Re: Inter-VLAN operation on two switches using a Access Port

er.abhi82 · ‎07-23-2019

Hi All,

Here is a setup.

SW1: VLAN 10 - E0/0, E0/3

SW2: VLAN 20 - E0/0, E0/3

Observation: Ping is working from R1 to R2 in GNS3.

Here is the questions:

1. How is ping working in this setup? E0/3 interface at both the switches are in different VLANs.

2. If tag is stripped off at egress of access port, why is it said that only single VLAN will allow on access port?

Iaroslav · ‎07-23-2019

It might be that your inter-switch link is an access port. Traffic going out access port is not tagged, it is assumed to belong to the VLAN the port is in, in your case VLAN10 for SW1 and VLAN10 for SW2. Since you're using GNS3 you could get the traffic dump between the switches with Wireshark. If the inter-switch link is trunk, check native VLAN setting on both ends. The command to check is 'show interfaces trunk'.

As for your second question, you do not really extend several VLANs over access ports, you just stitch several VLANs at SW1-SW2 point.

Discovering the Why
https://braonle.wordpress.com/

Seb Rupik · ‎07-23-2019

Hi there,

The frame passing between the switches is un-tagged.

The purpose of specifying 'switchport access vlan x' is to configure the switchport to place an un-tagged frame on ingress into the specified VLAN.

cheers,

Seb.

Giuseppe Larosa · ‎07-23-2019

Hello er.abhi82,

you have joined two broadcast domains by connecting two ports in access mode in different Vlans.

Even if they are in different Vlans:

frames are sent untagged and each receiving side associates them to the configured Vlan as noted by Sep.

Because the ports are in access mode the cisco switches use standard IEEE STP BPDU frames and they do not carry vlan-id info inside the BPDU so there is not issue caused by STP (no consistency check failed with access ports.).

This is not a recommended configuration, but it can be a temporary fix for some cases where you need to join two broadcast domains.

Hope to help

Giuseppe

Joseph W. Doherty · ‎07-23-2019

"1. How is ping working in this setup? E0/3 interface at both the switches are in different VLANs."

Yes, but the packets, being untagged, don't know that. I.e. you've bridged the two VLANs into one. However, if CDP is enabled, you'll likely find it is generating messages the VLANs on the two ports are different.

"2. If tag is stripped off at egress of access port, why is it said that only single VLAN will allow on access port?"

Because each switch will only allow traffic for that VLAN to egress that switch (which is happening). The fact that the switch is receiving untagged packets means it assumes all those packets (received) should be for the switch port's defined VLAN.

Change the port on both sides to be a trunk, and your VLANs won't intermix (unless you set them to use VLAN 10 and 20 as native - which untags them, again).

er.abhi82 · ‎07-23-2019

Thank you All,
I have one more questios.
As my understanding, BPDUs have different vlan id(10 and 20) in Bridge ID.
RSTP algo would not allow to elect root port and designated port. They will
be in disable state and would not transmit packeks. Please correct me if I
am wrong.

Giuseppe Larosa · ‎07-23-2019

Hello er.abhi82,

the Cisco proprietary format is used only on trunk ports and only for non native Vlans (tagged)

The consistency check that is performed is:

compare the external 802.1Q Vlan-id value with the Vlan-id carried inside the Cisco PVST or Rapid PVST BPDU, if they are the same the consistency check is passed if they are not it is failed. In that case the whole port is put in an inconsistent state not only for the affected Vlan.

For backward compatibility on the native Vlan Cisco switches send the untagged IEEE STP BPDU that hasn't a Vlan-id field.

They may send also the proprietary BPDU untagged but they do not perform consistency here as there is no external 802.1Q tag to compare with.

This is why a native vlan mismatch is possible on 802.1Q trunks without causing the STP consistency check to be triggered.

Hope to help

Giuseppe