Just some personal notes on VLANs…
First, refreshing my memory on the basics…
- “Hubs & Repeaters” Hubs=repeaters. Operate at OSI Layer 1 (Physical Layer). “Switches create separate collision domains but not broadcast domains. Routers create separate broadcast and collision domains. Hubs are too simple to do either, can’t create separate collision or broadcast domain.”
- “Switches & Bridges” Operate at OSI Layer 2 (Data Link Layer). Spanning-Tree Protocol (STP) for loop avoidance. Switches are hardware based while bridges are software based.
VLANs operate at Layer 2 (the data link layer) of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer). In the context of VLANs, the term “trunk” denotes a network link carrying multiple VLANs, which are identified by labels (or “tags”) inserted into their packets. Such trunks must run between “tagged ports” of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term ‘trunk’ is also used for what Cisco calls “channels”: Link Aggregation or Port Trunking). A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs.
A basic switch not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members. The default VLAN typically has an ID of 1. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting each group using a distinct switch for each group.
It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and these ports must be tagged.
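To make the two quoted paragraphs concrete (what the tag on a trunk looks like, and why the uplink port has to be a tagged member of every VLAN that spans both switches), here is a small Python model I added; it is not from any of the quoted sources and does not describe any real switch's firmware. It builds and parses 802.1Q-tagged Ethernet frames, then floods a broadcast across two toy switches joined by a tagged uplink. The switch names, port names, VLAN IDs and MAC addresses are made up for the demo.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; if vid is given, a 4-byte 802.1Q tag goes right after the source MAC."""
    frame = _mac(dst) + _mac(src)
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Split a frame into dst, src, vid/pcp (None when untagged), ethertype and payload."""
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}

def add_tag(frame, vid):
    """Insert a tag (PCP 0) into an untagged frame, as a switch does on a tagged egress port."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def strip_tag(frame):
    """Remove the tag, as a switch does on an untagged (access) egress port."""
    return frame[:12] + frame[16:]

class Switch:
    """Toy VLAN-aware switch: each port has one untagged VLAN (PVID) and a set of tagged VLANs."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports  # {port: {"pvid": int or None, "tagged": set of VIDs}}
        self.links = {}     # port -> (peer switch, peer port) for switch-to-switch uplinks

    def connect(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def receive(self, in_port, frame):
        """Classify the frame into a VLAN and flood it to that VLAN's other member ports.
        Returns (switch, port, vid-as-seen-on-the-wire) for every host port reached."""
        parsed, cfg = parse_frame(frame), self.ports[in_port]
        if parsed["vid"] is None:
            vid = cfg["pvid"]                 # untagged frame belongs to the port's native VLAN
            if vid is None:
                return []                     # pure trunk port: untagged frames are dropped
            untagged = frame
        else:
            vid = parsed["vid"]
            if vid not in cfg["tagged"]:
                return []                     # VLAN not configured on this port: dropped
            untagged = strip_tag(frame)
        delivered = []
        for port, pc in self.ports.items():
            if port == in_port:
                continue
            if pc["pvid"] == vid:
                out = untagged                # access port: leave the frame untagged
            elif vid in pc["tagged"]:
                out = add_tag(untagged, vid)  # trunk port: tag it so the peer knows the VLAN
            else:
                continue                      # port is not in this VLAN at all
            if port in self.links:
                peer, peer_port = self.links[port]
                delivered += peer.receive(peer_port, out)
            else:
                delivered.append((self.name, port, parse_frame(out)["vid"]))
        return delivered

def _ports():
    return {"p1": {"pvid": 10, "tagged": set()},
            "p2": {"pvid": 20, "tagged": set()},
            "up": {"pvid": None, "tagged": {10, 20}}}

def make_topology():
    """Constructed demo: two switches, VLAN 10 and 20 access ports, one uplink tagged for both."""
    a, b = Switch("A", _ports()), Switch("B", _ports())
    a.connect("up", b, "up")
    return a, b

def demo():
    a, _ = make_topology()
    # A broadcast (ARP EtherType, dummy payload) from a host on VLAN 10 of switch A
    bcast = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00" * 28)
    return sorted(a.receive("p1", bcast))   # only B's VLAN 10 host port sees it, untagged

if __name__ == "__main__":
    print(demo())
```

If you take VLAN 10 out of the uplink's tagged set on either switch, `demo()` returns an empty list: the frame is either never tagged onto the link or dropped on arrival, which is the "every VLAN containing such ports must also contain the uplink port" rule from the quote.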
The second paragraph answers the question I had earlier: why does my wifi router WZR-HP-AG300H have one VLAN even when I turn off its VLAN functionality?
It also touches on a practical consideration when managing VLANs, which I learned the hard way: it’s critical to keep a way to access your router even when the changes you are about to apply do not have the intended consequences.
Management of the switch requires that the administrative functions be associated with one or more of the configured VLANs. If the default VLAN were deleted or renumbered without first moving the management connection to a different VLAN, it is possible for the administrator to be locked out of the switch configuration, normally requiring physical access to the switch to regain management by either a forced clearing of the device configuration (possibly to the factory default), or by connecting through a console port or similar means of direct management.
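The lockout scenario in that paragraph is easy to turn into a dry-run check, so here is one I added (not from the quoted source, and not tied to any real switch's configuration format). It models the switch as a map of VLAN ID to member ports plus the VLAN and port the management session uses, applies a list of changes one at a time on a copy (the way you would type them into an interactive session), and stops at the first step after which the management VLAN no longer exists or no longer contains the port the admin is connected through. VLAN IDs, port names and the change tuples are made up for the demo.

```python
import copy

def apply_change(vlans, mgmt, change):
    """Apply one configuration step in place.
    vlans: {vid: set of member ports}; mgmt: {"vlan": vid, "port": port the admin session enters on}."""
    kind = change[0]
    if kind == "delete":                      # ("delete", vid)
        vlans.pop(change[1], None)
    elif kind == "renumber":                  # ("renumber", old_vid, new_vid)
        old, new = change[1], change[2]
        if old in vlans:
            vlans[new] = vlans.pop(old)
    elif kind == "remove_port":               # ("remove_port", vid, port)
        vlans.get(change[1], set()).discard(change[2])
    elif kind == "move_mgmt":                 # ("move_mgmt", vid): rebind the management interface
        mgmt["vlan"] = change[1]
    else:
        raise ValueError(f"unknown change {kind!r}")

def lockout_risks(vlans, mgmt):
    """Reasons the admin session would lose the management interface in this state ([] if none)."""
    vid, port = mgmt["vlan"], mgmt["port"]
    if vid not in vlans:
        return [f"management VLAN {vid} does not exist"]
    if port not in vlans[vid]:
        return [f"port {port} (where the admin session enters) is not in management VLAN {vid}"]
    return []

def preflight(vlans, mgmt, changes):
    """Dry-run the changes in order on a copy; return the first lockout problem found, [] if none."""
    v, m = copy.deepcopy(vlans), dict(mgmt)
    for step, change in enumerate(changes, 1):
        apply_change(v, m, change)
        problems = lockout_risks(v, m)
        if problems:
            return [f"step {step} {change}: {p}" for p in problems]
    return []

# Constructed sample: default VLAN 1 holds every port and carries management,
# and the admin is connected through the uplink port "up".
SAMPLE_VLANS = {1: {"p1", "p2", "p3", "up"}, 10: {"p3", "up"}}
SAMPLE_MGMT = {"vlan": 1, "port": "up"}

if __name__ == "__main__":
    # Deleting the default VLAN first locks you out; moving management first is fine.
    print(preflight(SAMPLE_VLANS, SAMPLE_MGMT, [("delete", 1)]))
    print(preflight(SAMPLE_VLANS, SAMPLE_MGMT, [("move_mgmt", 10), ("delete", 1)]))
```

The same two changes in the opposite order are the difference between a clean migration and a trip to the console port, which is why the check looks at the state after every step rather than only at the final result.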