Communication between different VLANs

Question

In my previous understanding, there is no way to communicate between two VLANs using only layer 2.

After all, this is the purpose of having VLAN.

I found a forum that claims the following.

1.VLANs can communicate with other VLANs when they both use the same trunk link to connect to the same layer 2 switch.

Others claim that

2.VLANs with the same default gateway can communicate with other VLANs under the same layer 2 switch

Another one said that

3. native VLAN can access other VLANs under the same layer 2 switch.

I had searched online, but I got a different answers from different websites.

*Communication between different VLANs means A PC 1 in VLAN10 communicates with PC 2 in VLAN20

edit: Thank you all ans all 1-3. Allow me to also ask one last question. What about subnet mask? if 2 VLANs are in the same IP subnet, can they communicate ?

Answer 1

there is no way to communicate between two VLANs using only layer 2.

That is correct.

VLANs can communicate with other VLANs when they both use the same trunk link to connect to the same layer 2 switch.

Not at all. As you stated, the point of using VLANs is to separate traffic on L2.

A trunk link is an efficient way to connect multiple VLANs across switches. The VLANs stay separate all the same.

VLANs with the same default gateway can communicate with other VLANs under the same layer 2 switch

Also not necessarily true. VLANs can be separated by several L3 hops/gateways.

The same default gateway = same gateway IP address cannot be true since VLANs need to use distinct IP subnets, and each gateway needs to be part of that subnet.

native VLAN can access other VLANs under the same layer 2 switch.

That might be true if you do it wrong. A frame from the 'native' VLAN is transmitted without VLAN tag on a trunk, so if you use different VLAN IDs as native on both sides of the trunk, those VLANs are bridged and effectively become one. Many would argue that you should tag all VLANs on a trunk, generally, to avoid that problem.

Other than being transmitted without tag, the native VLAN is nothing special, so the general statement is false.

if 2 VLANs are in the same IP subnet, can they communicate ?

Generally not. In your diagram VLANs 2 and 3 are actually bridged (as described above), essentially becoming one VLAN/broadcast domain with different IDs left and right. That would work but should be considered a configuration error.

If the VLANs weren't bridged, nodes couldn't even communicate using L3 gateways since they'd expect the destination to be 'on link' but it isn't. (You could make it work by putting up some elaborate NAT scheme or proxy ARP that I won't dive into here.)

So, if you do it right,

• nodes on different VLANs cannot communicate directly on layer 2.
• nodes on different VLANs and different IP subnets can communicate on layer 3 using gateways when those are set up appropriately (belong to the same routing domain, essentially).
• those gateways may be routers or L3 switches.

Answer 2

In my previous understanding, there is no way to communicate between two VLANs using only layer 2.

Correct

1.VLANs can communicate with other VLANs when they both use the same trunk link to connect to the same layer 2 switch.

Plain wrong.

2.VLANs with the same default gateway can communicate with other VLANs under the same layer 2 switch

Plain wrong. Also this makes no sense at all. You can't have two VLANs (actually two IP networks) with the same gateway in a properly done configuration. And there's no gateway on a layer 2 switch since, well, it's layer 2.

native VLAN can access other VLANs under the same layer 2 switch.

Plain wrong.

There's not much to add. Two networks cannot communicate together without a layer 3 device (I.E. a router). Except if you bridge the VLANs together and they share the same IP network, but then you actually have a single VLAN (in an awful setup).

Answer 3

All these statements are incorrect or at least wildy incomplete.

1.VLANs can communicate with other VLANs when they both use the same trunk link to connect to the same layer 2 switch.

No. VLAN separation on the local switch is the same as it is on a remote switch beyond a 802.1q trunk link.

At Layer2, only advanced or strange things can interconnect two VLANs at Layer 2 (as in: they become one broadcst domain). An example could be a "loop" or "ear" cable from one (local) switch port to another port of the very same switch, where one port is untagged VLAN 10 and the other port is untagged VLAN 20.

If one were to build something like that, great caution is advisable: all sorts of "interesting" spanning-tree situations might arise, and traffic flow patterns across the switch might become... a bit strange.

2. VLANs with the same default gateway can communicate with other VLANs under the same layer 2 switch

Inaccurate/Incomplete. The term "default gateway" already implies a "Layer 3 thing" being in the discussion.

If that "default gateway" ...

• is an upstream Layer 3 device (L3 switch, a router or a firewall) which has each a L3-Interface into VLAN 10 and VLAN 20 (e.g. 192.168.10.1 and 192.168.20.1)
• the IP networks for VLANs 10 and 20 are distinct (e.g. 192.168.10.0/24 and 192.168.20.0/24)
• the devices in VLAN 10 and VLAN 20 are configured the respective L3 devices' IP address as their local "default gateway" (e.g. 192.168.10.1 for VLAN 10, 192.168.20.1 for VLAN 20).
• the setup on that L3 device permits traffic forwarding ("routing") between the L3-interfaces of VLAN 10 and VLAN 20

... then yes, devices connected in VLAN 10 or 20, even on the same L2 switch, can talk to each other, but with routing by and through the external L3 device. Note that this does not "merge" VLANs 10 and 20 on the local switch.

3. native VLAN can access other VLANs under the same layer 2 switch

No. The term "native" VLAN applies to a 802.1q trunk link, where one of the VLANs should be defined as the "native" (untagged). The switch will map untagged incoming frames into that VLAN. The swicth will also talk LACP, LLDP/CDP, and possibly spanning-tree protocols without VLAN Tag on that link.

There are corner cases (Q-in-Q) where service provider and customer need to make special arragements for untagged customer frames, to prevent these from leaking out into the service provider's S-VLAN for that given customer (but a single one).

Other than that: No.

Answer 4

In simple terms... the only way two VLANs can pass traffic -- without a router (layer-3) -- is if someone has done something stupid.

• If you connect a VLAN 2 access port to a VLAN 3 access port - and STP or CDP/LLDP/etc. doesn't kill the link - they will effectively pass traffic; of course, that link is making them one VLAN. (there are the rare, oddball cases where this is done on purpose.)

• The next way is technically a "misconfiguration", but many switches will allow this insanity... the access port assigned multiple untagged (access port!) VLANs. However, this oddity only allows that one host / port to talk to / see both VLANs; the other hosts within each VLAN do not see traffic from the opposite VLAN. [HP calls this a "hybrid" port, designed for "protocol based" VLANs]