93

I have read numerous forums and articles regarding VLANs and subnets.
However, I haven't understood the functions of each apart from the following:

  1. Subnets allow the segmentation of a network
  2. VLANs are an isolated portion of a network

Questions

  1. If I have multiple subnets I assume that you would need a router to communicate between each subnet. Only devices within each subnet would be in the local broadcast domain for that subnet. Is that right?

  2. Do I need a subnet to set up a VLAN?

  3. I am aware that a VLAN can exist within a subnet. But my understanding is that you would have to assign an IP address of that subnet to the VLAN. How can it be isolated from the rest of the subnet?

  4. When would you set up a VLAN? Especially if I am able to segment my network using subnets?

  5. I keep coming across the following point. However, I am unsure what this exactly means when it reads "same physical network".

    Virtual local area networks (VLANs) allow us to create different logical and physical networks; whereas IP subnetting simply allows us to create logical networks through the same physical network.

Would appreciate real-world examples.

5 Answers

78

Subnet - a range of IP addresses determined by part of an address (often called the network address) and a subnet mask (netmask). For example, if the netmask is 255.255.255.0 (or /24 for short), and the network address is 192.168.10.0, then that defines a range of IP addresses 192.168.10.0 through 192.168.10.255. Shorthand for writing that is 192.168.10.0/24.

VLAN - A good way to think of this is "switch partitioning." Let's say you have an 8 port switch that is VLAN-able. You can assign 4 ports to one VLAN (say VLAN 1) and 4 ports to another VLAN (say VLAN 2). VLAN 1 won't see any of VLAN 2's traffic and vice versa; logically, you now have two separate switches. Normally on a switch, if the switch hasn't seen a MAC address it will "flood" the traffic to all other ports. VLANs prevent this.

If two computers are going to talk using TCP/IP, then one of two conditions must be met:

  • They must belong to the same subnet. This means the network address must be the same and the netmask must be equal or smaller. So, a computer with an interface with an IP address of 192.168.10.4/24 can talk to a computer with an interface with an IP address of 192.168.10.8/24 with no issues, provided they are both connected to the same physical switch or VLAN. If the second computer's interface connected to that same physical switch or VLAN was 192.168.11.8/24, it would ignore the traffic (unless the interface was in promiscuous mode).

  • A router needs to exist between both computers that can forward traffic between subnets. Computer A and computer B need a route (or default gateway) to this router. Let's say a computer with an interface with an IP address of 192.168.10.4/24 wants to talk to a computer with an interface with an IP address of 192.168.20.4/24. Different subnets, so we must go through a router. Let's say there's a router with two interfaces (routers by definition have two interfaces), one on 192.168.10.254/24 and 192.168.20.254/24. If the route table or DHCP is set up correctly and both computer A and B can reach the router's interfaces on their respective subnets, then they can talk to each other indirectly via the router.

Forcing traffic to go through a router, even though it's not needed such as on our 8-port switch above, has security and performance benefits - it gives you an opportunity to filter traffic, an opportunity to optimally route traffic based on type, and routers do not forward broadcast traffic (unless unusually configured). VLANs are sometimes used as a "hack" to manage flows/visibility of IPv4 broadcast traffic.

Edit to answer some of your questions:

  • Conceptually VLANs are equivalent to switches. What comes in 1 port of a VLAN is replicated ("flooded") to all other ports unless the VLAN has seen/learned the MAC address before, then it is directed to that port. There is no gateway to the VLAN proper. A "gateway" always means the IP address of a router.

  • For VLAN 1 to talk to VLAN 2, an interface in VLAN 1 must be connected to a router, an interface in VLAN 2 must be connected to a router, and that router must be configured to forward traffic between those subnets. In our 8 port example above, if we wanted to route traffic between those VLANs, we'd have to spend 1 port on each VLAN connecting to a router. Same with a switch.

I'm sure many high-end switches/hardware have a "VLAN router" "built-in" to them where spending an extra port within each VLAN connecting it to a physical router really isn't necessary if you want to route between VLANs in the same switch. This might be where the VLAN IP or "gateway" comes into play. (I invite those more knowledgeable to edit this)

Update: On Cisco switches, there's a feature called SVI or "Switched Virtual Interfaces" which basically act as the router between VLANs.

  • When a computer gets its IP via DHCP, it also usually gets the "default gateway" from that same DHCP server. Someone has to configure the DHCP server correctly. Routing protocols such as RIP, IS-IS, OSPF, and BGP can also add routes. Of course you have the option of adding routes manually ("static" routes).

  • If your switch has a serial port or port labeled "console" it's likely managed and supports VLANs.

LawrenceC
  • 75,182
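The two conditions LawrenceC lists (same subnet, or a router that both hosts can reach and that has a leg in each subnet) can be checked mechanically. The following is an added example written for this page, not code from the answer; it uses Python's standard `ipaddress` module and assumes the constructed topology in `ROUTER_INTERFACES` (the answer's two /24 subnets with a router at .254 in each). It also covers the misconfiguration the answer alludes to when it says DHCP "has to be configured correctly": a default gateway that is not on the host's own subnet is unusable, because the host cannot ARP for it.

```python
import ipaddress
from typing import Optional

# Constructed topology for this example (not the answer's own figures): a router
# with one interface in each of the two subnets the answer uses.
ROUTER_INTERFACES = ["192.168.10.254/24", "192.168.20.254/24"]


def same_subnet(a_iface: str, b_iface: str) -> bool:
    """True when two interfaces in CIDR notation fall in the same IP network."""
    return ipaddress.ip_interface(a_iface).network == ipaddress.ip_interface(b_iface).network


def host_next_hop(src_iface: str, dst_ip: str, default_gateway: Optional[str]) -> Optional[str]:
    """What a host does with a packet for dst_ip, judged by the host's own mask.

    Returns "direct" (destination is on-link, the host ARPs for it), the gateway
    address (the host hands the packet to its router), or None when the host has
    no usable way to send it.
    """
    src = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_address(dst_ip)
    if dst in src.network:
        return "direct"
    if default_gateway is None:
        return None  # off-subnet destination and no default route
    gw = ipaddress.ip_address(default_gateway)
    if gw not in src.network:
        return None  # gateway is not on-link, so the host cannot even ARP for it
    return str(gw)


def router_forwards(router_ifaces, dst_ip: str) -> bool:
    """A router with only connected routes forwards to the subnets it has an interface in."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_interface(i).network for i in router_ifaces)


def can_communicate(a_iface: str, b_iface: str, a_gw: Optional[str], b_gw: Optional[str],
                    router_ifaces=ROUTER_INTERFACES) -> bool:
    """The answer's two conditions: same subnet, or a router both hosts can reach
    that has an interface on the other host's subnet. Checked in both directions,
    because the reply has to find its way back as well."""
    if same_subnet(a_iface, b_iface):
        return True
    router_ips = {str(ipaddress.ip_interface(i).ip) for i in router_ifaces}
    for src, dst, gw in ((a_iface, b_iface, a_gw), (b_iface, a_iface, b_gw)):
        dst_ip = str(ipaddress.ip_interface(dst).ip)
        hop = host_next_hop(src, dst_ip, gw)
        if hop is None:
            return False
        if hop == "direct":
            continue  # mask mismatch: this side believes the peer is on-link
        if hop not in router_ips or not router_forwards(router_ifaces, dst_ip):
            return False
    return True


if __name__ == "__main__":
    print(host_next_hop("192.168.10.4/24", "192.168.20.4", "192.168.10.254"))  # 192.168.10.254
    print(can_communicate("192.168.10.4/24", "192.168.20.4/24", "192.168.10.254", "192.168.20.254"))  # True
```

Note that `can_communicate` deliberately checks each direction separately: a host whose gateway is missing or off-subnet can receive packets from the router yet never answer them, which shows up in practice as one-way reachability rather than a clean failure.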
20

I found the other explanations complicated.

  • VLAN lets you tag all network packets with a magic number (e.g. 3).
  • Only other network cards set to 3 will see those packets.

Set a bunch of computers to VLAN 3 and they'll be in their own little isolated world; they won't see any other traffic.

Suddenly you can have multiple LANs operating on the same wires (i.e. virtual LANs). You can even have two computers with the same IP, since they have different VLAN tags (e.g. 3 versus 7).


Setting a VLAN ID is done by configuring the network card driver:

[screenshot: VLAN ID setting in the network card driver's properties dialog]

Your mileage will vary with your network card and its drivers.

Gareth
  • 19,080
Ian Boyd
  • 23,066
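What "tagging with a magic number" means on the wire is an IEEE 802.1Q header inserted after the source MAC. The following is an added example, not part of Gareth's or Ian Boyd's answer: it builds and parses a tagged Ethernet frame and models a switch that learns and floods per VLAN, so a broadcast tagged 3 never reaches a port that carries only VLAN 7, and the IP addresses inside the payload are never looked at (which is why two hosts can share an IP across VLANs). The MAC addresses, port numbers and the `VlanSwitch` class are constructed for the example; the switch also drops untagged frames and frames whose tag the ingress port has not been assigned, the ingress filtering that keeps a port confined to its own VLANs.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tagged_frame(dst: str, src: str, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Ethernet II frame with an 802.1Q tag between the source MAC and the EtherType.
    The 16-bit TCI holds PCP (3 bits), DEI (1 bit) and the 12-bit VLAN ID;
    VIDs 0 and 4095 are reserved, which leaves 4094 usable VLANs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vid
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


class VlanSwitch:
    """A learning switch whose forwarding table is keyed by (VLAN, MAC), so a frame
    tagged 3 is only ever flooded to ports that carry VLAN 3. Untagged frames and
    frames tagged with a VLAN the ingress port does not carry are dropped."""

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans  # port number -> set of VLAN IDs allowed on it
        self.fdb = {}  # (vid, mac) -> port the MAC was last seen on

    def receive(self, in_port: int, frame: bytes) -> dict:
        """Return {port: frame} for every port the frame is delivered to."""
        f = parse_frame(frame)
        vid = f["vid"]
        if vid is None or vid not in self.port_vlans[in_port]:
            return {}  # ingress filtering: not a VLAN this port is allowed to carry
        self.fdb[(vid, f["src"])] = in_port
        known = self.fdb.get((vid, f["dst"]))
        if known is not None and known != in_port:
            return {known: frame}  # learned destination: forward to that port only
        # unknown or broadcast destination: flood, but only within the same VLAN
        return {p: frame for p, vlans in self.port_vlans.items() if vid in vlans and p != in_port}
```

In the model, ports 1 and 2 carrying only VLAN 3 and port 3 carrying only VLAN 7 behave exactly like two unconnected switches; a port that carries both (a trunk) is the only place the two worlds share a wire, and even there the tag keeps them apart.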
8

The simplistic explanation is that VLANs exist to allow different subnets to share physical cabling, ports, and switching. You could have distinct subnets on your network without vlans, but you'd have to have a different set of wires for each.

Joel Coehoorn
  • 28,637
4

1. If I have multiple subnets I assume that you would need a router to communicate between each subnet.

Yes, you need a router to move packets between subnets.

Only devices within each subnet would be in the local broadcast domain for that subnet. Is that right?

Yes, a subnet is a broadcast domain.

2. Do I need a subnet to setup a VLAN?

Yes.

3. I am aware that a VLAN can exist within a subnet but my understanding is that you would have to assign the VLAN an IP address of that subnet.

No, as I understand it, VLANs are defined in the switches and isolate the traffic of each VLAN.

How can it be isolated from the rest of the subnet?

A VLAN is a subnet.

4. When would you set up a VLAN especially if I am able to segment my network using subnets?

When you need to segregate traffic into two or more groups without separating the physical infrastructure (chiefly switches) into two or more physical groups.

5. I keep coming across the point that Virtual local area networks (VLANs) allow us to create different logical and physical networks; whereas IP subnetting simply allows us to create logical networks through the same physical network. However, I am unsure what this exactly means when it reads "same physical network".

A physical LAN is comprised mostly of switches and cables arranged (in the case of Ethernet) into a single tree structure.

Normally a LAN is a single subnet. An organisation might have several LANs linked by routers.

A single physical LAN can be split into several logical LANs (VLANs) using VLAN support in the switches. Each VLAN then has a separate subnet. A router is therefore needed to move packets between the logical LANs (VLANs).


Update: some answers to follow up questions in comments.

if I wanted devices on 2 separate VLANs to communicate that a router is not needed as I can use trunking.

Here are some quotes from http://www.formortals.com/an-introduction-to-vlan-trunking/

"VLAN trunking allows a single network adapter to behave as “n” number of virtual network adapters, where “n” has a theoretical upper limit of 4096 but is typically limited to 1000 VLAN network segments."

"Routers can become infinitely more useful once they are trunked in to the enterprise switch infrastructure. Once trunked, they become omnipresent and can provide routing services to any subnet in any corner of the enterprise network."

So you still need a router but, with VLAN trunking, it can be a one-armed router (router on a stick). High end switches include routing capabilities, so you may not need a separate router because your high-end switch is also a layer 3 router.

When you say that I need a subnet to setup a VLAN what do you mean exactly?

VLANs are a layer 2 concept, just as Ethernet switches are layer 2 devices. VLANs can make a couple of switches do jobs where you might otherwise need half a dozen switches in isolated groups. However your nodes (computers, printers, etc) typically use layer-3 addressing (IP).

For nodes in one VLAN (N for Network) to communicate with nodes in another VLAN (N for Network) you need an InterNetwork Protocol (in other words IP). In IP to move packets between Networks we need each Network to have a different layer-3 network address.

This is where sub-netting comes in - dividing an organisation's allocated layer-3 network address range into sub-networks by using subnet masks. Then you can use a router to allow devices in one subnet (in one VLAN) to communicate with devices in another subnet (in another VLAN).
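The last three paragraphs describe, in order, carving an allocated layer-3 range into per-VLAN sub-networks, the one-armed router with a sub-interface per VLAN, and the filtering opportunity a router gives you once traffic has to pass through it. The following added example (written for this page, not taken from the answer or the linked article) puts the three together in Python with the standard `ipaddress` module. The 10.20.0.0/22 allocation, the VLAN numbers, the convention that the gateway is the first usable address of each subnet, and the `allowed` list of VLAN pairs are all assumptions of the example.

```python
import ipaddress
from typing import Dict, Iterable, Set, Tuple


def carve_subnets(allocation: str, vlan_ids: Iterable[int], new_prefix: int) -> Dict[int, ipaddress.IPv4Network]:
    """Divide an organisation's allocated range into equal sub-networks, one per VLAN."""
    vlan_ids = list(vlan_ids)
    pieces = list(ipaddress.ip_network(allocation).subnets(new_prefix=new_prefix))
    if len(vlan_ids) > len(pieces):
        raise ValueError(f"{allocation} only yields {len(pieces)} /{new_prefix} subnets")
    return dict(zip(vlan_ids, pieces))


class OneArmedRouter:
    """Router on a stick: a single trunk port carrying every VLAN, with one
    sub-interface per VLAN holding that subnet's gateway address.

    Assumptions for this example: the gateway is the first usable address of each
    subnet, the router knows only its connected subnets (no default route), and
    only the (ingress VLAN, egress VLAN) pairs listed in `allowed` may exchange
    traffic. The policy is stateless, so a reply direction must be listed too."""

    def __init__(self, vlan_subnets: Dict[int, ipaddress.IPv4Network], allowed: Set[Tuple[int, int]]):
        self.vlan_subnets = vlan_subnets
        self.allowed = allowed
        self.subif = {vid: ipaddress.ip_interface(f"{net[1]}/{net.prefixlen}")
                      for vid, net in vlan_subnets.items()}

    def route(self, in_vid: int, src_ip: str, dst_ip: str) -> Tuple[str, object]:
        """Handle an IP packet that arrived on the trunk tagged with in_vid.

        Returns ("forward", out_vid) when the packet is re-tagged for the
        destination VLAN and sent back out of the same trunk port, or
        ("drop", reason) otherwise."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        in_net = self.vlan_subnets.get(in_vid)
        if in_net is None:
            return ("drop", "no sub-interface for that VLAN")
        if src not in in_net:
            # anti-spoofing: a source address must belong to the VLAN it arrived on
            return ("drop", "source address does not belong to the ingress VLAN's subnet")
        if dst in in_net:
            return ("drop", "same subnet: hosts in one VLAN talk directly, not via the router")
        out_vid = next((vid for vid, net in self.vlan_subnets.items() if dst in net), None)
        if out_vid is None:
            return ("drop", "no route (this router only knows its connected subnets)")
        if (in_vid, out_vid) not in self.allowed:
            return ("drop", f"VLAN {in_vid} -> VLAN {out_vid} not permitted by policy")
        return ("forward", out_vid)


if __name__ == "__main__":
    # constructed layout: 10 users, 20 servers, 30 printers, 40 guests
    subnets = carve_subnets("10.20.0.0/22", [10, 20, 30, 40], 24)
    router = OneArmedRouter(subnets, allowed={(10, 20), (20, 10), (10, 30), (30, 10)})
    print({vid: str(i) for vid, i in router.subif.items()})
    print(router.route(10, "10.20.0.50", "10.20.1.10"))  # ('forward', 20)
    print(router.route(40, "10.20.3.7", "10.20.1.10"))   # ('drop', 'VLAN 40 -> VLAN 20 not permitted by policy')
```

The guest VLAN (40) has no entry in `allowed`, so its hosts can reach nothing beyond their own subnet; that is the "opportunity to filter traffic" the first answer mentions, and it only exists because the subnets are distinct and the router sits on the only path between them.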

2

1. If I have multiple subnets I assume that you would need a router to communicate between each subnet. Only devices within each subnet would be in the local broadcast domain for that subnet. Is that right?

IP Networks (subnets) are a layer 3 concept. If two PCs are attached to the same L2 switch without VLANs they will be in the same L2 broadcast domain, but not L3 broadcast domain.

2. Do I need a subnet to setup a VLAN?

No. However, if you want devices in a VLAN to communicate with one another they will likely need some L3 protocol.

3. I am aware that a VLAN can exist within a subnet but my understanding is that you would have to assign the VLAN an IP address of that subnet. How can it be isolated from the rest of the subnet?

Not clear what you are asking.

4. When would you set up a VLAN especially if I am able to segment my network using subnets?

VLANs are simply a way of making a L2 device appear to be multiple L2 devices.

5. I keep coming across the point that Virtual local area networks (VLANs) allow us to create different logical and physical networks; whereas IP subnetting simply allows us to create logical networks through the same physical network. However, I am unsure what this exactly means when it reads "same physical network".

dbasnett
  • 459