The International Conference Centre – A Basic Guide to 802.1Q VLANs
Imagine a large conference centre that sits exactly on the border between America and Mexico. The centre welcomes visitors from both countries but due to all the issues surrounding the border, strict security measures have been introduced to limit the access of people moving around the building.
When a visitor approaches any entrance to the conference centre they have to queue up for an id badge. Visitors cannot pass through the entrance without receiving an id badge and it is securely fastened to them in such a way they cannot take it off while in the centre. Once they have their badge, visitors are allowed to continue on into the conference centre.
All of the entrances to the International Conference Centre on the American side are colour coded blue and visitors are allocated blue id badges. When an American visitor from inside the conference centre wants to leave, they approach any blue entrance and security removes their blue id badge and directs them back outside. Only visitors with a blue badge may leave through a blue entrance.
On the Mexican side, the entrances are green and work in exactly the same way. Mexican visitors are given green id badges which are returned to security when they leave (through a green entrance). Mexicans may not leave through the blue entrances and Americans may not leave through the green entrances.
All visitors are allowed to freely move around the conference centre but some doorways are blocked by checkpoints which require visitors to show their badge. A few of the checkpoints are also restricted to only allow passage to either American or Mexican visitors.
Just like entrances, checkpoints are colour coded either blue, green (or both blue and green). When visitors arrive at a checkpoint they show their id badge and so long as it matches one of the signs they are allowed to pass through.
It is important to note that visitors do not receive (or return) an id badge when passing through a checkpoint.
If a visitor doesn’t have an id badge (for whatever reason) then they cannot pass through a checkpoint unless it’s marked specifically to allow visitors with no badge. We could use a white colour to denote this, it’s not important right now but take a mental note because we will come back to it later on.
Some Further Examples
So far we have only concerned ourselves with entrances which are colour coded to a single colour but like checkpoints it is possible for these to use multiple colours. To make things even more confusing, it is also possible to mix and match both checkpoints and entrances on the same door!
Let’s look at some examples to understand how this works:
Example 1: The American Embassy
On the Mexican side there is a special door labelled “American Embassy”. The door has three coloured signs:
- A green sign marked “E” for entrance
- A blue sign marked “C” for checkpoint
- A second green sign marked “A” for allocate
For Mexicans, this door works pretty much the same as any other entrance from Mexico. They turn up, are given a green badge and then move into the conference centre. Mexicans leaving through this door return their green badge to security on the way out.
However, Americans can also exit through this door in order to visit the American Embassy building, which is located in Mexico. This door is treated as a checkpoint for Americans, so they keep their badges and can use the same checkpoint to pass back in again when they return to the conference centre.
The green allocate sign with an “A” isn’t so important for this door but it reminds security staff that visitors should always be given a green badge (if they don’t have one). We will see how this becomes more important in the next example.
Example 2: The Migration Exit
There is another special door on the Mexican side labelled “Migrate to Mexico!”. This door was an initiative by the Mexican government to entice Americans to move to Mexico and it has caused a few complications for the conference centre security team. It also has three coloured signs:
- A green sign marked “E” for entrance
- A blue sign marked “E” for entrance
- A second green sign marked “A” for allocate
Like the “American Embassy” door, both Americans and Mexicans can leave through this door and head off into Mexico. However unlike that door, Americans must also give back their id badge when they leave. Welcome Americans to your new life in Mexico!
When a visitor enters through this door they are given a green badge as determined by the “A” sign. It doesn’t matter what the visitor looks like or if they have an accent, they are treated the same in the eyes of the security team.
This is bad news for Bob Carter from California who exited through this door looking for the American Embassy. Bob was allowed to re-enter the conference centre but he now has a green badge and will be unable to exit back into America through a blue entrance.
Note that if we changed the allocate sign to be blue then the situation would be flipped and after entering the conference centre, Mexicans would be unable to return back to Mexico.
Example 3: Lost and Found
Inside the conference centre there is another special door labelled “Lost and Found”. This door has two coloured signs:
- A white sign marked “C” for checkpoint
- A second blue sign marked “A” for allocate
This door has been created to help visitors who have either lost their badge or somehow found themselves in the conference centre without a badge.
Neither Mexicans (green badge) nor Americans (blue badge) can pass through this door, but visitors without a badge can: they are allocated a blue id badge and may continue on their way just like any other blue badge wearer.
Example 4: An Entrance is Always an Entrance
There is one quirk with entrances which we’ve not talked about yet but it’s important to know. The security guards are strictly trained not to think and to follow their instructions to the letter no matter what the visitors are doing. These instructions are:
- If a visitor doesn’t have an id badge then they are given one as dictated by the entrance colour / allocate colour.
- If a visitor has a valid badge then they pass through the entrance and that badge is taken from them.
- If a visitor has a badge but it is not valid for the entrance then they are denied access and have to go back (they keep their badge).
The quirk is that the security guards do not care which direction visitors are moving. If a visitor arrives at the conference centre with a badge then it is taken off them and they are shepherded inside without a badge. Similarly if they try to exit through an entrance without a badge then they are given one as they leave.
This can lead to unexpected behaviour when visitors arrive at an entrance with a badge they are not supposed to have or if visitors have their badge removed unexpectedly. To maintain security, the conference centre has to carefully consider each route a visitor may take through the building so situations like this cannot occur.
Example 5: “White” Doors
In the previous section about Checkpoints we briefly mentioned the idea of a white colour coding for visitors without a badge. This requires special consideration because these white doors won’t behave like the other colours:
White checkpoints (“C”) and entrances (“E”) behave exactly the same way and are interchangeable. Visitors without a badge may pass through freely without interruption and no badge is assigned or can be returned. Meanwhile visitors with a badge are turned around and denied access (unless their colour is also specified on the door).
Doors marked with a white allocate (“A”) do not actually assign any badges to visitors that pass through. If a coloured (non-white) entrance (“E”) is also present on the door then white allocate is no longer valid according to the following rules:
- Where only one coloured entrance is specified then that colour is implied and takes precedence.
- For multiple colours, allocate must be specified explicitly (or some other mechanism is required to determine which colour takes priority).
Bringing it back to VLANs
If you have any experience with VLANs then you have probably already joined the dots back to the International Conference Centre. For the uninitiated though let’s break it down:
- A doorway in the conference centre refers to either a physical port on a network device (like a switch or router) or to a logical port or virtual interface (like traffic entering the network from different Wi-Fi networks on a wireless access point).
- A visitor refers to a network packet passing through the network. For the purposes of VLANs it’s important to remember that (just like our security guards) the network equipment only considers each packet based on the “id badge” it’s wearing; it doesn’t care who the packet is, whether it has seen the packet before, or where the packet is going.
- A colour corresponds to a VLAN ID, which is a number we use to identify each VLAN in the network. For example our blue American network might have a VLAN ID of 5 and our green Mexican network a VLAN ID of 64. The number itself doesn’t matter, in the same way that blue or green doesn’t have any significance – it is just an identifier to separate the packets.
- An id badge corresponds to the VLAN Tag, which is a space on every packet where a VLAN ID is stored. The space cannot be empty and must contain a number, so by default this value is set to zero (0), which is the equivalent of no id badge (or “white” in our conference example).
- An entrance is what we call an “Access” port or “Untagged” port in VLAN terminology. These ports are responsible for allocating a VLAN ID to packets moving in and out of the network. It’s important to remember that packets will enter the network without a VLAN Tag and leave the network without a VLAN Tag (though some exceptions apply). If they leave with a tag then this could cause unexpected consequences in other networks further down the chain, and if they arrive with a tag then they might be denied entry or run into problems like we saw in Example 4.
- A checkpoint is what we call a “Trunked” port or “Tagged” port in VLAN terminology. These ports are responsible for directing the flow of packets through the network according to their VLAN ID. A packet shouldn’t leave the network via a trunked port, though it is common for the final physical port to be trunked and for the adding/removing of the VLAN Tags to be performed in the logical network (i.e. in software on a firewall, router, access point, etc.).
- The allocate sign corresponds to the PVID of a port, which is basically the VLAN ID that takes precedence on a particular port where multiple Access/Untagged rules exist. More sophisticated rules can be used for determining which VLAN should take priority for a given packet, but it’s unlikely you will ever encounter this unless dealing with a very complex enterprise network.
- The example of white VLANs refers to the default VLAN ID of zero (0). As previously mentioned, a packet has a space for a VLAN tag and this must always have a value, which by default is zero. The system has to have a way of handling these packets but because zero is the same as empty it does create some unique scenarios which must be accounted for.
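To make the mapping concrete, here is a small added simulation (not code from the original article) of the guards’ rules from Examples 1 to 5, expressed in VLAN terms: “E” signs are the port’s untagged VLANs, “C” signs its tagged VLANs, the “A” sign its PVID, and VLAN ID 0 is “no badge”. The VLAN IDs 5 (blue) and 64 (green) are the constructed values used above; it is a model of the article’s rules, not of any particular switch.

```python
from dataclasses import dataclass

UNTAGGED = 0  # VID 0: "no badge", the "white" colour of the article
BLUE, GREEN = 5, 64  # constructed VLAN IDs for the American and Mexican networks


@dataclass(frozen=True)
class Port:
    """A doorway: 'E' signs -> untagged, 'C' signs -> tagged, 'A' sign -> pvid (0 = none)."""
    untagged: frozenset
    tagged: frozenset
    pvid: int = UNTAGGED

    def effective_pvid(self):
        # Example 5 rules: an explicit allocate wins; a single coloured entrance implies
        # its colour; several coloured entrances with no allocate leave nothing to choose.
        if self.pvid != UNTAGGED:
            return self.pvid
        coloured = self.untagged - {UNTAGGED}
        return next(iter(coloured)) if len(coloured) == 1 else UNTAGGED


def traverse(port, vid):
    """Apply the guards' rules to a frame tagged `vid` crossing `port` in either direction
    (Example 4: direction does not matter). Returns the tag afterwards, or None if denied."""
    if vid == UNTAGGED:
        pvid = port.effective_pvid()
        if pvid != UNTAGGED:
            return pvid  # no badge: allocate one (Examples 1-3)
        if UNTAGGED in port.untagged or UNTAGGED in port.tagged:
            return UNTAGGED  # white door: pass freely, no badge assigned (Example 5)
        return None  # no badge and no way to issue one: denied
    if vid in port.untagged:
        return UNTAGGED  # valid badge at an entrance: badge removed
    if vid in port.tagged:
        return vid  # checkpoint: badge shown and kept
    return None  # wrong colour: denied (frame dropped)


def bob_carter():
    """Example 2: Bob leaves through 'Migrate to Mexico!', re-enters, then tries a blue entrance."""
    migrate = Port(untagged=frozenset({GREEN, BLUE}), tagged=frozenset(), pvid=GREEN)
    american_entrance = Port(untagged=frozenset({BLUE}), tagged=frozenset())
    steps = [BLUE]  # Bob starts inside with a blue badge
    for port in (migrate, migrate, american_entrance):
        steps.append(traverse(port, steps[-1]))
    return steps  # [5, 0, 64, None]: badge taken, green badge issued, blue exit denied
```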
Hopefully this article has helped you to get your head around 802.1Q VLANs. If you have any comments or suggestions for improvement then please leave these below!
Lennox IT are specialists in business IT support and solutions. If you need any help with networking for your business then please don’t hesitate to get in touch.