Understanding vlan treatment on packet
Hi everyone, I am trying to understand VLAN behavior on tagged and untagged packets. I have come across these statements, which sound quite confusing to me:

When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag.

 1. The packet proceeds to the VLAN specified by its VLAN ID tag number.

 2. If the port in which the packet entered does not belong to the VLAN
    specified by the packet’s VLAN ID tag, the system drops the packet.

 3. If the port belongs to the VLAN specified by the packet’s VLAN ID,
    the system can send the packet to other ports with the same VLAN ID.

I am so confused by all these statements. How do these three differ? They contradict one another. What does "packet/port belongs to a specific VLAN ID" mean, as a port can have only one VLAN ID?

Connolly answered 22/12, 2011 at 8:10

Overview

I have been refraining from answering this question, since I thought it would get migrated to Server Fault; since it is lingering here, I will address the specifics of your question. It is also difficult to completely respond without more context of why the author was making those points, but I will endeavor to answer as best I can. I'm not sure why I spent so much time answering this question, other than it's Christmas and my wife is out of the country visiting her family...

Diagram

I think the concepts are best illustrated by something called a multi-layer switch, which is just an ethernet switch that also understands IP addresses. I drew a diagram to illustrate:

  • The switch has four physical interfaces, numbered Port 1/1, Port 1/2, Port 1/3 and Port 1/4
  • The switch has one virtual interface, Vlan12. The virtual interface has an ethernet mac-address and an IP address assigned to it.
  • Three ethernet frames are assumed to enter Port 1/1
  • Port 1/1 is configured to accept Vlan tags 12 and 13. Port 1/1 also has a default Vlan of 1; this means that any untagged frames are put into Vlan 1.
  • The first decision point an ethernet switch uses is determining what Vlan a frame belongs to.
  • Next the ethernet switch looks at its database of ethernet mac-addresses that it knows

[Diagram: Switch with Ethernet Vlans]

Answers

I am so confused by all these statements. How do these three differ? They contradict one another. What does "packet/port belongs to a specific VLAN ID" mean, as a port can have only one VLAN ID?

Actually it depends on the kind of port we are discussing. The author is very clearly describing what happens on an ethernet switch port in trunk mode.

  • Ethernet trunk mode ports can process more than one Vlan ID, if they are in trunk mode (see Port 1/1 in the diagram). Port 1/1 can accept ethernet frames with either Vlan 12 or Vlan 13; however, those frames must have an 802.1q tag on them so the switch knows which Vlan they belong in
  • Ethernet Access mode ports have only one Vlan assigned.

To address the points quoted from the text...

When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag.

  1. The packet proceeds to the VLAN specified by its VLAN ID tag number.

This is best illustrated by what could happen to Frame A.

Even though Port 1/1 has a default Vlan (Vlan 1), Frame A remains assigned to Vlan 12. As such, it could exit Port 1/2, 1/3 or go directly to Virtual Interface Vlan12:

  • If Frame A goes out Port 1/2, the 802.1q tag (12) sent into Port 1/1 remains on Frame A, because Port 1/2 is in trunk mode
  • If Frame A goes out Port 1/3, the 802.1q tag (12) sent into Port 1/1 is removed from Frame A, because Port 1/3 is in access mode
  • If Frame A is delivered to Virtual Interface Vlan12 (if Frame A's destination mac-address is 000a.dead.beef), the switch doesn't need to forward the frame anywhere else. Normally the reason that you would see an ethernet frame addressed to a virtual interface on the switch is for management purposes, such as telnet, ssh or snmp. There are other reasons, but let's not complicate things any more for now.

... 2. If the port in which the packet entered does not belong to the VLAN specified by the packet’s VLAN ID tag, the system drops the packet.

This is best illustrated by what happens to Frame B.

Port 1/1 is not configured to accept Vlan ID 20, so when the switch sees "20" in the 802.1q tag, Frame B is discarded.

... 3. If the port belongs to the VLAN specified by the packet’s VLAN ID, the system can send the packet to other ports with the same VLAN ID.

This again refers to Frame A; in this case the author describes what could happen if the switch does not deliver Frame A to Virtual Interface Vlan12.

One comment mentioned that an unknown mac-address is flooded out all ports; this is true, but not part of the original question.

Finally I included Frame C for your reference. This is to illustrate the behavior of a default Vlan on an ethernet trunk port.

Merry Christmas, and good luck with your studies.

Burning answered 25/12, 2011 at 13:06
Turns out that there are some misconceptions here. E.g., in answer #2, frame B won't necessarily be discarded by port 1/1. Actually, it'll be accepted on ingress by default. See IEEE 802.1Q-2011 8.6.2 Ingress filtering: "A frame received on a Port that is not in the member set (8.8.10) associated with the frame’s VID shall be discarded if this parameter is set. The default value for this parameter is reset, i.e., Disable Ingress Filtering, for all Ports." (Alar)
You seem to be missing the point of VLANs allowed on port 1/1. The switch is only configured to allow tags 12 and 13. (Burning)
I'm aware of that. What I'm curious about is whether "Ingress Filtering" will be automatically enabled on the port if you configure PVID(s) for this port. That seems to be a separate flag, presumably. To me, the standard doesn't explicitly state it, but it'd be surprising if any vendor didn't do that. (Alar)
New VLAN learner here: Really appreciate the detailed answer with the diagram! But I'm confused by the part about Frame A having three possible paths. What determines the final path that Frame A takes? Is it switch-dependent behavior? Or does any document specify the algorithm to determine which path Frame A should take? (Marci)
re: actually frame A may, and in a particular case will, be transferred by all three paths at the same time... 'mac learning' and 'mac flooding' were not part of the original question... only VLAN treatment is in question (Burning)

Let's take a step back and just look at the concept here.

If you just have a "dumb" switch, it only has one VLAN, and that VLAN is "untagged". That means each packet has a "normal" Ethernet header which does not include the 802.1q tag.

If you want to multiplex more than one network over a single physical medium, the switch has to have some way to tell the networks apart. The way it does that is by using a VLAN tag. Let's imagine you have two switches connected to each other, and you have three VLANs, 100, 200, and 300.

Imagine the two switches are connected to each other with only 1 cable to port A on each switch. You would configure port A on each switch to accept and forward tagged traffic on those three VLANs. Then you would configure the ports you wanted to be in VLAN 100, 200, and 300 as that port's default VLAN, on each port exposed to end users.

In summary, a few important points:

  • VLAN tags are used to multiplex multiple logical layer 2 networks over the same physical link
  • VLAN tags are normally used between infrastructure devices (and possibly servers) and are not seen on end users' networks
  • A switch is typically configured such that when a packet is switched, the appropriate tag is added as the packet traverses the network infrastructure, and then removed before an end user device sees the packet again.

Kind of hard to explain. Hope this helps.

Ornithischian answered 25/12, 2011 at 9:12
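As an added example (not code from this answer or from the original thread), here is what the 802.1Q tag this answer talks about actually looks like on the wire: a Python module that builds an Ethernet frame, inserts the 4-byte tag a switch adds when a frame crosses a trunk, strips it again the way an access port does before the end user sees the frame, and parses the result. All MAC addresses and payload bytes are constructed for the example. `parse_frame` also walks stacked tags (an 802.1ad `0x88A8` service tag in front of the `0x8100` tag), which goes a little beyond the single-tag case the answer describes.

```python
"""Build, parse, tag and untag 802.1Q Ethernet frames (added example, constructed data)."""
import struct
from typing import Dict, List, Optional

TPID_8021Q = 0x8100    # EtherType value announcing a customer (C-) tag
TPID_8021AD = 0x88A8   # EtherType value announcing a service (S-) tag, 802.1ad / QinQ
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def mac_bytes(mac: str) -> bytes:
    """'00:0a:de:ad:be:ef' or '000a.dead.beef' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame; when vid is given, one 802.1Q tag is inserted after the MACs."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 0 <= vid <= 0xFFF:
            raise ValueError("VID is a 12-bit field")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid   # Tag Control Information
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict:
    """Return dst, src, the tags (outermost first), the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    offset = 12
    tags: List[Dict] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside the EtherType field")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TAG_TPIDS:
            break                                   # a real EtherType: no more tags
        if offset + 4 > len(frame):
            raise ValueError("frame ends inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4
    return {
        "dst": dst, "src": src, "tags": tags,
        "vid": tags[0]["vid"] if tags else None,    # None means the frame is untagged
        "ethertype": etype, "payload": frame[offset + 2:],
    }


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """What a trunk port does on egress to a frame that came in untagged on an access port."""
    tci = (pcp & 0x7) << 13 | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """What an access port (or a trunk port, for its native VLAN) does on egress."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in TAG_TPIDS:
        return frame            # already untagged: nothing to remove
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # constructed sample: an untagged ARP frame from a host, carried across a trunk in VLAN 12
    host_frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"arp-request-body")
    on_trunk = add_tag(host_frame, 12)
    print(parse_frame(on_trunk)["vid"], len(on_trunk) - len(host_frame))   # 12 4
    assert strip_tag(on_trunk) == host_frame
```

The 12-bit VID is the only part of the tag a switch uses to place the frame in a VLAN; the 3-bit PCP and DEI bit ride along for QoS and are preserved when the tag is copied from ingress trunk to egress trunk.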

"When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag." means that when a packet enters some switch with some VLAN ID assigned to it, it will continue travelling inside the switch with the same VLAN ID. If the packet has no VLAN ID, then the packet will be assigned the default VLAN ID, which is generally 1.

1. The packet proceeds to the VLAN specified by its VLAN ID tag number.

Because the packet has a VLAN ID assigned, it will proceed ahead with the same VLAN ID.

2. If the port in which the packet entered does not belong to the VLAN specified by the packet’s VLAN ID tag, the system drops the packet.

The packet will enter some port decided by the switch based on the destination IP address in the packet header and the routing table inside the switch. If that port does not have permission to transmit packets with the VLAN ID of that particular packet, then the port will drop the packet.

3. If the port belongs to the VLAN specified by the packet’s VLAN ID, the system can send the packet to other ports with the same VLAN ID.

Otherwise, if the port has permission to transmit packets with that particular VLAN ID, then it will transmit the packet ahead.

The same criteria will be followed in every switch it encounters till the packet reaches its destination.

Fronia answered 10/2, 2015 at 10:32
And BTW, a port can have a range of VLAN IDs, and we can configure whether to allow packets with these VLAN IDs or drop them. (Fronia)

Both frames B and C would be discarded. If the native VLAN is not allowed on the trunk, then the untagged frame won't be allowed to travel.

Electret answered 11/9, 2015 at 22:24

The VLAN tag is part of the packet's link-layer header (ISO/OSI layer 2).

You have two possibilities for setting a port:

1) Port belongs to the VLAN (access mode).

This implies two behaviors:

a) Inside the switch every port has its own VLAN ID (the default is normally VLAN 1). Every port in this mode rejects ingress 802.1q-tagged frames and automatically assigns untagged frames to the VLAN ID of this port.

b) If a frame enters a port in this mode and egresses a trunk port (below), the frame will be tagged with an 802.1q header carrying the VLAN ID associated with the ingress port.

As you can see, when you set half of the ports on the switch to VLAN 5 and half to VLAN 2, you divide the switch into two parts and you have two virtual switches.

2) Port is a 'trunking port'

Packets go through this port without modification to another switch or a PC that can work with tagged packets. On some switches you can use a filter where you specify which VLANs (or which VLAN tag numbers) can pass through this port. But this port doesn't change the VLAN tags.

In this case, packets outside the switch go with exactly the same tags as inside the switch.

Nuno answered 22/12, 2011 at 8:55
I'm sorry but your description in 1) is incorrect. The proper term is the port being in "Access mode", and ports in said mode do not consider frames tagged with a VLAN header. (Burning)
@MikePennington Every vendor has its own terminology, but in fact my answer is right. The Cisco terminology is switchport access for 1) and switchport trunk for 2), where there can be a native VLAN. But it is so confusing in this case, I think. Please try reading it once more and don't give me a bad vote. Thanks a lot. (Nuno)
@MikePennington Once more: a port in access mode tags incoming packets (which have no tags) and clears the tag on outgoing packets. I think that is in my answer and that it is right. (Nuno)
@MikePennington I read your profile and I know about your profession and certification. But I still consider that I'm right. You know that simpler switches have VLAN 1 as a basic VLAN and every port is an access port to this VLAN. Why? Because all traffic going into the switch (without a VLAN tag) is tagged with tag no. 1 in the incoming queue, and in the outgoing queue this tag is cleared. Maybe some dumb switches and smart routers can do this work without incoming tagging, but in general this is the behavior. Did you ever try to remove all (including default) VLANs on the C2950? (Nuno)
@MikePennington I'm very sorry about that, but you don't completely understand my answer. I wrote that a packet which goes from the switch is without tags, and a packet which goes to the switch goes without tags. Only packets inside the switch are tagged, and the switch processes packets with tags. Please try to read my answer with this intention and change your mind about me and about my answer, or you can dispute my answer with authorities from Cisco. My answer is not opposed to the information which you wrote, and I'm absolutely sure about it, but I will edit my answer to be more accurate. (Nuno)
@MikePennington I rewrote my answer according to our discussion. (Nuno)
@MikePennington Thanks for the rewrite, as I'm not a native speaker. But you are not right in point 1) b). Every packet must be tagged, because otherwise dividing the switch into two (or more) parts cannot work. How can the switch know which packet is going to which port, if you have even two VLANs, and if every ingress packet is not tagged? Every ingress packet is tagged, in the simplest case only by the tag of VLAN 1, when all ports are in access mode in this VLAN. Please edit the answer in this sense. Thanks. (Nuno)
@MikePennington Every packet ingressing the switch by a port in access mode is tagged with the VLAN ID of the VLAN to which this port is "added". On every packet egressing by a port in access mode, the VLAN ID is cleared from the packet. Inside the switch every packet has an 802.1q VLAN ID; outside the switch packets are without this tag. On the other side, ports in trunk mode don't change VLAN tags. If you don't believe me, please consult it with Cisco authorities, and then please edit the answer in this way. Many thanks. (Nuno)
@MikePennington I'm sorry, you are right. I reverted the answer to your edit. I'm so sorry again. I thought that inside the switch every packet had an 802.1q header, but they can be tagged only by another mechanism. OK, I was wrong. Thanks for your explanation. (Nuno)
Oh please, can anyone explain this to me? I will be very thankful. (Connolly)

When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag.

  1. The packet proceeds to the VLAN specified by its VLAN ID tag number.

  2. If the port in which the packet entered does not belong to the VLAN specified by the packet’s VLAN ID tag, the system drops the packet.

  3. If the port belongs to the VLAN specified by the packet’s VLAN ID, the system can send the packet to other ports with the same VLAN ID.

First - Terminology.

  1. Default VLAN ID. This is simply the default VLAN ID of a port that has not been configured. Once you configure it to something other than the default, it's not the default.
  2. Native VLAN ID. This is the VLAN assigned to an untagged packet (one without a VLAN ID) when it enters a Trunk or Tagged port of a VLAN-aware switch.
  3. Trunk or Tagged port. This is the confusing part - this port does not have a VLAN ID (Port VLAN ID), because it expects the incoming packets to have a VLAN tag. When they don't, it assigns the packet to the Native VLAN. So "Tagged" refers to the tagged packets the port expects, and not the port itself. It is also called a trunk (Cisco terminology) port because this is an entry point and exit point for many packets tagged with many VLAN IDs. In addition, if an outgoing trunk port has the Native VLAN ID of the tagged packet, it will remove the tag from the packet as it leaves the switch.
  4. Access or Untagged Port. The flip side of the confusion referred to in point 3: this port expects untagged packets, and assigns them to the Port VLAN ID. "Untagged" refers to the incoming and outgoing packets. A packet tagged with that VLAN will exit the switch with its VLAN information removed, reverting it to an untagged packet. It is also called an Access (Cisco terminology) port because it is how non-VLAN-aware equipment gets access to the VLAN. There is a special case where manufacturers will accept VLAN-tagged packets on an access port if the tag matches the Port VLAN ID; it was placed there for VLAN-aware network devices such as VoIP phones so that the port doesn't have to be switched between "access" and "trunk" if you plugged a computer into that port instead. But normally the access port would drop incoming packets that are VLAN-tagged.

So.. The first sentence should use "Native VLAN ID". A tagged packet would get dropped by an access port with a "Default VLAN ID". But a trunk port would accept packets that have a vlan tag.. and the Native VLAN ID doesn't apply since that's only used for "Untagged" packets.

Point 1 should read "Exits the switch on ports assigned a Port VLAN ID". Which might still be the "Default VLAN ID".

Point 2 describes an "Access" or "Untagged" port, with the exception for when a packet tagged with a VLAN ID matches the Port VLAN ID.

Point 3 is the point of a VLAN aware network. The port with the same VLAN ID would be an access port. This also happens when tagged packets enter a Trunk port, or untagged packets enter a Trunk port and the Native VLAN ID is assigned to those packets. The switch sends the packet to access ports that match the VLAN ID (untagging the packet), and all other Trunk ports (untagging the packet if its tag matches the Native VLAN ID of that port). The trunk ports connect to other switches with Trunk ports for incoming packets, and access ports for devices on that VLAN.

Those points address the OP's points. In addition, for completeness, each trunk port can have VLAN filters to not accept some VLANs, or to not send packets for some VLANs.

Scherman answered 12/9, 2024 at 18:32
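As an added example, not code from any answer in this thread, the Python model below walks Frames A, B and C from the diagram answer (tag 12, tag 20 and untagged, all arriving on Port 1/1) through the three quoted rules, using the default / native / trunk / access terminology laid out in the answer just above. The port configuration in the module docstring follows the diagram answer where it is specified and is assumed where it is not (Port 1/4's VLAN, and VLAN 1 being on Port 1/1's allowed list); the MAC addresses are constructed. Two details from the discussion are modelled as well: the per-port `ingress_filtering` flag that the 802.1Q standard leaves off by default (the comment thread under the diagram answer), and the dropping of untagged frames when the native VLAN is not in the trunk's allowed list (the short answer about frames B and C).

```python
"""Toy model of 802.1Q ingress/egress decisions on a switch (added example, not from the thread).

Assumed configuration (as in the diagram answer where stated, otherwise an assumption):
  Port 1/1  trunk, native (default) VLAN 1, allowed VLANs {1, 12, 13}   (1 in the list is assumed)
  Port 1/2  trunk, native VLAN 1,           allowed VLANs {12, 13}
  Port 1/3  access port in VLAN 12
  Port 1/4  access port in VLAN 1           (assumption: the thread never says what 1/4 is)
  Vlan12    virtual interface with MAC 00:0a:de:ad:be:ef
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Egress = Tuple[str, Optional[int]]   # (port name, VID in the tag on the wire, or None if sent untagged)


@dataclass
class Port:
    name: str
    mode: str                                        # "access" or "trunk"
    pvid: int                                        # access VLAN, or native VLAN of a trunk
    allowed: Set[int] = field(default_factory=set)   # trunk only
    # 802.1Q-2011 8.6.2 leaves ingress filtering off by default; a vendor "allowed VLAN"
    # list on a trunk effectively switches it on, which is the behaviour modelled here.
    ingress_filtering: bool = True

    def classify(self, vid: Optional[int]) -> Optional[int]:
        """VLAN an arriving frame is assigned to, or None if the port discards it."""
        if self.mode == "access":
            # an access port owns exactly one VLAN and does not honour an incoming tag
            return self.pvid if vid is None else None
        vlan = self.pvid if vid is None else vid     # the default VLAN only touches untagged frames
        if self.ingress_filtering and vlan not in self.allowed:
            return None                              # quoted point 2: port not in that VLAN -> drop
        return vlan

    def egress(self, vlan: int) -> Optional[Egress]:
        """How this port would send a frame in `vlan`, or None if it cannot carry that VLAN."""
        if self.mode == "access":
            return (self.name, None) if vlan == self.pvid else None    # always untagged
        if vlan not in self.allowed:
            return None
        return (self.name, None if vlan == self.pvid else vlan)       # native VLAN leaves untagged


@dataclass
class Switch:
    ports: Dict[str, Port]
    svi_mac: Dict[int, str]                                         # VLAN -> MAC of the switch's own interface
    fdb: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (VLAN, MAC) -> port it was learned on

    def receive(self, in_port: str, src: str, dst: str, vid: Optional[int]) -> Dict:
        """Apply the three quoted rules to one frame and report what the switch does with it."""
        vlan = self.ports[in_port].classify(vid)
        if vlan is None:
            return {"action": "drop", "vlan": None, "out": []}
        self.fdb[(vlan, src)] = in_port                              # MAC learning is per VLAN
        if self.svi_mac.get(vlan) == dst:
            return {"action": "svi", "vlan": vlan, "out": []}        # handed to the Vlan interface
        learned = self.fdb.get((vlan, dst))
        if learned == in_port:
            candidates: List[str] = []                               # never back out the ingress port
        elif learned is not None:
            candidates = [learned]
        else:
            candidates = [p for p in self.ports if p != in_port]     # unknown destination: flood
        out = [e for p in candidates if (e := self.ports[p].egress(vlan)) is not None]
        return {"action": "forward", "vlan": vlan, "out": out}


def build_switch() -> Switch:
    return Switch(
        ports={
            "1/1": Port("1/1", "trunk", pvid=1, allowed={1, 12, 13}),
            "1/2": Port("1/2", "trunk", pvid=1, allowed={12, 13}),
            "1/3": Port("1/3", "access", pvid=12),
            "1/4": Port("1/4", "access", pvid=1),
        },
        svi_mac={12: "00:0a:de:ad:be:ef"},
    )


if __name__ == "__main__":
    sw = build_switch()
    host = "00:11:22:33:44:55"                                       # constructed MAC behind Port 1/1
    print("A", sw.receive("1/1", host, "00:66:77:88:99:aa", 12))    # tag 12, unknown dst: flood in VLAN 12
    print("B", sw.receive("1/1", host, "00:66:77:88:99:aa", 20))    # tag 20, not allowed on 1/1: drop
    print("C", sw.receive("1/1", host, "00:66:77:88:99:aa", None))  # untagged: default VLAN 1
    print("A->SVI", sw.receive("1/1", host, "00:0a:de:ad:be:ef", 12))
```

Running the module prints one decision per frame. Frame A floods out 1/2 tagged 12 and 1/3 untagged, never 1/4; Frame B is dropped at ingress; Frame C lands in VLAN 1 and leaves only on 1/4. Flipping `ingress_filtering` off on Port 1/1 makes the standard's default visible: Frame B is then accepted into VLAN 20 and simply finds no port willing to carry it.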