• Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
• Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.

VLAN fundamentals

To enable a network device to identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation.

The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by the Institute of Electrical and Electronics Engineers (IEEE) in 1999.

In the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address is the Type field indicating the upper layer protocol type, as shown in Figure 32.

Figure 32 The format of a traditional Ethernet frame

IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 33.

Figure 33 The position and format of VLAN tag

A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.

• The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.
• The 3-bit priority field indicates the 802.1p priority of the frame. For more information about frame priorities, see the ACL and QoS Configuration Guide.
• The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. A value of 0 indicates that MAC addresses are encapsulated in the standard format; a value of 1 indicates that MAC addresses are encapsulated in a non-standard format. The value of the field is 0 by default.
• The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved, a VLAN ID actually ranges from 1 to 4094.

A network device handles an incoming frame depending on whether the frame is VLAN tagged and the value of the VLAN tag, if any. For more information, see “Introduction to port-based VLAN.”

NOTE:
• The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
• For a frame with multiple VLAN tags, the device handles it according to its outer-most VLAN tag and transmits its inner VLAN tags as payload.
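
The tag layout described above, as an added example that is not part of the original guide: a Python decoder for the outer-most 802.1Q tag of an Ethernet II frame, which also flags reserved VLAN IDs and frames that carry a second tag behind the first. The function names, the `rest` field, and the sample MAC addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100        # TPID value that marks a VLAN-tagged frame
RESERVED_VIDS = {0, 4095}  # reserved per the text; usable IDs are 1 to 4094


def parse_vlan_tag(frame: bytes) -> dict:
    """Decode the outer-most VLAN tag of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than DA + SA + Type")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # field right after DA&SA
    if tpid != TPID_8021Q:
        return {"tagged": False, "ethertype": tpid}
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    tci, next_type = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF                     # 12-bit VLAN ID
    return {
        "tagged": True,
        "priority": tci >> 13,             # 3-bit 802.1p priority
        "cfi": (tci >> 12) & 0x1,          # 1-bit canonical format indicator
        "vlan_id": vid,
        "reserved_vid": vid in RESERVED_VIDS,
        # Another 0x8100 here means an inner tag is carried as payload.
        "stacked": next_type == TPID_8021Q,
        "ethertype": next_type,
        "rest": frame[16:],                # everything after the outer tag
    }


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Constructed sample frame; tags is a list of (priority, cfi, vlan_id)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for prio, cfi, vid in tags:
        hdr += struct.pack("!HH", TPID_8021Q, (prio << 13) | (cfi << 12) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    frame = build_frame([(0, 0, 10), (3, 0, 20)])   # constructed double-tagged frame
    outer = parse_vlan_tag(frame)
    print("outer VLAN", outer["vlan_id"], "stacked:", outer["stacked"])
    # Re-attach DA&SA to the remainder to decode the inner tag as well.
    inner = parse_vlan_tag(frame[:12] + outer["rest"])
    print("inner VLAN", inner["vlan_id"], "priority", inner["priority"])
```
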