Video Suggestion: Difference between VLANs, Subnets, and what they do

Hello there,

I've been using the Unifi line of products since I started doing any home network stuff and have always been confused about VLANs, Subnets, and the differences between them.

Using Unifi for everything has really hidden away what is actually happening under the hood, making this topic confusing. It wasn't until your most recent video, How To Setup VLANs With pfsense & UniFi 2023, that it started to make sense to me. Other videos I've seen in the past talking about the differences just made them sound the same, but my only experience with subnets and VLANs was with an all-Unifi setup.

In the Unifi controller, when using a USG, USW, and UAP, you define a network with a subnet and a VLAN, tag a physical port with a network so a physical device can connect to whatever network, and then define an SSID with a network so those devices are on that network. All of the technical stuff is hidden away, making things easy when using just Unifi, but a little harder when using any other equipment.

After your video my understanding is now:

  • Routers define subnets and sometimes VLANs
  • Switches don’t really understand subnets but know what port it should go to based on a VLAN tag, otherwise send to all.

I think a good example in a video would be to leave out Unifi entirely, using pfSense, a VLAN-aware switch, and maybe 2 APs, one VLAN-aware and one not.


This is something I see a lot in this forum. Many people tend to misuse the term ‘VLAN’ and confuse it with ‘subnet’. Neither one of the terms is specific to Unifi.

A ‘subnet’ is just what it says - a subdivision of a (larger) network. In terms of CIDR, 2000::/3 is the network of globally accessible IPv6 addresses. For example, 20a2:bbbb:cccc:dddd::/64 is a subnet of that network. Anything smaller than that (i.e., with a larger prefix) is a subnet of it and so on. So any IP network is a subnet of the network which comprises all possible addresses (i.e. ::/0 in IPv6 and in IPv4).

A router forwards packets between networks based on routes. It knows which destination network is reachable on which of its interfaces. In a residential or small enterprise environment, where there is usually only one router, there is only one subnet reachable from each interface (e.g. there is one interface connecting to the office LAN, one to the guest LAN, etc.). This is different from internet backbone routers, where there can be hundreds or thousands of different networks reachable via a specific interface (because there are other routers later in the path).

Within a network, packets are forwarded by switches to the correct Ethernet recipient. Suppose your home network as a whole was divided into three distinct subnets. Before VLAN, you would need three independent switches, one for each network. All ports of the switch belong to the same network. With port-based VLAN, you can essentially split one physical switch into multiple logical ones and assign the ports to them. Traffic entering a port can only exit on a port belonging to the same logical switch. With this approach, you would only need one physical switch for all three subnets. Today, port-based VLAN (whose implementation varies between switch manufacturers) is largely deprecated in favor of IEEE 802.1Q. This is part of the Ethernet standard and is where the term ‘VLAN tag’, a number between 0 and 4095, comes from.

So in conclusion, whenever you talk about dividing your network into different smaller networks (e.g. office LAN, guest LAN), you are talking about subnets. VLAN is a technology that allows you to implement subnets more easily and resource-efficiently, but is not at all required.



All that @paolo wrote is right.

Maybe I can build on that a bit and maybe find the source of the confusion that is NOT related to either Unifi or this forum.


OSI Model

When we talk about networking there is a “reference model” that organizes the network in 7 “layers” (the “OSI reference model”).

When we speak about VLANs and subnets we focus on layers 2 and 3.

Layer 1

The lowest layer (layer 1) is the physical layer, which takes care of the electronic (or optical) signals over the physical medium (how the network adapter puts and reads electrons on a wire or light on fiber optics). This is not affected by either VLANs or subnets.

Layer 2

The next layer (layer 2) is the data link layer which deals with the protocols between stations that share a medium.

Ethernet originally consisted of a single cable where all stations connected to the same coaxial cable (10base5). It eventually evolved to stations connected to a hub (and then a switch) where each cable connects only one station to the switch, but the implicit logic is that somehow the medium is shared by all the stations.


VLANs live in layer 2 and are used to create “virtual” physical media (cables) over the same medium, as if there were multiple independent switches (and multiple independent network adapters on the hosts).

We use IEEE 802.1Q to add a small VLAN header to the Ethernet frame, which carries a 12-bit “VLAN Identifier” (VID or VLAN-Id) that indicates to which “virtual cable” or “virtual interface” this frame has to go. Values 0 and 4095 are reserved, so this leaves us with VLAN IDs from 1 to 4094.

Layer 3

The next layer (layer 3) is the network layer which deals with addressing and sending packets from one node to another even when there is no direct connection between the nodes.

IP (version 4 and version 6) lives in layer 3. So do all the routing protocols (BGP, RIP, OSPF, etc). IP addresses are defined here.


Subnets, which are partitionings of the address space, thus also belong in layer 3.

This is where you define that subnet is used for PCs in the 4th floor and that subnet is used for servers in the data center.

The confusion

There are quite a few sources of confusion here and even some professional sysadmins have problems with this since they usually learn a specific technology from a specific vendor and learn this vendor’s jargon and way of doing subnets and VLANs (e.g. @StoneMonarch learnt it from Unifi’s way of doing things, which is quite peculiar, as @LTS_Tom stated more than once).

Another source of confusion is this. Theoretically, routers do layer 3, switches do layer 2. However, some routers (especially those for SOHO or branches) have a built-in switch and many mid to high-end switches have some layer 3 support where they can route packets among different subnets without relaying them to a router.

Some clarification

For some rules of thumb, this might help you:

  • Subnets are identified by IP addresses and masks (like or fcae:ea51::/64).
  • VLANs are identified by VLAN IDs, which are numbers between 1 and 4094
  • VLANs are used to simulate the existence of multiple physical networks and adapters
  • There may be more than one subnet over the same VLAN but this is uncommon and you shouldn’t do it unless you know precisely why
  • You shouldn’t use the same subnet over different VLANs
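An added example, not written by any poster in this thread: it reads the 12-bit VLAN ID out of an 802.1Q tag (layer 2), reads the source IPv4 address (layer 3), and checks both against a VLAN-to-subnet plan using the rules of thumb above. The function names, the plan and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800   # 802.1Q tag marker, IPv4 payload

def parse_frame(frame):
    """Return (vlan_id, source_ip); either is None when absent."""
    if len(frame) < 18:   # valid Ethernet frames are far longer than this
        raise ValueError("frame too short to hold an Ethernet header and tag")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18   # low 12 bits = VLAN ID, top 4 = priority/DEI
    src = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    return vid, src

def audit_plan(plan):
    """plan maps VLAN ID -> list of subnets; return rule-of-thumb violations."""
    findings = []
    nets = [(v, ipaddress.ip_network(n)) for v, ns in plan.items() for n in ns]
    for v, ns in plan.items():
        if not 1 <= v <= 4094:
            findings.append(f"VLAN {v}: ID outside 1-4094")
        if len(ns) > 1:
            findings.append(f"VLAN {v}: carries {len(ns)} subnets")
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if va != vb and na.version == nb.version and na.overlaps(nb):
                findings.append(f"{na} (VLAN {va}) overlaps {nb} (VLAN {vb})")
    return findings

def source_fits_vlan(frame, plan):
    """True when a tagged frame's source IP lies in a subnet planned for its VLAN."""
    vid, src = parse_frame(frame)
    nets = plan.get(vid, []) if src is not None else []
    return any(src in ipaddress.ip_network(n) for n in nets)

def build_frame(vid, src, pcp=0):
    """Constructed sample: tagged Ethernet frame holding a bare IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, bytes(4))
    tag = struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ETHERTYPE_IPV4)
    return bytes.fromhex("020000000002020000000001") + tag + ip

PLAN = {10: ["192.168.10.0/24"], 20: ["192.168.20.0/24"]}   # constructed plan
```

A frame tagged for VLAN 20 whose source address sits in VLAN 10's subnet fails `source_fits_vlan`, which is the kind of mismatch worth looking for when verifying that segmentation behaves as planned.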