Understanding VLANs
Each VLAN is a collection of network nodes that are grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important; therefore, you can group network devices in any way that makes sense for your organization, such as by department or business function, by types of network nodes, or even by physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation.
To identify which VLAN the traffic belongs to, every frame on an Ethernet VLAN carries a tag, as defined in the IEEE 802.1Q standard. That is, the frames are encapsulated with 802.1Q tags.
For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag. When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know to which VLAN a frame belongs. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them.
For VLAN configuration details, see Table 1.
Table 1: VLAN Configuration Details
Field | Function | Action |
---|---|---|
General | ||
VLAN Name | Specifies a unique name for the VLAN. | Enter a name. Note: VLAN text field is disabled when VLAN tagging is not enabled. |
VLAN ID/Range | Specifies the identifier or range for the VLAN. | Select one: |
Description | Describes the VLAN. | Enter a brief description for the VLAN. |
Input Filter | Specifies the VLAN firewall filter that is applied to incoming packets. | To apply an input firewall filter, select the firewall filter from the list. |
Output Filter | Specifies the VLAN firewall filter that is applied to outgoing packets. | To apply an output firewall filter, select the firewall filter from the list. |
Ports | ||
Ports | Specifies the ports to be associated with this VLAN for data traffic. You can also remove the port association. | Click one: |
IP Address | ||
Layer 3 Information | Specifies IP address options for the VLAN. | Select to enable the IP address options. |
IP Address | Specifies the IP address of the VLAN. | Enter the IP address. |
Subnet Mask | Specifies the range of logical addresses within the address space that is assigned to an organization. | Enter the address, for example, 203.0.113.0. You can also specify the address prefix. |
Input Filter | Specifies the VLAN interface firewall filter that is applied to incoming packets. | To apply an input firewall filter to an interface, select the firewall filter from the list. |
Output Filter | Specifies the VLAN interface firewall filter that is applied to outgoing packets. | To apply an output firewall filter to an interface, select the firewall filter from the list. |
ARP/MAC Details | Specifies the details for configuring the static IP address and MAC. | Click the ARP/MAC Details button. Enter the static IP address and MAC address in the window that is displayed. |
VoIP | ||
Ports | Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association. | Click one: |
On SRX100 devices, dynamic VLAN assignments and guest VLANs are not supported.
On SRX240, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX650 devices, the VLAN range is 1 through 4094 on inet interfaces and 1 through 3967 on Ethernet switching interfaces. On Ethernet switching interfaces, the VLAN range from 3968 to 4094 falls under the reserved VLAN address range, and the user is not allowed to configure VLANs in this range.
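The following Python sketch is an added example, not Juniper code: it reads the 802.1Q tag described earlier from a raw Ethernet frame and checks the VLAN ID against the ranges stated above for inet and Ethernet switching interfaces. The function names, the interface labels `inet` and `switching`, and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100               # EtherType value that marks an 802.1Q tag
INET_RANGE = range(1, 4095)       # 1-4094 on inet interfaces (from the page)
SWITCHING_RANGE = range(1, 3968)  # 1-3967 on Ethernet switching interfaces
RESERVED_RANGE = range(3968, 4095)  # reserved on Ethernet switching interfaces


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype), or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # follows dst + src MAC
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q tag is truncated")
    tci, inner_ethertype = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return tci & 0x0FFF, tci >> 13, inner_ethertype


def classify_vlan_id(vlan_id: int, interface_kind: str) -> str:
    """Classify a VLAN ID; interface_kind labels are hypothetical."""
    if interface_kind == "inet":
        return "valid" if vlan_id in INET_RANGE else "invalid"
    if interface_kind == "switching":
        if vlan_id in SWITCHING_RANGE:
            return "valid"
        return "reserved" if vlan_id in RESERVED_RANGE else "invalid"
    raise ValueError(f"unknown interface kind: {interface_kind!r}")


def build_frame(vlan_id=None, priority=0, ethertype=0x0800) -> bytes:
    """Construct a sample frame (constructed test data, not captured traffic)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    for vid, kind in [(100, "inet"), (3967, "switching"), (4000, "switching")]:
        parsed = parse_vlan_tag(build_frame(vid, priority=5))
        print(parsed, kind, classify_vlan_id(parsed[0], kind))
    print(parse_vlan_tag(build_frame()))  # untagged frame
```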