Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 04-22-2010, 04:29 AM   #1
Registered: Jun 2006
Location: Bangalore,india
Distribution: Linux(Redhat,fedora,suse,ubantu), Solaris (s8/s9/s10/nevada/open-solaris)
Posts: 285

Rep: Reputation: 32
difference between VLAN and subnetting

What are the function differences between VLAN and subnetting ?

Old 04-22-2010, 05:33 AM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975Reputation: 1975
well subnetting is logically dividing a large network e.g. into smaller more manageable segments at a design stage e.g.,, but vlans are used to technically isolate different network segments which would typically be assigned to different subnets whilst sharing the same physical network equipment and cabling.

You can have a handful of subnets, each with their own dumb switch connected to a different port on a router for that subnet, and that would have nothing at all to do with vlans. Using vlands you can have one link from one router port to one switch and then hand pick which ports on that switch contain which vlans, especially when you are sending multiple vlans on one cable, like you would between the switch and the router. So there you see subnets with and without vlans. and conversely you can have vlans without subnetting, e.g a bridging firewall sits invisibly on a single subnet but needs an internal vlan and an external vlan in order to keep the safe and unsafe traffic apart, but using the same address ranges. This scenario could be in having a network connection from your ISP and wanting to directly put a server on each address, but in order to make them safe, you put said firewall in front in a bridge mode.

Generally you'd say one subnet = one vlan, but that's not always true in both directions, as above. They are certianly absolutely not the same thing in any way though.
Old 04-22-2010, 08:12 AM   #3
Registered: Apr 2010
Location: Johannesburg
Distribution: Fedora 14, RHEL 5.5, CentOS 5.5, Ubuntu 10.04
Posts: 559

Rep: Reputation: 92
Chris is give you an example of the above explanation.

In my environment my SINGLE subnet is; which basically translates into usable addresses between to

This is ONE subnet; with a network mask of

However, for the purposes of the applications/application servers that live in this environment; within this subnet I have MULTIPLE VLANs defined.

The idea here (for my case specifically) is to separate traffic in exactly what the name implies - virtual networks.

As Chris says in his post; the converse is also true where I could have a single VLAN with multiple subnet's living within it.
Old 05-26-2010, 08:20 AM   #4
LQ Newbie
Registered: Jun 2007
Location: Mumbai, India
Distribution: centos, opensuse
Posts: 15

Rep: Reputation: 0
Question 'bridge firewalling' with vlans

Hello there folks, since the idea of using a bridging firewall is of importance to me, I would like to ask folks here particularly Mr. Kewpie to elaborate more on it.

Well..we could even discuss about my interface that I have here:
I have a bridge firewall with two interfaces, PortA and PortB. PortA connects to the LAN and PortB connects to the WAN.

Now since I want to have a invisible firewalling bridge to separate the 'bad' and the 'good' traffic I create a vlan interface on PortA with an ID of 3 so there is a virtual interface PortA.3. I have only given an IP addr to the bridge itself br0 for managing it. The details:

br0 -
PortA -
PortB -
PortA.3 -
PortB -

My local machine's interface eth0 connects via a LAN cable to PortA. I create a vlan interface here with the same ID as that of the bridge for the 'bad' traffic. Thus the details for my local machine are:

eth0 -
eth0.3 -

The router is at and the DNS server is at both of which are accessible via the bridge (are located at the WAN end of the bridge).

1. Now I have flushed all rules for ebtables and iptables on my bridge (which is rather a brouter). The only rule that I have is:

ebtables -t broute -A BROUTING -p 0x8100 -j redirect --redirect-target DROP
this causes the bridge to route all packets that are vlan tagged. Additionally I have added a default route on my bridge so that it is able to bridge packets to 'unknown IP destinations' based on their MAC address. Without this I cannot ping the brouter from eth0.3 to br0.

