Virtual LANs (VLANs)

VLANs enable a switch to carry multiple discrete broadcast domains, allowing a single switch to function as if it were multiple switches. VLANs are commonly used for network segmentation in the same way that multiple switches can be used: to place hosts on a specific segment, isolated from other segments. Where trunking is employed between switches, devices on the same segment need not reside on the same switch. Devices that implement trunking can also communicate on multiple VLANs through a single physical port.

This chapter covers VLAN concepts, terminology and configuration in pfSense® software.

Requirements

There are two requirements, both of which must be met to deploy VLANs.

  1. 802.1Q VLAN capable switch

    Every decent managed switch manufactured in the last 25 years is capable of 802.1Q VLAN trunking.

    Warning

    VLANs cannot be used with an unmanaged switch.

  2. Network adapter capable of VLAN tagging

    A NIC that implements hardware VLAN tagging or long frames is helpful, but not required. Interfaces without appropriate hardware can still use VLANs, but not as fast or as efficiently.

    Each VLAN frame has a 4 byte 802.1Q tag added in the header, so the frame size can be up to 1522 bytes. A NIC with hardware features for VLAN tagging or long frames is helpful because other adapters will not be able to send frames larger than the normal 1518 byte maximum with 1500 MTU Ethernet. This means interfaces without those hardware features must use a lower MTU, and thus are limited in how much data they can send in a packet, reducing efficiency.

    Note

    If an adapter is listed as having long frame functionality, that does not guarantee the specific implementation of that NIC chipset properly implements long frames. Realtek rl(4) NICs are the biggest offenders. Many will work fine, but some do not properly implement long frames, and some will not accept 802.1Q tagged frames at all. If problems are encountered using one of the NICs listed as having long frame functionality, the best practice is to try an interface with VLAN hardware tagging instead. There are no known similar problems with NICs listed as having VLAN hardware tagging.
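The frame-size arithmetic above, as an added example that is not part of the pfSense documentation: it builds a constructed Ethernet II frame with an 802.1Q tag (the FCS is a zero placeholder, not a real CRC), parses the tag fields back out, and reports whether the result exceeds the 1518-byte limit that a NIC without long-frame support enforces, along with the reduced MTU such a NIC must use on a tagged link.

```python
import struct

TPID_8021Q = 0x8100                     # ethertype value that announces an 802.1Q tag
ETH_HDR, VLAN_TAG, FCS = 14, 4, 4
UNTAGGED_MAX = ETH_HDR + 1500 + FCS     # 1518 bytes: the classic Ethernet maximum
TAGGED_MAX = UNTAGGED_MAX + VLAN_TAG    # 1522 bytes: one 802.1Q tag added

def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=0x0800):
    """Build an Ethernet II frame; a vid adds an 802.1Q tag after the source MAC.
    The trailing FCS is a constructed zero placeholder, not a computed CRC."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # TCI layout: PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload + b"\x00" * FCS

def parse_frame(frame):
    """Return addresses, ethertype, payload length and VLAN fields (None if untagged)."""
    if len(frame) < ETH_HDR + FCS:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = ETH_HDR, None
    if ethertype == TPID_8021Q:          # tagged: TCI and the real ethertype follow
        if len(frame) < ETH_HDR + VLAN_TAG + FCS:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset += VLAN_TAG
    return {
        "dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
        "ethertype": ethertype, "vlan": vlan,
        "payload_len": len(frame) - offset - FCS,
    }

def needs_long_frames(frame):
    """True when the frame only fits on a NIC that accepts frames above 1518 bytes."""
    return len(frame) > UNTAGGED_MAX

def max_payload(tagged, nic_long_frames):
    """Largest payload (MTU) usable on the link: 1496 when tagged on a NIC capped at 1518."""
    return 1500 - VLAN_TAG if tagged and not nic_long_frames else 1500

if __name__ == "__main__":
    # Constructed sample: full 1500-byte payload on VLAN 20 with priority 5.
    f = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee",
                    b"A" * 1500, vid=20, pcp=5)
    print(parse_frame(f), len(f), needs_long_frames(f), max_payload(True, False))
```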

Ethernet interfaces with VLAN hardware functionality:

ae(4), age(4), alc(4), ale(4), bce(4), bge(4), bxe(4), cxgb(4), cxgbe(4), em(4), igb(4), ix(4), jme(4), liquidio(4), msk(4), mxge(4), nge(4), re(4), sge(4), stge(4), ti(4), vge(4).

Ethernet interfaces with long frame functionality:

axe(4), bfe(4), cas(4), dc(4), et(4), fwe(4), fxp(4), gem(4), le(4), nfe(4), rl(4), sis(4), sk(4), ste(4), vr(4), vte(4), xl(4).