Understanding vlan treatment on packet - networking

Hi everyone, I am trying to understand VLAN behavior on tagged and untagged packets. I have come across these statements, which sound quite confusing to me:
When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag.
1. The packet proceeds to the VLAN specified by its VLAN ID tag number.
2. If the port in which the packet entered does not belong to the VLAN specified by the packet’s VLAN ID tag, the system drops the packet.
3. If the port belongs to the VLAN specified by the packet’s VLAN ID, the system can send the packet to other ports with the same VLAN ID.
I am so confused by all these statements. How do these three differ? They contradict one another. What does it mean for a packet/port to belong to a specific VLAN ID, as a port can have only one VLAN ID?

Overview
I have been refraining from answering this question, since I thought it would get migrated to Server Fault; since it is lingering here, I will address the specifics of your question. It is also difficult to completely respond without more context of why the author was making those points, but I will endeavor to answer as best I can. I'm not sure why I spent so much time answering this question, other than it's Christmas and my wife is out of the country visiting her family...
Diagram
I think the concepts are best illustrated by something called a multi-layer switch, which is just an ethernet switch that also understands IP addresses. I drew a diagram to illustrate:
The switch has four physical interfaces, numbered Port 1/1, Port 1/2, Port 1/3 and Port 1/4
The switch has one virtual interface, Vlan12. The virtual interface has an ethernet mac-address and an IP address assigned to it.
Three ethernet frames are assumed to enter Port 1/1
Port 1/1 is configured to accept Vlan tags 12 and 13. Port 1/1 also has a default Vlan of 1; this means that any untagged frames are put into Vlan 1.
The first decision point an ethernet switch uses is determining what Vlan a frame belongs to.
Next the ethernet switch looks at its database of ethernet mac-addresses that it knows.
Answers
I am so confused by all these statements. How do these three differ? They contradict one another. What does it mean for a packet/port to belong to a specific VLAN ID, as a port can have only one VLAN ID?
Actually it depends on the kind of port we are discussing. The author is very clearly describing what happens on an ethernet switch port in trunk mode.
Ethernet trunk mode ports can process more than one Vlan ID, if they are in trunk mode (see Port 1/1 in the diagram). Port 1/1 can accept ethernet frames with either Vlan 12 or Vlan 13; however, those frames must have an 802.1q tag on them so the switch knows which Vlan they belong in.
Ethernet Access mode ports have only one Vlan assigned.
To address the points quoted from the text...
When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag.
1. The packet proceeds to the VLAN specified by its VLAN ID tag number.
This is best illustrated by what could happen to Frame A.
Even though Port 1/1 has a default Vlan (Vlan 1), Frame A remains assigned to Vlan 12. As such, it could exit Port 1/2, 1/3 or go directly to Virtual Interface Vlan12:
If Frame A goes out Port 1/2, the 802.1q tag (12) sent into Port 1/1 remains on Frame A, because Port 1/2 is in trunk mode
If Frame A goes out Port 1/3, the 802.1q tag (12) sent into Port 1/1 is removed from Frame A, because Port 1/3 is in access mode
If Frame A is delivered to Virtual Interface Vlan12 (if Frame A's destination mac-address is 000a.dead.beef), the switch doesn't need to forward the frame anywhere else. Normally the reason that you would see an ethernet frame addressed to a virtual interface on the switch is for management purposes, such as telnet, ssh or snmp. There are other reasons, but let's not complicate things any more for now.
... 2. If the port in which the packet entered does not belong to the VLAN specified by the packet’s VLAN ID tag, the system drops the packet.
This is best illustrated by what happens to Frame B.
Port 1/1 is not configured to accept Vlan ID 20, so when the switch sees "20" in the 802.1q tag, Frame B is discarded.
... 3. If the port belongs to the VLAN specified by the packet’s VLAN ID, the system can send the packet to other ports with the same VLAN ID.
This again refers to Frame A; in this case the author describes what could happen if the switch does not deliver Frame A to Virtual Interface Vlan12.
Finally I included Frame C for your reference. This is to illustrate the behavior of a default Vlan on an ethernet trunk port.
Merry Christmas, and good luck with your studies.
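As an added illustration of the answer above (this is example code, not part of the original post), the following models Port 1/1, 1/2 and 1/3 as described and runs Frames A, B and C through the two decision points: ingress (which Vlan does the frame belong to, or is it discarded?) and egress (is the 802.1q tag kept, stripped, or is the frame delivered to Virtual Interface Vlan12?). Port 1/4 is assumed to be an access port in Vlan 13, and all MAC addresses except 000a.dead.beef are constructed.

```python
"""Model of the switch in the answer above (added example, not from the post).
Port 1/1: trunk, tags 12 and 13 allowed, default (native) VLAN 1; Port 1/2: trunk
with the same settings; Port 1/3: access port in VLAN 12; Port 1/4: assumed here to
be an access port in VLAN 13. 000a.dead.beef is the Vlan12 virtual interface named
in the answer; every other MAC address and all payloads are constructed."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

PORTS = {
    "1/1": {"mode": "trunk", "allowed": {12, 13}, "native": 1},
    "1/2": {"mode": "trunk", "allowed": {12, 13}, "native": 1},
    "1/3": {"mode": "access", "vlan": 12},
    "1/4": {"mode": "access", "vlan": 13},  # assumption, not stated in the answer
}
SVI = {12: bytes.fromhex("000adeadbeef")}  # virtual interface Vlan12


def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet frame; a 4-byte 802.1Q tag (PCP 0, DEI 0) is inserted when vid is given."""
    hdr = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def strip_tag(frame):
    """Return (vid or None, frame with any 802.1Q tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def ingress(port, frame):
    """First decision point: which VLAN does the frame belong to? None means discarded."""
    cfg, (vid, bare) = PORTS[port], strip_tag(frame)
    if cfg["mode"] == "access":          # access ports reject tagged frames
        return (None if vid is not None else cfg["vlan"]), bare
    if vid is None:                      # untagged on a trunk -> default VLAN
        return cfg["native"], bare
    return (vid if vid in cfg["allowed"] else None), bare


def egress(port, vlan, bare):
    """Frame as it leaves `port`, or None if the port does not carry that VLAN."""
    cfg = PORTS[port]
    if cfg["mode"] == "access":
        return bare if vlan == cfg["vlan"] else None   # access: tag removed
    if vlan == cfg["native"]:
        return bare                                    # native VLAN leaves untagged
    if vlan not in cfg["allowed"]:
        return None
    return bare[:12] + struct.pack("!HH", TPID_8021Q, vlan) + bare[12:]  # tag kept


def forward(in_port, frame):
    """Ingress decision, then flood to every other port in that VLAN (no MAC table).
    Returns (vlan, {"Vlan12": frame}) for frames addressed to the switch itself,
    (vlan, {port: frame, ...}) otherwise, and (None, {}) when the frame is dropped."""
    vlan, bare = ingress(in_port, frame)
    if vlan is None:
        return None, {}
    if vlan in SVI and bare[:6] == SVI[vlan]:
        return vlan, {"Vlan%d" % vlan: bare}
    out = {}
    for port in PORTS:
        f = egress(port, vlan, bare) if port != in_port else None
        if f is not None:
            out[port] = f
    return vlan, out


FRAME_A = build_frame("0000.0000.00aa", "0000.0000.0001", vid=12)  # tagged 12
FRAME_B = build_frame("0000.0000.00bb", "0000.0000.0001", vid=20)  # tagged 20
FRAME_C = build_frame("0000.0000.00cc", "0000.0000.0001")          # untagged

if __name__ == "__main__":
    for name, f in (("A", FRAME_A), ("B", FRAME_B), ("C", FRAME_C)):
        vlan, out = forward("1/1", f)
        print("Frame %s -> VLAN %s, exits %s" % (name, vlan, sorted(out) or "nowhere"))
```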

Let's take a step back and just look at the concept here.
If you just have a "dumb" switch, it only has one VLAN, and that VLAN is "untagged". That means each packet has a "normal" Ethernet header which does not include the 802.1q tag.
If you want to multiplex more than one network over a single physical medium, the switch has to have some way to tell the networks apart. The way it does that is by using a VLAN tag. Let's imagine you have two switches connected to each other, and you have three VLANs, 100, 200, and 300.
Imagine the two switches are connected to each other with only 1 cable to port A on each switch. You would configure port A on each switch to accept and forward tagged traffic on those three VLANs. Then you would configure the ports you wanted to be in VLAN 100, 200, and 300 as that port's default VLAN, on each port exposed to end users.
In summary, a few important points:
VLAN tags are used to multiplex multiple logical layer 2 networks over the same physical link
VLAN tags are normally used between infrastructure devices (and possibly servers) and are not seen on end users' networks
A switch is typically configured such that when a packet is switched, the appropriate tag is added as the packet traverses the network infrastructure, and then removed before an end user device sees the packet again.
Kind of hard to explain. Hope this helps.

When a tagged packet enters a port, the default VLAN ID setting has no effect on the tag.
This means that when a packet enters some switch with some VLAN ID assigned to it, it will continue travelling inside the switch with the same VLAN ID. If the packet has no VLAN ID, then the packet will be assigned the default VLAN ID, which is generally 1.
1. The packet proceeds to the VLAN specified by its VLAN ID tag number.
Because the packet has a VLAN ID assigned, it will proceed ahead with the same VLAN ID.
2. If the port in which the packet entered does not belong to the VLAN specified by the packet’s VLAN ID tag, the system drops the packet.
The packet will enter some port decided by the switch based on the destination IP address in the packet header and the routing table inside the switch. If that port does not have permission to transmit packets with the VLAN ID of that particular packet, then the port will drop the packet.
3. If the port belongs to the VLAN specified by the packet’s VLAN ID, the system can send the packet to other ports with the same VLAN ID.
Otherwise, if the port has permission to transmit packets with that particular VLAN ID, then it will transmit the packet ahead.
This same criterion will be followed in every switch it encounters until the packet reaches its destination.

Both frames B and C would be discarded. If the native VLAN is not allowed on the trunk, then the untagged frame won't be allowed to travel.

The VLAN tag is part of a packet's link header (on the 2nd ISO/OSI layer).
You have two possibilities for setting a port:
1) Port belongs to the VLAN (access mode).
This implies two behaviors:
a) Inside the switch every port has its own VLAN ID (the default is normally VLAN 1). Every port in this mode rejects ingress 802.1q tagged frames and automatically assigns untagged frames to the VLAN ID of this port.
b) If a frame enters a port in this mode and egresses a trunk port (below), the frame will be tagged with an 802.1q header carrying the VLAN ID associated with the ingress port.
As you can see, when you set half of the ports on the switch to VLAN 5 and half to VLAN 2, you divide the switch into two parts and you have two virtual switches.
2) Port is a 'trunking port'.
Through this port packets go without modification to another switch or PC which can work with tagged packets. On some switches you can use a filter, where you can specify which VLANs (or which VLAN tag numbers) can pass through this port. But this port doesn't change the VLAN tags.
In this case, packets outside the switch go with exactly the same tags as inside the switch.

Related

Various questions about VLANs

I have some questions about VLANs. I know that this forum is more for programming than for networking, but this is the best forum that I could think of.
So all my questions are about VLANs. Here they come:
1. Can one VLAN have a different beginning of an IP address than the other ones (e.g. VLAN 1 = 192.168.2.xx, VLAN 2 = 10.0.0.x)?
2. Can devices have the same IP address when they're in different VLANs?
3. Can you make a "hole" between the VLANs so that a few devices (chosen by you, for example using static IP addresses) can still talk with each other (e.g. a file server on VLAN 1 can still talk to the printer on VLAN 2)?
4. Can you have different DNS servers for different VLANs?
5. Can you have different firewall settings for different VLANs? How do you "choose" which firewall you want to change as an admin?
6. Can you have Wi-Fi VLANs (like a VLAN for your home Wi-Fi and a VLAN for your guest Wi-Fi)?
7. Can you access the router's settings (192.168.1.1) from every VLAN?
8. When I connect to a network, how do I get assigned to a VLAN? Is there something like "If someone connects to the network, it automatically goes to VLAN 1 until the admin moves them to a different VLAN"?
9. Can you put a password on a VLAN so that you have to put in a password to change VLANs?
10. Can a user (so not a network admin) choose to change VLANs (because then question 8 would be relevant)?
11. How does port forwarding work with VLANs?
12. If you access the network from outside (e.g. a hacker or just someone else), do you automatically get "redirected" to the standard VLAN (1), or do you end up in an "intersection" where you first have to choose the VLAN you want to go to?
13. Can you make a port on a switch that has special access to every VLAN at the same time (only for the network admin) (so for that Ethernet port, the network is just one big network instead of divided VLANs)? (This would contradict question 2, as then you would have two devices with the same IP address.)
14. Can you have a network port with a device attached to it that will be accessible to every VLAN (e.g. a printer)? Is that dangerous, because then a hacker could probably access that device and use it to jump between VLANs?
That's it. I know that there are a lot of questions, but I hope you can help with a few at least. The thing is, YouTube videos always just explain that VLANs are separate networks, but I want to know: "How separate are they?" You see that almost every question is about "How separate are they exactly?"
I hope you can help!
Thanks
Hopefully this will answer your questions.
VLANs are like separate cables inside a cable, and they do not mix or interfere with each other.
Answers:
1. Yes. As mentioned above.
2. Yes, but it's not good practice, because you can make a mistake during VLAN setup, causing security flaws or IP collisions.
3. Not directly, but this can be done via a gateway/router between VLANs, and all traffic has to go through the GW (easy way).
4. Yes, and usually you do. For example you have:
VLAN 10: Subnet 192.168.10.0/24; GW 192.168.10.1; DNS 192.168.10.1
VLAN 20: Subnet 192.168.20.0/24; GW 192.168.20.1; DNS 192.168.20.1
5. Yes, it is common/required behavior. It is done by filtering firewall rules by incoming interface (e.g. vnet7), incoming subnet or incoming IP.
6. Yes. But there are two ways of setting up VLANs:
ACCESS (untagged): the VLAN ends at the output interface, thus the client device doesn't have to support/set up VLANs. Actually the client device doesn't even know that there is a VLAN.
TRUNK (tagged): the VLAN (or multiple VLANs) is routed through the access point, and the client device has to be configured the same way on its incoming interface.
Access is what you need in this case.
7. Yes, if you set up the firewall that way (routing between subnets).
8. As explained in point 6.
9. No. A VLAN is just a number. To protect your VLANs you have to set up the network devices in such a way that every port (unless needed, e.g. switch bond interconnections) is set to ACCESS mode, so only an admin with access to the network device can change the VLAN for a client device. Or implement NAC such as PacketFence.
10. As in points 6 and 8. Only when your setup allows.
11. Inside a VLAN no port forwarding is needed, because all devices in the same VLAN are on the same L2 network.
12. No simple answer here; it all depends on your VLAN and firewall settings.
13. Cannot be done with VLANs only. Common practice is to set up a specific VLAN (let's call it the management VLAN) which ends in ACCESS mode on some physically secured switch Ethernet port, and then use firewall and routing on the GW to set up access across all VLANs (well... not all, but the required ones).
14. Yes you can, as mentioned above, but again using firewall and routing settings on the gateway.
This one is long :) ... feel free to continue in chat.

How will a device identify control and data packets?

I think at L2 it will be the EtherType and destination MAC address.
At L3 it can be the protocol field and destination IP address.
I want to know what the other fields are by which we can differentiate between control and data packets.
#Anupam Thakur: In a pure L2 infrastructure, on receiving a frame, the node does the bridge-table/L2-table/CAM lookup based on the destination MAC address. For different BPDUs (almost always reserved multicast destination MAC addresses, with a few exceptions beyond the scope of this question), wherever required the CAM table is programmed with a punt path to the control-plane module (as well). Note that the punt path doesn't distinguish between different protocols. Its job is just to push the packet into a queue towards the control-plane module. When the CP module receives such a packet, based on the EtherType or LLC content it determines the further protocol processing of the packet.
The "Router Alert Option" in the IP header can also force a packet to be punted to the control plane, even though it is not destined for the receiving device (i.e. a transit node).

What does this IP address stand for in IPv4?

Hi, I've been learning networking for a while now and I can't seem to find a solution for this doubt online.
I learnt that if you are sending a packet to a class B network's destination 141.49.255.255, it means you are broadcasting the packet to the whole class B network 141.49.0.0; I also learnt that if you are sending a packet to a class A network's destination address like 10.255.255.255, you are again broadcasting the packet in the network ID 10.0.0.0.
My question is, what am I doing when I'm sending a packet to class B 141.255.255.255? Am I sending it to a single host or a network?
Forget classes. Everything is being done in CIDR for the last two decades.
Sending to 141.255.255.255/16 is a subnet broadcast to 141.255.0.0/16. The same address may also be:
141.255.255.255/8 - subnet broadcast to 141.0.0.0/8
141.255.255.255/6 - unicast(!) to the node 141.255.255.255
Most often, broadcasts are sent to 255.255.255.255. Routers (usually) don't forward broadcasts, so it's limited to the segment anyway.
However, there are some subtle differences: running e.g. 192.168.1.0/24 and 10.1.0.0/16 inside the very same Ethernet segment, a broadcast to 192.168.1.255/24 is physically sent to all nodes (Ethernet broadcast), even the ones with a 10.1.0.0/16 address. These, however, will drop and ignore the packet since it doesn't address them.
In contrast, a broadcast to 255.255.255.255 will be sent to all nodes and processed by all nodes.
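To make the "forget classes" point concrete, here is an added example (not from the answer above) that classifies 141.255.255.255 under the three prefix lengths listed, and generalizes to any address and mask, including the limited broadcast 255.255.255.255 and the /31 and /32 cases that have no broadcast address.

```python
"""Added example (not from the answer above): classify an IPv4 address under a given
prefix length, showing why 141.255.255.255 is a broadcast under /16 and /8 but an
ordinary unicast host under /6, plus the limited-broadcast and /31-/32 edge cases."""
import ipaddress


def subnet_of(addr, prefix_len):
    """The subnet a host address falls in, e.g. ('141.255.255.255', 8) -> '141.0.0.0/8'."""
    return str(ipaddress.IPv4Network((addr, prefix_len), strict=False))


def classify(addr, prefix_len):
    """Return 'limited-broadcast', 'subnet-broadcast', 'network' or 'unicast' for `addr`
    when the receiving interface uses a /prefix_len mask."""
    ip = ipaddress.IPv4Address(addr)
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"       # never routed; reaches only the local segment
    if prefix_len >= 31:
        return "unicast"                 # /31 and /32 have no broadcast address
    net = ipaddress.IPv4Network((ip, prefix_len), strict=False)
    if ip == net.broadcast_address:
        return "subnet-broadcast"
    if ip == net.network_address:
        return "network"
    return "unicast"


if __name__ == "__main__":
    for plen in (16, 8, 6):   # the three cases listed in the answer
        print("141.255.255.255/%d is %s within %s"
              % (plen, classify("141.255.255.255", plen), subnet_of("141.255.255.255", plen)))
```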

How does a router send a packet back to a PC?

Consider the scenario where I have a switch which is connected to multiple end devices, say X, Y, Z, where X is in Vlan_X, Y is in Vlan_Y and Z is in Vlan_Z.
This switch is connected to an external network via a Router for routing the data. Also, here each Vlan is designated with a unique IP, as each Vlan represents a subnet.
Now both X and Y send a TCP/UDP request over the network, which is routed through the Router.
My question is, how does the router identify the MAC addresses of X and Y when routing back replies for them?
Since the link between the Router and Switch is trunk enabled, how does the Router add the correct Vlan ID in the 802.1q tag corresponding to X or Y?
Thanks
Charan
Ignore the existence of the VLANs for a moment - assume you have three separate devices, switch_VX, switch_VY and switch_VZ, with the hosts X, Y, Z connected to them.
Now assume that your router has a distinct ethernet cable to each switch.
On your router you are going to have three different ethernet ports.
eth_VX , eth_VY, eth_VZ
In this setup it should be obvious how it works.
Each switch has its own Layer 3 protocol address subnet for any protocols you are using (IPv4, IPv6, AppleTalk, IPX etc.)
The router needs a configuration on each interface that has an address from the same address range that the switch is using.
Then the router gets to the host by looking at its protocol address, looks for the interface that matches, and then uses the right protocol-to-MAC translation mechanism to talk to the end host.
For IPv4, that means the router looks in its routing table, finds eth_??, and then goes looking in the ARP table for the MAC address of the host it's looking for.
Each host is configured with an address from the subnet that's on the switch it's using, and each host is configured to use the address of the router as its default gateway.
Logically that's exactly how it works - always.
However, confining people to use separate sets of switches for each subnet is not efficient. Requiring a separate ethernet cable, and port on the router for each switch isn't efficient. It gets even more costly when you want to do a proper service and add redundant cables and routers etc..
So the manufacturers changed the physical topology a bit, and moved some of the physical stuff to software configured instead. However the devices are still doing exactly the same job.
So instead of separate switches you have separate vlans on the device (or set of devices).
In the explanation above replace switch_VX with switch_vlan_X. The VLAN configuration on the switch effectively creates a completely separate switch. It runs its own MAC address table; it's got its own copy of spanning-tree running. Internally the switch has to record the VLANID inside each ethernet frame, so that it makes sure the frame never gets sent out the wrong ports. The switch adds the VLANID when it receives a frame, and strips it off before it sends it out. So the end hosts have no idea that it's happening. It's all hidden.
So that removes the multiple switches, and we can configure our vlans on one switch.
But we still have multiple cables to our router. So let's fix that by configuring the switch engine to treat the port connected to the router as special. Instead of stripping off the VLANID for all frames - let's instead send the frames up to the router with the VLANID still on them. We'll need to agree on a common format for the frames, so the routers know where to look. 802.1Q is the industry standard, but there are some other options out there. Most vendors call the port a ''trunk'' port when it is configured to leave the VLANID in place.
Now the router is getting a stream of frames on a single interface but they have VLAN identifiers in there that need to be removed. Let's get the router to do that in software.
So in the description above, instead of different ethernet interfaces, we'll have a software interface that understands VLANs. Replace all mentions of eth_VX with eth_vlan_X.
Now the router knows, when it gets a frame that is part of VLAN X, that it is associated with the interface eth_vlan_x, and it can remove the VLANID and process it appropriately.
If the router wants to send a frame out the interface eth_vlan_x, it knows that it needs to insert the VLANID X into every frame.
So we started with a logical setup, and changed the physical layout to be more flexible and more efficient. However, logically it is absolutely no different to the setup that uses independent separate devices.
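The reply path described above, as an added example that is not code from the answer: the router keeps one logical sub-interface per VLAN on the single trunk, finds the sub-interface by a routing-table (longest-prefix) lookup on the destination IP, finds the host's MAC in its ARP table, and inserts the sub-interface's VLANID into the 802.1Q tag of the outgoing frame. The subnets, MAC addresses and hosts here are constructed; only the 802.1Q TPID 0x8100 is the standard value.

```python
"""Added example (not code from the answer above) of the router side it describes:
one trunk with sub-interfaces eth_vlan_X/Y/Z, a longest-prefix route lookup, an ARP
lookup, and the 802.1Q tag inserted on the reply. Subnets, MAC addresses and the tag
layout (PCP 0, DEI 0) are constructed here; the 802.1Q TPID 0x8100 is the standard."""
import ipaddress
import struct

# One logical interface per VLAN, all sharing the physical trunk (constructed values).
SUBINTERFACES = {
    "eth_vlan_X": {"vid": 10, "subnet": ipaddress.ip_network("10.0.10.0/24")},
    "eth_vlan_Y": {"vid": 20, "subnet": ipaddress.ip_network("10.0.20.0/24")},
    "eth_vlan_Z": {"vid": 30, "subnet": ipaddress.ip_network("10.0.30.0/24")},
}
ROUTER_MAC = bytes.fromhex("02aa00000001")   # constructed
ARP = {                                       # learned when X and Y sent their requests
    ipaddress.ip_address("10.0.10.5"): bytes.fromhex("02bb000000a5"),   # host X
    ipaddress.ip_address("10.0.20.7"): bytes.fromhex("02cc000000b7"),   # host Y
}


def route_lookup(dst_ip):
    """Longest-prefix match over the connected subnets; returns the sub-interface name."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(s["subnet"].prefixlen, name) for name, s in SUBINTERFACES.items()
               if dst in s["subnet"]]
    return max(matches)[1] if matches else None


def send_reply(dst_ip, ip_packet):
    """Frame the router puts on the trunk for a reply to dst_ip.
    Returns (sub-interface, frame), or (None, reason) if the reply cannot be built."""
    iface = route_lookup(dst_ip)
    if iface is None:
        return None, "no route to %s" % dst_ip
    dst_mac = ARP.get(ipaddress.ip_address(dst_ip))
    if dst_mac is None:                   # the router would ARP on that sub-interface first
        return None, "ARP needed on %s for %s" % (iface, dst_ip)
    vid = SUBINTERFACES[iface]["vid"]
    tag = struct.pack("!HH", 0x8100, vid)         # TPID + TCI (PCP 0, DEI 0, VID)
    return iface, dst_mac + ROUTER_MAC + tag + struct.pack("!H", 0x0800) + ip_packet


def vid_of(frame):
    """VLAN ID carried by an 802.1Q frame (for checking the result)."""
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
```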

How does a packet travel from one computer to another over the Internet, based on the OSI model?

I am familiar with the basic OSI model, but I always get confused about how a packet travels from one machine to another over the Internet and which OSI layers come into the picture. For example, for the following topology:
Machine A<----->Switch<---->Router<---->Router<---->Router<---->Switch<---->Machine B
where the multiple routers represent the Internet, what happens at the OSI layer level when Machine A sends a packet (say a simple "ls" command over FTP) to Machine B?
The above is just a suggested example, but if anyone can explain with any other network topology, that is fine too. All I am looking for is a very basic explanation of how the packet gets transformed at the different OSI layers at each node (Machine, Switch, Router, etc.).
Routers use the IP layer (layer 3) and switches use the data-link layer (layer 2). Layer 1 is the physical 1s and 0s that go over a wire, Layer 2 is the data-link layer, which is protocols like Ethernet and Point-To-Point Protocol (PPP), which carries information between adjacent nodes about MAC address from and to and allows for error detection and retransmission. Layer 3 is the IP layer, which carries information about where in the whole network the packet is from and to, not just the current hop.
The transmission would go like this:
Machine A wants to send a packet to Machine B. Machine A knows Machine B's IP address, so it places that in the layer 3 packet. Machine A needs to place the MAC Address of the next hop in the layer 2 packet, however. If it does not know, then it will send something called an ARP request (Address Resolution Protocol, read here: http://www.tildefrugal.net/tech/arp.php ) to the network, with the destination IP. One of a few things will happen here:
The IP is local. The machine with that IP will reply back to the sender with its MAC address.
The IP is non-local. The gateway router will detect this and send its MAC address.
The IP is non-local and Machine A's default gateway and subnet mask are set. Using this information Machine A can determine the non-locality of the IP address and send it to the router's MAC address (ARPing if not known yet).
(If Machine A found this out earlier, it will be in the ARP cache and Machine A will just use that.) Now that the MAC address is sent, the packet can be transferred (the physical layer 1 performing the actual transfer of data on the wire). The next stop will be the switch. The switch knows which outbound port the MAC address listed as the layer 2 destination is on, because it tracks every MAC address it has seen a packet come from and which port it came in on - if it does not know, then it will flood it out every single port, guaranteeing it'll arrive.
As such, the packet arrives at the router. The cool thing about the IP model is that it divides every single IP address in the network/world into a hierarchy - Subnets by definition cannot overlap subnets partially, they either wholly contain them or are wholly contained by them. So as long as subnets follow this hierarchy, the router can unambiguously determine where each of the 4 billion possible IP addresses are on the network just by looking at what subnet the IP will fall under in its table! The packet is then sent out that port.
As the packet travels through interconnected ISPs' routers, backbone infrastructure and so on, it arrives at Machine B's router, where the opposite process happens - router B sees that it's destined for Machine B and sends it inbound. (Similarly, Router B will have to use a process like ARP to find Machine B's MAC address if not known.) The rest should be trivial from here.
Good references:
https://web.archive.org/web/20120129120350/http://www.tildefrugal.net/tech/arp.php
http://en.wikipedia.org/wiki/Data_link_layer
http://en.wikipedia.org/wiki/Network_switch
http://en.wikipedia.org/wiki/Network_layer
http://en.wikipedia.org/wiki/Routing
http://en.wikipedia.org/wiki/Router_(computing)
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
The only thing that can travel over a copper wire are pulses of electricity.
The binary number 1 is represented by a pulse of electricity, and no pulse of electricity represents 0.
Just keep in mind that real data of any kind cannot be sent over copper wire, fibre optic, or through the air ...only a representation of the data which has previously been converted to a 1 or a 0 and then is reconverted back at the receiving end.
The network layer protocol supervises the transmission of packets from a source machine to a destination. Data is broken down into packets, or datagrams, up to 64 KB long before it is transmitted, stamped with the destination IP address, and forwarded to the network gateway. A gateway can be a router that interconnects networks.
