Consider the scenario where i have a switch which is connected to multiple end devices say X, Y, Z where X is in Vlan_X and Y is in Vlan_Y and Z is in Vlan_Z.
This switch is connected to external network via a Router for routing the data. Also here each Vlan is designated with a unique IP as each Vlan represents a subnet.
Now both X and Y sends a TCP/UDP request over the network, which is routed through Router.
My question is how does the router identify the MAC address of X and Y when routing back replies for them ?
Since the line between the Router and Switch is Trunk enabled, how does Router add the correct Vlan ID in the 802.1q corresponding to X or Y ?
Thanks
Charan
Ignore the existence of the vlan's for a moment - assume you have three separate devices
switch_VX , switch_VY and switch_VZ with the hosts X,Y,Z connected to them.
Now assume that your router has a distinct ethernet cable to each switch.
On your router you are going to have three different ethernet ports.
eth_VX , eth_VY, eth_VZ
In this setup it should be obvious how it works .
Each switch has it's own Layer 3 protocol address subnet for any protocols you are using (IPv4, IPv6, AppleTalk, IPX etc)
The router needs a configuration on each interface that has an address from the same address range that the switch is using.
Then the router gets to the host by looking at it's protocol address , looks for the interface that matches, and then uses the right protocol->mac translation mechanism to talk to the end host.
For IPv4, that means the router looks in its routing table, finds eth_??, and then goes looking in the ARP table for the MAC address of the host it's looking for.
Each host is configured with an address from the subnet that's on the switch it's using, and each host is configured to use the address of the router as its default gateway.
Logically that's exactly how it works - always.
However, confining people to use separate sets of switches for each subnet is not efficient. Requiring a separate ethernet cable, and port on the router for each switch isn't efficient. It gets even more costly when you want to do a proper service and add redundant cables and routers etc..
So the manufacturers changed the physical topology a bit, and moved some of the physical stuff to software configured instead. However the devices are still doing exactly the same job.
So instead of separate switches you have separate vlans on the device (or set of devices).
In the explanation above replace switch_VX with switch_vlan_X. The VLAN configuration on the switch creates effectively a completely seperate switch. It runs its own MAC Address Table, it's got its own copy of spanning-tree running. Internally inside the switch it has to record the VLANID inside each ethernet frame - so that it makes sure that it never gets sent out the wrong ports. The switch adds the VLANID when it receives a frame, and strips it off before it sends it out. So the end hosts have no idea that it's happening. It's all hidden.
So that removes the multiple switches, and we can configure our vlans on one switch.
But we still have multiple cables to our router. So let's fix that by configuring the switch engine to treat the port connected to the router as special. Instead of stripping off the VLANID for all frames - let's instead send the frames up to the router with the VLANID still on them. We'll need to agree on a common format for the frames, so the routers know where to look. 802.1Q is the industry standard, but there are some other options out there. Most vendors call the port a ''trunk'' port when it is configured to leave the VLANID in place.
Now the router is getting a stream of frames on a single interface but they have VLAN identifiers in there that need to be removed. Let's get the router to do that in software.
So in the description above, instead of different ethernet interfaces ; we'll have a software interface that understands VLANs. Replace all mentions of eth_VX with eth_vlan_X .
Now the router knows when it gets a frame that is part of VLAN X, that it is associated with the interface eth_vlan_x , and it can remove the VLANID and process it appropriately.
If the router wants to send a frame out the interface eth_vlan_x, it knows that it needs to insert the VLANID X into every fraame.
So we started with a logical setup, and changed the physical layout to be more flexible and more efficient. However, logically it is absolutely no different to the setup that uses independent separate devices.
Related
I want to send data(I think I can achieve it sending http requests) between two ESP's that are connected to the same LAN. I don't want to use one as an access point! I have one esp that is acting as a homekit device, and I want to send data(for example, sensor readings) to it from another esp. I've seen many tutorials where one device is acting as an access point, but that's not what I need. I also don't really need to access the esp data directly from my laptop, so I believe I don't need the html page. I would appreciate any help, code, or any existing tutorials, because I didn't find a single one.
