Tagging on VLan

mcardell
Cisco Employee

Good morning,

Got a question about 802.1q tagging.

Got the following configuration:

(VLAN4)3550(VLAN4)--(VLAN10)3550(VLAN10)--(VLAN10)2950(VLAN10)

My host in VLAN 10 is connected to the 2950.

He needs to access a 3550 server in VLAN 4 connected to the 3550.

The ports are not trunked but only configured with a single "switchport access XX".

It is just a layer 2 scenario, no routing involved.

I am surprised that the host can ping the server even if it is on a different VLAN.

Why?

From my understanding the 2950 should tag the host's packet with an 802.1q VLAN 10 tag.

Then the 3550 will send it out to the VLAN 10 ports towards the other 3550.

But the other 3550 is receiving an incoming packet tagged with VLAN 10 on an interface in VLAN 4.

I suppose it should discard it.

Instead it forwards the packets.

Is a "switchport access vlan" tagging the outgoing packets?

Any explanation on the web for this?

My concern is that in this way different users from different VLANs can jump onto a different domain.

Thanks

Matteo

ehirsel
Level 6

When you state that the ports are not trunked, are you referring to the ports on the 2950? The 2950-to-3550 connection is a layer 2 one, I understand, due to the fact that the 2950 is only operating at layer 2.

Is the 3550-to-3550 connection a routed one?

Keep in mind on any trunk ports that the native vlan means that if the packet does not have an IEEE 802.1q (or ISL for those trunks in ISL mode) header, then that packet is forwarded to all stations whose ports are in the native vlan. For example your topology shows vlan 4 in the left 3550 connected to vlan 10 in the other 3550. Is there another device in the middle? If not, and if the 3550 devices are not routing, then you do have a native vlan mismatch which should be blocking the trunk from getting established. But if not, then one switch is not tagging the frame, thinking it's destined for vlan 10. The other device (the left 3550) sees a frame that is not tagged, so it assumes that it is targeted for vlan 4. The server is connected to vlan 4, so it receives the frame.

What you want to do is to use, if possible, the layer 3 capabilities of the 3550. I don't know if you have the EI image or not. If that is not the case, what devices are handling the routing of packets between vlans?

Let me know if this helps.

Hi Thanks for your help.

None of the ports are trunked (no trunk command on the interface). The only command on the interface is "switchport access vlan" 4 or 10.

No routed connection at all, not even on the 3550.

No device between vlan 4 in the left 3550 connected to vlan 10 in the other 3550.

The issue is in this bit:

3550(VLAN4)--(VLAN10)3550

I have got two L2 devices connected with a single cable and at both ends of the cable two different VLANs configured (4 or 10). And it still works. The traffic passes through!

That is my concern.

matteo

If the port of the left 3550 that is in vlan 4 that leads to the middle 3550 is configured as an access port, and similarly for the middle 3550, then no tagging will occur. Each switch assumes that the frame is destined to the vlan that the receiving port is assigned to. So when the left 3550 receives a frame it will assume that it is destined for vlan 4.

So the ping request, if the target is on the same IP subnet as the requestor/client, will generate an ARP, and that ARP gets propagated across the 2950-3550-3550 connection and eventually the server will receive it and will respond.

To reiterate, the switches, upon receiving an UNTAGGED frame, will forward it to all ports in the native vlan (for trunking ports) or the vlan that the port is assigned to (for access/non-trunk ports).

What you need is some layer 3 devices, or the EI image on the 3550s, to prevent what is happening. Because even if you use trunk ports, only layer 3 devices can forward the frames across vlans.

Let me know if you need more help.

Hi, just one note:

Cat3550 with Standard Image can work as L3 device (static routing and RIP).

Regards,

Milan

amikat
Spotlight

Hi,

The 802.1q tagging takes place basically in trunks only. There is no way you (and a switch or end station) can recognize which vlan the packet belongs to after leaving an access switchport. So your leftmost Cat3550 believes that the incoming packet arriving at an access port belongs to vlan4 and forwards it correctly within the vlan4 domain.

This has nothing to do with the native vlan configuration or routing.

If you configure the incoming port on your leftmost Cat as switchport access vlan 10, then the incoming packet will not go into the vlan 4 domain (unless routed). You can also configure the link between the Cats 3550 as a trunk, and only then will the tagging be correctly recognized (and of course packets from vlan 10 will not be forwarded to the vlan 4 domain unless routed).

I hope this makes sense.

Should you prefer you can contact me via mikat@intercomsys.cz.

Best regards,

Antonin
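A small model of the access-port versus trunk-port behaviour both replies above describe (an access port strips or ignores tags and classifies an untagged frame into its own VLAN, a trunk tags everything except the native VLAN). This is an added illustration, not code from the thread or from Cisco; the frame bytes, port modes and VLAN numbers are constructed to mirror the thread's topology, and the rule that an access port drops a tagged frame from another VLAN is an assumption of the model.

```python
import struct

TPID_8021Q = 0x8100

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0806 (ARP), dummy payload
PAYLOAD = bytes.fromhex("ffffffffffff" "0011223344aa") + b"\x08\x06" + b"ARP-REQUEST"

def parse_frame(frame: bytes):
    """Return (vid, untagged_frame); vid is None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]  # strip the 4-byte tag
    return None, frame

def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP and DEI zero) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

class Port:
    """mode 'access': one VLAN, never tags. mode 'trunk': tags every VLAN except native."""
    def __init__(self, mode: str, vlan: int = 1, native: int = 1):
        self.mode, self.vlan, self.native = mode, vlan, native

    def egress(self, vlan: int, frame: bytes):
        if self.mode == "access":
            return frame if vlan == self.vlan else None  # other VLANs never leave this port
        return frame if vlan == self.native else tag_frame(frame, vlan)

    def ingress_vlan(self, wire: bytes):
        vid, _ = parse_frame(wire)
        if self.mode == "access":
            # Assumption: a tagged frame whose VID differs from the access VLAN is dropped;
            # an untagged frame is simply classified into the port's access VLAN.
            return self.vlan if vid in (None, self.vlan) else None
        return self.native if vid is None else vid

def vlan_after_link(vlan: int, left: Port, right: Port, frame: bytes = PAYLOAD):
    """VLAN the frame is classified into on the far switch, or None if it is dropped."""
    wire = left.egress(vlan, frame)
    return None if wire is None else right.ingress_vlan(wire)

if __name__ == "__main__":
    # The thread's link 3550(VLAN4)--(VLAN10)3550 with access ports at both ends
    print(vlan_after_link(10, Port("access", vlan=10), Port("access", vlan=4)))  # 4
    # Same link as an 802.1Q trunk with matching native VLANs: the tag survives
    print(vlan_after_link(10, Port("trunk", native=1), Port("trunk", native=1)))  # 10
    # Trunk with a native VLAN mismatch: the native VLAN's untagged traffic changes VLAN
    print(vlan_after_link(10, Port("trunk", native=10), Port("trunk", native=4)))  # 4
```

The first case reproduces what Matteo observed: nothing on the wire carries a VLAN identifier, so the receiving access port can only file the frame under its own VLAN. The third case shows ehirsel's native VLAN mismatch, which leaks VLANs in the same way even over a trunk.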

Thanks Antonin,

Have you got a CCO link explaining this?

I am wondering, if this is happening, how it will be possible to run Spanning Tree and Spanning Tree per VLAN.

It basically means that now it is not working properly and the trunk is not established.

Also can you confirm that the separation of the different VLAN traffic can be done only with trunking? Otherwise everything will pass through.

What is the behaviour of an "Access switchport" related to Spanning Tree?

Switchport mode access means that only traffic destined to and from one vlan will flow into and out of the port - thus there is no need for tagging.

Trunking means carrying traffic for multiple vlans across the link - so the 802.1q or ISL vlan header is needed so that the receiving switch knows which vlan the packet is destined to.

With regards to STP, BPDU frames can be sent, received, and processed on access ports just like trunk ports. So if two switches are connected back-to-back with multiple links, regardless of whether the links are set to trunk or access, one link will be blocked by STP (unless all links are configured as an EtherChannel Link).

By default STP on Cat switches is actually per-VLAN spanning tree, so there will be different STP topology info for each vlan - in the case of multiple trunk ports without EtherChannel, one switch may block one vlan on a link while forwarding other vlans across.

In summary, stp runs the same across trunk and access links. The switch firmware, not stp, processes and uses vlan tags.

Let me know if this helps.

Hi Matteo,

Sorry for the delayed answer but I was away for couple of days.

Please be aware that IEEE 802.1q is an international standard and Cisco is trying to comply with implementation. As such Cisco documentation indicates the 802.1 tagging scheme in various places. The starting point for you may be either:

http://www.cisco.com/en/US/partner/tech/tk389/tk390/technologies_tech_note09186a0080094665.shtml for partner account or http://www.cisco.com/en/US/tech/tk389/tk390/technologies_tech_note09186a0080094665.shtml for guest account with the further links there. You will also find some implications to STP in the document.

Having said that, I should finally comment that I have experienced some ways to run dot1q tagged packets via ports which were not trunks on some Cisco platforms, but to my knowledge this is not the case with static access ports on your Cats 3550.

I am not sure if I understand your question about separation of different vlans (please note that English is not my native language), but if you ask about the way to transport, multiplex or preserve different vlans between boxes (or perhaps between a Cisco box and an end-station if it understands tagging), I say yes, trunking is the standard (802.1q) way of doing it.

Also be aware that Cisco boxes run Dynamic Trunking Protocol and can establish a trunk (with the default configuration of ports on most platforms) even if you run only 1 vlan through it (but I guess that when your question referred to access ports you had actually put the ports in static access mode).

Access switchport supports STP (be aware that nowadays there are various versions of STP and Cisco invented PVST quite some time ago).

I hope my answer may help.

Best regards,

Antonin

So,

when is a switchport access configuration required?

Normally you code switchport access when connecting an end-station, such as a PC, to the switch. End-stations generally reside in only one vlan, so there is no need to configure the port as a trunk port.

Similarly, router ports are normally access vlans as well, unless you need to use sub-interfaces on the router because you only have one physical link.

Let me know if this helps.