Monday, November 29, 2010

VTP and VLAN Quiz

The last lesson presented the gory details behind inter-VLAN routing. Now, I would like you to play a little game with me. A simple quiz will check your understanding of both access and trunk ports. Have fun!



Study the first topology carefully (Pic. 1) and answer question 1.

Question 1: When PC1 is sending broadcast frames (destination MAC address: FFFF.FFFF.FFFF), which computers are going to receive them?


NOTICE!
All switch-to-switch connections in Pic. 1 are ACCESS ports.


Pic. 1 - Switches are connected using ACCESS mode (NOT trunk mode).
Icons designed by: Andrzej Szoblik - http://www.newo.pl
The answer to question 1 can be found at the bottom of this post. But try not to cheat. Check the answer after you have provided yours ;).

Study the second topology carefully (Pic. 2) and answer question 2.

Pic. 2 - Switches are connected using TRUNKING mode.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Question 2: When PC1 is sending broadcast frames (destination MAC address: FFFF.FFFF.FFFF), which computers are going to receive them?

The answer to question 2 can be found at the bottom of this post. But try not to cheat. Check the answer after you have provided yours ;).

Now, I can start our last lesson related to VLANs. It's about the Cisco VLAN Trunking Protocol.

Vlan Trunking Protocol (VTP)
Cisco created this protocol to facilitate automatic VLAN distribution between switches connected by trunk links. There is a similar protocol called GVRP, which is an industry-standard solution. At first glance it looks like it works like VTP, but it has some significant differences. For more details, use Google to learn about it.

What Does VTP Do?
VTP is turned on by default, but a few things need to be configured for it to work. The idea is very simple: instead of typing in all the VLANs end-to-end (on every switch individually), you configure the VLANs on one switch only, and the same configuration is propagated to all switches in the network (in the VTP domain, to be more accurate). By 'the same configuration' I mean that the VLAN database is synchronized (exchanged) between all the switches. In other words, VLAN numbers and their names are exchanged. The port-to-VLAN assignments are NOT exchanged. Consider this example:

SW1(config)#vlan 4
SW1(config-vlan)#name IT_Dept
SW1(config-vlan)#end
SW1#

The above configuration creates VLAN 4 and assigns it the name 'IT_Dept'. In a split second, the same VLAN 4 named IT_Dept is propagated into the database of every switch in the network (VTP domain).

How Does VTP Work?
As you recall from lesson 16, VLAN configuration typically involves three steps:
  1. Configuring VLAN numbers in the 'global config' mode. Optionally, you can also give those VLANs unique names.
  2. Assigning interfaces to VLANs (access mode). Optionally, you can map MAC addresses to VLANs (access dynamic mode). But in order to use this method, a VMPS server is required.
  3. Configuring trunking connections between the switches (if the same VLANs are applied on all switches, aka end-to-end VLANs).
Even though VTP is turned on by default, a few things must be configured for VLANs to be distributed among the switches:
  1. Switches must belong to the same VTP domain (the same domain name must be configured on the switches to synchronize their VLAN databases).
  2. If switches optionally use a domain password, this password must be identical on all switches in the VTP domain.
  3. The connections between switches must be in 'trunking mode' (it is the VLAN TRUNKING Protocol after all).
  4. The VTP version must be the same on all switches (there are VTP versions 1, 2 and 3).
VTP Modes
A Cisco switch can be configured in one of three VTP modes:
  • VTP Server (default mode) - this mode allows you to add, remove, delete and modify VLANs in the database. Everything is saved in NVRAM (Non-Volatile RAM, the memory that does not lose its content on power-down).
  • VTP Client - in this mode you CANNOT create VLANs in the local database. The only way for a VTP client to learn VLANs is to send an advertisement request. The server responds to this by sending information about the VLANs and their names used in the domain (a subset advertisement).
  • VTP Transparent - is similar to the server mode of operation. The major difference is that transparent mode does NOT participate in the VTP domain. This means that a transparent switch does NOT synchronize its (local) VLAN database with any other switch, and it does NOT learn VLANs propagated by a VTP server. A transparent switch WILL, however, forward VTP messages between other switches over its trunk ports.
A VTP server sends a special VTP frame every 5 minutes out of all its trunk ports. This message is the summary advertisement. Among other pieces of information, it includes:
  • VTP domain name
  • MD5 digest (if password is used in VTP domain)
  • Revision number

If there is a topology change (VLAN added, removed, name modified, etc.), the VTP server sends a new summary advertisement IMMEDIATELY with the revision number incremented. All other switches, upon receiving this message, compare their own VTP domain name, protocol version, MD5 digest (if used) and revision number with it. If the revision number in the incoming message is HIGHER than the last one seen, they send an advertisement request message towards the server. The VTP server responds with one or more subset advertisements describing all the VLANs found in its database. This new information replaces the old one on all other VTP client or server switches.
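The summary/subset exchange above, as an added example in Python (my own model, not Cisco's implementation or code from this post): a client compares domain name, version, digest and revision before asking for the subset advertisement, a transparent switch never synchronizes, and a switch carrying a high revision number but the wrong password is ignored. The digest is a hypothetical simplification over domain name and password only; switch names, VLAN 4/IT_Dept and domain CCNA are taken from the text, and the STRAY switch is constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model (not Cisco's implementation) of the VTP exchange described
# in the text. The digest is a hypothetical simplification: it covers only the
# domain name and password, whereas real VTP hashes more of the advertisement.

def vtp_digest(domain: str, password: str) -> str:
    """MD5 digest carried in the summary advertisement when a password is set."""
    if not password:
        return ""
    return hashlib.md5(f"{domain}:{password}".encode()).hexdigest()

@dataclass
class SummaryAdvert:
    domain: str
    version: int
    revision: int
    digest: str

@dataclass
class Switch:
    name: str
    mode: str = "server"            # server (default), client or transparent
    domain: str = ""                # empty until configured or learned
    password: str = ""
    version: int = 2
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_mode(self, mode: str) -> None:
        self.mode = mode
        if mode == "transparent":
            self.revision = 0       # 'vtp mode transparent' resets the revision

    def add_vlan(self, vid: int, name: str) -> None:
        """'vlan N' + 'name X' in global config; a client cannot do this."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # every database change bumps the revision

    def summary(self) -> SummaryAdvert:
        return SummaryAdvert(self.domain, self.version, self.revision,
                             vtp_digest(self.domain, self.password))

    def wants_subset(self, adv: SummaryAdvert) -> bool:
        """Check a received summary; True means 'send an advertisement request'."""
        if self.mode == "transparent":
            return False            # forwards VTP frames but never synchronizes
        if not self.domain:
            self.domain = adv.domain  # the domain name is learned over the trunk
        if adv.domain != self.domain or adv.version != self.version:
            return False
        if adv.digest != vtp_digest(self.domain, self.password):
            return False            # password mismatch: this server is ignored
        return adv.revision > self.revision

    def apply_subset(self, adv: SummaryAdvert, vlans: dict) -> None:
        """Replace the local database with the server's subset advertisement."""
        self.vlans = dict(vlans)
        self.revision = adv.revision

def propagate(server: Switch, others: list) -> list:
    """One summary advertisement from server; returns the switches that synced."""
    adv = server.summary()
    synced = []
    for sw in others:
        if sw.wants_subset(adv):
            sw.apply_subset(adv, server.vlans)
            synced.append(sw.name)
    return synced

def demo() -> dict:
    """Domain CCNA with password Secret123, SW1 server, SW2/SW3 clients."""
    sw1 = Switch("SW1", "server", "CCNA", "Secret123")
    sw2 = Switch("SW2", "client", password="Secret123")
    sw3 = Switch("SW3", "client", password="Secret123")
    sw4 = Switch("SW4", "transparent", "CCNA", "Secret123")
    sw1.add_vlan(4, "IT_Dept")                  # the example from the text
    first = propagate(sw1, [sw2, sw3, sw4])
    # Constructed: a switch joining the domain without the password but with a
    # higher revision number. The digest check keeps its database from winning.
    stray = Switch("STRAY", "server", "CCNA", "", revision=99,
                   vlans={1: "default", 77: "stray"})
    second = propagate(stray, [sw2, sw3])
    return {"first": first, "second": second, "sw2_domain": sw2.domain,
            "sw2_vlans": sw2.vlans, "sw4_vlans": sw4.vlans}
```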

VTP Pruning
VLAN Trunking Protocol offers one more interesting feature called PRUNING. It allows the switches to communicate over trunks which VLAN traffic should not be sent down from the upstream switch. Consider Pic. 3 below:

Pic. 3 - VTP VLAN Pruning Example.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

If SW1 sends a broadcast from VLAN 10, the frames will be flooded out of all active ports in VLAN 10 as well as the trunk ports. Recall that ports in trunking mode are multi-VLAN ports allowing ALL VLANs by default (VLANs 1-4094). SW2 receives the broadcast from VLAN 10 on its interface F0/13, but then realizes that currently there are NO members of VLAN 10 connected to any of its ports.

When VTP Pruning is enabled, SW2 will inform SW1 (Pic. 3) that it does not want to receive traffic from VLAN 10. Should you connect at least one host in VLAN 10 to SW2, though, it will send another request so that VLAN 10 is no longer pruned on SW1's trunk port F0/13. This happens automatically without any further configuration.

Of course, if you do not want to use VTP, you do not have to. You can configure VLANs manually on all your switches. You can also prune the traffic on trunk ports manually. The commands are shown below:

SW1#conf t
SW1(config)#interface f0/13
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,15,22
SW1(config-if)#

The above configuration allows only VLANs 10, 15 and 22 to cross the trunk f0/13 (the 'switchport trunk allowed vlan' command).

VTP Configuration
In order to illustrate the configuration steps, I am going to use the same topology as in the few previous posts.

Pic. 4 - Topology Diagram
Icons designed by: Andrzej Szoblik - http://www.newo.pl

The default configuration looks like the output below ('show vtp status').

Pic. 4 - Default VTP settings.
Well, in my output, the only setting that is not default is 'Number of existing VLANs'. I have one VLAN configured (VLAN 500), which is my management VLAN, allowing me to access the switch remotely.

As you can see, the VTP mode is server and the domain name is empty (no domain name configured). So, the switch allows you to configure VLANs, but the database is not going to be propagated to other switches. Below are the steps for introducing the VTP protocol for the first time.

NOTICE!
The command 'vtp mode transparent' in the 'global config' mode will reset the revision number back to 0.


In my topology I am going to use the secure way of introducing VTP protocol FOR THE FIRST TIME!!!

Step 1
Clear the revision number on all the switches by typing the following in the 'global config' mode:

switch(config)#vtp mode transparent
switch(config)#

Step 2
Initially, I am going to use SW1 as the VTP server, and SW2 and SW3 as VTP clients.

SW1(config)#vtp mode server
SW1(config)#

SW2(config)#vtp mode client
SW2(config)#

SW3(config)#vtp mode client
SW3(config)#

Step 3
Configure the VTP domain on SW1 (here the domain name is CCNA).

SW1(config)#vtp domain CCNA


NOTICE!
SW1 is going to propagate the domain name (CCNA) to all other switches. They will learn it on their trunk ports. The trunk ports were configured in my previous lab.


Step 4
Apply the same password (an MD5 digest of it is used) on all switches, so that if somebody plugs in a new switch, that switch, lacking the password, is not going to change the VLANs configured so far. Here the password used is: Secret123

SW1(config)#vtp password Secret123
SW1(config)#

SW2(config)#vtp password Secret123
SW2(config)#

SW3(config)#vtp password Secret123
SW3(config)#

Step 5 (Optional)
Enable VTP pruning to save bandwidth by not transmitting broadcast traffic towards switches that have no members of the VLANs defined in their databases. If you configure this on SW1 (the server), it enables pruning on all switches in our VTP domain.

SW1(config)#vtp pruning

If you want to make other switches servers, you can change their mode of operation now.

This way we have introduced the VTP domain, and now you can add, remove, delete and modify VLANs on one switch (a VTP server), and all these changes will be propagated to all switches (VTP servers or clients) in your domain CCNA.

I will have two videos recorded soon. The first one will explain the answers to the quiz presented above. The second one will show how VTP can cause serious problems in your network if you do not take the right precautions.

Spanning-Tree Cisco Enhancements

My previous two posts hopefully shed some light on the IEEE 802.1d protocol (yes, it is STP). There are two more things I would like to add to that picture. The first deals with situations when the topology changes and how that affects the STP convergence time. Convergence here means the time it takes to recompute the STP tree in order to keep the paths loop-free after a failure. The second thing I'd like to bring up is how Cisco enhanced the STP operation to decrease the convergence time compared to the industry-standard STP.



Before we delve into the details, though, I need to explain something about BPDU frames first. It is true that it is the root bridge that originates those frames and sends them out its designated ports (downstream, every 2 seconds by default). It is also true that all other switches (non-root bridges) propagate them downstream out of their designated ports. This way all switches learn which switch is the root bridge in the network and whether it is still functional.

However, what I withheld in previous posts was the types of BPDU frames. There are three of them:
  • Configuration - the type of BPDU which the root bridge sends every 2 seconds, and which other switches propagate out of their Designated Ports (downstream).
  • Topology Change Notification (TCN) - the type of BPDU that a switch sends if it detects a topology change (a port going down, or a TCN received). This BPDU is sent out the Root Port (upstream) towards the root bridge, informing it that the tree needs to be recomputed.
  • Topology Change Acknowledgement (TCA) - the type of BPDU that is sent back to the sender of a TCN BPDU, acknowledging the reception of the notification.

How do those BPDUs fit into the grand scheme of things?

The default timer for how long entries are kept in the MAC address table is 300 seconds (5 minutes). This means that if a host connected to a switch port does not speak for at least five minutes, its MAC address is removed from the CAM table. That is way too long for the switch to re-learn the computers' MAC addresses if the STP topology changes.

But why do those MAC entries have to change?

Please consider Pic. 1 below. By now, you should be able to tell which ports of the switches are going to learn the PC1 and PC2 MAC addresses. Go ahead, click Pic. 1, and put down on a piece of paper the switch names and the ports that learn the MAC addresses of PC1 and PC2. That is going to be a good refresher on how switches learn MAC addresses dynamically.

Pic 1 - STP Topology.

Icons designed by: Andrzej Szoblik - http://www.newo.pl
If your answers match mine below, that means that you have mastered the lessons on bridging/switching and STP.

SW1 CAM:
F0/1 - 0000.1111.1111
F0/2 - 0000.2222.2222

SW2 CAM:
F0/1 - 0000.2222.2222
F0/2 - no MAC addresses learned since the port is NDP (non-designated port)
F0/3 - 0000.1111.1111

SW3 CAM:
F0/1 - 0000.1111.1111
F0/2 - no MAC addresses learned as PC1 communicates using SW1
F0/3 - 0000.2222.2222 

SW4 CAM: 
F0/1 - no MAC addresses learned as SW2's port F0/2 is NDP
F0/2 - 0000.1111.1111 
F0/2 - 0000.2222.2222 

Now, let's create a problem that causes a topology change in our network. Consider Pic. 2, which shows us why some ports must re-learn the MAC addresses of PC1 and PC2.

Pic. 2 - STP Network Problem
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Given the situation, STP needs to recalculate the topology, since we lose the active connection between SW1 and SW2. If it were not for the STP operation in such circumstances, it would take 5 minutes (300 seconds) for the switches to re-learn the MAC addresses according to the situation presented in Pic. 3. The resulting topology diagram is depicted below.

Try to put down on paper which MAC addresses should be learned on which ports of the respective switches after the failure (Pic. 3).

Pic. 3 - Topology after losing the connection between SW1 and SW2.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

SW1 CAM: 
F0/1 - down 
F0/2 - 0000.1111.1111
F0/2 - 0000.2222.2222

SW2 CAM: 
F0/1 - down 
F0/2 - 0000.2222.2222
F0/3 - 0000.1111.1111

SW3 CAM: 
F0/1 - no MAC addresses learned
F0/2 - 0000.1111.1111
F0/3 - 0000.2222.2222

SW4 CAM: 
F0/1 - 0000.1111.1111
F0/2 - 0000.2222.2222

In order to decrease the time of re-learning MAC addresses, upon the failure SW1 is going to send a TCN BPDU out its Root Port. Normally, Configuration BPDUs are sent out Designated Ports, NOT the Root Port. But this failure prompts the switches to notify the root bridge about the topology change. That is why they send the TCN BPDU out their Root Port. All switches in the path of this TCN BPDU must send a TCA BPDU (acknowledgement) back to the sender and forward the TCN BPDU towards the root bridge. As soon as the root bridge has been notified about the topology change, it begins to send TCN BPDUs out its Designated Ports, so that the other switches in the network also get notified and have a chance to flush their MAC addresses, recompute the tree and re-learn the MAC addresses according to the new topology (Pic. 3). This reduces the convergence time from 5 minutes to about 30-50 seconds, depending on the nature of the change.

You might question that and say that the default timers used here (a 30-50 second delay) are still inappropriate for today's networks transmitting voice, video and data. And you are quite right saying so. The mechanism is still not good enough. But remember that those timers were designed as SAFE values (not causing loops) given a maximum network diameter of seven switches (hops) between the root bridge and the bottom switches. Also, remember that STP was designed when there were no multimedia transmissions being sent across the switches. Is there a solution to those timers? Of course. You may change them manually, but DO NOT DO THAT unless you are very experienced with STP operation. Another option is to use some proprietary features implemented in Cisco switches.

Cisco, with their STP enhancements, are able to decrease these 30-50 second timers even further, allowing video, voice and data to co-exist in our layer 2 networks. Keep in mind that these enhancements are Cisco proprietary STP add-ons:
  1. STP Portfast (now part of standard implementation as well).
  2. STP Uplinkfast.
  3. STP Backbonefast (this one is beyond the scope of this tutorial).
Let us see how the first two can change the behavior of our sample topology.

The STP Portfast feature should be configured on all EDGE ports, i.e. the ones that connect devices that do not send BPDU frames and cannot create loops. These would be your computers, servers, printers, etc. What STP Portfast does is simply skip the LISTEN and LEARN states, going directly to the FORWARD state, whether a TCN was announced or the port in question was just brought up. Think about it. It makes no sense to flush the MAC addresses on the ports that connect computers directly, since the topology change is not going to affect them. In the topology presented in this tutorial (Pic. 1, 2 and 3), the topology change did not affect port F0/3 on SW2 or SW3, where PC1 and PC2 are connected respectively. They are still connected where they were before the topology change, and their addresses are mapped to the same ports as before the change. So, there is no point in flushing the MAC address table entries on SW2 port F0/3 and SW3 port F0/3. These ports are the candidates for STP Portfast. Because STP Portfast-enabled ports go to FORWARD almost immediately, it is highly recommended to use this feature on ports connected to computers in order to avoid problems obtaining an IP address via DHCP.

There are two ways of enabling the STP Portfast feature.

Method 1
In the global configuration mode, type in this command:

SW1(config)#spanning-tree portfast default

All ports that are discovered as EDGE ports (more on that in my next post about Rapid STP) will have STP Portfast enabled by default. You can check that using the detailed STP output for a port (here F0/1):

SW1#show spanning-tree interface f0/1 detail 

The output shows that STP Portfast has been enabled on this port (look at 'BPDU received = 0' and 'candidate for portfast'):

Pic. 4 - STP F0/1 Detailed Output.

Method 2 
Another method is to type in the following command directly on the chosen port:

SW1(config)#interface f0/1

SW1(config-if)#spanning-tree portfast

This way, we turn on STP Portfast unconditionally (whether or not the port receives BPDUs).

The second STP enhancement is STP Uplinkfast. This one should be configured on all ACCESS switches (the leaf switches in our topology, NOT the distribution ones). The feature, which is enabled in the global config mode, shortens the time it takes to transition an NDP port into the RP (Root Port) role upon losing the current Root Port.

In our topology, consider SW2, which has lost its Root Port (F0/1, Pic. 2). Normally, that is, without STP Uplinkfast enabled, it would take 30 seconds for the F0/2 port to transition to the RP role. Keep in mind that F0/2 does not have to go through the blocking state, since it keeps receiving superior BPDUs with the Root Bridge ID. Thus, only 30 seconds are required by default (LISTEN + LEARN states). With STP Uplinkfast enabled, Cisco guarantees that the transition of F0/2 to the forwarding state (RP role) is going to happen in under 5 seconds.

The configuration of STP Uplinkfast is done in the global config mode as shown below:

SW1(config)#spanning-tree uplinkfast

Similar in functionality is STP Backbonefast, which could be implemented on distribution switches. However, the details of this feature are beyond the scope of this tutorial.

In my next post, I'm going to briefly present the Rapid Spanning-Tree Protocol (IEEE 802.1w) and how it differs from regular STP (IEEE 802.1d).

If you want to see the enhancements in action, please watch the video below. More videos are available at:

http://youtube.com/jrComputerLabs

VLANs Overview

At this stage you should be familiar with the concepts related to TCP/IP traffic flow and switch operation. You should also feel confident about how to diagnose basic layer 2 connectivity issues. For the details please review my previous posts. In this one, I am going to extend your understanding of layer 2 technologies by introducing Virtual LANs (VLANs).


Before I introduce our main topic, let's first define the problem which VLANs address. This way, it's going to be easier to understand them.

Problem With Switching
As you remember from previous lessons, each port of a switch creates its own collision domain (for details look at lesson 9 in this tutorial). In addition to that, a switch can use FULL DUPLEX connectivity when connecting other devices to its ports (computers, printers, switches, routers). That allows the ports to SEND and RECEIVE streams of bits at the SAME time. This is due to the special design of a switch. Thus, the efficiency of transmission is radically increased when compared to its older cousin, the hub, using half-duplex connections (sending or receiving, but not both at the same time).

However, switches still maintain ONE BROADCAST DOMAIN. This means that in some situations they flood frames out of all active interfaces except the one that received the frame. Flooding occurs if any of these are true:
  1. The destination MAC address of the arriving frame is unknown.
  2. The destination MAC address of the arriving frame is broadcast.
  3. The destination MAC address of the arriving frame is multicast.
  4. A switch reaches its limit of MAC addresses learned on a port. Then no other MAC addresses can be learned.
Pic. 1 - Switches maintain one broadcast domain (bottom left computer sends broadcast).
Icons designed by: Andrzej Szoblik - http://www.newo.pl
In a flat network like the one depicted above (Pic. 1), imagine a thousand computers sending broadcast traffic (e.g. ARP requests). They will be propagated everywhere as per the rules described earlier. Imagine another situation in which a broken NIC (Network Interface Card = Network Adapter) sends thousands of broadcast frames per second. Those will be flooded to all hosts, interrupting them, as they need to process broadcast frames. In those situations not only do we interrupt all hosts by sending frames to them, but we also saturate links with garbage data unnecessarily. Why would my computer have to listen to broadcast traffic sent by the HR server if I work in the IT department? I do not use the HR server's resources at all. Exactly!

VLANs Are Broadcast Domains
Virtual LANs are a method of creating multiple broadcast domains of smaller size in a switching infrastructure. They are a commonly used solution to the above mentioned problems. By configuring VLANs on the switches, you create multiple broadcast domains, which are treated as separate, isolated LANs that CANNOT communicate with one another by default. This allows us to contain broadcast/multicast/unicast traffic WITHIN the boundary of a given VLAN.

Pic. 2 - VLANs Are Broadcast Domains
Icons designed by: Andrzej Szoblik - http://www.newo.pl
If you consider the traffic in Pic. 2, when the computers in red transmit their bits onto the wire, the switches will send those only to computers that are in the same VLAN, that is, red in this case. For instance, if the bottom right red computer sends a layer 2 broadcast (destination MAC address = FFFF.FFFF.FFFF), only computers in the red VLAN are going to receive this transmission. Computers located in the turquoise VLAN will NOT receive those frames anymore. This way we can segment the traffic between different hosts based on criteria such as groups of interest (workgroups), type of traffic (e.g. VoIP), type of application used, user location, etc. So, the major benefits of using VLANs are:
  1. Broadcast/multicast traffic propagation is limited to the VLAN (broadcast domain) where it originated.
  2. Security is increased, as hosts located in different VLANs CANNOT communicate at all. The only way for them to communicate is to allocate different network/subnet addresses to the VLANs and use a layer 3 device (a router) to move packets between them. Routers offer some control over who can transmit to whom (ACLs, firewalls, etc.). How to accomplish routing between VLANs I will explain in my next post.
I hope the above description sheds enough light on what VLANs are used for. Now is the time to look at some details regarding their configuration.

VLAN Port Types
In order to segment the traffic, the hosts generating it must be assigned to the appropriate VLAN, since all ports of the switch are members of VLAN 1 by default. The process of configuring that usually involves three major steps:
  1. Configuring the VLAN number in the switch database (optionally the name of the VLAN and/or other parameters).
  2. Assigning hosts to the VLANs defined in step 1. There are two ways of doing that: either a MAC address can be assigned to a VLAN (dynamic method), or a port of the switch can be assigned to a VLAN (manual method).
  3. Configuring VLAN trunk connections between the switches. Even though this step is optional, the majority of designs out there will need it.
The above mentioned configuration steps define two different port types VLANs can use:
  1. Access Port - this type of port can be a member of ONE VLAN ONLY. If a static port-to-VLAN configuration is used, the port interprets all incoming frames as belonging to this specific VLAN. In the case of a MAC-address-to-VLAN configuration, the port determines the VLAN number (ID) for transmission based on the MAC address, which is mapped to a specific VLAN.
  2. Trunk Port - which by default belongs to ALL VLANs (1-4094). In other words, this port is capable of sending and receiving traffic coming from different VLANs.
When is the trunk (multi VLAN) port required?

The below picture (Pic. 3) illustrates the need for it.

Pic. 3 - VLAN Port Types
Icons designed by: Andrzej Szoblik - http://www.newo.pl
The grey rectangles symbolize two switches. The colors represent different ports assigned to different VLANs. Of course, VLANs in practice use numbers, not colors, to distinguish between themselves. When any bottom computer sends a broadcast (or a unicast towards another computer in the same VLAN/color connected to the upper switch), the port connecting the two switches must be a trunk (multi-VLAN port). In such a situation we must allow all VLAN members to communicate with their peers in the same VLAN, irrespective of where they are located. Both switches have yellow, red and blue members here! And according to the rules, red computers must be able to talk to all red computers located on the same and all other switches as well (yellow-to-yellow, and blue-to-blue). They are members of the same Virtual LAN after all.

In such a design, in which members of the same logical network (VLAN) or broadcast domain are connected to different physical switches, the connection between them must be a trunk. Trunk ports run a special protocol called IEEE 802.1q (Cisco also has its own protocol called ISL, the details of which are beyond the scope of this tutorial). This protocol is responsible for 'tagging' the frames (injecting extra information into their headers) while sending them out the trunk port.

Why?

Let me explain. Look carefully at Pic. 3 and imagine that the computer connected to the yellow VLAN is sending a broadcast towards all computers that are in the same, yellow, VLAN. The port between the switches is a trunk, and as such allows ALL VLANs in and out. But the problem is that the receiving port on the upper switch gets the Ethernet frame on a port working as a trunk as well. So, this port is also a MULTI-VLAN port! How does this upper, receiving switch know which VLAN the frame is coming from? Well, it does NOT know whether the VLAN sending this broadcast was yellow, red or blue. This is where the sending (bottom) switch, using the trunk as the outbound port, injects an extra 4 bytes into the Ethernet frame while transmitting it. The tag contains the VLAN ID (number) of the sender. This way, the broadcast frame carries extra information allowing the receiving switch (the upper one) to recognize which VLAN it is coming from and forward this broadcast to ALL computers in the same VLAN (here the yellow VLAN).


NOTICE!
The TAG is stripped off on outbound ports configured as ACCESS ports. The tag is useful only on trunk ports.


Before we finish this VLAN overview lesson, let me show you what information this TAG contains.

Pic. 4 - 802.1q TAG

The 802.1q tag is injected between the source MAC address and the type field of the Ethernet II header (Pic. 4). It consists of two fields of two bytes each:
  1. The first two-byte field contains the signature of the 802.1q protocol, the value 0x8100.
  2. The second two-byte field contains:
  • PRI - Class of Service, 3 bits used by QoS,
  • the Canonical bit (CFI) for Token Ring support,
  • the VLAN ID value, which takes up the 12 least significant bits of the tag.
802.1q Native VLAN
There is one more thing I need to touch upon that is related to the 802.1q trunk port. That is the concept of the Native VLAN. The designers of the protocol decided to send frames coming from the so-called 'native VLAN' out the trunk UNTAGGED. In other words, such a frame does not have any tag inserted into the Ethernet header. So, a frame coming from the 'native VLAN' is a regular Ethernet frame. As long as the switches on a trunk link agree which VLAN is their 'native VLAN' for this trunk, a frame arriving on the trunk port without a tag is assumed to be coming from the same native VLAN the sender was transmitting from. The default 'native VLAN' is VLAN 1, since this one cannot be removed from the switch. Probably the reason VLAN 1 is the 'native VLAN' by default is because switches originate frames such as CDP, VTP and STP from this VLAN, and there is no need to tag them, as they are switch-to-switch communication only.


NOTICE!
As of the time of writing this tutorial, all ports of Cisco switches belong to VLAN 1 by default, which is also the (untagged) 'native VLAN'. That VLAN is not going to tag frames on trunk-to-trunk connections.


I am sure you realize what can happen if the two ports connecting switches use different VLAN IDs for their 'native VLAN'. Yes, that can cause frames to leak between VLANs. And this is a serious security issue. So keep the same 'native VLAN' on the paired trunk ports between switches.
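The tag layout and the native VLAN rules above, as an added example in Python (my own code, not the author's): the 4-byte tag is injected after the source MAC, frames from the native VLAN leave a trunk untagged, an access port strips the tag on egress, and an untagged frame is classified into the receiver's native VLAN, which is exactly how a native VLAN mismatch leaks frames from one VLAN into another. The frame contents and the VLAN numbers 1 and 10 are constructed.

```python
import struct

# Constructed example (not the author's code): 802.1q tag handling and the
# native VLAN behaviour described in the text. Frames and VLAN numbers are made up.

TPID_8021Q = 0x8100     # the 'signature' in the first two bytes of the tag
NATIVE_VLAN_DEFAULT = 1

def mac(text: str) -> bytes:
    """'ffff.ffff.ffff' (Cisco notation) or 'ff:ff:...' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))

def ethernet_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header (dst, src, type) followed by the payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vlan_id: int, pri: int = 0, cfi: int = 0) -> bytes:
    """Inject the 4-byte tag between the source MAC (bytes 6-11) and the type field."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pri & 0x7) << 13) | ((cfi & 0x1) << 12) | vlan_id   # PRI | CFI | VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return {'pri', 'cfi', 'vid'} for a tagged frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return {"pri": tci >> 13, "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}

def strip_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the tag if one is present."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame

def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Sending switch: frames from the native VLAN leave the trunk untagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)

def trunk_ingress(frame: bytes, native_vlan: int) -> tuple:
    """Receiving switch: classify by tag; an untagged frame lands in the native VLAN."""
    tag = parse_tag(frame)
    if tag is None:
        return native_vlan, frame
    return tag["vid"], strip_tag(frame)

def cross_trunk(frame: bytes, vlan_id: int, sender_native: int, receiver_native: int) -> int:
    """VLAN the receiving switch assigns to a frame sent from vlan_id over the trunk."""
    on_the_wire = trunk_egress(frame, vlan_id, sender_native)
    vid, _ = trunk_ingress(on_the_wire, receiver_native)
    return vid

def demo() -> dict:
    # Constructed layer 2 broadcast (an ARP request, EtherType 0x0806) from a PC.
    bcast = ethernet_frame("ffff.ffff.ffff", "0000.1111.1111", 0x0806, b"constructed ARP")
    return {
        "tag_bytes": len(tag_frame(bcast, 10)) - len(bcast),
        "parsed": parse_tag(tag_frame(bcast, 10, pri=5)),
        "access_untagged": parse_tag(strip_tag(tag_frame(bcast, 10))),
        "native_match": cross_trunk(bcast, 1, 1, 1),      # VLAN 1 both sides: stays VLAN 1
        "tagged": cross_trunk(bcast, 10, 1, 1),           # non-native VLAN travels tagged
        "native_mismatch": cross_trunk(bcast, 1, 1, 10),  # untagged VLAN 1 lands in VLAN 10
    }
```

The last entry of demo() is the leak described above: with native VLAN 1 on one end and 10 on the other, an untagged frame from VLAN 1 is delivered into VLAN 10.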

In my next post we will look at the same concepts from the command line perspective. I will also introduce the VTP protocol as well as Inter-VLAN routing.