
Why different vlan PCs ping each other without any trunk link and routing

libra_ali786
Level 1

Why do PCs in different vlans ping each other without any trunk link and routing? Please see the attached picture and configuration.

Need a strong explanation.


9 Replies 9

Martin L
VIP

 

Switch adds tags on trunks based on the access vlan they came in on. Switch keeps a vlan-to-MAC table internally.

Frame came in on port vl 10, so internally switch1 adds a vlan 10 tag. It does not work because sw1 adds a tag of vlan 10 when the frame leaves on the trunk port. 2nd switch does not have any vlan 10, only 20. Frames are forwarded within a vlan but not between vlans (you need inter-vlan routing enabled to do so). Sw 2 drops packets.

The same thing will happen in reverse, from sw 2 to sw 1.

I think I saw this a few years back.

Regards, ML
**Please Rate All Helpful Responses **
Yes, I agree it will only fulfill the Picture 2 scenario. But I am confused why the Picture 1 PCs on different vlans are pinging each other without a trunk and any routing?

I just added scenario 1; refresh the page to see it.

Regards, ML
**Please Rate All Helpful Responses **

Martin L
VIP

It does work because there is no trunk and no tags are added. Switch adds tags on trunks based on the access vlan they came in on.

Internally, sw 1 adds a tag of 10 as the frame comes in on the vlan 10 access port from the PC. Internally, sw1 sends the frame out of all ports in vlan 10 and trunk ports that allow vlan 10 (but you do not have any trunks). Sw 2 gets the frame w/o any tag on access vlan 20, Sw2 adds tag 20 internally, and sends the frame out of access vlan 20 and any trunks as well (but you do not have any trunks).

Note that switches will send out unknown unicast and M-cast/B-cast frames to all ports in the same vlan except the receiving port. This is switch learning and building the MAC address table.

Switches complain about Native VLAN mismatch, meaning this should be a trunk port.

Regards, ML
**Please Rate All Helpful Responses **

I agree with your explanation except the red highlighted line. When SW2 gets the normal Ethernet frame from SW1, the SW2 PC-attached port is a member of VLAN 20. Then how does the received Ethernet frame get a reply from the VLAN 20 PC?

"Internally, sw 1 adds a tag of 10 as the frame comes in on the vlan 10 access port from the PC. Internally, sw1 sends the frame out of all ports in vlan 10 and trunk ports that allow vlan 10 (but you do not have any trunks). Sw 2 gets the frame w/o any tag on access vlan 20, Sw2 adds tag 20 internally, and sends the frame out of access vlan 20 and any trunks as well (but you do not have any trunks)."

I am not clear whether there have been changes in the drawing in the original post in the course of this discussion. I can only speak to what I see currently in the drawing. The drawing shows 2 situations.

First situation has all switch ports as access ports. PC on access port in vlan 10 on SW1 and exits SW1 on an access port in vlan 10. Enters SW2 on access port in vlan 20 and arrives at PC on access port in vlan 20. One important thing that we need to keep in mind is that an Ethernet frame sent out an access port or received on an access port is just a plain Ethernet frame and has no information about vlan membership. So in the first situation the PC's attempt to ping sends a plain Ethernet frame, SW 1 forwards the plain Ethernet ping frame (SW 1 knows that this frame is associated with vlan 10 but there is nothing in the Ethernet frame itself about that). SW 2 receives the plain Ethernet ping frame. There is nothing in the frame itself about vlan membership. SW 2 associates the frame with vlan 20 because it was received on vlan 20. SW 2 forwards the ping frame to the PC in vlan 20. The second PC receives the ping request, the IP address matches, and so the PC sends a ping response which is a plain Ethernet frame with no vlan membership information. The response is forwarded back and the ping is successful.

In the second situation the switch to switch connection is a trunk. For a trunk the switch does add a vlan tag to the Ethernet frame being sent over the trunk (except frames in the native vlan do not have vlan tags). So in situation 2 the PC in vlan 10 sends a ping request which is a standard Ethernet frame with no vlan information. SW 1 forwards the frame out the trunk port and adds a vlan tag identifying membership in vlan 10. The Ethernet frame is received by SW 2, which knows from the vlan tag that the frame is associated with vlan 10 and should be forwarded only to ports in vlan 10 - and there are no ports in vlan 10 on this switch and so the frame is not forwarded and the ping fails.

So the key thing here is when going switch to switch does the frame have a vlan tag or not have a vlan tag. With no vlan tag in situation 1 there is technically a vlan mismatch, but the Ethernet frame going between the switches has no vlan membership information and so the mismatch is not a problem and the ping is successful.

HTH

Rick
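
The two situations described above, as a small forwarding model with a link audit that flags the access-to-access case where VLAN 10 and VLAN 20 end up in one broadcast domain. This is an added example, not part of the original thread: the `Port` model, the function names and the trunk's allowed-VLAN list are assumptions, both PCs are assumed to share one IP subnet, and tagged frames arriving on an access port are simply dropped.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()   # VLANs a trunk carries (unused on access ports)

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the receiving switch assigns to a frame, or None if it is dropped."""
    if port.mode == "access":
        # Model simplification: an access port only accepts untagged frames.
        return port.vlan if tag is None else None
    vlan = port.vlan if tag is None else tag      # untagged on a trunk = native VLAN
    return vlan if vlan in port.allowed else None

def egress(port: Port, vlan: int):
    """(sent, tag-on-the-wire) for a frame the switch holds in `vlan`."""
    if port.mode == "access":
        return port.vlan == vlan, None            # access ports never tag
    if vlan not in port.allowed:
        return False, None
    return True, (None if vlan == port.vlan else vlan)

def one_way(src_pc, uplink_out, uplink_in, dst_pc) -> bool:
    vlan = ingress(src_pc, None)                  # PCs send plain Ethernet frames
    sent, tag = egress(uplink_out, vlan)
    vlan = ingress(uplink_in, tag) if sent else None
    return vlan is not None and egress(dst_pc, vlan)[0]

def ping(pc1, up1, up2, pc2) -> bool:
    """Echo request must cross SW1 -> SW2 and the reply SW2 -> SW1."""
    return one_way(pc1, up1, up2, pc2) and one_way(pc2, up2, up1, pc1)

def audit_link(a: Port, b: Port) -> Optional[str]:
    """Flag a switch-to-switch link whose two ends disagree about the VLAN."""
    if a.mode == b.mode == "access" and a.vlan != b.vlan:
        return f"access VLAN mismatch: VLAN {a.vlan} and VLAN {b.vlan} share one broadcast domain"
    if a.mode == b.mode == "trunk" and a.vlan != b.vlan:
        return f"native VLAN mismatch: {a.vlan} vs {b.vlan}"
    return None

# Constructed topology from the thread: PC1 in VLAN 10 on SW1, PC2 in VLAN 20 on SW2.
PC1, PC2 = Port("access", 10), Port("access", 20)
TRUNK = Port("trunk", 1, frozenset({1, 10, 20}))

if __name__ == "__main__":
    print("situation 1:", ping(PC1, Port("access", 10), Port("access", 20), PC2))  # True
    print("situation 2:", ping(PC1, TRUNK, TRUNK, PC2))                             # False
    print(audit_link(Port("access", 10), Port("access", 20)))
```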

I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

 

Yes, there are no tags on access ports; only a trunk will add a vlan id tag. If you read Richard's reply, it should be clear now, right? His wording is better than mine but the result and answer are the same. To add to my explanation, the switch creates a MAC address table; see it with the show mac address table command. The MAC table includes port id, MAC id, and vlan membership. So, when a PC sends a frame on an access port in vlan x, the switch adds info to the table internally and sends it out to all vlan x ports (except the receiving port). This is true for access vlan x and trunk ports that allow vlan x to pass over. The difference is that when the frame leaves the switch, a trunking port will add tag vlan x but an access port will not. The frame leaves via the access port without any tags (untagged). Now, the frame gets to Sw2 via access port vlan y; Sw 2 collects info and adds it to the MAC table before sending it out via access port vlan y to the PC. The frame came in untagged via access port y.

Use the show mac address table command before and after some traffic passes to see what and when information is added.

Is this your real home lab? If so, what is the OS of the PCs?

Regards, ML
**Please Rate All Helpful Responses **

Yes, it is my home lab. I am using GNS3 with built-in PCs.

I checked by "show mac address table" . I got the point. Thanks
