VLAN (2)

  • Though there is no VLAN20 link in between SW1 and SW2, PCs in VLAN20 can reach PCs connected to SW1 through R1 (R1 will perform inter-VLAN routing).

  • PC in VLAN20 (destination MAC of default gateway - R1) -> SW2 (received and forwarded on VLAN20 interface) -> R1 -> SW2 (received and forwarded on VLAN10 interface) -> SW1 -> PC on VLAN10.

Trunk ports

  • In a small network with few VLANs, it is possible to use a separate interface for each VLAN when connecting switches to switches, and switches to routers.

  • When the number of VLANs increases, this will result in wasted interfaces and often routers will not have enough interfaces for each VLAN.

  • You can use trunk ports to carry traffic from multiple VLANs over a single interface.

  • These are different from access ports, which belong to a single VLAN only.

  • Separate connections for each VLAN are replaced by single connections (but traffic from multiple VLANs is allowed).

  • PC on VLAN10 -> SW2 -> SW1 -> PC on VLAN10

  • SW1 knows which VLAN the traffic belongs to (because both VLAN10 and VLAN30 were allowed there) by a method known as VLAN tagging.

VLAN tagging

  • Switches will tag all frames that they send over a trunk link. This allows the receiving switch to know which VLAN the frame belongs to.

  • Trunk port = Tagged port

  • Access port = Untagged port (they need not be tagged because the interface belongs to a single VLAN)

Trunking protocols

  • ISL (Inter-Switch Link)

    • Old Cisco proprietary protocol

    • Not in use in real world

  • IEEE 802.1Q

    • Industry standard protocol

    • dot1q

802.1Q tag

Ethernet frame

  • dot1q inserts a field between the Source MAC and Type/Length fields of the Ethernet header.

  • The tag is 4 bytes (32 bits) in length.

  • 2 main fields

    • Tag Protocol Identifier (TPID)

    • Tag Control Information (TCI) -> PCP, DEI, VID

  Field    TPID      PCP      DEI      VID
  Length   16 bits   3 bits   1 bit    12 bits

  • TPID

    • 16 bits (2 bytes)

    • Always set to value of 0x8100 (4 hex digits = 16 bits). Indicates that the frame is 802.1Q tagged.

    • This is where the Type field is usually located in an Ethernet header. When the switch sees this value, it knows it is a dot1q tagged frame.

  • PCP

    • Priority Code Point

    • 3 bits

    • Used for Class Of Service (COS), which prioritizes important traffic in congested networks.

  • DEI

    • Drop Eligible Indicator

    • 1 bit

    • Used to indicate frames that can be dropped if the network is congested (to make sure important network traffic gets through).

  • VID

    • VLAN ID

    • 12 bits

    • Identifies the VLAN the frame belongs to.

    • 4096 total VLANs (2^12), range of 0-4095.

    • VLANs 0 and 4095 are reserved and can't be used. Actual range is 1-4094.

    • ISL also uses a VLAN range of 1-4094.

VLAN ranges

  • The range of VLANs (1-4094) is divided into 2 sections :

    • Normal VLANs : 1-1005

    • Extended VLANs : 1006-4094

  • Some older devices cannot use the extended VLAN range, however modern switches will support it.

Tagging example

  • The PC in VLAN10 (right) wants to send traffic to the PC in VLAN10 (left).

  • The traffic goes to SW2, which then forwards it to SW1 with a tag indicating that the traffic belongs to VLAN10.

  • SW1 receives the frame, and because the destination is also in VLAN10, it will forward the traffic to the destination.

A standard Layer 2 Switch will only forward traffic in the same VLAN. It will not forward traffic between VLANs.

Native VLAN

  • ISL does not have this feature.

  • The native VLAN is VLAN1 by default on all trunk ports, however this can be manually configured on each trunk port.

(This has to be configured on each trunk port separately. It's not a global configuration on the switch.)

  • The Switch does not add an 802.1Q tag to frames in the native VLAN. It will forward the frame normally, without adding the dot1q tag to it.

  • When a Switch receives an untagged frame on a trunk port, it assumes the frame belongs to the native VLAN.

  • So it is very important that the native VLAN matches between switches.

  • Switches will still forward traffic if there is a native VLAN mismatch, but problems may occur.

Native VLAN on a router

Native VLAN mismatch

Example 1

Example 2

  • The PC sends the frame to SW2 which forwards it to SW1 with a tag of VLAN30, since it is not the native VLAN of SW2.

  • But VLAN30 is the native VLAN of SW1.

  • When this frame tagged with VLAN30 arrives at SW1, SW1 will simply discard the frame and will not forward it to the destination.

  • Because SW1 expects all the traffic in VLAN30 to be untagged on that interface, it will consider the frame to be an error and not forward it.

Make sure the native VLAN matches on each switch.
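As an added example (not part of the original notes), the following Python builds and parses the 4-byte dot1q tag described under '802.1Q tag' (TPID 0x8100, then PCP, DEI and VID in the TCI) and models the trunk-port receive rule from the 'Native VLAN' section: untagged frames go into the native VLAN, and a frame tagged with the native VLAN is discarded, as the notes describe. The MAC addresses and payload are constructed values.

```python
import struct

TPID_8021Q = 0x8100  # TPID value the notes give for a dot1q-tagged frame

def build_frame(dst_mac, src_mac, payload, vid=None, pcp=0, dei=0, ethertype=0x0800):
    """Build an Ethernet frame; with vid set, insert the 4-byte 802.1Q tag
    between Source MAC and Type/Length (TPID 16 bits, then TCI = PCP|DEI|VID)."""
    header = dst_mac + src_mac
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID is a 12-bit field (0-4095)")
        tci = (pcp << 13) | (dei << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return the tag fields (None when untagged) plus the rest of the header."""
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:          # 0x8100 where the Type field usually sits
        (tci,) = struct.unpack("!H", frame[14:16])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (ethertype,) = struct.unpack("!H", frame[16:18])
        payload = frame[18:]
    else:
        tag, ethertype, payload = None, tpid, frame[14:]
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": payload}

def trunk_ingress_vlan(frame, native_vlan):
    """Model of the receive rule in the notes: an untagged frame is placed in the
    native VLAN; a frame tagged with the native VLAN is treated as an error and
    returns None (discarded); any other tag yields its VID."""
    tag = parse_frame(frame)["tag"]
    if tag is None:
        return native_vlan
    if tag["vid"] == native_vlan:
        return None
    return tag["vid"]

# Constructed sample MACs and payload (not taken from the notes)
DST = bytes.fromhex("0011223344aa")
SRC = bytes.fromhex("0011223344bb")
PAYLOAD = b"\x45" + b"\x00" * 19   # constructed stub of an IPv4 header

if __name__ == "__main__":
    tagged = build_frame(DST, SRC, PAYLOAD, vid=30, pcp=5, dei=1)
    print(parse_frame(tagged)["tag"])                   # {'pcp': 5, 'dei': 1, 'vid': 30}
    print(trunk_ingress_vlan(tagged, native_vlan=1))    # 30
    print(trunk_ingress_vlan(tagged, native_vlan=30))   # None (native VLAN mismatch case)
```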

Trunk port configuration

  • We'll configure g0/0 on SW1 and g0/0, g0/1 on SW2 as trunk ports.

On SW1

  • SW1(config-if)# switchport mode trunk (manually configure the interface as a trunk)

    • An error may occur : trunk encapsulation is 'auto'

    • Switches that support both ISL and dot1q have a trunk encapsulation of 'Auto' by default.

    • To manually configure the interface as a trunk port, you must first set the encapsulation to 802.1Q or ISL.

    • On switches that only support 802.1Q, this is not necessary.

    • SW1(config-if)# switchport trunk encapsulation dot1q
    • SW1(config-if)# switchport mode trunk

  • SW1# show interfaces trunk

    • The trunk interfaces are listed : Port, Mode, Encapsulation, Status, Native VLAN.

    • Under that, the VLANs allowed on the trunk are displayed.

      • By default, all VLANs, 1-4094 are allowed on the trunk.

      • For security purposes, we might want to limit which VLANs can be forwarded on the trunk.

    • Under that, VLANs allowed and active in management domain.

      • This includes the default VLAN of 1, as well as VLANs 10 and 30, which are already configured.

      • VLANs 1002-1005 do not appear here.

    • Under that, VLANs in spanning tree are shown.

  • SW1(config-if)# switchport trunk allowed vlan xxx

    • '10,30' : 'show interfaces trunk' now shows VLANs 10 and 30 as being allowed on the trunk. This is the command used for this example.

    • 'add 20' : 'show interfaces trunk' now shows VLANs 10, 20 and 30 as allowed. Since VLAN20 is not created on the switch, it isn't displayed in the 'VLANs allowed and active in management domain' section.

    • 'remove 20' : VLAN20 will be removed from the list of allowed VLANs.

    • 'all' : All VLANs are allowed. Same as default state.

    • 'except 1-5,10' : Allows all VLANs except those mentioned.

    • 'none' : No VLANs are allowed on the trunk. This allows no traffic to pass over the trunk.
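As an added example (not from the original notes), this Python models the semantics of the 'switchport trunk allowed vlan' arguments listed above (a bare list, 'add', 'remove', 'all', 'except', 'none') against the default allowed range of 1-4094, plus the 'allowed and active' filter that hides a VLAN which is allowed but not created. The keyword handling is my reading of the notes, not switch code.

```python
ALL_VLANS = frozenset(range(1, 4095))   # 1-4094: the default allowed list on a trunk

def parse_vlan_list(spec):
    """Parse an IOS-style list such as '1-5,10' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def apply_allowed_vlan(current, argument):
    """Return the allowed set after one 'switchport trunk allowed vlan <argument>'.
    Keywords as in the notes: all, none, add, remove, except; a bare list replaces."""
    keyword, _, rest = argument.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(argument)

def allowed_and_active(allowed, created):
    """'VLANs allowed and active in management domain': allowed VLANs that
    actually exist on the switch (VLAN20 allowed but not created is left out)."""
    return allowed & created

if __name__ == "__main__":
    allowed = set(ALL_VLANS)            # default state: everything allowed
    created = {1, 10, 30}               # VLANs configured on SW1 in the notes
    for cmd in ("10,30", "add 20", "remove 20"):
        allowed = apply_allowed_vlan(allowed, cmd)
        print(cmd, "->", sorted(allowed))
    print(sorted(allowed_and_active(apply_allowed_vlan(allowed, "add 20"), created)))
```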

Reasons to restrict the VLANs

  • Security : To make sure only traffic in the necessary VLAN can use that connection.

  • Network performance : This avoids unnecessary traffic, because broadcasts and such from other VLANs won't be sent over the trunk.

Change native VLAN

For security purposes, it is best to change the native VLAN to an unused VLAN. Also make the native VLAN match between SW1 and SW2.

  • SW1(config-if)# switchport trunk native vlan 1001
  • SW1(config-if)# do show interfaces trunk

NOTE

  • Notice that g0/0 is not listed anywhere in the result of 'show vlan brief' command, even in VLAN 10 or 30.

  • 'show vlan brief' command shows the access ports assigned to each VLAN, not the trunk ports that allow each VLAN.

  • Instead use 'show interfaces trunk' command to confirm the trunk ports.

On SW2

On interface connected to SW1 - g0/0

  • SW2(config)# interface g0/0
  • SW2(config-if)# switchport trunk encapsulation dot1q
  • SW2(config-if)# switchport mode trunk
  • SW2(config-if)# switchport trunk allowed vlan 10,30
  • SW2(config-if)# switchport trunk native vlan 1001
  • SW2(config-if)# do show interfaces trunk

On interface connected to R1 - g0/1

  • SW2(config)# interface g0/1
  • SW2(config-if)# switchport trunk encapsulation dot1q
  • SW2(config-if)# switchport mode trunk
  • SW2(config-if)# switchport trunk allowed vlan 10,20,30
  • SW2(config-if)# switchport trunk native vlan 1001
  • SW2(config-if)# do show interfaces trunk

Now both g0/0 and g0/1 are displayed in the output of the 'show interfaces trunk' command.

Router on a Stick (ROAS)

  • When we used 3 separate interfaces for the connection from SW2 to R1, we assigned a separate IP address to each one on R1.

  • Each one served as the default gateway for the PCs in each VLAN.

  • Now, we are using only 1 physical connection between the devices. So, we must use 'subinterfaces' on R1.

  • The one physical interface which connects g0/0 on R1 and g0/1 on SW2 can be divided into 3 separate subinterfaces, which allows us to perform inter-VLAN routing, with only 1 physical interface.

  • g0/0 on R1 : g0/0.10 for VLAN10, g0/0.20 for VLAN20, g0/0.30 for VLAN30.

  • These 3 logical subinterfaces are really one physical interface, g0/0 connected to SW2's g0/1, but can operate like 3 separate interfaces.

On R1

  • R1(config)# interface g0/0
  • R1(config-if)# no shutdown (router interfaces are shutdown by default)

  • R1(config-if)# interface g0/0.10 -> subinterface
  • R1(config-subif)# encapsulation dot1q 10 -> VLAN ID
  • R1(config-subif)# ip address 192.168.1.62 255.255.255.192

    • This tells the router to treat any arriving frames tagged with the specified VLAN number as if they arrived on this subinterface.

    • It will also tag all the frames leaving this subinterface with VLAN10 using dot1q.

  • R1(config-if)# interface g0/0.20
  • R1(config-subif)# encapsulation dot1q 20
  • R1(config-subif)# ip address 192.168.1.126 255.255.255.192

  • R1(config-if)# interface g0/0.30
  • R1(config-subif)# encapsulation dot1q 30
  • R1(config-subif)# ip address 192.168.1.190 255.255.255.192

  • R1# show ip interface brief (The subinterfaces appear along with the physical interface, but the physical interface will not have an IP address assigned)

  • R1# show ip route

    • Connected and Local routes are added just like when IP addresses are added to regular physical interface.

    • When R1 sends frames out of these subinterfaces, it adds the VLAN tag configured on the subinterface.

    • Eg: If a packet arrives destined for the 192.168.1.64/26 subnet, it will send the packet out of its g0/0 interface tagged with VLAN20.

The subinterface number does not have to match the VLAN number. However it is recommended that they do match, to make it easier to understand.
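As an added example (not from the original notes), this Python takes the three subinterfaces configured on R1 above, derives the connected routes they produce, and answers the question in the 'show ip route' bullets: for a given destination, which subinterface the packet leaves through and which VLAN tag it carries. The subnets and VLAN IDs are the ones in the R1 configuration; the lookup is a plain longest-prefix match written for this example.

```python
import ipaddress

# Subinterface table transcribed from the R1 configuration above:
# (subinterface, VLAN from 'encapsulation dot1q', address from 'ip address')
SUBINTERFACES = [
    ("g0/0.10", 10, "192.168.1.62/255.255.255.192"),
    ("g0/0.20", 20, "192.168.1.126/255.255.255.192"),
    ("g0/0.30", 30, "192.168.1.190/255.255.255.192"),
]

def connected_routes(subinterfaces):
    """The connected (C) routes R1 installs: one subnet per subinterface,
    kept together with the VLAN tag that subinterface adds on egress."""
    return [(ipaddress.ip_interface(addr).network, name, vid)
            for name, vid, addr in subinterfaces]

def egress(routes, dst_ip):
    """Longest-prefix match on the destination; returns (subinterface, VLAN tag)
    the packet leaves g0/0 with, or None when no connected route covers it."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, name, vid in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, vid)
    return None if best is None else (best[1], best[2])

if __name__ == "__main__":
    routes = connected_routes(SUBINTERFACES)
    for net, name, vid in routes:
        print(f"C {net} is directly connected, {name} (tag {vid})")
    print(egress(routes, "192.168.1.70"))    # in 192.168.1.64/26 -> ('g0/0.20', 20)
    print(egress(routes, "192.168.1.200"))   # 192.168.1.192/26 has no subinterface -> None
```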

Lab

  • If you allow a VLAN but it isn't displayed under 'VLANs allowed and active in management domain', it has not been created yet.

    • To create a VLAN, enter global configuration mode, type 'vlan 30' and then exit.

  • The router's address need not be the last usable address in a network, but it is advised to follow a system. Either the first or the last usable address in the network is preferred.

  • To find which switch port each PC is connected to, look up the PC's MAC address in the switch's MAC address table ('SW1# show mac address-table').

Extra

To find the mode in which the switch's port is configured in :

  • SW# show interfaces interface-id switchport
