VLAN tagging and isolation question

yosefshai
Level 1

Hello,

I've read a lot about VLANs and tagging on Cisco.com and understood the general concept.

One thing which is still unclear to me is how traffic is isolated between different VLANs and also what kind of traffic.

1. Could you please explain to me when tagging is done and when it is removed from frames?

2. How can I completely isolate inter-VLAN traffic (when a layer 3 device is used and routing does exist)? Maybe using ACLs?

Thanks a lot

5 Replies

Jon Marshall
Hall of Fame

Tagging is done when vlan traffic is sent on a trunk link. A tag is needed otherwise the receiving switch would not know which vlan the traffic was meant to be in.

So the sending switch would add a vlan tag when transmitting on the trunk port and the receiving switch would remove the vlan tag.

Note that there is the native vlan on a trunk link and this vlan is not tagged. That is why per trunk link either end of the trunk must agree on the native vlan because there is no tag to tell the switch which vlan it is in.

It depends what you mean by completely isolate. If you have a vlan that you do not want to be able to communicate with devices outside the vlan then the simplest solution is to not create a L3 vlan interface (SVI) for it. Without an SVI clients in the vlan can only communicate with other clients in the same vlan.

If you need some level of communication, ACLs applied to the SVI would work.

Another possible solution would be to use VRFs but it does depend on exactly what level of communication you want.

Jon

Thanks for your reply,

According to what I've read VLAN tagging is applied to traffic when the traffic hits (ingress) a switch port which is assigned to a VLAN using the 'switchport access vlan vlan_num' command, isn't it right?

Can you point me to where you have read that ?

The "switchport access vlan <num>" command is for a port that is only in a specific vlan ie. not a trunk port so the switch doesn't need a tag for those ports.

Jon

Hi,

After reading some VLAN materials again, let me emphasize my question please.

You said that VLAN tagging is done on a switch once frames hit a trunk port and not once they hit an access port (which is assigned to a VLAN).

Now, if there are 2 L2 switches connected to each other using trunk ports.

Each L2 switch has 2 VLANs, 100 and 200, and 2 endpoints connected to them.

Now, an endpoint from VLAN100 on one switch sends traffic to the other endpoint from VLAN100 on the other switch.

How does the trunk interface know what VLAN tag it should add to the frame (100 or 200) if the frame was not tagged when it first ENTERED the access port connected to the endpoint?

TIA

A switch "knows" what VLAN a frame should be in when entering an access switchport because an access switchport is assigned a VLAN. (NB: access switchports not explicitly assigned a VLAN are assigned to VLAN 1.)
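The two points made in this thread (Jon's: the tag is added when a frame leaves a trunk port and removed when it arrives on the far trunk port, with the native VLAN carried untagged; and the last reply's: an access port assigns the VLAN to a frame at ingress, so the switch already knows the VLAN by the time the frame reaches the trunk) can be traced with a small model of the poster's two-switch topology. The following is an added example written for this page, not code from the thread or from Cisco. Switch and port names, MAC addresses and the frames are constructed; the 802.1Q layout (TPID 0x8100 and a 16-bit TCI inserted after the source MAC) is the real one. It also exercises the native-VLAN caveat Jon raises: when the two ends of the trunk disagree on the native VLAN, an untagged VLAN 1 frame from switch A is classified into VLAN 100 by switch B, which is exactly the leak the caveat warns about.

```python
"""Two L2 switches joined by an 802.1Q trunk: where tags are added and removed.

Added example for this thread, not Cisco code. Frame layout follows IEEE 802.1Q:
  dst MAC(6) | src MAC(6) | [TPID 0x8100(2) | TCI(2)] | EtherType(2) | payload
"""
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame, as a host on an access port sends it."""
    return dst + src + struct.pack("!H", ethertype) + payload


def insert_tag(frame, vlan):
    """Push an 802.1Q tag (PCP/DEI = 0) in after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID, vlan & 0xFFF) + frame[12:]


def strip_tag(frame):
    """Return (vlan_id or None, frame without the tag)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        vid = struct.unpack("!H", frame[14:16])[0] & 0xFFF
        return vid, frame[:12] + frame[16:]
    return None, frame


class Switch:
    def __init__(self, name, native_vlan=1):
        self.name = name
        self.native = native_vlan
        self.access = {}      # port -> access VLAN
        self.trunks = {}      # port -> set of allowed VLANs
        self.links = {}       # trunk port -> (peer switch, peer port)
        self.delivered = {}   # access port -> [(vlan, frame)] handed to the host
        self.trunk_log = {}   # trunk port -> [frames exactly as put on the wire]
        self.mac_table = {}   # (vlan, mac) -> port

    def add_access(self, port, vlan):
        self.access[port] = vlan
        self.delivered[port] = []

    def add_trunk(self, port, allowed):
        self.trunks[port] = set(allowed)
        self.trunk_log[port] = []

    def receive(self, port, wire_frame):
        """Ingress: classify the frame into a VLAN, learn the source, forward."""
        vid, frame = strip_tag(wire_frame)
        if port in self.access:
            if vid is not None:
                return                      # tagged frame on an access port: drop
            vlan = self.access[port]        # VLAN comes from the port config
        else:
            vlan = self.native if vid is None else vid   # untagged = native VLAN
            if vlan not in self.trunks[port]:
                return                      # VLAN not allowed on this trunk: drop
        self.mac_table[(vlan, frame[6:12])] = port
        known = self.mac_table.get((vlan, frame[:6]))
        outs = [known] if known else [p for p in (*self.access, *self.trunks) if p != port]
        for out in outs:
            self.transmit(out, vlan, frame)

    def transmit(self, port, vlan, frame):
        """Egress: untagged on access ports; tagged on trunks except the native VLAN."""
        if port in self.access:
            if self.access[port] == vlan:
                self.delivered[port].append((vlan, frame))
        elif vlan in self.trunks[port]:
            wire = frame if vlan == self.native else insert_tag(frame, vlan)
            self.trunk_log[port].append(wire)
            peer, peer_port = self.links[port]
            peer.receive(peer_port, wire)


def build_network(native_a=1, native_b=1):
    """The poster's topology: switches A and B, VLANs 100/200, one trunk t1-t1."""
    a, b = Switch("A", native_a), Switch("B", native_b)
    for sw in (a, b):
        sw.add_access("e1", 100)
        sw.add_access("e2", 200)
        sw.add_access("e3", 1)          # a host in the native VLAN, for the mismatch case
        sw.add_trunk("t1", {1, 100, 200})
    a.links["t1"], b.links["t1"] = (b, "t1"), (a, "t1")
    return a, b


def send(switch, port, dst, src, payload=b"hello"):
    """Inject a constructed IPv4 frame from a host on an access port."""
    switch.receive(port, build_frame(mac(dst), mac(src), 0x0800, payload))


if __name__ == "__main__":
    a, b = build_network()
    send(a, "e1", "02:00:00:00:00:b1", "02:00:00:00:00:a1")    # VLAN 100 host -> VLAN 100 host
    print("tag seen on trunk:", strip_tag(a.trunk_log["t1"][0])[0])
    print("B/e1 frames:", len(b.delivered["e1"]), " B/e2 frames:", len(b.delivered["e2"]))
    a, b = build_network(native_a=1, native_b=100)
    send(a, "e3", "02:00:00:00:00:b3", "02:00:00:00:00:a3")    # VLAN 1 host, natives disagree
    print("VLAN 1 frame delivered into VLAN 100 on B:", len(b.delivered["e1"]))
```

Run it with `python3` and the first case shows the frame untagged on A/e1, carrying tag 100 on the trunk, and untagged again at B/e1, with nothing delivered on either VLAN 200 port. The second case is the reason Jon says both ends must agree on the native VLAN: A sends its VLAN 1 frame untagged, B has no tag to go on and files it under its own native VLAN, 100. On Cisco IOS the check at each end is `show interfaces trunk`, which lists the native and allowed VLANs per trunk; compare the two outputs rather than assuming the default.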