Configuring one ESP as an AP is only done for convenience. You can configure both of them in STA (station) mode and they will connect to, e.g. your phone hotspot or your wifi router.
Connected to the same hotspot, they are on the same network, and they will be able to communicate with each other (unless the hotspot is configured to not allow this ... ). The tricky part will most likely be for the "client" to determine the IP address of the "server" in order to create the connection.
If you have admin access to the hotspot, you can cheat and hard code the IP addresses (assuming that the hotspot will assign the same IP address to the device the next time it sees it.)
It's also not difficult to use mdns (aka bonjour), which allows a network device to assign itself a local hostname. So you can name one ESP ("myserver") which allows the ESP running the client code to connect to "http://myserver.local"
I have some questions about vlan's. I know that this forum is more for programming than for networking but this is the best forum that I could think of.
So all my questions are about vlan's. Here they come:
Can one vlan have a different beginning of a ip adress as the other one's (e.g. vlan 1=192.168.2.xx, vlan 2=10.0.0.x)?
Can devices have the same ipadress when they're in different vlan's?
Can you make a "hole" between the vlan's so that a few devices (chosen by you, for example using static ip adresses) can still talk with each other (e.g. a file server on vlan 1 can still talk to the printer on vlan 2)?
Can you have different dns servers for different vlan's?
Can you have different firewall settings for different vlan's? How do you "choose" which firewall you want to change as an admin?
Can you have wifi vlan's (like a vlan for your home wifi and a vlan for your guest wifi)
Can you access the routers settings (192.168.1.1) from every vlan?
When I connect to a network, how do I get assigned to a vlan? Is there like a "If someone connects to the network, it automatically goes to vlan 1 until the admin moves them to a different vlan"?
Can you put a password on a vlan so that you have to put in a password to change vlan's?
Can a user (so not a network admin) choose to change from vlan's (because then question 8 would be relevant)?
How does portforwarding work with vlan's?
If you access the network from outside (e.g. a hacker or just someone else), do you automatically get "redirected" to the standard vlan (1) or do you end up in a "intersection" where you first have to choose the vlan you want to go to?
Can you make a port on a switch that has special access to every vlan at the same time (Only for the network admin)(So for that ethernet port, the network is just one big network instead of divided vlan's)(This would contradict question 2 as then you would have two devices with the same ip adress)?
Can you have a network port with a device attached to it, that will be accessable to every vlan (e.g. a printer)? Is that dangerous because than a hacker could probably access that device and use it to jump between vlan's?
That's it. I know that there are alot of questions but I hope you can help with a few at least. The thing is, youtube video's always just explain that vlan's are separate networks, but I want to know: "How separate are they?" You see that almost every question is about "How separate are they exactly?"
I hope you can help!
Thanks
hopefully this will answer your questions
VLANs are like separated cables inside cable and they do not mix or intefer between themselfs
Answers:
Yes. As mentioned above
Yes but it's not good practice because you can make mistake durring VLANs settings causing sec flaws or IP collisions
Not directly but this can be done via gateway/router between VLANs and all traffic have to go thru GW (easy way)
Yes and usually you do. For example you have:
VLAN 10: Subnet 192.168.10.0/24; GW 192.168.10.1; DNS 192.168.10.1
VLAN 20: Subnet 192.168.20.0/24; GW 192.168.20.1; DNS 192.168.20.1
Yes it is common/required behavior. It is done by filtering firewall rule by incoming interface (eg vnet7), incoming subnet or incoming IP
Yes. But there are two ways setting VLANs:
ACCESS (untag): VLAN is ended at output interface thus client device dont have to support/setup VLAN. Actualy client device even don't know that there is some VLAN
TRUNK (tag): VLAN (or multiple VLANs) are routed thru access point and client device has to be configured same way on incoming interface
Access is what you need in this case
Yes if you setup firewall that way (routing between subnes)
As explained in point 6
No. VLAN is just number. To protect your vlans you have to setup network devices in way that every port (unless needed - eg switches bond interconnection) is set in ACCESS mode so only admin with access to network device can change VLAN for client device. Or implement NAC such as packetfence
As points 6. and 8. Only when your setup allows
Inside VLAN no portforward is needed because all devices in same VLAN are at same L2 network
No simple answer here, it all depends on your VLAN and firewall settings
Can not be done with VLANs only. Common practice is to setup specific VLAN (lets call it management VLAN) which is ended in ACCESS mode on some physicaly secured switch ethernet port and then using firewall and routings on GW to setup access across all VLANS (well .. not all but required ones)
Yes you can as mentioned above but again using firewall and routing settings on gateway
This one is long :) ... fell free to continue in chat
I understand that it's different than a hub in that instead of packets being broadcasted to all devices connected to the device, it knows exactly who requested the packet by looking at the MAC layer.
