topic i love your explanation, but in Network Security

L2/3 switch intervlan behaviour

Halil.Zakaria — Fri, 21 Feb 2020 13:37:28 GMT

hello what happens in case of a L3 Switch that is capable of routing packets(in presence of a route entry)from an access-port(blongs to Vlan40) to a trunkport(allowed vlan 90).are we allowed to route this packet, if yes, will it keep its vlan tag 40?

hi you cant route across a

Mark Malone — Fri, 27 Nov 2015 15:15:04 GMT

hi you cant route across a trunk its layer 2 , you can encapsulate layer3 packets and switch them accros the trunk at layer 2, either way if tag 40 is not allowed on trunk switch will drop it

but if i have an interface

Halil.Zakaria — Fri, 27 Nov 2015 15:52:12 GMT

but if i have an interface vlan 40 configured with ip 192.168.2.2/24, that intercepts frames from switch interface configured with switchport access vlan 40, will theseframes be tagged?

and with a a trunk port that allows vlan 90 only and there is an interface vlan 90 with ip adress 192.168.1.2/24,and a route entry that routes a destination to a next hop: 192.168.1.3, will my traffic be routed from vlan 40 to 90? if yes will it keep its tag40.

Hello Halil,

Ganesh Hariharan — Fri, 27 Nov 2015 17:34:49 GMT

Hello Halil,

For L2 switching to work, if a fram in vlan 40 wants to communicates with same vlan 40 members then it will check the arp table of the switch and local switching will happen.

and if the host of the same vlan exists on different switch then frame will be tagged with vlan 40 and traverse over trunk port where vlan 40 is allowed to reach other switch for sucessfull communication.

For L3 routing & switching, Any traffic if it requires for different subnet packet will lad to default gateway which would be L3 SVI and if it is another SVI Vlan then it will be done as intervlan routing by L3 switch for fast switching.

Hope it Helps..

-GI

Rate if it Helps..

let s say for example in a l3

Halil.Zakaria — Sat, 28 Nov 2015 01:13:54 GMT

let s say for example in a l3 switch i configured an interface vlan 10 with an ip adress then i configured a physical switch interface as trunk port and i allowed only vlan 10,if trafic sourced from vlan20 needs to ne routed to an ip nexthop thats in the same network as vlan 10,will it be routed?

let s say for example in a l3

Ganesh Hariharan — Sat, 28 Nov 2015 01:55:07 GMT

let s say for example in a l3 switch i configured an interface vlan 10 with an ip adress then i configured a physical switch interface as trunk port and i allowed only vlan 10,if trafic sourced from vlan20 needs to ne routed to an ip nexthop thats in the same network as vlan 10,will it be routed?

Hello Halil,

Trunk link communiction is to traverse vlans between swithces is happens by VLAN Tagging, also known as Frame Tagging, is to help identify packets travelling through trunk links.

When an Ethernet frame traverses a trunk link, a special VLAN tag is added to the frame and sent across the trunk link.

As it arrives at the end of the trunk link the tag is removed and the frame is sent to the correct access link port according to the switch's table, so that the receiving end is unaware of any VLAN information

Could you clarify by what you want to convey by below

if trafic sourced from vlan20 needs to ne routed to an ip nexthop thats in the same network as vlan 10

Do you want to convey a traffic is source from vlan 20 for destination vlan 10 which are allowed over trunk then the will it route , Is this your query ? If yes , then what i have explained above for vlan trunking will normally the frame would flow.

Hope it Helps..

-GI

Rate if it Helps..

please i have another

Halil.Zakaria — Sun, 29 Nov 2015 21:30:19 GMT

please i have another question.

when an interface vlan 10 is configured,a logical mac adress is associated to it, and when a host connected to switch port (mode acces for vlan 10),and this host wants to send trafic to a destination not in his subnet,it sends framewith destination mac of the interface vlan 10.am i right?

then according to routing table ,the l3 switch rewrites source mac adress of frame to the exit interface and destination mac adress to mac adress of next hop in routing entry?

please i have another

Ganesh Hariharan — Mon, 30 Nov 2015 03:36:04 GMT

please i have another question.when an interface vlan 10 is configured,a logical mac adress is associated to it, and when a host connected to switch port (mode acces for vlan 10),and this host wants to send trafic to a destination not in his subnet,it sends framewith destination mac of the interface vlan 10.am i right?then according to routing table ,the l3 switch rewrites source mac adress of frame to the exit interface and destination mac adress to mac adress of next hop in routing entry?

Hello Halil,

Yes, You are right. If packet is destined for other subnet not for vlan 10 it will get into gateway for searching of that subnet under routing instance.

So what happen here is the host in VLAN 10 request to reach to VLAN 20 host.Now see the packet flow,Host in VLAN 10 add the destination ip of the VLAN 20 host address and source ip of the self at Layer 3 in TCP/IP stack.

As this packet is not in same broadcast domain then it search for gateway mac to send the traffic to gateway which is VLAN 10 by sending arp request for gateway mac.

Source with host VLAN 10 mac is added and destination is gateway mac of VLAN 10 is added in frame and send to physical layer in ethernet cable to switch port.

and then switch process the packet based on detination ip address and strip surce and destination mac accordingly.

Please keep in mind that layer 3 or network layer destination IP address never changes through out the path of IP packet, except from cases like NATing or VPN.

Only thing which changes is source and destination MAC addresses at data link layer.

Hope it clears your query..

