How Do VLANs Work? Exploring the 802.1q Protocol

In this post, I cover the 802.1q protocol and the concept of VLANs

Key Points

  • VLANs are a layer 2 concept. The segmentation is occurring on the switch. The switch needs the assistance of a router – a layer 3 device – to move traffic between VLANs.
ℹ️
Need a refresher on network layers? See my post on the OSI model.
  • The switch has a database called a CAM table where it keeps track of the following details about every plugged-in computer:
    • MAC Address
    • Port Number
    • VLAN ID -- if it's a managed switch
  • VLANs require a "managed" switch. That means the switch has an embedded server of some kind where a network administrator will log into and configure each port with the desired VLAN tag number. An "unmanaged" switch – a dumb switch – is much simpler and only serves the purpose of forwarding traffic to the correct MAC address.
  • The design in the diagram above is known as "router-on-a-stick" (ROAS), because of the single trunk from the switch to the router. It is a common design in smaller networks.




802.1q Protocol

Ethernet 802.1Q Insert - IEEE 802.1Q - Wikipedia

How Does 802.1q Work?

802.1q – also referred to as Dot1Q – is an open standard developed by the Institute of Electrical and Electronics Engineers (IEEE).

⚠️
In order for VLANs to work, all network devices, such as routers, switches, and access points must understand and abide by the 802.1q protocol.

Header Injection

In the picture above, the top picture is a standard Ethernet frame. And, the bottom picture is an Ethernet frame with 802.1q bytes included.

When a computer plugged into the port puts a frame on the wire, the switch will inject the 802.1q header into the Ethernet frame and send it to one of two places:

  • The destination host
  • The router

We'll cover traffic flow in the section below.
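To make the tag insertion concrete, here is an added example (my own code, not from the original post) that builds an untagged Ethernet II frame, injects the 4-byte 802.1Q tag the way the switch does for a frame arriving on an access port, parses it back, and strips it again. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted), as the host puts it on the wire."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Inject the 4-byte 802.1Q tag between the source MAC and the EtherType,
    which is what the switch does for a frame arriving on an access port."""
    if not 1 <= vlan_id <= 4094:                 # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id    # 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag again before delivery to an untagged access port."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> dict:
    """Decode a frame with or without a tag; 'vlan' is None when untagged."""
    info = {"dst": bytes_to_mac(frame[0:6]), "src": bytes_to_mac(frame[6:12]),
            "vlan": None, "pcp": None}
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["vlan"], info["pcp"] = tci & 0x0FFF, tci >> 13
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info
```

A tagged frame is exactly four bytes longer than the untagged one, and the original EtherType (0x0800 for IPv4) moves behind the tag, which is why every device on the path has to understand 802.1q to find the payload.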





VLAN Segmentation

💡
Recall that the network administrator logs into the management interface of the switch and configures each switch port with a VLAN ID. This VLAN ID is included in the 802.1q header data.

VLAN segmentation — by itself — is not a security feature. It is a means of breaking up a single physical network topology into smaller logical network segments. When combined with a firewall, you can create a more robust network security design.



How Does Traffic Flow?

Computer Networking Fundamentals

In essence, to transmit a packet, a host needs to know two things:

  • The destination IP address
  • The destination MAC address

Click here for a quick refresher on sending data between two hosts



Network Diagram





Hosts in the Same VLAN

We'll single out port 6 and port 7 for the sake of this example: 10.80.80.10 sends a packet to 10.80.80.11

  • Port 6: VLAN 80
    • Host IP address: 10.80.80.10
    • Host MAC address: 81:A3:43:F3:4E:20
  • Port 7: VLAN 80
    • Host IP address: 10.80.80.11
    • Host MAC address: 42:70:92:50:79:30

Traffic Flow

💡
If two hosts are in the same VLAN -- either on the same switch or two separate switches configured with the same VLAN IDs -- then the data can be moved between the two hosts without the assistance of a router.
[10.80.80.10] ---> [Switch] ---> [10.80.80.11]


  1. 10.80.80.10 sends an ARP request as a broadcast on the wire to FF:FF:FF:FF:FF:FF to request the MAC address of 10.80.80.11
  2. The switch floods the broadcast only on ports configured with VLAN 80
  3. 10.80.80.11 replies to 10.80.80.10 with its MAC address
  4. 10.80.80.10 crafts a frame to put on the wire
    • Source IP: 10.80.80.10
    • Destination IP: 10.80.80.11
    • Source MAC: 81:A3:43:F3:4E:20
    • Destination MAC: 42:70:92:50:79:30
  5. The switch receives the frame
    • The destination MAC is in the same VLAN as the source MAC
    • The switch transfers the frame to port 7 where 42:70:92:50:79:30 is plugged in
    • The frame has completed its journey



Hosts in Distinct VLANs

In this example, we'll focus on port 4 and port 5: 10.6.6.6 sends a packet to 10.9.9.9

  • Port 4: VLAN 666
    • Host IP address: 10.6.6.6
    • Host MAC address: 02:EC:09:C0:65:59
  • Port 5: VLAN 999
    • Host IP address: 10.9.9.9
    • Host MAC address: 25:83:ED:92:D1:89

Traffic Flow

💡
Two hosts in distinct VLANs have two layers of separation. Obviously, the two devices are on different subnets and therefore, are unable to directly communicate without the assistance of a router. Furthermore, the switch will not move traffic from VLAN 666 to VLAN 999.
[10.6.6.6] ---> [Switch] ---> [10.6.6.1]
                               (router)
[10.9.9.9] <--- [Switch] <--- [10.9.9.1]


  1. 10.9.9.9 is on a foreign subnet, so 10.6.6.6 sends an ARP request as a broadcast on the wire to FF:FF:FF:FF:FF:FF to request the MAC address of the default gateway --- 10.6.6.1
    • 10.6.6.1 is a virtual interface designated by igb1.666 on the router
    • The igb1.666 notation indicates that the parent interface is igb1 and it is tagged with the VLAN ID 666
  2. The switch floods the broadcast only on ports configured with VLAN 666
  3. 10.6.6.1 replies to 10.6.6.6 with its MAC address
  4. 10.6.6.6 crafts a frame to put on the wire
    • Source IP: 10.6.6.6
    • Destination IP: 10.9.9.9
    • Source MAC: 02:EC:09:C0:65:59
    • Destination MAC: 17:53:4A:C1:D4:29 (look carefully)
  5. The switch receives the frame
    • The destination MAC is in the same VLAN as the source MAC
    • The switch transfers the frame to port 1 up to the router
  6. The router receives the frame and inspects the packet
    • The destination IP address is noted as 10.9.9.9
    • The router sends an ARP request as a broadcast on igb1.999 to FF:FF:FF:FF:FF:FF to request the MAC address for 10.9.9.9
    • The switch floods the ARP broadcast only on ports configured with VLAN 999
    • 10.9.9.9 responds to 10.9.9.1 with its MAC address
  7. The router prepares a frame to put on the wire
    • Source IP: 10.6.6.6
    • Destination IP: 10.9.9.9
    • Source MAC: 17:53:4A:C1:D4:29 (again, look carefully)
    • Destination MAC: 25:83:ED:92:D1:89
  8. The switch receives the frame
    • The source MAC and the destination MAC are in the same VLAN (999)
    • The switch transfers the frame to port 5 where 25:83:ED:92:D1:89 is plugged in
    • The frame has completed its journey
ℹ️
This works because...

✅ The router and the switch both understand 802.1q
✅ The router and the switch share the same VLAN IDs
✅ The router is the default gateway for all VLANs
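The two flows above are really one forwarding rule applied to a CAM table. As an added example (my own code, not from the original post), the simulation below replays both scenarios on the port-to-VLAN map used in this section: a minimal VLAN-aware switch with access ports 4 through 7, a trunk on port 1 to the router, and a CAM table keyed by (VLAN, MAC). That key is an assumption I make explicit because the router's single MAC, 17:53:4A:C1:D4:29, is learned on the trunk separately in VLAN 666 and VLAN 999.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class Switch:
    """Minimal VLAN-aware switch. The CAM table is keyed by (VLAN, MAC) -> port,
    so the router's one MAC can be learned independently in every VLAN on the trunk."""

    def __init__(self, access_ports, trunk_port):
        self.port_vlan = dict(access_ports)  # access port -> VLAN ID set by the admin
        self.trunk_port = trunk_port         # tagged port up to the router (ROAS)
        self.cam = {}                        # (vlan, mac) -> port

    def forward(self, in_port, src_mac, dst_mac, tagged_vlan=None):
        """Return the egress ports for one frame. Access ingress: the switch injects
        the port's VLAN; trunk ingress: the 802.1Q tag on the frame decides the VLAN."""
        vlan = tagged_vlan if in_port == self.trunk_port else self.port_vlan[in_port]
        self.cam[(vlan, src_mac)] = in_port  # learn the source MAC in this VLAN
        out = self.cam.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out is not None:
            return [out]                      # known unicast: delivered only within the VLAN
        # broadcast or unknown unicast: flood to same-VLAN ports plus the trunk, never ingress
        members = [p for p, v in self.port_vlan.items() if v == vlan] + [self.trunk_port]
        return sorted(p for p in members if p != in_port)


def demo():
    """Replay the same-VLAN and distinct-VLAN flows from the text; returns egress ports."""
    sw = Switch({4: 666, 5: 999, 6: 80, 7: 80}, trunk_port=1)
    ROUTER = "17:53:4A:C1:D4:29"                     # igb1: same MAC on every subinterface
    H6, H7 = "81:A3:43:F3:4E:20", "42:70:92:50:79:30"
    H4, H5 = "02:EC:09:C0:65:59", "25:83:ED:92:D1:89"
    r = {}
    # Same VLAN: the ARP request floods only VLAN 80 (port 7) and the trunk, then unicast
    r["arp_vlan80"] = sw.forward(6, H6, BROADCAST)                       # [1, 7]
    sw.forward(7, H7, H6)                                                # ARP reply teaches port 7
    r["same_vlan"] = sw.forward(6, H6, H7)                               # [7]
    # Distinct VLANs: H4 resolves its gateway; the frame goes up the trunk tagged 666
    sw.forward(4, H4, BROADCAST)
    sw.forward(1, ROUTER, H4, tagged_vlan=666)                           # gateway's ARP reply
    r["to_router"] = sw.forward(4, H4, ROUTER)                           # [1]
    # The router ARPs on igb1.999, then sends the routed frame back down tagged 999
    r["arp_vlan999"] = sw.forward(1, ROUTER, BROADCAST, tagged_vlan=999)  # [5]
    sw.forward(5, H5, ROUTER)                                            # H5 answers the router
    r["router_to_h5"] = sw.forward(1, ROUTER, H5, tagged_vlan=999)       # [5]
    # H4 addressing H5's MAC directly: unknown in VLAN 666, flooded there only, never port 5
    r["cross_vlan"] = sw.forward(4, H4, H5)                              # [1]
    return r
```

The last case is the segmentation point: even with the destination MAC filled in correctly, a frame from VLAN 666 is flooded only to VLAN 666 members and the trunk, so port 5 never sees it; only the router, which holds an interface in both VLANs, can carry the packet across.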




Practical Example

Creating VLANs with pfSense

First let's look at the concept of an interface and subinterfaces. An interface is the physical RJ-45 jack on the device. A subinterface is a software-defined interface on the device. The subinterface – in other words – is not a physical interface.

igb1 interface on a router

In the network diagram above, the router has two interfaces igb0 and igb1. igb0 is the WAN interface – meaning that all external traffic enters and exits here. igb1 is the LAN interface – meaning that this is the default gateway for all local traffic.

igb1.666, igb1.999, and igb1.80 are subinterfaces. They were created by logging into the router and creating these interfaces as subinterfaces of the igb1 interface. In other words, igb1 is the parent interface of these subinterfaces.

Create the VLAN

  • Log into pfSense. Then, go to Interfaces > Assignments.
  • Click on VLANs
  • Click Add
  • Configure the VLAN with your details
  • Click Save


Configure the Interface

  • Go back to Interface Assignments
  • There is a new interface available to be added
  • Click Add
  • Click your interface name, OPT4 in my case
  • Configure it to your liking. Make sure the interface is enabled.
  • I have created a 192.168.1.0/24 network – /24 = 255.255.255.0. The IPv4 address in this case is the address the default gateway will use. There is no upstream gateway because this is a LAN.
  • Click Save


Configure the DHCP Server

  • Go to Services > DHCP Server
  • Select your interface name. SUPER_SPECIAL in my case.
  • Configure your DHCP settings. Make sure to enable the DHCP server.
  • Click Save at the bottom of the screen.


Configure Firewall Rules

  • Go to Firewall > Rules
  • Choose your interface. SUPER_SPECIAL in my case
  • You will notice there are no firewall rules by default
  • pfSense is a default deny firewall, so unless you explicitly allow something, it will be blocked.
  • Firewall rules are outside the scope of this article, so experiment with it and decide how you want traffic to flow between your networks.




Configure VLANs on the Switch

In the case of the managed switch, if you want a host to be on VLAN 1234, you just need to reconfigure the port with the new VLAN ID.

💡
Then, when you turn on the device, the host will send a DHCP discover broadcast and the switch will flood that on VLAN 1234. This broadcast will reach igb1.1234 and pfSense will assign an IP address from the SUPER_SPECIAL address pool.

Additionally, now that the device is on VLAN 1234, any firewall rules you have created will determine how packets may flow. Any other devices on VLAN 1234 will be on the same LAN, so they can talk freely.





Multi-Switch Architecture

What if you had a multi-switch architecture like this – where switch 1 is the core switch and switch 2 is an access switch? How would hosts communicate?

10.80.80.22 to 10.80.80.5

  • They are both on the same logical LAN.
  • 10.80.80.22 sends an ARP request as a broadcast to FF:FF:FF:FF:FF:FF to ask for the MAC address of 10.80.80.5.
  • Switch 2 injects the 802.1q payload into the layer 2 headers of the packet.
  • The ARP broadcast goes up the trunk to switch 1 and the broadcast is flooded to all ports – on VLAN 80 – on the switch.
  • 10.80.80.5 receives the ARP broadcast and replies to BE:BC:AE:CF:ED:FC with its MAC address – ED:DF:CD:ED:BF:DF.
  • 10.80.80.22 – which is at BE:BC:AE:CF:ED:FC – then crafts a packet and sets the destination IP address as 10.80.80.5 and the destination MAC address as ED:DF:CD:ED:BF:DF.
  • 10.80.80.22 sends the packet on the wire. Again, switch 2 injects the 802.1q payload. Switch 1 receives the packet and inspects the frame. It notes that the destination MAC is in its table and that both hosts are in the same VLAN, and forwards the packet to ED:DF:CD:ED:BF:DF.

172.16.1.10 to 192.168.1.10

  • They are both on different subnets. This is going to require a router.
  • 172.16.1.10 knows the destination is on a different route. It prepares a packet with the destination address as 192.168.1.10 and the destination MAC address as the default gateway.
  • Switch 2 receives the packet and inspects the destination MAC address. It is not in its CAM table. It sends the packet up the trunk. Switch 1 receives the packet and checks its CAM table. The destination MAC is in the CAM table on the trunk port. It forwards the packet to the router.
  • The router receives the packet and checks the destination address – 192.168.1.10. It checks its ARP table and routing table. 192.168.1.10 is at DE:BE:CB:CE:AB:CD and is on sub-interface igb1.123. The router injects the 802.1q payload into the layer 2 headers and sends the packet back down the trunk to switch 1.
  • Switch 1 receives the packet. It inspects the layer 2 headers and notes the destination MAC address of DE:BE:CB:CE:AB:CD. That is in the CAM table on VLAN 123. It forwards the packet on to its destination.

Deeper Dive on the Subject

Configuring 802.1q VLANs | 0xBEN | Notes

Wrapping Up

I hope this has made it easier to understand the concept of VLANs and how the 802.1q protocol can be used to segment devices into smaller LANs. There is much more to explore on this topic, and networking in general.