However, is it still possible to use a packet sniffer like Wireshark to intercept packets meant for other users of the switch? Or is this only a problem with ethernet hubs that doesn't affect switches due to the nature of how a switch works?
On a slightly off topic side note, what exactly is classified as a LAN? For example, imagine two separate ethernet switches are hooked up to a router. Would each switch be considered a separate LAN? What is the significance of having multiple LAN's within the same network?
it knows exactly who requested the packet by looking at the MAC layer.
More exactly, the switch uses the MAC destination address to forward a frame to the port associated with that address. Addresses are automatically learned by looking at the MAC source address on received frames.
A switch is stateless, ie. is has no memory who requested which data. A layer-2 switch also has no understanding of IP packets, addresses or protocols. All a basic switch does is learn source addresses and forward by destination address.
is it still possible to use a packet sniffer like Wireshark to intercept packets meant for other users of the switch?
Yes. You'll need a managed switch supporting port mirroring or SPANning. This doesn't intercept frames, it just copies them to the mirror port. If you need to actually intercept frames you have to put your interceptor in between the nodes (physically or logically).
With a repeater hub, every bit is repeated to every node in the collision domain, making monitoring effortless.
what exactly is classified as a LAN?
This depends on who you ask and on the context. A LAN can be a layer-1 segment/bus aka collision domain (obsolete), a layer-2 segment (broadcast domain), a layer-3 subnet (mostly identical with an L2 segment) or a complete local network installation (when contrasted with SAN or WAN).
Adding to #Zac67:
Regarding this question:
is it still possible to use a packet sniffer like Wireshark to
intercept packets meant for other users of the switch?
There are also active ways in which you can trick the Switch into sending you data that is meant for other machines. By exploiting the Switch's mechanism, one can send a frame with a spoofed source MAC, and then the Switch will transfer frames destined to this MAC - to the sender's port (until someone else sends a frame with that MAC address).
This video discusses this in detail:
https://www.youtube.com/watch?v=YVcBShtWFmo&list=PL9lx0DXCC4BMS7dB7vsrKI5wzFyVIk2Kg&index=18
In general, I recommend the following video that explains this in detail and in a visual way:
https://www.youtube.com/watch?v=Youk8eUjkgQ&list=PL9lx0DXCC4BMS7dB7vsrKI5wzFyVIk2Kg&index=17
what exactly is classified as a LAN?
So indeed this is one of the least-well-defined terms in Computer Networks. With regards to the Data Link Layer, a LAN can be defined as a segment, that is - a broadcast domain. In this case, two devices are regarded as part of the same segment iff they are one hop away from one another - that is, they can switch frames in the second layer.
Hello Networking Gurus,
I have a question about IP duplication and how this impact the associated switches (layer 2). Sorry, I don't have any resources available to test this. It would be great if someone can shed some lights of their experience on this.
If I have two servers (Linux), say A & B, serving exactly same contents and for some reason they both are assigned same IP address. To be more specific, if A already has an address IP.100 and B has another address IP.200. Now at this point everything seems working and the switch has proper MAC addresses stored. If, later, B also gets the address IP.100, how would this affect the switch's ARP cache? When B gets the new address I assume it broadcasts ARP? to inform the associated switch.