-GI

Rate if it Helpss

distant site:

Halil.Zakaria — Wed, 02 Dec 2015 17:50:23 GMT

distant site(#L3 switchsite1)

interface GigabitEthernet0/24
description MAN
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 99
switchport mode trunk

interface vlan 99

description Interco

ip address 10.0.253.128 255.255.255.0

ip route 192.168.1.0 255.255.255.0 10.0.253.129

Core site:

interface GigabitEthernet6/31
description INF_RTR-MAN-NATIONAL
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 99
switchport mode trunk
udld port
storm-control broadcast level 10.00
storm-control multicast level 10.00

interface GigabitEthernet6/32
description to a firewall
switchport
switchport access vlan 99
switchport mode access
storm-control broadcast level 10.00
storm-control multicast level 10.00
!

------------

my question is if i have a packet (in distant site) coming from (#L3 switchsite1)switch interface fas0/20 assigned to vlan 20 and need to be routed to 10.0.253.129.will it be routed,if yes will it keep its vlan tagging 20.And if it keeps it, will it be allowed to cross the trunk.

in my opinion packets routed to vlan 99 must be tagged 99 so that they are recognized

this configuration is working well for moving trafic from routed vlans into transit vlan 99.

thank you for your time and care

Hello Halil,

Ganesh Hariharan — Thu, 03 Dec 2015 03:55:15 GMT

Hello Halil,

Yes this would work.. Let me try to explain.

Vlan 99 is a transit vlan between distant and core site which is having point to point connection over trunk and running routing.

So when packet comes from vlan 20 at distant site towards core site ip address 10.0.253.129, it will land on to his gateway at distant site and there would be a arp entry for 10.0.253.129 in distant site switch whcih will responde to vlan 20 host as a part of intervlan routing.

But if any packet on the subnet required to be reached 192.168.1.0 255.255.255.0 which is behind 10.0.253.19 then packet will land on to distant switch van 20 gateway and there would come routing decision to send the packet to core switch ip address without any vlan tag because they are communicating over routing instance between two sites.

Consider in your case trunk is tunnel over which you are running L3 point to point link , which is same as if link router to router connectivity.

Hope it clears your query..

Happy to help you till you are clear with your concept..:)

-GI

But how the core switch knows

Halil.Zakaria — Thu, 03 Dec 2015 13:45:32 GMT

But how the core switch trunk interface knows without tagging about packets that belong to vlan 99 and dispatch them to GigabitEthernet6/32(to firewall).

in core switch,please note that no interface vlan 99 exits in core switch:

Core switch:

interface vlan 99

no ip address

shutdown

So where is 10.0.253.129 ip

Ganesh Hariharan — Fri, 04 Dec 2015 04:43:21 GMT

So where is 10.0.253.129 ip is configured ???, As distant site is having routing pointing towards this ip .

-GI

this ip is configured in the

Halil.Zakaria — Fri, 04 Dec 2015 08:14:59 GMT

this ip is configured in the interface of the firewall connected to interface GigabitEthernet6/32 of core switch

Halil,

Ganesh Hariharan — Sat, 05 Dec 2015 06:34:45 GMT

Halil,

As per your earlier post, you have clearly shown core site is having two interface configuration, which clearly states that vlan 99 is been trunked from distant site and access vlan configured on port whcih is connected to firewall end.

VLAN interface is not required becasue firewall port is l3 and having vlan in 99 with same subnet which is extended over trunk.

Core site:
interface GigabitEthernet6/31
 description INF_RTR-MAN-NATIONAL
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 99 -- VLAN 99 is been trunked to core site with dot1q encap.
 switchport mode trunk
 udld port
 storm-control broadcast level 10.00
 storm-control multicast level 10.00

interface GigabitEthernet6/32
description to a firewall
 switchport
 switchport access vlan 99 --- VLAN 99 is configred on your core switch
 switchport mode access
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
!

Please re-check your port and come back if any further query you have.

Do you still having query after seeing your configuration which you have pasted.

-GI

i love your explanation, but

Halil.Zakaria — Mon, 07 Dec 2015 14:12:26 GMT

i love your explanation, but with all that said, In distant site, is all my routed trafic into vlan 99 going to change its vlan tagging to vlan 99 ?

i love your explanation, but

Ganesh Hariharan — Mon, 07 Dec 2015 16:45:06 GMT

i love your explanation, but with all that said, In distant site, is all my routed trafic into vlan 99 going to change its vlan tagging to vlan 99 ?

Hello Halil,

Ok ..Now got that what is your query is ..:)

Let me try to explain. Taking your example of Access Port VLAN 40 and trunk vlan 99 between switches.

PC1 ---(Vlan 40 Access VLAN)-- SWA -----(Trunk 99) --- SWB --- (VLAN 99) --Access Port of Firewall.

When packet leaves from PC NIC it lands on SWA ( Access Port over VLAN 40 ) which is untagged and you know that switch maintains Forwarding DataBase which comprised of tuples of three elements: (MAC, port, VLAN).

So it has full detail of vlan 40 PC1 mac address and port it is connected with vlan id in FDB of SW1.

So , In order to reach subnet behind vlan 99 traffic lands on VLAN 40 gateway which would SVI configured on SW1 and there happens inter vlan routing to VLAN 99 for destination subnet as per routing configured.

Once it lands on trunk port which encapusalted with 802.1q trunk which means vlan tagging is happening with VLAN 99 and packet reaches at SW B with destination and src ip.

Once Frame lands on SWB over the trunk with tagged , SW B checks FDB based on MAC which is been identify on packet destination ip. Which would be firewall interface on access port vlan 99 and packet goes to firewall interface untagged.

I Hope the above explanation would be helpful.

-GI

i got the answer i want,

Halil.Zakaria — Wed, 09 Dec 2015 11:58:27 GMT

You cleared my doubts, Thnak you for helping