VLAN – Am I on a VLAN or virtual subnet?


I've read through some of the differences between a subnet and VLAN but I'm having a hard time figuring out if I'm actually utilizing a VLAN properly.

My switch by default is on the 10.0.0.0/24 network. It is considered an untagged network because there's no VLAN on it. Any computer can join this subnet and read broadcast traffic. Am I correct to assume the last sentence is right?

I then create on the switch, say, VLAN 10 with a network of 10.0.10.0/24. I set a static IP of 10.0.10.11/24 on my computer and 10.0.10.12/24 on another computer. Let's say both are Macs running OS X 10.10. The switch port for both Macs is set to all (4096).

Since I did not "tag" the NIC of either Mac, how am I still able to talk to the other Mac through file sharing, SSH, etc.? Isn't this VLAN 10 I created on 10.0.10.0/24 required to have both Macs tagged to access it?

Now let's say I add a third device, a Linux box, with its interface tagged for VLAN 10. It has an IP of 10.0.10.13/24. Can I SSH into either Mac?

What is the difference between tagging a switch port vs. a NIC? Can a tagged NIC still talk on the same subnet as other untagged devices?

Best Answer

Let's see if I can make things clearer.

First, VLANs are a layer 2 construct, and subnets are a layer 3 construct. It is true that in most cases there is a 1:1 relationship between them (i.e., one VLAN per subnet, and vice versa), but that doesn't mean they are the same thing.

Switches, being layer two devices, forward packets based on MAC addresses and never look at IP addresses. So in the context of a switch, it's wrong to say that a VLAN has a particular subnet on it. The switch doesn't know or care.

It is the end devices (hosts or routers) on a VLAN that define the IP subnet. If they're all configured for the 10.0.10.0/24 network, then that's what it is. If you change the IP subnet on your hosts, you have changed the subnet for that VLAN.

EDIT:

The term "tagging" applies to the 802.1q protocol, which is a variation of the "standard" Ethernet protocol. In fact most PCs, Macs, etc. cannot understand the 802.1q protocol -- they simply ignore it. So when you say

My Mac is tagged on VLAN 10

That doesn't quite make sense. The switch port your Mac is plugged into accepts untagged frames, and if you've configured it, also tagged frames (802.1q frames). Your Mac however only sends and receives untagged frames, regardless of how many different VLANs are tagged on that port. In other words, it is unaware that there are tagged frames being sent out that port, because it doesn't understand them.

Whatever VLAN is untagged on the port your Mac is plugged into is the VLAN your Mac is on.

So for example, unless you've changed the configuration, VLAN 1 is untagged on all ports. So, by default, any port you plug a Mac or PC into will send and receive frames on VLAN 1, because that VLAN is untagged on all the ports.

Now, if you want to create a new VLAN (10) and only have some devices use it, you will set those ports to send VLAN 10 untagged (in the Cisco world, you set VLAN 10 as the "native" VLAN on the ports).

If two PCs are on switch ports 1 and 2, and you set only those ports to have VLAN 10 untagged, then they will only be able to send frames to each other. All other ports will still use VLAN 1 (untagged). Hosts on VLAN 1 and hosts on VLAN 10 can't talk to each other.

The default VLAN (usually VLAN 1) is still a VLAN, and has the same properties as any other. VLANs are tagged or untagged when one talks about port configuration. The same VLAN can be tagged on one port and untagged on another. There is no such thing as a "tagged" or "untagged" network.
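The following is an added example, not part of the answer above, that models the per-port tagged/untagged behaviour the answer describes so the questioner's scenario can be traced frame by frame. It builds and parses real 802.1Q frame bytes (TPID 0x8100, 12-bit VID in the TCI) and simulates a four-port switch: ports 1 and 2 have VLAN 10 untagged (the two Macs), port 3 has VLAN 1 untagged and VLAN 10 tagged (the Linux box with a tagged interface), port 4 is a default port with VLAN 1 untagged. The port names, MAC addresses, VLAN IDs and payloads are made up for the example, and one simplification is assumed: a frame arriving tagged with a VLAN the port does not carry as tagged is dropped, which is also what an untagged-only host does with tagged frames it does not understand.

```python
"""Added example (not from the original answer): a minimal model of how a
switch classifies frames on ingress and tags/untags them on egress per port.
All ports, MACs, VLAN IDs and payloads below are constructed for illustration."""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Port:
    untagged_vlan: int                       # the port's untagged ("native") VLAN
    tagged_vlans: set = field(default_factory=set)  # VLANs carried with an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame; insert a 4-byte 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        # TCI: PCP/DEI bits left at 0, VID in the low 12 bits
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) from raw frame bytes."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, tpid, frame[14:]


def ingress_vlan(port, frame):
    """Classify an arriving frame: untagged -> the port's untagged VLAN;
    tagged -> that VID if the port carries it tagged, otherwise dropped (None).
    Assumption: a tag naming the port's own untagged VLAN is also dropped."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return port.untagged_vlan
    return vid if vid in port.tagged_vlans else None


def egress_frame(port, vlan, frame):
    """Rewrite a frame for an outgoing port: strip the tag if the VLAN is the
    port's untagged VLAN, add a tag if the port carries it tagged, else None."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    if vlan == port.untagged_vlan:
        return build_frame(dst, src, ethertype, payload)
    if vlan in port.tagged_vlans:
        return build_frame(dst, src, ethertype, payload, vid=vlan)
    return None  # port is not a member of this VLAN


def forward(switch, in_port, frame):
    """Flood a frame to every other member port of its VLAN (no MAC learning,
    which is enough to show reachability). Returns {port_name: bytes_on_wire}."""
    vlan = ingress_vlan(switch[in_port], frame)
    if vlan is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name == in_port:
            continue
        wire = egress_frame(port, vlan, frame)
        if wire is not None:
            out[name] = wire
    return out


def make_switch():
    """The questioner's topology as a constructed example."""
    return {
        "port1": Port(untagged_vlan=10),                   # Mac A, no tagging on NIC
        "port2": Port(untagged_vlan=10),                   # Mac B, no tagging on NIC
        "port3": Port(untagged_vlan=1, tagged_vlans={10}), # Linux box, VLAN 10 tagged
        "port4": Port(untagged_vlan=1),                    # default port, VLAN 1
    }


if __name__ == "__main__":
    sw = make_switch()
    bcast = build_frame("ffffffffffff", "aabbccddee01", 0x0806, b"who-has 10.0.10.12")
    for name, wire in forward(sw, "port1", bcast).items():
        print(name, "vid on wire:", parse_frame(wire)[2])
```

Tracing it: an untagged frame from Mac A on port 1 is classified as VLAN 10 and reaches port 2 untagged (Mac B sees it as plain Ethernet) and port 3 with a VID 10 tag (the Linux box's tagged interface receives it); port 4 never sees it. A VID 10 tagged frame from the Linux box reaches both Macs untagged, which is why a tagged NIC can talk to untagged hosts on the same VLAN. An untagged frame from the same Linux box lands in VLAN 1 and reaches only port 4.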