So the question is, Does the switch stores both machines' entries? or overwrites the existing with new? Is there any standard behaviour or proprietary switches reacts differently?
If a client, with no ARP cache, tries to connect to IP.100, which machine would it be forwarded to? A or B or none? If A OR B, can I say from client point-of-view, that there's no outage? (Assume this is a static website, with no login sessions etc)
Feel free to point any relevant documentation.
Thank you in advance.
In theory, you shouldn’t have two hosts talking on the same IP, unless they are participating in routing. Eg any-cast. As things will break.
Each host will have its own MAC address. If the switch is only doing layer two forwarding, then the switch only keeps track of MAC addresses. It is the end hosts or routers that track ARP entries.
If you move IP 100 to B, then the hosts will update their own ARP table.
But if A and B have 100 at the same time, this will cause issues.
Switch will not see any IP's and do not have arp cache for forwarding packets , it will had only mac address table map macs to ports and macs in your case will be unique
I actually think this is how multicast works.
Hosts obtain a multicast address and all of the devices share that same multicast address.
A switch will gather collections of Mac addresses to that same multicast in it's mac table.
I could be wrong though....Still learning.
2 computers are in different subnets.
Both are Windows machines.
There are 2-5 IGMP-ready routers between them.
They can connect each other over multicast protocol (they have joined the same multicast group and they know about each other's existance).
How to establish a reliable TCP connection between them without any public server?
Programming language: C++, WinAPI
(I need a TCP connection to send some big critical data, which I can not entrust to UDP)
You haven't specified a programming language, so this whole question may be off-topic.
Subnets are not the problem. Routability is the problem. Either there is routing set up or there isn't. If they are, for example, both behind NAT boxes, then you're at the mercy of the configuration of the nat boxes. If they are merely on two different subnets of a routed network, it's the job of the network admin to have set up routing. So, each has an IP address, and either can address the other.
On one machine, you are going to create a socket, bind it to some port of your choice, and listen. On the other, you will connect to the first machine's IP + the selected port.
edit
I'm going to try again, but I feel like there's a giant conceptual gap here.
Once upon a time, the TCP/IP was invented. In the original conception, every item on the network has an IPV4 address, and every machine could reach every other machine, via routing, except for machines in the 'private' address space (10.x, etc).
In the very early days, the only 'subnets' were 'class A, class B, class C'. Later the idea of subdividing a network via bitmasks was added. The concept of 'subnet' is just a way of describing a piece of network in which all the hosts can deliver packets to each other by one hop over some transport or another. In a properly configured network, this is only of concern to operating system drivers. Ordinary programs just address packets over the network and they arrive.
The implementation of this connectivity was always via routing protocol. If you have a (physical) ethernet A over here, and a (physical) ethernet B over there, connected by some sort of point-to-point link, the machines on A need to know where to send packets for B. Or, to be exact, they need to know where to send 'not-A' packets, and whatever they send them needs to know where to send 'B' packets. In simple cases, this is arranged via explicit configuration: routing rules stuffed into router boxes or even computers with multiple physical interfaces. In more complex cases, routing boxes intercommunicate via protocols like EGP or BGP or IGMP to learn the network topology.
If you use the Windows 'route' command, you will see the 'default route' that the system uses to send packets that need to leave the local subnet. It is generally the address of the router box responsible for moving information from the local subnet to everywhere else.
The whole goal of this routing is to arrange that a packet sent from a.b.c.d to e.f.g.h will get there. TCP is no different than UDP, except that you can't get there by multicast or broadcast: you need to know the exact address of your correspondent.
DNS was invented to allow hosts to learn each other's IP addresses without having human being send them around in email messages.
All this stops working when people start using NAT and firewalls to turn off routing. The whole idea of NAT is that the computers behind the NAT box are not addressable at all. They all appear to have one IP address. They can send stuff out, but they can only receive stuff if the NAT box has gone to extra trouble to map them a port.
From your original message, I sort of doubt that NAT is in use here. I just don't understand your comment 'I don't have access to the network.' You say that you've sent UDP packets here and there. So how did you do that? What addresses did you use?