VLAN Related Brain Fart

PrimeYeti
Level 1

Got a bit of brain fog here, so if someone could clarify it would be appreciated.

So if I have an access port for VLAN 10, any traffic egressing will be stripped of its VLAN tag provided it is already tagged with VLAN 10; this I am aware of. However, how does this work for ingressing traffic? When traffic ingresses, the switch will only send traffic to other devices within VLAN 10, but since access ports don't add VLAN tags, how does the switch know that the traffic ingressed from a VLAN 10 access port?

From what I have read, my theory is just that since the switch would keep a MAC address table per VLAN, it does a lookup on the MAC address table, sees that the interface the traffic ingressed on is access for VLAN 10, so then if it needs to be tagged when it reaches a trunk (tagged) port it knows it needs to be tagged for VLAN 10.

Accepted Solutions

The original poster has asked several interesting questions. Let me try to provide some answers.

"how does the switch know that the traffic ingressed from a VLAN 10 access port?" The switch does not KNOW but ASSUMES that traffic ingressing on a vlan 10 port belongs in vlan 10. Let me suggest an example. Assume that we have SW1 with port FA0/0 configured with access vlan 5. SW1 FA0/0 connects to SW2 FA0/0. SW2 FA0/0 is configured with access vlan 10. When SW2 receives a frame on FA0/0 it will forward that frame only to ports that belong to vlan 10 (or to a trunk that carries vlan 10). Humans looking at this (and CDP) recognize that a mistake has been made. But as far as SW2 is concerned everything is fine and any frame received on FA0/0 belongs in vlan 10.

Sort of a two-part question: "So any frames that come from VLAN 10 access port will be untagged". If FA0/0 is configured as an access port the assumption is that any frame received will be untagged and will belong to vlan 10. If FA0/0 receives a frame that is tagged (and the tag is not vlan 10) the switch will treat this as invalid. And "once it reaches the trunk port with VLAN 10 allowed the trunk will tag the frame with VLAN 10": very correct.

And finally, "how the switch knows what traffic needs tagging with what VLANs when it goes over a trunk": this is fairly straightforward and depends on the switch knowing what vlan the frame belongs to (this could be determined by whether the frame arrived on an access port (in which case the frame belongs to the vlan of the access port) or the frame arrived on a trunk port (in which case the tag of the frame determines which vlan the frame belongs to)). As it prepares to transmit the frame, the trunk port will determine whether the frame belongs in the native vlan, in which case it is transmitted with no tag, or belongs in some other vlan, in which case it is transmitted with a tag for the vlan to which it belongs.

HTH

Rick

balaji.bandi
Hall of Fame

Some of your understanding is correct.

"but since access ports don't add VLAN tags" - If the port is not configured, this will be the default VLAN 1.

"how does the switch know that the traffic ingressed from a VLAN 10 access port?" (when you configure the access port as access vlan 10) - or ingressed from another switch?

In the case of a port configured as a trunk, that is a different case.

I would suggest starting from here:

https://www.youtube.com/watch?v=wr0g95w727k&list=RDCMUCrCh8p6p2UZC18vqSBhN_sA&index=2

The more you do with Wireshark, the more information you get; it is part of the learning steps.

BB

"how does the switch know that the traffic ingressed from a VLAN 10 access port?" Any L2 SW port must be configured with a specific VLAN as an access port, or configured as a trunk with a specific native VLAN.

SW
Case 1
Any untagged frame received from an access port: the SW checks the VLAN assigned to that port.

Case 2
An untagged frame received from a trunk port: the SW checks the native VLAN of that trunk (the native VLAN must be the same on all trunks connected to one SW).

So for sure, with the above, the SW knows which VLAN this untagged frame belongs to.

Hi There,

So any frames that come from VLAN 10 access port will be untagged (native VLAN) but once it reaches the trunk port with VLAN 10 allowed the trunk will tag the frame with VLAN 10?

If the native VLAN of the trunk is not VLAN 10, yes, you are correct.

Hi MHM,

Sorry, yes I should have specified, in this situation VLAN 10 would be a new VLAN and let's say VLAN 1 would be native. OK this helps, thank you!

I think my main confusion came from not knowing how the switch knows what traffic needs tagging with what VLANs when it goes over a trunk.

Joseph W. Doherty
Hall of Fame

"... but since access ports don't add VLAN tags, how does the switch know that the traffic ingressed from a VLAN 10 access port?"

Tags are needed when you're mixing VLAN frames on the same link (like a trunk), entering the switch, so the switch "knows" what VLAN the frame is for. (The VLAN for untagged frames on an access port or on a trunk port is via VLAN configuration [which might be implicit, i.e. the default] for such frames on such ports.) Once the frame is in the switch, the switch no longer needs a VLAN frame tag because it can keep track of the frame, with information associated with that frame, such as the VLAN it belongs to, or its ingress port, or whatever it deems it should keep track of.

As to your theory, possibly it might be done that way, but what's actually done on the switch depends on its architecture, and its specific implementation might very well be proprietary and/or trade secret. (Consider, all switches need to effectively provide the same results, but how those results are done might impact the switch's forwarding latency and/or capacity and/or impact manufacturing cost.)

Rick makes a good point, i.e. that untagged frames, on access or trunk ports, are assumed to be in whatever VLAN the port is configured for untagged frames. He also mentions CDP can flag VLAN mismatches; this requires devices on each end of the link to support CDP and that it's enabled. He also correctly notes CDP doesn't block mismatched untagged operation.

Lastly, he mentions an access port will also accept tagged frames for its assigned VLAN. This might be dependent on the individual switch, but I'm unsure, because I recall (???) recently rereading an old @Peter Paluch posting about that (cannot find it). BTW, an access port configured with a (additional) voice VLAN will generate and expect its frames to be correctly tagged.

Lastly, I believe trunk ports will also accept its native VLAN frames (correctly) tagged.

Hi Richard,

Edit: Thought I would leave this here as someone in the future may make the same mistake as me. I understand my mistake though. A tagged frame received on an access port needs to be the same tag as that access port or it will be dropped. An untagged frame received on an access port will be assumed to be part of the same VLAN as that access port and allowed through. A tagged frame received on a trunk port will be sent to the relevant access port(s) and have the tag removed. Finally, an untagged frame received on a trunk port will be assumed to be part of the native VLAN and sent to the access port(s) of the native VLAN.

Thanks for the response here breaking it down! To make sure I have understood you correctly, the 'mistake' in your first paragraph, this is referring to the fact that a frame leaving SW1 fa0/0 will be seen as part of VLAN 5 but then as soon as it crosses the link and enters SW2 fa0/0, SW2 will see it as being part of VLAN 10 thereby causing a VLAN mismatch/VLAN hopping, correct? Would SW2 fa0/0 not reject the frame though since I was under the impression that access ports would only allow (and untag) traffic tagged with its respective VLAN. Or would the native VLAN come into play here? I was also under the impression that native is only defined on trunk ports.

I am glad that my explanation was helpful. Your points in your first paragraph are spot on. Your comments in the second paragraph are mostly ok but not quite 100 per cent. So let me say a bit more about it. In particular, this is not an example of vlan hopping. It really is an example of vlan combining. Let me start from the basic definition that a vlan is a broadcast domain. In my example a frame could be received on some interface in vlan 5 of SW1, travel through FA0/0 to FA0/0 of SW2 and be forwarded to some interface in vlan 10. That is a single broadcast domain. What we really have is one vlan with 2 names.

HTH

Rick
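The ingress and egress rules Rick gives in the accepted solution (and the original poster's four-rule summary above), plus Rick's SW1/SW2 "vlan combining" scenario, as a small Python model I added; it is not code from the thread or from any Cisco product, and the port names, the second access port on each switch and the extra trunk on SW2 are constructed to mirror the vlan 5 / vlan 10 example.

```python
"""Toy model of 802.1Q ingress classification and egress tagging.

Added example, not from the thread.  Rules modelled: an untagged frame on an
access port is ASSUMED to belong to the port VLAN; a tagged frame on an
access port is accepted only if the tag equals that VLAN; an untagged frame
on a trunk belongs to the native VLAN; on egress an access port always
strips, a trunk sends the native VLAN untagged and other VLANs tagged.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int                          # access VLAN, or a trunk's native VLAN
    allowed: frozenset = frozenset()   # trunk only: VLANs allowed on the link

def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the switch assigns to an incoming frame; None means it is dropped."""
    if port.mode == "access":
        # untagged -> the port's VLAN; tagged -> only if the tag matches it
        return port.vlan if tag in (None, port.vlan) else None
    if tag is None:
        return port.vlan                            # untagged on trunk -> native
    return tag if tag in port.allowed else None     # tagged -> its tag, if allowed

def carries(port: Port, vlan: int) -> bool:
    """Does this port participate in `vlan` at all?"""
    return vlan == port.vlan if port.mode == "access" else vlan in port.allowed

def egress_tag(port: Port, vlan: int) -> Optional[int]:
    """Tag written on a frame of `vlan` leaving a port that carries it (None = untagged)."""
    if port.mode == "access" or vlan == port.vlan:
        return None              # access ports strip; trunks send native untagged
    return vlan

def flood(ports: List[Port], in_port: Port, tag: Optional[int]) -> Dict[str, Optional[int]]:
    """Unknown-destination flood: {egress port name: tag or None} for one received frame."""
    vlan = ingress_vlan(in_port, tag)
    if vlan is None:
        return {}
    return {p.name: egress_tag(p, vlan) for p in ports
            if p is not in_port and carries(p, vlan)}

# Constructed topology: SW1 Fa0/0 (access vlan 5) cabled to SW2 Fa0/0 (access vlan 10).
SW1 = [Port("Fa0/0", "access", 5), Port("Fa0/1", "access", 5)]
SW2 = [Port("Fa0/0", "access", 10), Port("Fa0/1", "access", 10),
       Port("Gi0/1", "trunk", 1, frozenset({1, 10}))]

def vlan_combining_demo():
    """Host on SW1 Fa0/1 (vlan 5) sends untagged; returns (tag on the SW1-SW2 wire, SW2 flood)."""
    wire_tag = flood(SW1, SW1[1], None)["Fa0/0"]   # access egress -> untagged
    return wire_tag, flood(SW2, SW2[0], wire_tag)  # SW2 assumes vlan 10, tags 10 on trunk
```

Running `vlan_combining_demo()` shows the frame crossing the link untagged and SW2 delivering it to its vlan 10 access port untagged and to the trunk tagged 10, which is Rick's "one vlan with 2 names".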

First, +50 points to @Richard Burts.
"not know but assume", that is an excellent answer.
Now time to lab:
IOU1 connects to IOU2 via a link
IOU1 uses VLAN5
IOU2 uses VLAN10
Is this a normal config?? NO, keep away from doing that. Even if CDP detects the mismatch the SW does not do anything; the ONLY point at which the SW rejects the frame in this case is when you run STP, STP will BLK the port (or other abnormal behaviour).

So IOU1 uses VLAN5 and IOU2 uses VLAN10, but still R1 can ping R2.
IOU2 receives the untagged frame (check capture) and ASSUMES it is from VLAN 10,
and forwards it to all of VLAN10.
IOU2-IOU3 is a trunk with native vlan 10,
and you can see also in the capture that the frame is untagged there as well.
