
VLAN: a network of computers that behave as if they are connected to the same wire even though they may actually be located on different physical segments of a LAN. VLANs are configured in software rather than by rewiring, which makes them extremely flexible. One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration.

VLAN Benefits:

  • VLANs are supported over all IEEE 802 LAN MAC protocols, over shared-media LANs as well as point-to-point LANs.
  • VLANs facilitate easy administration of logical groups, and of moves, adds and changes in the membership of these groups.
  • Traffic between VLANs is restricted. Bridges forward unicast, multicast and broadcast traffic only onto LAN segments that serve the VLAN to which the traffic belongs.
  • As far as possible, VLANs maintain compatibility with existing bridges and end stations.
  • If all bridge ports are configured to transmit and receive untagged frames, bridges work in plug-and-play 802.1D mode, and end stations can communicate throughout the bridged LAN.
  • Improved security: because a bridge forwards a frame only onto segments that serve the frame's VLAN, a station cannot receive or inject traffic on another VLAN at layer 2, and traffic between VLANs has to pass through a router where it can be filtered. This isolation is only as good as the port configuration (PVIDs, which ports accept tagged frames, which ports are members of which VLAN), so those settings deserve the same review as firewall rules.

Note: A VLAN bridge in its default configuration is transparent to untagged frames but is not transparent to tagged frames.

There are three types of frames: untagged, VLAN-tagged and priority-tagged. The maximum number of VLANs that can be supported is 4094 rather than 4096 because two VID values, 0 and 4095 (0xFFF), are reserved.

Tag-based VLAN Overview

Under the IEEE 802.1Q standard, a tag-based VLAN uses an extra tag in the MAC header to identify the VLAN membership of a frame across bridges. The tag carries both the VLAN identifier and the QoS (Quality of Service) priority. VLANs can be created statically by hand or dynamically through GVRP. The VLAN ID associates a frame with a specific VLAN and gives switches the information they need to process the frame across the network. A tagged frame is four bytes longer than an untagged frame: the tag is inserted immediately after the source address field and consists of two bytes of TPID (Tag Protocol Identifier, which occupies the position of the original type/length field) followed by two bytes of TCI (Tag Control Information); the original type/length field follows the tag.

  • TPID: the TPID has the defined value 0x8100. When the EtherType position of a frame holds 0x8100, the frame carries an IEEE 802.1Q / 802.1p tag.

  • Priority: the first three bits of the TCI define the user priority, giving eight (2^3) priority levels. IEEE 802.1p defines the use of these three bits.

  • CFI: the Canonical Format Indicator is a single-bit flag, always set to zero by Ethernet switches. It exists for compatibility between Ethernet and Token Ring networks. If a frame received on an Ethernet port has CFI set to 1, it should not be forwarded unchanged to an untagged port. (Later revisions of 802.1Q redefine this bit as the Drop Eligible Indicator, DEI.)

  • VID: the VLAN ID identifies the VLAN and is the field that 802.1Q is built around. It is 12 bits long, allowing 4096 (2^12) values. Of these, VID 0 marks a priority-tagged frame and VID 4095 (0xFFF) is reserved, so at most 4,094 VLANs can be configured.

Note that user priority and VLAN ID are independent of each other. A frame whose VID is null (0) is called a priority-tagged frame: only its priority level is significant, and the PVID of the ingress port is assigned as the frame's VID.

Ingress, Forwarding, and Egress Rules:

Below is a single instance of a frame being relayed between the two ports of a bridge.

        [Figure: Port1  -->  bridge (Ingress, Forwarding, Egress)  -->  Port2]

1. Ingress Process:

Each port is capable of passing tagged or untagged frames. The Ingress Process checks whether an incoming frame carries a tag and classifies the frame as belonging to one and only one VLAN. It discards or accepts the frame for further processing on the basis of that classification and of the received frame format, which is one of three types:

  • Untagged: no tag header, so the frame does not explicitly identify itself as belonging to a particular VLAN;
  • Priority-tagged: a tag header conveying explicit user priority information but not identifying the frame as belonging to a specific VLAN (VID 0);
  • VLAN-tagged: a tag header explicitly identifying the frame as belonging to a particular VLAN.

Each port has its own ingress rule. If the rule is "accept tagged frames only", the port drops all incoming untagged frames. If the rule is "accept all frame types", the port accepts tagged and untagged frames alike:

  • When a tagged frame is received on a port, its tag header carries an explicit VID, and the Ingress Process passes the frame straight to the Forwarding Process.

  • An untagged frame carries no VID. When one is received, the Ingress Process inserts a tag containing the port's PVID. Each physical port has a default VID called the PVID (Port VID); it is assigned to untagged frames and to priority-tagged frames (frames with a null (0) VID) received on that port.

After the Ingress Process every frame carries a 4-byte tag with VID information, and then goes to the Forwarding Process.

2. Forwarding Process:

The Forwarding Process decides where to forward the received frame according to the Filtering Database. For tagged frames to be forwarded out of a certain port, that port must be an egress port for the frame's VID. An egress port is an outgoing port for the specified VLAN, that is, frames tagged with the specified VID may leave through this port. The Filtering Database stores and organizes the VLAN registration information used to switch frames to and from switch ports. It consists of static registration entries (the Static VLAN or SVLAN table) and dynamic registration entries (the Dynamic VLAN or DVLAN table). The SVLAN table is added and maintained by hand by the administrator. The DVLAN table is learned automatically via the GVRP protocol and cannot be created or modified by the administrator.

Each VLAN entry in the Filtering Database holds the following information:

  1. VID: VLAN ID

  2. Port: the switch port number

  3. Ad Control: registration administrative control. There are three kinds: forbidden registration, fixed registration and normal registration.

    • Forbidden registration: this port is forbidden from being an egress port for the specified VID, regardless of any dynamic registration.

    • Fixed registration: a static registration entry. This port is an egress port for the specified VID (a member port of the specified VLAN); frames tagged with that VID can leave through this port.

    • Normal registration: a dynamic registration entry. The forwarding decision depends on the Dynamic VLAN table.

  4. Egress Tag Control: used by the Egress Process. The value is either tagged or untagged. If tagged, the outgoing frame on the egress port keeps its tag. If untagged, the tag is removed before the frame leaves the egress port.

  VID   Port   Ad Control   Tag Control
  ---   ----   ----------   -----------
  10    1      Forbidden    Tag
  10    2      Fixed        Tag
  10    3      Normal       UnTag
  20    1      Fixed        Tag
  20    5      Fixed        UnTag

                                   Filtering Database

  VID   Egress Port
  ---   -----------
  10    1
  10    2
  20    3

                               Dynamic VLAN (DVLAN) table

Read together: port 1 is never an egress port for VID 10 (Forbidden), even though GVRP has registered it in the DVLAN table; port 2 is an egress port for VID 10 (Fixed); port 3's registration for VID 10 is Normal and, since the DVLAN table has no entry for VID 10 on port 3, port 3 is currently not an egress port for VID 10.

3. Egress Process:

The Egress Process decides whether the outgoing frame is sent tagged or untagged by consulting the egress tag control information in the Filtering Database. If the value is tagged, the frame leaves the egress port with its tag. If the value is untagged, the tag is removed before the frame leaves the egress port.
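The tag layout from the Tag-based VLAN Overview and the three-stage relay described above, as an added example that is not code from this page or from any switch vendor. It builds and parses the TPID/TCI tag, then runs constructed frames through Ingress (PVID assignment, tagged-only rule, reserved VID), Forwarding (Forbidden/Fixed/Normal against the page's Filtering Database and DVLAN table) and Egress (Tag/UnTag). The port settings, the frames, and two defaults the page leaves open (a port with no static entry behaving as Normal registration, and a port learned only via GVRP transmitting tagged) are assumptions, marked as such in the comments.

```python
"""IEEE 802.1Q tag handling plus the three-stage relay (Ingress, Forwarding, Egress).
Added example for this page, not vendor or standard code. Frames, port settings and the
defaults for ports without a static entry are constructed assumptions (see comments)."""
import struct

TPID = 0x8100  # Tag Protocol Identifier that marks an 802.1Q / 802.1p tag
UNTAGGED, PRIORITY_TAGGED, VLAN_TAGGED = "untagged", "priority-tagged", "vlan-tagged"


def parse_tag(frame):
    """Return (priority, cfi, vid) if the frame carries a tag, else None.
    The tag follows the 12 address bytes: 2 bytes TPID, then 2 bytes TCI laid out as
    3 bits priority | 1 bit CFI | 12 bits VID."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def insert_tag(frame, priority, vid, cfi=0):
    """Insert a 4-byte tag between the source MAC and the original type/length field."""
    tci = (priority & 7) << 13 | (cfi & 1) << 12 | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame):
    """Remove the 4-byte tag again (egress tag control 'UnTag')."""
    return frame[:12] + frame[16:]


def classify(frame):
    # One of the three frame formats named on the page.
    tag = parse_tag(frame)
    if tag is None:
        return UNTAGGED
    return PRIORITY_TAGGED if tag[2] == 0 else VLAN_TAGGED


class VlanBridge:
    """ports: {port: (pvid, tagged_only)}; static: {(vid, port): (ad_control, tag_control)}
    with ad_control in {"Forbidden", "Fixed", "Normal"}; dynamic: {(vid, port)} from GVRP."""

    def __init__(self, ports, static, dynamic):
        self.ports, self.static, self.dynamic = ports, static, dynamic

    # 1. Ingress: accept or discard, and classify into exactly one VLAN.
    def ingress(self, port, frame):
        pvid, tagged_only = self.ports[port]
        tag = parse_tag(frame)
        if tag is None:
            return None if tagged_only else insert_tag(frame, 0, pvid)  # untagged -> PVID
        priority, cfi, vid = tag
        if vid == 0x0FFF:
            return None  # reserved VID, never legitimate on the wire
        if vid == 0:     # priority-tagged: keep the priority, take the PVID
            return insert_tag(strip_tag(frame), priority, pvid, cfi)
        return frame     # VLAN-tagged: the explicit VID is used as-is

    # 2. Forwarding: is this port an egress port for the VID?
    def is_member(self, vid, port):
        # Assumption: a port without a static entry behaves as "Normal" registration.
        ad_control, _ = self.static.get((vid, port), ("Normal", "Tag"))
        if ad_control == "Forbidden":
            return False                    # wins over any GVRP registration
        if ad_control == "Fixed":
            return True
        return (vid, port) in self.dynamic  # Normal: decided by the DVLAN table

    def egress_ports(self, vid, in_port):
        return sorted(p for p in self.ports if p != in_port and self.is_member(vid, p))

    # 3. Egress: send tagged or untagged according to egress tag control.
    def egress(self, port, vid, frame):
        # Assumption: a port learned only via GVRP (no static entry) transmits tagged.
        _, tag_control = self.static.get((vid, port), ("Normal", "Tag"))
        return frame if tag_control == "Tag" else strip_tag(frame)

    def relay(self, in_port, frame):
        """Run one frame through all three stages; {} means it was discarded."""
        tagged = self.ingress(in_port, frame)
        if tagged is None:
            return {}
        vid = parse_tag(tagged)[2]
        return {p: self.egress(p, vid, tagged) for p in self.egress_ports(vid, in_port)}


# Filtering Database and DVLAN table exactly as shown on the page.
STATIC = {(10, 1): ("Forbidden", "Tag"), (10, 2): ("Fixed", "Tag"), (10, 3): ("Normal", "UnTag"),
          (20, 1): ("Fixed", "Tag"), (20, 5): ("Fixed", "UnTag")}
DYNAMIC = {(10, 1), (10, 2), (20, 3)}
# Constructed port settings: port -> (PVID, accept tagged frames only?)
PORTS = {1: (1, False), 2: (10, True), 3: (10, False), 4: (20, False), 5: (20, False)}
BRIDGE = VlanBridge(PORTS, STATIC, DYNAMIC)
# Constructed frame: broadcast dst, src 00:11:22:33:44:55, EtherType IPv4, dummy payload.
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff 001122334455 0800") + b"payload"

if __name__ == "__main__":
    for port, frame in [(4, UNTAGGED_FRAME), (3, insert_tag(UNTAGGED_FRAME, 5, 0)), (2, UNTAGGED_FRAME)]:
        print(port, classify(frame), {p: parse_tag(f) for p, f in BRIDGE.relay(port, frame).items()})
```

Running it shows the page's rules in action: an untagged frame entering port 4 is tagged with PVID 20 and leaves ports 1 and 3 tagged and port 5 untagged; a priority-tagged frame on port 3 keeps priority 5 but takes VID 10 and reaches only port 2, because port 1 is Forbidden for VID 10 despite its DVLAN entry; an untagged frame on port 2 is discarded by the tagged-only ingress rule. The model also makes the security caveat concrete: a port whose ingress rule accepts all frame types trusts whatever VID a tagged frame presents, so the VLAN a station can reach is bounded only by the egress membership configured for that VID.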

A VLAN bridge supports port-based VLAN classification and may also support port-and-protocol-based VLAN classification.

  • In port-based VLAN classification, the VID associated with an untagged frame (no tag header) or a priority-tagged frame (a tag header carrying the null VLAN ID) is determined by the port on which the frame arrives at the bridge. This requires a specific Port VLAN ID, or PVID, to be associated with each of the bridge's ports.
  • In port-and-protocol-based VLAN classification, the VID associated with an untagged or priority-tagged frame is determined not only by the port of arrival but also by the protocol identifier of the frame. This requires multiple VIDs to be associated with each port of the bridge; this set is known as the port's "VID Set".

 