To get some feel of what happens when I ping my brouter from eth0.3 heres the output of
'tcpdump -nep -i any host'
on the bridge:

17:36:49.238115 PortA, IN:  In 00:25:11:8f:c6:21 ethertype 802.1Q (0x8100), length 104: vlan 3, p 0, ethertype IPv4, > ICMP echo request, id 35341, seq 1, length 64

17:36:49.238149 PortA.3, IN:  In 00:25:11:8f:c6:21 ethertype IPv4 (0x0800), length 100: > ICMP echo request, id 35341, seq 1, length 64

17:36:49.238411 br0, IN:  In 00:25:11:8f:c6:21 ethertype IPv4 (0x0800), length 100: > ICMP echo request, id 35341, seq 1, length 64

17:36:49.238698 br0, OUT: Out 00:0d:48:36:59:88 ethertype IPv4 (0x0800), length 100: > ICMP echo reply, id 35341, seq 1, length 64

17:36:49.238722 PortA.3, OUT: Out 00:0d:48:36:59:88 ethertype IPv4 (0x0800), length 100: > ICMP echo reply, id 35341, seq 1, length 64

17:36:49.238743 PortA, OUT: Out 00:0d:48:36:59:88 ethertype 802.1Q (0x8100), length 100: vlan 1280, p 2, LLC, dsap Unknown (0xbe) Individual, ssap ISO8208 (0x7e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Response], length 80
Thus as can be seen from the above output, the last response (in blue) is the faulty one here since the vlan id has changed from 3 to 1280 plus it doesn't look like an ICMP reply anymore. This means that as it is about to be routed from PortA.3 to PortA (is it routing here or is it bridging??) something goes haywire with the packet it seems.This error shows up at the ping's output as I cannot see the reply in the ping. I can however see the packets and (although surprisingly) see the requests and replies, as can be seen below

Heres a sample of tcpdump on eth0:
17:59:04.913957 00:25:11:8f:c6:21 > 00:0d:48:36:59:88, ethertype 802.1Q (0x8100), length 102: ethertype IPv4, > ICMP echo request, id 56333, seq 3, length 64
17:59:04.915406 00:0d:48:36:59:88 > 00:25:11:8f:c6:21, ethertype 802.1Q (0x8100), length 102: ethertype IPv4, > ICMP echo reply, id 56333, seq 3, length 64
Heres a sample of tcpdump on eth0.3:
17:59:04.913947 00:25:11:8f:c6:21 > 00:0d:48:36:59:88, ethertype IPv4 (0x0800), length 98: > ICMP echo request, id 56333, seq 3, length 64
17:59:04.915406 00:0d:48:36:59:88 > 00:25:11:8f:c6:21, ethertype IPv4 (0x0800), length 98: > ICMP echo reply, id 56333, seq 3, length 64
Could someone shed some light on this?

2. Secondly when I try to ping to the DNS server from an untagged interface (eth0), i can see the ARP request coming in from PortA and leavin out from PortB without being bridged, since the bridging code realizes it is to be routed and not bridged since the dest IP address is not that of the brouter itself but is yet unknown. Being the bridge that it is, it floods all the remaining port (which in our case is PortB) with this request.

But if I try to ping the server from eth0.3, the packet hits the only rule in the BROUTING chain and hence is routed to PortA.3 from PortA, from there it is later bridged to br0. Now why doesn't the bridge behave like it did in the case described in the above paragraph? From here nothing seems to happen. I cannot even see the bridge forwarding it to any port. It is as if the packet seems to have been consumed.

I am keen to hear from you fellas !

Aijaz Baig.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Route non-vlan packet to a vlan interface mic.sed Linux - Networking 2 04-23-2010 02:39 AM
VLan help on Cisco 870 to Linux vlan spide21 Linux - Networking 4 07-30-2009 08:20 AM
VLAN configuration - native VLAN and setting PVID kumarwaiting Linux - Networking 0 07-24-2006 02:51 AM
subnetting Fabian030 General 4 09-11-2003 03:11 AM
subnetting juanb Linux - Networking 3 08-26-2003 10:56 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:51 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration