Understanding VLANs

 

Each VLAN is a collection of network nodes that are grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the LAN as a whole.

On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important; therefore, you can group network devices in any way that makes sense for your organization, such as by department or business function, by types of network nodes, or even by physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation.

To identify which VLAN traffic belongs to, every frame on an Ethernet VLAN carries a tag, as defined in the IEEE 802.1Q standard. In other words, the frames are encapsulated with 802.1Q tags.

For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag. When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know to which VLAN a frame belongs. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them.
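The following added example (not Juniper code) shows how a receiving node reads the 802.1Q tag described above: the tag sits after the two MAC addresses and carries a 12-bit VLAN ID, a 3-bit priority, and a 1-bit drop-eligible flag. The function names and the sample frame are constructed for illustration; the reserved range 3968 to 4094 is taken from the note at the end of this page and applies to Ethernet switching interfaces on the SRX devices listed there.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
# Assumption from this page's note: reserved on SRX Ethernet switching interfaces.
RESERVED_SWITCHING = range(3968, 4095)  # 3968 through 4094


def parse_vlan_tag(frame: bytes):
    """Return (vid, pcp, dei, inner_ethertype), or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # bytes 12-13 follow dst + src MAC
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner


def classify_vid(vid: int, ethernet_switching: bool = True) -> str:
    """Say whether a VLAN ID seen on the wire could be a configured VLAN."""
    if vid == 0:
        return "priority-tagged (no VLAN)"
    if vid == 4095:
        return "reserved by 802.1Q"
    if ethernet_switching and vid in RESERVED_SWITCHING:
        return "reserved on Ethernet switching interfaces"
    return "configurable"


def build_frame(vid: int, pcp: int = 0, tagged: bool = True) -> bytes:
    """Constructed sample frame: made-up MACs, IPv4 EtherType, no payload."""
    macs = bytes.fromhex("020000000001 020000000002")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) if tagged else b""
    return macs + tag + struct.pack("!H", 0x0800)


if __name__ == "__main__":
    for vid in (100, 3967, 4000):
        parsed = parse_vlan_tag(build_frame(vid, pcp=5))
        print(parsed, "->", classify_vid(parsed[0]))
    print(parse_vlan_tag(build_frame(1, tagged=False)))  # untagged frame
```
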

For VLAN configuration details, see Table 1.

Table 1: VLAN Configuration Details

| Field | Function | Action |
|---|---|---|
| General | | |
| VLAN Name | Specifies a unique name for the VLAN. | Enter a name. Note: VLAN text field is disabled when VLAN tagging is not enabled. |
| VLAN ID/Range | Specifies the identifier or range for the VLAN. | Select one: • VLAN ID—Type a unique identification number from 1 through 4094. If no value is specified, it defaults to 1. • VLAN Range—Type a number range to create VLANs with IDs corresponding to the range. For example, the range 2–3 will create two VLANs with the ID 2 and 3. |
| Description | Describes the VLAN. | Enter a brief description for the VLAN. |
| Input Filter | Specifies the VLAN firewall filter that is applied to incoming packets. | To apply an input firewall filter, select the firewall filter from the list. |
| Output Filter | Specifies the VLAN firewall filter that is applied to outgoing packets. | To apply an output firewall filter, select the firewall filter from the list. |
| Ports | | |
| Ports | Specifies the ports to be associated with this VLAN for data traffic. You can also remove the port association. | Click one: • Add—Select the ports from the available list. • Remove—Select the port that you do not want associated with the VLAN. |
| IP Address | | |
| Layer 3 Information | Specifies IP address options for the VLAN. | Select to enable the IP address options. |
| IP Address | Specifies the IP address of the VLAN. | Enter the IP address. |
| Subnet Mask | Specifies the range of logical addresses within the address space that is assigned to an organization. | Enter the address, for example, 203.0.113.0. You can also specify the address prefix. |
| Input Filter | Specifies the VLAN interface firewall filter that is applied to incoming packets. | To apply an input firewall filter to an interface, select the firewall filter from the list. |
| Output Filter | Specifies the VLAN interface firewall filter that is applied to outgoing packets. | To apply an output firewall filter to an interface, select the firewall filter from the list. |
| ARP/MAC Details | Specifies the details for configuring the static IP address and MAC. | Click the ARP/MAC Details button. Enter the static IP address and MAC address in the window that is displayed. |
| VoIP | | |
| Ports | Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association. | Click one: • Add—Select the ports from the available list. • Remove—Select the port that you do not want associated with the VLAN. |

Note

On SRX100 devices, dynamic VLAN assignments and guest VLANs are not supported.

On SRX240, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX650 devices, the VLAN range is 1 to 4094 on inet interfaces and 1 to 3967 on Ethernet switching interfaces. On Ethernet switching interfaces, the VLAN range from 3968 to 4094 falls under the reserved VLAN address range, and the user is not allowed to configure VLANs in this range.