06-21-2018 07:04 AM - edited 03-08-2019 03:26 PM
I saw from an article about the VLAN cross.
https://www.pluralsight.com/blog/it-ops/5-big-misconceptions-about-virtual-lans-
''Connecting together two access ports that are in different VLANs. Suppose SW1 has port Ethernet0/1 configured as an access port in VLAN 3, and SW2 has port Ethernet0/2 configured as an access port in VLAN 4. If you connect these two ports together, traffic can cross seamlessly between VLANs 3 and 4.''
This happened to me, where I couldn't isolate or separate the traffic for different VLANs.
I don't have any router.
Switch A's trunk port connects to tester A, which can Tx or Rx packets for different streams of packets.
Switch B's trunk port connects to tester B, which can Tx or Rx packets for different streams of packets.
In between the switches are access ports with VLAN 10, 20, 30.
By connecting together two access ports that are in different VLANs, they can communicate.
I don't understand why. Could someone please explain to me?
06-22-2018 03:36 AM
Hello,
Under normal conditions, on an L2 switch, traffic from one VLAN can't pass to another VLAN.
On an L3 switch, when you create switch virtual interfaces for VLANs, traffic will be routed between VLANs, and if you don't want this to happen, the simple way is the usage of access-lists.
There are cases how to overcome this normal behavior, but this means to do dirty things with cabling or configuration, or the so called double encapsulation attack.
When traffic enters the switch via an access port in VLAN 10, it is internally marked and it is still separated from other VLANs' traffic. When this traffic leaves the switch via a trunk port with VLANs 10, 20, 30, it is encapsulated by an 802.1q tag, which separates it from traffic in other VLANs.
The article you mention is totally true, but I understand that you are confused, because this article is not meant as an introduction to VLANs and trunking. I would encourage you to start with less complicated information sources and then proceed to a more complex level. Good luck!
Stepan
06-21-2018 02:51 PM
Hello,
I am not sure if I understand what confuses you. When data frames leave a switch interface, their VLAN tag is stripped; they are sent without encapsulation, so you can perfectly receive them on another interface in a different VLAN. Internally in the switch, this traffic will be received into the VLAN which is configured as the access VLAN on this receiving port. So this communication will work. Anyway, I don't encourage anyone to do such things as this is ... dirty practice. You can benefit from such an interconnection only when hosts in these two VLANs share the same address space, so they can communicate. I wouldn't recommend having two VLANs in the same domain with the same or overlapping address space.
Again, I am not sure if I addressed your question properly :-)
Regards
Stepan
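The behaviour Stepan describes in both replies, as an added example that is not from this thread or from Cisco: a small model of access and trunk port handling in which a frame is tagged on trunk egress, has its tag removed on access egress, and is re-classified into the receiving port's access VLAN. The VLAN numbers 3 and 4 follow the quoted article; the native VLAN 99, the allowed list, and the sample frame bytes are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

@dataclass
class Port:
    mode: str                          # "access" or "trunk"
    vlan: int                          # access VLAN, or native VLAN for a trunk
    allowed: frozenset = frozenset()   # VLANs carried on a trunk (assumed list)

def strip_tag(raw: bytes):
    # Returns (vid, untagged_frame); vid is None when no 802.1Q tag is present.
    if struct.unpack("!H", raw[12:14])[0] != TPID_8021Q:
        return None, raw
    tci = struct.unpack("!H", raw[14:16])[0]
    return tci & 0x0FFF, raw[:12] + raw[16:]   # VID is the low 12 bits of the TCI

def add_tag(raw: bytes, vid: int) -> bytes:
    # Inserts an 802.1Q tag (PCP 0, DEI 0) between the source MAC and the EtherType.
    return raw[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + raw[12:]

def ingress(port: Port, raw: bytes):
    # Classifies a received frame: (internal VLAN, untagged frame), or None if dropped.
    vid, frame = strip_tag(raw)
    if port.mode == "access":
        return (port.vlan, frame) if vid is None else None  # untagged frames only
    vid = port.vlan if vid is None else vid                 # untagged on a trunk = native
    return (vid, frame) if vid in port.allowed or vid == port.vlan else None

def egress(port: Port, vlan: int, frame: bytes):
    # Sends an internal-VLAN frame out of a port; only a trunk adds a tag (not for native).
    if port.mode == "access":
        return frame if vlan == port.vlan else None
    if vlan == port.vlan:
        return frame
    return add_tag(frame, vlan) if vlan in port.allowed else None

def cross_connect(sent_vid: int) -> Optional[int]:
    # Traces tester A's tagged frame: SW_A trunk -> SW_A access VLAN 3 -> patch cable
    # -> SW_B access VLAN 4 -> SW_B trunk -> tester B. Returns the VID tester B sees.
    trunk = Port("trunk", 99, frozenset({3, 4, 10, 20, 30}))
    sw_a_access, sw_b_access = Port("access", 3), Port("access", 4)
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"constructed"
    hop = ingress(trunk, add_tag(frame, sent_vid))   # tester A -> SW_A trunk
    wire = egress(sw_a_access, *hop) if hop else None   # SW_A access VLAN 3: tag removed
    hop = ingress(sw_b_access, wire) if wire else None  # SW_B access VLAN 4: re-classified
    out = egress(trunk, *hop) if hop else None          # SW_B trunk -> tester B, tagged 4
    return strip_tag(out)[0] if out else None

if __name__ == "__main__":
    print(cross_connect(3))  # frame sent in VLAN 3 arrives at tester B tagged VLAN 4
```

Run as is, the frame sent in VLAN 3 comes out of switch B tagged as VLAN 4, which is exactly why the two VLANs appear merged; a frame sent in VLAN 10 is dropped at switch A's access port, since only VLAN 3 can leave it.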
06-22-2018 03:14 AM
Thanks for your reply Stepan.
I just want to make sure the traffic is totally isolated between VLANs. So I tried to cross the link between VLANs, and who knows, it is actually sending the traffic, which I am very confused by.
As you said, the VLAN tag will be stripped off when it is leaving the access port. What about when it enters the access port and goes out of the trunk port again to tester B?
thank you again.
I am using a 2960 switch.
06-25-2018 02:25 AM
Thanks for the mention of the double tagging / double encapsulation problem. Awesome!