VLANs for the Homelab: A beginner's guide to segmenting networks

Buus Rowe

I tried to condense the many hours I spent learning what VLANs are and how to implement them, trying to concentrate on the important information.
What is a VLAN?
VLAN is short for Virtual LAN. A VLAN is an isolated broadcast domain. If that doesn't mean anything to you, we can just call it an isolated segment or isolated section of a network, where devices on that segment cannot "see" devices on other segments.
One way which has helped me to grasp this concept is thinking about mDNS or DLNA devices (another little rabbit hole to go down, but for now stick with me). Look at a wireless printer or perhaps a Chromecast. These devices usually use technology which allows them to "magically" appear on your phone if you're connected to the same network. That is because your phone (or laptop) and the Chromecast or printer are in exactly the same broadcast domain or segment. If your laptop and your Chromecast were in different VLANs, it would be as though the Chromecast doesn't exist as far as your laptop is concerned.
Finally, a VLAN isn't a subnet. That is important; we will touch on this in another post about inter-VLAN routing.
So it breaks my Chromecast. Why would I want to use it?
While in the case of trying to print to a wireless printer from your work laptop, having each device in a different network segment will be annoying, there are lots of valid use cases for VLAN segmentation in homelab or home networking setups, including:
Isolating work-from-home devices (such as a work laptop, printer) from personal devices
Isolating "production" servers from "staging" or "development" servers if you are running some form of application on your homelab
Isolating IoT or untrusted devices - for instance having all your Alexa or smart home devices connected on an isolated VLAN so that they can't "see" and spy on your own internal network
Ability to finely control inter-VLAN routing - that is one we will touch on down the road, as VLANs allow a network administrator to establish rules for how different VLANs can connect to each other and with the internet - for example a "kids" VLAN that doesn't have access to a specific game after 10PM
VLAN-aware Switches and Routers
Before we move on to the details of implementation, I wish to briefly discuss the hardware side. This will be an extremely high-level overview, as there are plenty of resources for learning the specific "behind-the-scenes" of how VLANs work in networking hardware. I am aiming to make it easily understood for a newcomer or beginner.
Remember: Part of setting up VLANs is learning the quirks of your particular equipment rather than assuming one vendor will be like another in their VLAN implementation. You will see that different manufacturers have slightly different implementations, but the overall concept remains exactly the same!
Why can't all routers and switches support VLANs, isn't it just a software thing?
Yes and no. At the end of the day, all a VLAN really is in practice is a tiny bit of extra information added to every "packet" of information traveling across your network. This information has to be interpreted and acted on by your equipment. This can be done in software or hardware. BUT, remember that our routers and switches are usually not very powerful when it comes to software tasks.
Network switches are low-power, efficient devices that do a straightforward job very efficiently in hardware. That's why a Mikrotik CRS-328 can switch 63 Gbps of traffic when it has a single 800 MHz CPU. The minute it needs to use its CPU to route traffic, like routing traffic from one VLAN to another, that throughput number falls to under 500 Mbps.
There are 3 answers to this problem:
Throw more power at it: a beefy CPU can handle VLAN tagging without much issue - look at a Proxmox or other virtualization server, which can handle VLAN traffic in software
Use hardware that's optimized for the task: find a "managed" switch that has Layer 2 capability if you just need simple VLAN capability, or Layer 3 hardware capability if you'd like the switch to be able to route traffic between different VLANs
Be OK with lower speeds or decreased efficiency. That is sometimes the answer, especially for the homelab. For example, my travel router, a GL-AR750s, has OpenWrt installed and is able to do VLAN filtering in software. I'm fine that this isn't the most efficient setup possible and value the convenience and cost effectiveness more in this situation. This may resonate with many beginners who have a router that can just be flashed with OpenWrt and handle VLANs through its CPU. It's still the same VLAN goodness, just slower and cheaper!
VLAN terminology glossary
The following are some important terms and concepts to understand. These will allow you to grasp diagrams and examples of VLAN setups and translate them to your own equipment:
VLAN ID/VID:
This is the number, 1-4095, of the VLAN. It is used by networking equipment to recognize and group members of the same VLAN together. You should realize that the number is all that matters. If you label VLAN 10 "Sally" on one switch and VLAN 10 "Jimmy" on another, the only thing the switches really care about is the VID.
Tag
A VLAN tag is a little piece of information added to a packet that tells networking equipment which VLAN that packet belongs to.
Tagged
When configuring a VLAN-aware switch, you'll often run into the terms tagged or untagged as a checkbox or dropdown menu for each physical port on the switch or router (and sometimes the "CPU" is treated as its own port, as on OpenWrt, or "bridge" on Mikrotik - this is very important to inter-VLAN routing, which will be discussed later). When you select "tagged", you're telling the switch that traffic on that port with the VID you're marking as TAGGED should keep its VLAN tag when it enters/leaves the switch.
If a VLAN is tagged on a port and you connect a non-VLAN-aware device, that traffic will be invisible to that device, while a VLAN-aware device will be able to pick up that traffic and filter it. This is useful for trunking (also defined in this list).
Untagged (access port on Cisco)
The inverse of the above: you're telling the switch that traffic with the untagged VID will have its tag removed as it leaves the switch, so it will appear to the connected device as regular non-VLAN traffic.
PVID
This is the physical port VID. You can think of this as the "default" VLAN ID for the port, so packets coming into/leaving the switch without a tag will be considered part of this VLAN. You may be confused about the point of the PVID when you also have untagged/access ports. On Mikrotik, if you set a PVID for a port it'll automatically show that VID as untagged on that port, without you needing to add it manually. On my TP-Link T1600G I had to select a PVID for the port and also mark the port as untagged for that VID. From what I can tell reading forums, some vendors separate egress and ingress via untagged and PVID respectively. Just be sure to check your equipment's documentation for which pattern it follows.
Trunk
This is one of my favorite and what I think may be the most powerful elements of VLANs: trunks. A trunk is formed once you tag multiple VIDs on a single port of one switch. This port can then be used to connect another VLAN-aware switch, which can then use the same VLANs too. A very real use of this: I have 2 VLAN-aware switches in my network, a Mikrotik CRS-328 that is connected with a trunk port to a Mikrotik CRS-317. This lets me extend my network and use the extra 10G SFP+ ports on the second switch, while still keeping exactly the same network segmentation.
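As an added example (not code from the original post), here are the tagged/untagged/PVID/trunk rules from this glossary written as a small Python model of an 802.1Q-aware switch. The port names, VLAN numbers and MAC addresses are constructed for illustration, and `forward` simply floods each frame to every port that is a member of its VLAN rather than learning MAC addresses.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag

def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, payload); vid is None if untagged."""
    dst, src = frame[:6], frame[6:12]
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3 bits) | DEI(1) | VID(12)
        return dst, src, tci & 0x0FFF, frame[16:]
    return dst, src, None, frame[12:]

def build_frame(dst, src, payload, vid=None):
    """Rebuild a frame, inserting the 4-byte tag only when a VID is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + payload

class Port:
    def __init__(self, pvid, tagged=(), untagged=None):
        # pvid: VID given to untagged ingress; tagged: VIDs kept tagged; untagged: VID stripped
        self.pvid, self.tagged, self.untagged = pvid, set(tagged), untagged

    def ingress(self, frame):
        dst, src, vid, payload = parse_frame(frame)
        vid = self.pvid if vid is None else vid          # untagged traffic joins the PVID
        if vid in self.tagged or vid == self.untagged:   # ingress filtering: member VIDs only
            return vid, build_frame(dst, src, payload, vid)
        return None                                      # not a member of this port: dropped

    def egress(self, vid, frame):
        dst, src, _, payload = parse_frame(frame)
        if vid in self.tagged:                           # trunk side: the tag stays on
            return build_frame(dst, src, payload, vid)
        if vid == self.untagged:                         # access side: the tag is removed
            return build_frame(dst, src, payload)
        return None                                      # not a member: invisible on this port

def forward(ports, in_port, frame):
    """Flood a frame to every other port that is a member of its VLAN; returns {port: frame}."""
    hit = ports[in_port].ingress(frame)
    if hit is None:
        return {}
    vid, tagged = hit
    out = {n: p.egress(vid, tagged) for n, p in ports.items() if n != in_port}
    return {n: f for n, f in out.items() if f is not None}

# Constructed sample switch: laptop on VLAN 10, Chromecast on VLAN 20, trunk to a second switch.
SWITCH = {
    "laptop": Port(pvid=10, untagged=10),
    "chromecast": Port(pvid=20, untagged=20),
    "trunk": Port(pvid=1, tagged=(10, 20)),
}
LAPTOP_MDNS = build_frame(b"\x01\x00\x5e\x00\x00\xfb", b"\x02" * 6, b"mdns query")  # untagged
```

Running `forward(SWITCH, "laptop", LAPTOP_MDNS)` shows the laptop's untagged mDNS query leaving only on the trunk, tagged with VID 10, and never reaching the Chromecast port.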