Thu, 13 Apr 2006

Permalink 11:43:06 am, Categories: Hacking, Posted by: Pete

virtual lans

Upon installing a FW developer machine in a vlan (not wlan, notice the simple v) enabled environment, I noticed that the for-now essential vlan package is not on the first CD, and netconfig does not support it. What the heck are vlans, and why are they important?

Vlan is a layer 2 technology in OSI terms (data link layer), a marginal hack on ethernet. Basically it prefixes each ethernet frame leaving a switch with a vlan tag, which is a plain integer, and it also expects incoming frames to be tagged the same way. Under Linux you can use the feature by instructing the kernel, with a CLI tool, to expect this, and by configuring the real interface to have sub-interfaces. There are many naming schemes for generating the virtual sub-interfaces' names; let's see a basic example:

(the only) physical interface: eth0
we have frames tagged for vlans 4, 9 and 11
the resulting sub-ifs: eth0.4 eth0.9 eth0.11

The created sub-interfaces can be given a unique layer 3 configuration (IP address, mask, gateway) as if they were real physical interfaces.
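To make the "plain integer" tag concrete, here is an added example (my own code, not from the original post or from Frugalware): it parses the Ethernet header of a raw frame, pulls the vlan id out of the tag when one is present (assumed to be a standard 802.1Q tag, TPID 0x8100, which the post does not name), and maps the frame to the eth0.N sub-interface that would receive it. The sample frames are constructed inline; no network access is needed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks a tagged frame (assumption: standard 802.1Q)

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header; return MACs, vlan id (None if untagged),
    priority and the real EtherType of the payload.  A tagged frame carries
    a 4-byte tag between the source MAC and the EtherType (header 14 -> 18 bytes)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the TCI field")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13       # 3-bit PCP
        vlan_id = tci & 0x0FFF     # 12-bit VID, the plain integer from the post
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": vlan_id,
            "priority": priority, "ethertype": ethertype, "payload": frame[offset:]}

def subinterface(phys: str, vlan_id) -> str:
    """eth0.N naming scheme from the post; untagged frames (what an 'access'
    port delivers) stay on the physical interface itself."""
    return phys if vlan_id is None else f"{phys}.{vlan_id}"

def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build a constructed sample frame, inserting a tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples: an ARP request tagged for vlan 9, and an untagged copy.
BCAST = b"\xff" * 6
HOST = bytes.fromhex("001122334455")
ARP = 0x0806
tagged = build_frame(BCAST, HOST, ARP, b"\x00" * 28, vlan_id=9)
untagged = build_frame(BCAST, HOST, ARP, b"\x00" * 28)

if __name__ == "__main__":
    for f in (tagged, untagged):
        p = parse_frame(f)
        print(subinterface("eth0", p["vlan_id"]), hex(p["ethertype"]))
```

A host that only expects untagged frames on eth0 sees the tagged copy with EtherType 0x8100 rather than ARP, which is exactly the case the vlan kernel support and its CLI tool exist to handle.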

What are the advantages? Well, you can take a 200-port switch, put the first 100 ports and the remaining ones into different vlans and pretend you have two 100-port switches, segmenting broadcast traffic, providing security (there is no inter-vlan communication*), and maybe using different gateways with different firewall policies.

Well, so far the vlan package is not needed, because untagged frames leave on all ports; only the switch knows internally which ports belong to which vlan and passes traffic according to that setup. Such ports are configured in "access" mode, in Cisco's terminology.

But let's say we want to serve the two layer 2 partitions with the same firewall: either we need 3 NICs (one for each vlan, and one for the uplink), or we configure the switch to pass us the traffic of both vlans on the same wire, so 2 interfaces are enough. Considering that a desktop PC can easily be upgraded with about 5-6 NICs, this does not seem like a big leap forward, but consider enterprise equipment (like entry level 1U boxes) with limited or no expansion room for extra NICs and ten or more vlans, and I bet you get the point :)

* Inter-vlan communication is only possible with a router (or a switch with layer 3 capabilities, a.k.a. a layer 3 switch) routing L3 (IP, IPX, AppleTalk) packets. Using various tunneling technologies, ethernet frame level communication can be established, too.

* The situation above is fictitious; it was created to provide a simple vlan primer and may have design issues, therefore it is not recommended (without thinking it over) in a real-life situation.
