Webinar - VLAN and its Applications
G'day everyone and welcome to i-LAN Technology's presentation on VLAN and its applications. This is Part 1 in our series of webinars where we will look at how VLANs (or Virtual Local Area Networks) can be used in small and medium sized networks. In this webinar we will look at how VLANs can be configured and used using DrayTek routers, and in the following webinars we will expand our discussion to include DrayTek VigorSwitches.
My name is Jawa and I'm a Technical Sales Specialist at DrayTek Aust & NZ. If you have any questions during the video please comment in the chat box on the right side of the screen, and stick around at the end for a 5 minute Q&A session. If you're watching this after the live Premiere, please comment below or send us an email to email@example.com. It's time to begin today's session. We'll start out with a look at what a VLAN is and what sort of advantages they offer.
Then we will compare and outline Port based and Tag based VLANs. We will also show a video that demonstrates VLAN configuration on a DrayTek access point & Router. Other topics include VigorSwitch VLAN configuration and VLAN applications. As mentioned, DrayTek Layer 2+ VigorSwitches will be covered in greater detail in our next webinar that's coming soon. Let's start off by looking at what a VLAN is and why we need to use it.
If you were to look up the definition of a VLAN, it would read: "A virtual Local area Network (VLAN) is a logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical dispersion". The VLAN information is in the Layer 2 header of an Ethernet Data packet as shown in this diagram. It is 12 bits of data between the Type and Source MAC Address sections of the Ethernet packet. So in other words, a VLAN is a group of devices physically on the same LAN as other devices but separated from them using information in the Ethernet packet, and they don't necessarily have to be all together in one place.
Using VLANs allows you to segregate your network and prevent devices in one part of the network from getting access to other parts in the network, and vice versa. VLANs allow you to segment your network by function or application. Unicast, broadcast, and multicast packets are forwarded and flooded out ports in the same VLAN.
This also enhances the network performance since broadcasts and multicasts are not sent to other parts of the network. VLANs also ease network configuration by logically connecting devices without physically relocating those devices. Here we have a typical application of VLANs. We can see 4 local area networks: Administration, Sales, Support Department and the Warehouse.
The devices in each of these LANs could be in different locations within the company but are logically part of the same network. Some of you may be looking after large networks which may have IP cameras, IP phones and so on in addition to your PC data network. You'll find that if all these devices are installed in a flat network, you will soon see network congestion resulting in slow network response times as well as poor phone call quality. The solution is to separate each of these services by using VLANs. One of the benefits of using VLANs is that it increases the number of broadcast domains, hence reducing congestion and improving performance of the network as described in our previous slide.
VLANs can also be used to create logical groups and allow communication between required subnets. Firewall rules can also be used to control data flow between networks where routing has been enabled, thereby helping to secure the network. External threats are of course minimised. If an outside attacker is able to gain access to one VLAN, they'll be contained to that network by the boundaries and controls in place to segment it from others. Also VLANs are not restricted to just one switch. They can span across multiple switches, hence increasing flexibility to your network.
And grouping is logical here, not physical. To illustrate this, let's say within a building we have the Sales department on the 1st floor but one of the sales persons is located on the second floor. So no matter where the PC is placed in the network, it can still be a part of the Sales VLAN. VLANs also help to make network administration much easier. By logically grouping users into the same virtual networks, you make it easy to set up and control your policies at a group level.
When users physically move workstations, you can keep them on the same network with different equipment. Or if someone changes teams but not their workstation, they can easily be given access to whatever new VLANs they need. Troubleshooting problems on the network can be simpler and faster when different user groups are segmented and isolated from one another. If you know that complaints are only coming from a certain subset of users, you'll be able to quickly narrow down where to look to find the issue. VLANs also provide improved quality of service by managing traffic more efficiently, so that end-users experience better performance.
There are also fewer latency problems on the network and improved reliability for critical applications. VLANs can also be used to prioritise traffic, to ensure critical application data keeps flowing even when lower priority traffic such as web browsing spikes. We will now look at the different types of VLANs.
The 2 main types are port based and tag based VLANs. Starting with port based VLANs. As shown here, the VLANs are assigned to the LAN ports on the router. So, any devices plugged into one of these ports will be a part of that VLAN. We have 3 VLANs shown here. VLAN 0 for sales and VLAN 1 for admin, and a guest Wi-Fi VLAN.
Each of these workgroups will be isolated from each other but can still access the same internet connection. The next type of VLAN is 802.1q tag-based VLANs. In the example shown here we have 3 different work groups connected to a switch shown by the different colours. The VLAN ID is limited by 12 bits, or 2 to the power of 12, which gives a maximum limit of 4096. The actual number of VLANs that can be configured will be limited by the router or the switch model and would usually be between 2 and 50. To achieve this, we have a single port on the router configured with multiple VLANs which also have a VLAN tag.
This is the VLAN trunk connection which is connected to a managed switch. In the example shown, we also have the 3 different VLANs in the VLAN trunk connection to the switch. Each VLAN shown by the orange, green and blue colours can be for different work groups. The VLAN tag is inserted into the data packet header and this is used to identify which VLAN it belongs to. Another parameter in the VLAN tag is the 802.1p setting.
This is used to specify the priority level of the data packets, and ranges from 0 for best effort to 7 being the highest level. If you want to allow communication between each VLAN, then inter-LAN routing has to be enabled between them. In this diagram we only want to allow communication between the Administration workgroup and the Sales dept, so we enable routing between these two LANs. I'll briefly show you the configuration steps to set up VLANs in DrayTek routers. We will start with port based VLANs. This applies to DrayOS routers such as the Vigor2862 and Vigor2927 as well as others.
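The tag layout described above (the VID limited to 12 bits and the 802.1p priority from 0 to 7), as an added Python example that is not from the webinar or from DrayTek: it builds an 802.1Q-tagged Ethernet frame from constructed MAC addresses, inserting the tag between the source MAC and the Type field, and parses the priority and VLAN ID back out. The MAC addresses, VLAN 100 and priority 5 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
VID_BITS = 12                  # VLAN ID field width: 2**12 = 4096 possible values (0..4095)
MAX_VLAN_ID = (1 << VID_BITS) - 1

def build_tagged_frame(dst, src, vid, pcp=0, dei=0, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame with an 802.1Q tag inserted after the source MAC.
    dst/src are 6-byte MAC addresses; pcp is the 3-bit 802.1p priority
    (0 = best effort, 7 = highest)."""
    if not 0 <= vid <= MAX_VLAN_ID:
        raise ValueError("VLAN ID must fit in %d bits (0-%d)" % (VID_BITS, MAX_VLAN_ID))
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0-7")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid     # Tag Control Information: PCP | DEI | VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Decode the header; 'vid' and 'pcp' are None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:                      # untagged frame: Type follows the source MAC
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src,
            "pcp": tci >> 13,                        # top 3 bits: 802.1p priority
            "dei": (tci >> 12) & 1,                  # 1 bit: drop eligible indicator
            "vid": tci & MAX_VLAN_ID,                # low 12 bits: VLAN ID
            "ethertype": inner_type, "payload": frame[18:]}

if __name__ == "__main__":
    # Constructed sample: broadcast from a locally administered MAC on VLAN 100 with priority 5
    sample = build_tagged_frame(b"\xff" * 6, bytes.fromhex("020000000001"), vid=100, pcp=5,
                                payload=b"\x45\x00")
    print(sample.hex())
    print(parse_frame(sample))
```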
The steps involved are also covered in knowledge base articles that are available on our web site. Step 1 is go to LAN>>VLAN config menu. Then select Enable. The next step is to assign all ports and SSIDs to a VLAN. Select LAN subnet for the VLAN in the circle there. Ensure all LAN ports and SSIDs are assigned to a VLAN. The number of ports and LANs will vary by the router model.
Also do note that we do not enable VLAN tags for port-based VLANs. The next step is to enter the LAN subnet details for each LAN including the DHCP details. Enable routing if required, by selecting the intersection of the two LANs you wish to route between. Here we've enabled routing between LAN 2 and LAN 3.
For Linux based routers such as the Vigor3900 and Vigor2960 the setup is different. The first step is to create the VLANs and then assign the LAN port as Untagged. The next step is to configure the LAN subnets for each VLAN. In the example here we have assigned the subnet 192.168.50.1 to VLAN 100.
For Inter-LAN routing in Linux routers we only have the global option to enable Inter-LAN routing. We need to select "Enable Inter-LAN Route". With the route group feature as shown here, you can use groups to allow or block routing between VLANs. You can also use firewall rules to control traffic flow between VLANs.
Setting up 802.1q tag-based VLANs in DrayOS routers is similar to the port based VLAN setup but includes a couple of extra steps. Step 1, like I mentioned, is to go to LAN>>VLAN config menu. Then select Enable. The next step is to assign all ports and SSIDs to a VLAN and select a LAN subnet for each VLAN. The extra step is enabling the VLAN Tag and assigning a VLAN ID.
The priority setting is optional. A value of 0 is the lowest priority and 7 is the highest. It is recommended to also select "Permit untagged device in P1 to access the router" as I have highlighted here. The reason for doing this is that usually we will have a switch between the router and a computer, and the switch handles the tagged data packet.
But if for some reason you want to connect a computer directly to the router, it will not be accessible. The next step is to enter the LAN subnet details for each LAN including the DHCP details. Enable routing if required, by selecting the intersection of the two LANs you wish to route between. Here we've enabled routing between LAN 2 and LAN 3. For Linux based routers select the VLAN for the member to be a tagged VLAN. In the example shown here we've selected LAN port 2 to be a member of VLAN 30 which will make it a tagged VLAN.
We now need to set up the 802.1q trunk port. This is needed when connecting the router to a smart switch and we require all the VLANs to be available on the switch ports. In DrayOS routers select all the VLANs to belong to the same LAN port. In the example here we've assigned all the VLANs to port P1. For Linux routers, to set up an 802.1q trunk port
we just select all the tagged VLANs to belong to the same LAN port. In the example shown here we have LAN port 2 configured as the 802.1q Trunk Port. A typical application of VLANs utilising the 802.1q Trunk is shown in this diagram.
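The trunk-plus-access arrangement just described (one router port carrying all VLANs tagged to a managed switch, with each department on its own switch ports), as an added Python simulation that is not from the webinar or from DrayTek software: a simplified switch model where P1 is the 802.1Q trunk carrying VLANs 10, 20 and 30 tagged and P2 to P4 are access ports with a PVID. It shows which ports a broadcast reaches, why frames leave the trunk tagged and the access ports untagged, and that a frame tagged for a VLAN the port does not carry is dropped. Port names, VLAN IDs and frames are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One switch port. A trunk lists VLANs in 'tagged'; an access port lists its VLAN in 'untagged'."""
    pvid: int                               # VLAN assigned to untagged frames arriving on this port
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def carries(self, vid):
        return vid in self.tagged or vid in self.untagged

def classify_ingress(port, frame):
    """VLAN a frame belongs to once it enters the switch, or None if it is dropped."""
    vid = frame.get("vid")
    if vid is None:                 # untagged: takes the port's PVID
        return port.pvid
    return vid if port.carries(vid) else None   # tagged: accepted only if the port is a member

def flood(switch, ingress_name, frame):
    """Broadcast/unknown-unicast flooding: copies go only to other ports in the same VLAN.
    Returns {egress_port: frame_as_sent}; 'vid' is set on a copy if that port sends the
    VLAN tagged (trunk) and None if it sends it untagged (access port)."""
    vid = classify_ingress(switch[ingress_name], frame)
    if vid is None:
        return {}
    copies = {}
    for name, port in switch.items():
        if name == ingress_name or not port.carries(vid):
            continue
        copies[name] = {**frame, "vid": vid if vid in port.tagged else None}
    return copies

# Constructed sample switch: P1 is the 802.1Q trunk to the router carrying VLANs 10, 20, 30;
# P2 and P4 are access ports in VLAN 10; P3 is an access port in VLAN 20.
SWITCH = {
    "P1": Port(pvid=10, tagged={10, 20, 30}),
    "P2": Port(pvid=10, untagged={10}),
    "P3": Port(pvid=20, untagged={20}),
    "P4": Port(pvid=10, untagged={10}),
}

def demo():
    bcast = {"dst": "ff:ff:ff:ff:ff:ff", "src": "pc-on-P2", "vid": None}   # untagged broadcast
    return {
        "pc_broadcast": flood(SWITCH, "P2", bcast),                   # P1 (tagged 10) and P4 only
        "from_trunk_vlan20": flood(SWITCH, "P1", {**bcast, "src": "router", "vid": 20}),  # P3 only
        "unknown_vlan": flood(SWITCH, "P1", {**bcast, "vid": 99}),    # dropped: trunk not a member
        "wrong_tag_on_access": flood(SWITCH, "P2", {**bcast, "vid": 20}),  # dropped: access port
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```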
The switch is connected to the router and we connect the PCs to the switch LAN ports, with each department assigned to a VLAN. Now here's a short video created a few years ago which shows how to configure VLANs on an access point and connect to a DrayTek router via an 802.1q VLAN trunk. The video is available on YouTube at the link shown. I'll also include a link in the description below if you'd like to check it out again later. Hey everyone this video demonstrates how to set up your access point with multi SSID. We can setup multi SSID to separate wireless LANs to different subnets.
Here in this example, the AP connects to a router that has multiple subnets, and it passes traffic via a trunk port. We will configure the AP900 and Vigor2860 one by one. So let's configure the Vigor2860 first.
Connect Vigor2860 to a computer. Open your web browser and log in to Vigor2860. Here we'll configure 4 LAN subnets with network address 192.168.1.0, 2.0, 3.0 and 4.0, all with subnet mask 255.255.255.0. To configure LAN1 go to LAN >> General Setup. Click on Details Page.
Enter the IP address, subnet mask and DHCP configuration. Similarly we need to configure LAN2, LAN3 and LAN4. At this stage the router does not allow us to configure the remaining LAN subnets as they are inactive. To make them active we'll go to LAN >> VLAN configuration.
Enable VLAN. We'll use port six as a trunk port, hence it will be part of all the VLANs. Now select LAN subnet, and a VLAN ID under "VLAN tag". Now let's allocate remaining ports. Here we will keep remaining ports under VLAN 4 as untagged. Click ok to save the settings.
After the router restarts, log into the router again and go to LAN >> General Setup and configure the remaining LAN subnets. For that, first enable LAN2, LAN3 and LAN4. Now check IP, subnet mask and DHCP settings for LAN2 and change if required. Similarly check LAN3 and LAN4. Now we'll configure the access point. Connect the AP900 to a computer.
You will need to set a static IP on the computer to access the AP900, as its DHCP server is inactive by default. Now go to LAN >> General Setup and disable DHCP client. Ensure that the DHCP server is turned off so that all IP addresses will be assigned by the Vigor2860 only. Then go to wireless LAN >> General Setup. Enable wireless LAN. Uncheck the "Enable 2 subnet" option,
and configure 4 VLANs with different VLAN ID as set on the router. Enter SSID name for them. Now go to wireless LAN >> Security. For each SSID, select an authentication mode, WPA algorithm and enter passphrase.
Click okay to save. Also set key renewal interval to 3600 if not set. Both devices, Vigor2860 and AP900, are now configured. We will connect LAN port No 6 of 2860 to AP900 through a network cable.
Now we will test the setup. From the laptop, go to wireless, connect to the SSIDs one by one and check the IP addresses. The wireless client gets an IP address according to the SSID it connects to. Hence only one physical LAN connection between the router and AP can pass the traffic for all VLANs. You can also enable inter-LAN routing under LAN >> General Setup, to allow communication among all VLANs.
Now we'll briefly take a look at VLAN options in DrayTek VigorSwitches. We'll go over VLANs in VigorSwitches in more detail in our next webinar. In a large network as shown in this diagram, much of the data traffic is between devices or servers on the local network, so not much traffic needs to go to the Internet. For example, IP cameras store videos to a local NVR, the IP phones register to a PBX, and documents and files on PCs are stored on the local file server. Utilising VLANs as well as layer 2+ features in DrayTek VigorSwitches will improve network performance and also reduce the need to have a higher end router to handle local traffic.
The configuration steps we use when setting up VLANs in VigorSwitches are: Add the VLANs by selecting tagged or Port-based. Assign VLAN Membership for Ports. Assign a port as Trunk port.
And finally, configure the ports. In VigorSwitches we have 3 different types of VLANs. These are Voice and Surveillance VLAN, MAC based and protocol-based VLAN.
Again, these will be covered in more detail in our next webinar. Central switch management in DrayTek routers provides a convenient and easy way to manage and configure VLANs in VigorSwitches. Instead of logging into each switch and working through the configuration pages, you can just log into the router and centrally configure, and deploy the switches in your network.
You can also monitor the switch and LAN clients' status as well as perform maintenance tasks. It also allows easy deployment. Here we have a screenshot of one of the configuration pages. The VLAN configuration is quick and easy by using the graphical user interface.
With a few mouse clicks, VLANs can be assigned to switch ports, and it'll also update the router VLAN configuration. It will auto detect uplink and downlink, and also auto configure PVID for the access port. Furthermore, it will auto configure a trunk port when multiple VLANs are selected. The PVID value can be selected from a drop-down menu. We will deep dive into Central Switch Management in a future webinar where we'll talk about DrayTek switching technologies. Let's look at some typical scenarios where VLANs can be advantageous.
Let's assume that a company wants to separate the employees' Wi-Fi network and Guest Wi-Fi so it can restrict network access for guest users. We want guest users to be able to access the internet but we don't want them accessing other LAN resources such as the servers, printers & internal portals. So, two VLANs can be defined here to accomplish this - VLAN1 and VLAN2. The LAN subnet for VLAN1 can be set as 192.168.1.0, and the subnet for VLAN2 can be set as 10.0.0.0, and of course in this case we want to keep inter-LAN routing disabled. Another scenario is where four companies are located in the same building.
They share the broadband network and use a Vigor router for load balancing, security, and VoIP features. So, four VLANs can be defined - VLAN5, 6, 7 and VLAN8. There can be many other instances where VLAN can be very helpful. Another example where VLANs are used is in adding a VLAN tag for the WAN connection. This is set up in the WAN >> General Setup configuration menu in DrayOS routers. Some NBN service providers use VLAN tagging for WAN connections.
When connecting a DrayTek router to the NBN via one of these service providers, you'll need to enable the VLAN tag. Otherwise the data connection will not be available. Most ISPs in Australia use a VLAN tag of 100 or 2 but there are a few exceptions. The table you see at the bottom shows service providers in New Zealand who use a VLAN tag of 10. The example shown here is for New Zealand where we need to place a Vodafone router with a built-in ATA for VoIP services behind the DrayTek router.
Here the WAN connection uses a tagged VLAN and the attached VoIP router also requires a tagged VLAN connection coming from the DrayTek router's LAN port. This screenshot shows the settings we've used. We've basically configured VLAN 1 on LAN port 4 as a tagged VLAN port with a VLAN ID of 10. All other ports and SSIDs are allocated to VLAN0 with no VLAN tags.
Alright. So, that brings us to the conclusion of today's session. Let's summarise the key takeaway messages, which are: VLANs help in improving network performance by reducing congestion, enhancing security, adding flexibility, allowing a logical grouping of users by function (not location) and they make it easier to administer networks. DrayTek routers and switches support port-based and tag-based VLANs. DrayTek routers support VLAN tagging on WAN interfaces as well, which is something that's often required by NBN ISPs in both Australia and NZ. Something that we didn't have time to go into today which DrayTek routers also support is virtual WANs. This allows simulating several WAN connections through one physical WAN connection, which is often used for Triple Play services in some countries.
Well, that's about it from me but please do stay tuned. We'll be answering any questions in the live chat on the right of your screen for the next five minutes. For more information about DrayTek products please check out our website at www.draytek.com.au or send us an email to firstname.lastname@example.org, or just give us a call on 02 98 3888 99. Please like and subscribe below, and if you'd like a notification of new premiere videos we're about to launch, or anytime we put up a new video, just give the bell a click too.
Thank you for your attention, I hope to see you again soon. Goodbye. :)