLAN trunking, how it works, and what it is used for.

Applications of VLAN Trunking:
Here are some common examples of Network Devices that benefit from VLAN trunking:

  • Routers
  • Firewalls (software or hardware)
  • Transparent proxy servers
  • VMWare hosts
  • Wireless Access Points

Routers can become infinitely more useful once they are trunked into the enterprise switch infrastructure.  Once trunked, they become omnipresent and can provide routing services to any subnet in any corner of the enterprise network.  This is in essence what a routing module in a high-end core or distribution L3 (Layer 3) switch provides.  This technique can be a poor man’s substitute for a high-end routing module on a switch, or it can complement the high-end L3 switch by providing additional isolated routed zones for test labs, guest networks, and any other network segment that requires isolation.

Firewalls are another type of device that can greatly benefit from VLAN trunking now that all the big players like Cisco, Nokia/CheckPoint, and NetScreen support it.  In today’s high-stakes environment where security concerns are ever increasing, the more firewall zones (subnets connected by separate virtual or physical network adapters) a firewall provides, the better.  With the exception of NetScreen firewalls, firewalls can only block potentially hazardous traffic between zones and not traffic within the same zone.  Therefore, the more you separate devices like routers and servers by logical function and security level, the better off you are, since you can limit unnecessary traffic and mitigate many security threats.  Since VLAN trunking provides a nearly unlimited number of virtual network connections at a lower cost and higher performance, it is the perfect addition to firewalls.  You can read more on this in:

Understand how to design a secure firewall policy

Increase firewall protection with a better network topology

Transparent proxy servers such as a Windows server running Microsoft ISA or a Linux server running Squid can now be built with a single gigabit Ethernet adapter costing as little as $40.  A traditional proxy server can be built with a single network connection, but a transparent proxy server usually cannot.  Since transparent proxy servers can be implemented with zero client deployment or SOCKS compliance, they are an extremely attractive new technology.  Trunking just makes it that much simpler and cheaper to implement.

VMWare hosts are servers that host multiple virtual servers for the purpose of server virtualization or system modeling for laboratory testing and research.  Although VMWare already provides the ability to have multiple VLANs within the VMWare host, its ability to connect those VLANs to physical VLANs is limited to the number of network adapters on the VMWare host.  A VMWare host can provide up to 3 network connections to each virtual machine.  Since applications cannot tell the difference between a virtual adapter and a physical one, a VMWare host armed with a trunked interface is significantly more flexible and simpler to manage.

One of the hottest new applications of VLAN trunking is wireless networking.  The new Cisco AP 1200, for example, can behave as 16 virtual Wireless LAN infrastructures.  Some VLANs can be used for low-security guest Internet access, others for minimum-security enterprise users, and administrators can be put on a high-security VLAN with enhanced firewall permissions.  All this can be achieved using a single Wi-Fi infrastructure to emulate up to 16 Wi-Fi infrastructures.  The Cisco AP 1200 does this by assigning each of the 16 VLANs its own Wi-Fi SSID, so when you look at it from NetStumbler (a free wireless sniffer), you will think you are looking at up to 16 different wireless networks.  Those 16 VLANs are then trunked over the AP 1200’s FastEthernet port.  This offers wireless nirvana in Wireless LAN capabilities.

VLAN encapsulation types:

There are several types of VLAN encapsulation.  The two most common types are Cisco’s proprietary ISL (Inter Switch Link) and the IEEE 802.1q specification.  ISL is an older proprietary protocol that Cisco was using to connect its switches and routers, but now that 802.1q is ratified, all of the newer Cisco gear either supports both ISL and 802.1q or only 802.1q.  Older Cisco equipment may only support ISL trunking, so you must look up the individual specifications of your gear before attempting to connect them.

The 802.1q standard works by injecting a 32-bit VLAN tag into the Ethernet frame of all network traffic, in which 12 of those bits define the VLAN ID.  The VLAN ID simply declares what VLAN the Ethernet frame belongs to, and the switch uses that ID to sort out and place the frames in their proper VLANs.  Once a frame reaches the end of the line or hits a non-trunked port, the VLAN tag is stripped from the frame because it no longer needs it.  This also means that if you attempt to trunk a host to a non-trunked port, it obviously will not work, because that non-trunked port will strip the VLAN tags upon entry.  Note that there are very serious security implications of using VLAN technology; I will elaborate on that in a future article on VLAN Layer 2 security.

Given that a VLAN tag must be inserted into each and every Ethernet frame, there is a little overhead in terms of slightly increased frame sizes and some CPU overhead required to inject the tags.  Because of this, separate physical network adapters will always perform better than virtual network adapters on a single adapter of the same speed.  But remember, this performance deficiency is quickly reversed if a single gigabit Ethernet adapter is used in place of multiple FastEthernet adapters.  Given all the rewards of VLAN trunking, the small overhead is more than justified.

Trunking requirements:
VLAN trunking requires that the network switch, the network adapter, and the drivers for the operating system all support VLAN tagging in order for them to trunk.  Almost any enterprise-grade switch made by Cisco, Extreme, Foundry, and others supports 802.1q.  A few examples of this on the smaller scale are Cisco’s 2950 series and Netgear’s FSM726.  Most high-end client adapters support VLAN trunking, but the most common ones you will find are the Intel Pro/100 and Pro/1000 adapters, because they are included on almost every server manufacturer’s motherboard.  For those without an integrated Intel adapter, a separate Pro/1000 PCI card can be bought for as little as $40.  Driver support on the Intel adapters is excellent and covers almost everything from BSD to Linux to Windows client and server operating systems.  My follow-up article on how to actually implement VLAN trunking will focus on Cisco and Intel equipment.

26 thoughts on “An introduction to VLAN Trunking”

  1. This was informative. I am a networking student in Cisco 3 trying to understand what on earth my teacher is talking about. Thank you for writing such an entertaining article on such a boring subject.

  2. @Paul
    No problem. It always helps to understand WHY you need a technology before learning HOW to deploy the technology.

    Be sure to read up on the implementing VLAN trunking article linked at the end. It’s a little dated, but the fundamental concepts haven’t really changed.

  3. George, thanks for the great article on VLAN Trunking. I’m not a networking person, but I’m trying to understand a little more about VLANs.

    For ‘normal’ VLANs, is the 12 bit VLAN ID inserted into the Ethernet frame or does this only happen when VLAN tagging (virtual switch tagging) is implemented in VMware ESX3i for example?

  4. Thank you for the very clear explanation.
    I am wondering if each virtual network adapter can have its own (locally administered) MAC address, or if the MAC address is unique per physical network adapter.
    Many thanks!

  5. You really should mention that VLANS have security considerations of their own. From the SANS website:

    Recommendations

    Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool.

    If you MUST use them in a security context, ensure that the trunking ports have a unique native VLAN number.

    1. I don’t agree with that advice Phil. It might be better to use physical networks in theory, but it’s so darn impractical that you end up sacrificing security because of cost considerations. There’s a finite budget for security and it’s better to spend the money elsewhere than trying to stick with a small theoretical advantage to physical network separation.

      VLANs are only insecure if the switch gets hacked (fairly unlikely if locked down correctly), or if you use VLAN 1 or whatever the native VLAN is on the switch which opens the possibility for VLAN hopping. But if you implement VLANs and layer 2 security correctly, VLAN security is the least of your worries.

    1. If you follow my implementation guide, I tell you how to avoid security issues. Link to implementation guide is in this article.

  6. George, I appreciate the information regarding VLANs. However, what always confuses me is the differences between a VPN and a VLAN in relation to Ethernet.

    Are there any simple network diagrams available that are able to show this?

    Many Thanks.._Lee

    1. Lee, a VPN is very different from a VLAN. A VPN gives you a virtual private network over the Internet. This can be used to connect two offices or be used as a form of remote access for telecommuters. This is far above the Ethernet stack as it is operating on the IP layer.

      A VLAN is something that splits a single physical Ethernet switch into multiple virtual switches that are on separate Ethernet networks.

  7. Excellent article.
    I am still learning about basic networking, but the way you explain things makes it all make sense.

    Have you published any books?

  8. Hello all

    I’d like to configure an appliance based on Debian with VMWARE and VLANs, because every virtual machine will be on a separate DMZ with a different trust level (I am using an ASA as a “router-on-a-stick”). I configured VLANs on Debian according to some guide found on the internet and I installed virtual machines. I have two issues now.
    1. Problem with tagging – I see a mismatched entry in the ARP table on the ASA box:
    sh arp
    Outside 62.168.112.201 0015.c7c2.3819 33
    Inside 10.30.10.242 001b.532d.f341 9995
    Wirelles 10.40.10.24 001f.3cde.b8ac 43
    Wirelles 10.40.10.25 0021.e98c.8166 486
    Wirelles 10.40.10.21 001f.3cde.b8ac 7376
    Wirelles 10.40.10.20 0025.5694.f580 7978
    Wirelles 10.40.10.23 0021.e98c.8166 8986
    Wirelles 10.40.10.10 0024.144f.7666 9792
    Wirelles 10.40.10.22 0023.76c8.71eb 10287
    Trunk 10.70.10.10 1c17.d392.91c0 9964
    DMZ 10.20.10.20 00c0.a8f6.7e07 499
    DMZ 10.20.10.15 0021.5a1f.85a3 2922
    Proxy 10.50.10.10 0021.5a1f.85a3 3740
    Proxy 10.110.10.10 0021.5a1f.85a3 3912
    AntiSPAM 10.60.10.10 0022.19d5.00e9 146

    2. When I assigned some VLAN interface to virtual machines it doesn’t work.

    Could somebody please be so kind and help me with this?
    Thanx

  9. I like the article, but the difference between the two trunking methods is not clear to me. Please could you break it down a bit more?

  10. Found this very informative. I like the way you got down to it without having to read War and Peace first. Thanks for that. After reading this I think I already know the answer to a question that has come up in our network switching topology. We have an existing ELAN domain (NON TRUNKING) set up with dot1q access, with several working UNIs; all is good so far. Our engineers are trying to add an EVC to this ELAN domain. I saw a statement you made that a VLAN tag is stripped off a non-trunked port, so this will not work if they are trying to mix ELAN and EVPL service on a 6509 Cat switch.
