
Application Note

LANs and VLANs

A Simplified Tutorial

Version 3.0 May 2002 COMPAS ID 90947


Avaya Labs


Companion document

IP Addressing: A Simplified Tutorial

COMPAS ID 92962


Introduction

As the name implies, the purpose of this presentation is to provide a simplified tutorial on local area networks (LANs) and virtual local area networks (VLANs).

The instructions and terminology used in this presentation attempt to comply with industry practices and written standards. They represent the generally accepted implementations of the written standards.

It is important to understand that written standards are sometimes ambiguous, and are thus implemented differently among various vendors. This tutorial seeks to balance between the two and does not rely solely on written standards or specific implementations.

All IP addresses and numbering schemes in this tutorial are hypothetical, and used for illustration purposes.


First, the basics

OSI and TCP/IP

OSI Reference Model   | TCP/IP                 | Terms used in this tutorial
7 – Application       | Application            |
6 – Presentation      | Application            |
5 – Session           | Application            |
4 – Transport         | Host-to-Host (TCP/UDP) |
3 – Network           | Internet (IP)          | router, subnet, IP address
2 – Data Link         | Network Interface      | switch, VLAN, MAC address, Ethernet
1 – Physical          | Network Interface      | hub

This table is presented for reference purposes.

– The first column shows the 7-layer OSI Reference Model, which is a model used to design protocols that make networking possible.

– The second column shows the TCP/IP protocol stack in reference to the OSI model. TCP/IP is the prevalent protocol stack for data networking.

– The third column shows the terms that will be used in this tutorial, in reference to both OSI and TCP/IP.


Hub (a collision domain)

A hub is a L1 (physical layer) multi-port repeater.

– It receives a signal on one port, regenerates it, and transmits it out all ports.

– All devices connected to a hub receive any transmission on that hub, regardless of the intended recipient.

– Note: Simple hubs have a single bus that is capable of operating at either 10Mbps or 100Mbps, but not both. These are pure L1 devices, no “smarter” than the original coax Ethernet bus they replaced. The very common 10/100 hubs actually have two buses, a 10M bus and a 100M bus, which are bridged. This bridging function is a L2 function, so technically speaking 10/100 hubs are not pure L1 devices.

Two or more devices on a hub cannot transmit at the same time.

– When two or more devices simultaneously transmit, there is a collision.

– The devices must back off and re-transmit at dispersed intervals, so that only one device is transmitting at any given time.

Because of these characteristics, a hub (or a group of hubs connected together) is known as a collision domain.

Hubs operate only at half duplex; attached devices cannot transmit and receive at the same time.

Generally speaking, only four 10M hubs or two 100M hubs can be connected together.


Switch (a broadcast domain)

A switch is more than just a repeater. It is a L2 (data link layer) bridge, which means that it is “aware” of L2 MAC addresses.

– MAC addresses and Ethernet frames will be discussed in more detail later.

A switch keeps track of which devices are connected to which ports by maintaining a table of the MAC-address-to-switch-port mapping.

– We’ll simply call this the MAC table. It is populated by recording the source MAC addresses of incoming Ethernet frames on each port.

– MAC table entries are designed to time out, typically after a few minutes, if no further frame from the same source MAC address is received on that port.

Transmissions on a switch are sent only to the intended recipients, determined by the destination MAC address.

– The exception to this is if the destination MAC address is not already in the MAC table, in which case the Ethernet frame is transmitted out all ports.

Broadcasts are sent to all recipients, as they are intended to be.

For this reason, a switch (or a group of switches connected together) is known as a broadcast domain.

Switches can operate at full duplex; multiple attached devices can transmit and receive at the same time.
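As an added example (not part of the Avaya tutorial), the following Python simulates the MAC table and forwarding rule described on this slide: learn the source MAC on the ingress port, send a known unicast only to the intended recipient's port, flood unknown unicasts and broadcasts, and age entries out when no frame from that source has been seen for a while. The 300-second default aging time, the port numbering and the MAC addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str  # source MAC, learned by the switch
    dst: str  # destination MAC, used for the forwarding decision


@dataclass
class MacTable:
    """MAC-address-to-port mapping with aging (the tutorial's "MAC table")."""
    age_seconds: float = 300.0  # assumed aging time ("a few minutes")
    entries: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def learn(self, mac: str, port: int, now: float) -> None:
        # Record the source MAC on the port it arrived on. A later frame from the
        # same MAC on another port simply moves the entry (last source wins).
        self.entries[mac] = (port, now)

    def lookup(self, mac: str, now: float):
        hit = self.entries.get(mac)
        if hit is None:
            return None
        port, last_seen = hit
        if now - last_seen > self.age_seconds:
            del self.entries[mac]  # no frame from this source recently: entry times out
            return None
        return port


class Switch:
    def __init__(self, num_ports: int, age_seconds: float = 300.0):
        self.num_ports = num_ports
        self.table = MacTable(age_seconds)

    def forward(self, ingress: int, frame: Frame, now: float) -> list:
        """Return the ports the frame is transmitted out of (never the ingress port)."""
        self.table.learn(frame.src, ingress, now)
        all_other_ports = [p for p in range(self.num_ports) if p != ingress]
        if frame.dst == BROADCAST_MAC:
            return all_other_ports  # broadcast: every recipient gets it, as intended
        port = self.table.lookup(frame.dst, now)
        if port is None:
            return all_other_ports  # unknown destination: flooded like a broadcast
        if port == ingress:
            return []  # destination already sits behind the ingress port
        return [port]  # known unicast: only the intended recipient's port


if __name__ == "__main__":
    sw = Switch(num_ports=4, age_seconds=60)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    print(sw.forward(0, Frame(a, b), now=0))  # flooded: b not yet learned
    print(sw.forward(1, Frame(b, a), now=1))  # a is known on port 0
    print(sw.forward(0, Frame(a, b), now=2))  # b is now known on port 1
```

Worth noticing when reasoning about switch behaviour from a security standpoint: the table is written from whatever source address arrived last, and an unknown or aged-out destination is flooded to every port, so the "only to the intended recipient" property holds only while the table entry exists.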


An overview of LANs

A single hub or switch is a physical LAN segment.

– “Ethernet segment” is more precise, but we’ll use the general term.

An IP endpoint (PC, server, IP phone, etc.) is a host and has an IP address.

– In this diagram the hub or switch itself is also a host, with an IP address.


A LAN segment typically contains one IP network or sub-network. There is a difference between the two, but the term “subnet” is generally used.

– We will not address in detail the case of two or more subnets residing on one LAN segment, which is a valid but uncommon case.

This subnet is 10.1.1.0 with subnet mask 255.255.255.0, which implies…

– Host addresses are 10.1.1.1 through 10.1.1.254.

– Broadcast address is 10.1.1.255, which is the IP address used to transmit to all hosts on the subnet.

All hosts are “aware” of their individual subnet and mask, and what that implies.


Two or more hubs or switches connected together still constitute one physical LAN segment.

The only differences between this diagram and the previous are…

– Having two hubs or switches increases the port density.

– The up-link between the two devices may be a bottleneck.

Note: It is not required that a hub or switch have an IP address. However, the device is very likely to have an IP address if it is remotely manageable (i.e., configure, troubleshoot, view statistics, upgrade firmware, etc.). Otherwise, the device must be managed via a console port or not at all.


Now we’ve added a second LAN segment, which contains a different IP subnet.

All hosts on the second subnet have addresses pertaining to that subnet.

Hosts on one subnet cannot communicate with hosts on the other subnet.

– The obvious reason is that the two LAN segments are physically separated.

– However…


Break for an explanation of ARP

IP addresses and MAC addresses

An IP address is a 32-bit Network Layer (L3) address on the OSI model. It is configured on each IP host.

A MAC address is a 48-bit Data Link Layer (L2) address on the OSI model. It is typically “burned in” to the network interface card or equivalent, and is a combination of the manufacturer ID and the board ID (serial number).

An IP packet, with source and destination IP addresses, is encapsulated in an Ethernet frame, with source and destination MAC addresses. The Ethernet frame is then transmitted on the LAN segment.


On a LAN segment, hosts communicate with one another using MAC addresses, even though applications use IP addresses.

– Therefore, each IP host must resolve the destination IP address to the destination MAC address before sending an IP packet.

– This is done using the Address Resolution Protocol (ARP).


How ARP works

Host X needs to send an IP packet to host Y but only knows Y’s IP address.

X sends an ARP Request message containing Y’s IP address, which is broadcast to all the hosts on the LAN segment.

– Remember that hosts communicate with each other using MAC addresses.

– This broadcast is a MAC broadcast, which means that the destination MAC address is a L2 broadcast address (all 48 address bits are ones).

– The source MAC address of this ARP Request message is X’s MAC address.

All hosts on the LAN segment receive the ARP Request message, but only Y recognizes the request as pertaining to its IP address.

– The ARP Request message contains X’s MAC and IP addresses.

– All hosts make an entry with this mapping in their respective ARP caches.

Y sends a unicast ARP Reply message containing its MAC and IP addresses directly to X.

– X now knows Y’s MAC and IP addresses, and makes a corresponding entry in its ARP cache.

Entries in ARP caches are designed to time out, typically after a few minutes. When this happens, the ARP process is repeated.


Back to LANs

Take the previous diagram and connect the two segments together to make one physical LAN segment (not recommended).

Hosts on one subnet still could not communicate with hosts on the other subnet because…

– Hosts are “aware” of their subnet and will only ARP for addresses in their subnet. For example, 10.1.1.11 will not ARP for 10.1.2.11.

– To get to hosts on another subnet, an IP gateway is required.

But broadcasts (including ARPs) would be seen by all hosts because…

– The broadcast is at the MAC layer (L2) and is seen by all hosts on the same physical LAN segment.


But wait. We said that each IP subnet had a broadcast IP address, so why doesn’t that limit the broadcast to just one subnet?

Yes, the broadcast address for subnet 10.1.1.0 with mask 255.255.255.0 is 10.1.1.255. And the broadcast address for subnet 10.1.2.0 with mask 255.255.255.0 is 10.1.2.255.

But hosts on a LAN segment can’t communicate using IP addresses alone, so these IP broadcasts are converted to MAC broadcasts.

The sequence is as follows…

– Host 10.1.1.11 sends a broadcast packet to 10.1.1.255.

– The IP packet with destination broadcast IP address 10.1.1.255 is encapsulated in an Ethernet frame with destination broadcast MAC address FFFFFFFFFFFF (hex for 48 binary ones).

– Every host on the LAN segment sees the MAC broadcast.

– Only hosts on subnet 10.1.1.0 dig deeper into the IP packet.

– Hosts on subnet 10.1.2.0 must examine the MAC broadcast, but ignore the IP broadcast because it pertains to a different subnet.
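As an added example (not from the tutorial), the following Python models one physical LAN segment with hosts from two subnets connected to it, the case the last few slides describe. It covers the subnet and broadcast-address arithmetic from the "overview of LANs" slides, a host that ARPs only for addresses inside its own subnet (or for its gateway), the ARP request/reply exchange from "How ARP works", and an IP broadcast that every host sees at L2 but that only same-subnet hosts accept. Frame contents are dicts rather than real byte layouts, ARP cache aging is left out, and the addresses and MACs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"  # FFFFFFFFFFFF: all 48 bits set
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    payload: dict  # constructed: the ARP fields or the IP packet as a dict


class Segment:
    """One physical LAN segment: every host sees every frame (hub semantics)."""

    def __init__(self):
        self.hosts = []

    def transmit(self, frame: Frame) -> None:
        for host in list(self.hosts):
            host.receive(frame)


class Host:
    def __init__(self, mac, ip_with_mask, segment, gateway=None):
        self.mac = mac
        iface = ipaddress.ip_interface(ip_with_mask)  # e.g. "10.1.1.11/24"
        self.ip, self.network = iface.ip, iface.network
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.arp_cache = {}  # "ip" -> MAC (aging omitted in this example)
        self.accepted = []  # IP packets this host processed
        self.ignored = []  # MAC broadcasts carrying another subnet's IP broadcast
        self.segment = segment
        segment.hosts.append(self)

    def next_hop(self, dst_ip):
        """Hosts only ARP for addresses in their own subnet; otherwise the gateway."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.network:  # includes the subnet broadcast address
            return dst
        return self.gateway  # None when no gateway is configured

    def send_ip(self, dst_ip, data) -> bool:
        hop = self.next_hop(dst_ip)
        if hop is None:
            return False  # off-subnet destination and no IP gateway
        if hop == self.network.broadcast_address:
            dst_mac = BROADCAST_MAC  # the IP broadcast becomes a MAC broadcast
        else:
            if str(hop) not in self.arp_cache:
                self.arp_request(hop)  # fills the cache if the hop answers
            dst_mac = self.arp_cache.get(str(hop))
            if dst_mac is None:
                return False
        packet = {"src": str(self.ip), "dst": str(dst_ip), "data": data}
        self.segment.transmit(Frame(self.mac, dst_mac, ETHERTYPE_IP, packet))
        return True

    def arp_request(self, target_ip) -> None:
        arp = {"op": "request", "sender_mac": self.mac, "sender_ip": str(self.ip),
               "target_ip": str(target_ip)}
        self.segment.transmit(Frame(self.mac, BROADCAST_MAC, ETHERTYPE_ARP, arp))

    def receive(self, frame: Frame) -> None:
        if frame.dst_mac not in (self.mac, BROADCAST_MAC):
            return  # not addressed to this host's MAC
        if frame.ethertype == ETHERTYPE_ARP:
            self._handle_arp(frame.payload)
            return
        dst = ipaddress.ip_address(frame.payload["dst"])
        if dst == self.ip or dst == self.network.broadcast_address:
            self.accepted.append(frame.payload)
        else:
            self.ignored.append(frame.payload)  # examined at L2, dropped at L3

    def _handle_arp(self, arp) -> None:
        # As the slide describes: every host that sees the message caches the sender mapping.
        self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]
        if arp["op"] == "request" and ipaddress.ip_address(arp["target_ip"]) == self.ip:
            reply = {"op": "reply", "sender_mac": self.mac, "sender_ip": str(self.ip),
                     "target_ip": arp["sender_ip"]}
            # unicast reply, straight back to the requester's MAC
            self.segment.transmit(Frame(self.mac, arp["sender_mac"], ETHERTYPE_ARP, reply))
```

Running the scenario with 10.1.1.11, 10.1.1.12 and 10.1.2.11 on one segment shows both halves of the argument: the 10.1.2.11 host caches the ARP mapping and has to examine every MAC broadcast, yet never accepts a packet, and 10.1.1.11 does not even attempt to ARP for 10.1.2.11 until a gateway is configured.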


Now it should be more clear why a LAN segment typically has only one associated IP subnet.

Why broadcast messages to hosts that don’t need to see them?

In most cases it is preferable to maintain a 1-to-1 mapping of a L2 broadcast domain (physical LAN segment) to a L3 broadcast domain (logical IP subnet).

Note: Having two different routers with different subnets on one LAN segment can also cause serious problems with routing in rare configurations, which will not be discussed in detail here.


Enter the router - the IP gateway. This is a L3 (network layer) device.

Now when host 10.1.1.11 wants to send an IP packet to host 10.1.2.11, host 1.11 forwards the packet to the gateway (1.254 in this diagram).

This router forwards the packet directly to the 2.11 host because the 10.1.2.0 subnet is directly connected. Otherwise, the packet would be forwarded to the next hop router en route to that subnet.

The router, which is a L3 boundary, is a broadcast barrier.

– Broadcasts on one subnet are not transmitted across the router to the other subnet, unless specifically configured to do so.


What if we were to connect the two LAN segments together? (again, not recommended, and might produce an error condition on the router)…

– Hosts on one subnet would still require the router to communicate with hosts on the other subnet.

– But now the broadcasts would “leak” from one subnet to the other, because we’ve created one LAN segment.

– We have one L2 broadcast domain (LAN segment) with two L3 broadcast domains (IP subnet) :-(

Transition to VLANs

A “smart” L2 switch is required to implement VLANs, which are specified in the IEEE 802.1Q standard.


– Hubs no longer apply, because they are simply dumb repeaters that operate at L1.

– Simple switches with no 802.1Q intelligence also do not apply.

A filtering database resident on the switch keeps track of which ports belong on which VLAN.

Every port belongs to at least one VLAN, which is the port/native VLAN.

– The 802.1Q standard and most Cajun switches call this the port VLAN, with an associated port VLAN ID (PVID).

– Cisco switches call this the native VLAN.

– Although VLAN1 is the default port/native VLAN, this can be changed on a per port basis by configuration.

What was once a physical LAN segment is now a logical VLAN.


If we want to add a second VLAN, we don’t need a second switch.

– We simply create another VLAN on the same switch and assign the desired ports to that VLAN (we change the port/native VLAN on the desired ports).

– The switch’s filtering database maintains the port-to-VLAN mapping.

– This diagram is analogous to having two separate switches or LAN segments.

By default a host pertains to the port/native VLAN of the connected port, and must be configured with the proper IP address for that VLAN.

– In this diagram hosts on VLAN1 are on one IP subnet, and hosts on VLAN2 are on a different IP subnet, which is the correct implementation.

– In this diagram the switch itself is configured to be a host on VLAN1.


Continuing with the same diagram

What was before two separate LAN segments is now two VLANs, and all the same conditions apply.

– Hosts on VLAN1 cannot communicate with hosts on VLAN2 without an IP gateway. This would be true even if we physically connected the two VLANs together with a cross-over cable.

– Broadcasts on VLAN1 do not “leak” onto VLAN2, but they would if we were to connect the two VLANs together with a cross-over cable.

What if we did connect the two VLANs together with a cross-over cable?

– In effect, this results in one VLAN (one L2 broadcast domain) with two subnets (two L3 broadcast domains), which is not desired.

– No different than connecting two physical LAN segments together.


So how do we get the two subnets to talk to each other?

Again, an IP gateway is required. And as before with two LAN segments, an external router could be used to provide the gateway function.

However, this is not how it is typically accomplished.

– This diagram is here mainly so that the reader can make a connection between an external router servicing two LAN segments, and one servicing two VLANs.

– There is no difference.


Today it is more common to see switches with both L2 and L3 functions (Avaya Cajun, Cisco Catalyst, and many others).

The switching function (L2) continues to maintain a filtering database to keep track of VLANs and ports, just as before.

The routing function (L3) resident on the switch fills the gateway role previously filled by an external router, and performs many of the other functions previously performed by an external router.

– Instead of physical router interfaces, we now have virtual router interfaces.

– Instead of physical connections between the router and the switch(es), we now have logical connections.


Continuing with the same diagram

One major difference is the mapping between L2 and L3 domains.

Remember before that it was possible for one LAN segment to have two connections from an external router to service two IP subnets, which was not recommended.

In this case, we could not create another virtual router interface (L3) for VLAN1 or VLAN2 (L2), nor would we want to.

– Each L2 entity (VLAN) can have only one L3 (virtual router) interface with only one IP subnet.

– This maintains the 1-to-1 mapping between L2 and L3 broadcast domains.

– The only way to add a second IP subnet to a VLAN (not recommended) would be to use an external router.


Let’s recap before moving on

A hub is a L1 device, a switch a L2 device, and a router a L3 device.

A hub is a collision domain (all devices see all transmissions), so by default it has the characteristics of a broadcast domain (all devices see broadcast transmissions).

A physical LAN segment (with at least one switch, let’s say, to avoid argument) is a L2 broadcast domain, and so is a VLAN.

– Hence a VLAN is the logical equivalent of a physical LAN segment…

– with the caveat that a VLAN is always switched, whereas a LAN segment may contain switches and hubs.

An IP subnet is a L3 broadcast domain.

Under most circumstances, we prefer to maintain a 1-to-1 mapping of a L2 broadcast domain to a L3 broadcast domain. Therefore…

– A physical LAN segment contains one IP subnet.

– A VLAN contains one IP subnet.

Each upper layer device/function is a boundary for the lower layer device/function.

– A router is a boundary between broadcast domains.

– A switch is a boundary between collision domains.


Move forward to 802.1Q trunking

How do we interconnect two or more of these smart L2 switches together?

Physically connecting the VLANs together is one way, but it is not the recommended way.

This slide and the following are primarily for illustration purposes! Do not try this in your enterprise :-)


This creates two VLANs that traverse multiple switches.

Note: This scenario requires multiple instances of the Spanning Tree Protocol - one instance per VLAN on each switch. Otherwise, a single Spanning Tree process running on each switch would cause them to block one of these links to prevent a Spanning Tree loop. Most advanced switches implement per-VLAN Spanning Tree in a proprietary implementation, as it is not yet standard.

But we don’t want to have to do this

This creates five VLANs that traverse multiple switches.

BUT

A simple wiring error through the closets could end up in this.

– This is a technically valid configuration.

VLANs are local to the Ethernet switch and do not have to match across switches.

– But probably no one would intentionally do something like this.

So how do we connect two or more smart L2 switches together and maintain VLAN numbering consistency?

We trunk the VLANs.

– On each switch we configure a trunk port (can be any Ethernet port) that is logically connected to multiple VLANs.

– Then we connect the trunk ports together.

The numbering is kept consistent through the use of 802.1Q tags.


Terminology check

access port / link - 802.1Q terms to define a port with one or more untagged VLANs, and a link connecting two such ports.

trunk port / link - 802.1Q term to define a port with multiple VLANs that are all tagged, and a link connecting two such ports.

hybrid port / link - 802.1Q term to define a port with both untagged and tagged VLANs, and a link connecting two such ports.

VID - 802.1Q acronym for VLAN ID

PVID - 802.1Q acronym for port VLAN ID

tagged frame - An Ethernet or 802.3 frame with the 802.1Q tag.

clear frame - An Ethernet or 802.3 frame with no tag.

VLAN trunking - a generic networking vernacular term to describe the process of forwarding multiple VLANs across a single link, whether via 802.1Q or proprietary protocols like Cisco’s ISL.


802.1Q tag

[Diagram: the IEEE 802.1Q tag and its insertion point within the Ethernet and 802.3 frames]

802.1Q tag continued

The preceding diagram shows the IEEE 802.1Q tag and its insertion point within the Ethernet and 802.3 frames. (The term “Ethernet” is commonly used to describe both types of frames, although the two are different.)

The 802.1Q tag contains 3 priority bits and 12 VLAN ID bits.

– The priority bits are the reason why 802.1Q is often referred to as 802.1p/Q.

– The VID bits make trunking possible.

Ethernet switches and endpoints must be capable of interpreting the 802.1Q tag to make use of the tag.

If an Ethernet switch or an endpoint cannot interpret the 802.1Q tag, the presence of the tag may cause problems.
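As an added example, not code from the tutorial, the following Python builds a clear frame, inserts the tag, parses it back and strips it again, so the layout on the diagram becomes concrete bytes. Two details the slide does not spell out, but which are in the standard, are used: the tag starts with the 16-bit TPID 0x8100 sitting in the EtherType position, and the 16-bit TCI after it holds the 3 priority bits, one CFI bit and the 12 VID bits. The MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag (from the standard)


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """A clear (untagged) Ethernet II frame header followed by its payload; no FCS."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def insert_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC: TPID, then PCP(3) | CFI(1) | VID(12)."""
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (pcp << 13) | ((cfi & 1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header; a tag is recognised by TPID 0x8100 at the EtherType position."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "cfi": None, "vid": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]  # the real EtherType follows the tag
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    # VID 0 means "priority only": the frame belongs on the port/native VLAN
    info["priority_tagged"] = info["tagged"] and info["vid"] == 0
    return info


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag so a device that cannot interpret it sees a clear frame."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    clear = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("000000000011"),
                        0x0806, b"\x00" * 28)  # constructed ARP-sized payload
    tagged = insert_tag(clear, vid=2, pcp=5)
    print(parse_frame(tagged))
```

A device that does not understand the tag reads 0x8100 as the EtherType of the whole frame, which is exactly why the slide warns that an unexpected tag "may cause problems": the real EtherType and the first four bytes of the payload are shifted by the tag length.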


How VLAN trunking works w/ 802.1Q

Continuing with the previous trunking diagram

When one switch sends an Ethernet frame to the other, the transmitting switch inserts the 802.1Q tag with the appropriate VID (with the exception of the PVID/native VID in some cases).

The receiving switch reads the VID and forwards the Ethernet frame to the appropriate VLAN.


VLAN trunking is not the same as VLAN configuration.

The VLANs must be configured independently on each switch, using any of the following methods.

… manually via the CLI or web interface.

… with a VLAN management tool provided by the vendor.

… automatically with a standard protocol like GVRP (GARP VLAN Registration Protocol), which works in conjunction with 802.1Q.

… automatically with a proprietary protocol like Cisco’s VTP (Virtual Trunking Protocol), which works in conjunction with Cisco’s proprietary ISL (Inter- Switch Link) trunking protocol.

802.1Q trunking simply matches VIDs across switches. It does not help if the VIDs cannot be matched…


Default tagging behavior on most Catalyst switches

Every port, including hybrid/trunk ports, has a native VLAN.

By default, enabling 802.1Q trunking on most Catalyst switches results in a hybrid configuration.

– The transmitting switch does not tag frames originating from the native VLAN of the egress port, but tags all other VLANs.

– The receiving switch forwards all clear frames to the native VLAN of the ingress port, and all tagged frames to the appropriate VLAN.

Because the native VLAN is not tagged, the native VIDs do not have to match. Both of the following scenarios are technically valid, but probably no one would intentionally implement the second scenario.


Default tagging behavior on Avaya’s Cajun switches

Every port, including trunk ports, has a port VLAN.

Other VLANs are added to a port via the “bind-to-xxxx” commands.

In terms of egress…

– There is no hybrid scenario on Cajun switches.

– An access port with just the port VLAN sends the port-VLAN frames clear.

– An access port bound to multiple VLANs sends all frames clear, including port-VLAN frames.

– A trunk port sends all frames tagged, including port-VLAN frames.

– Note: Whether in a single-VLAN or multi-VLAN configuration, 802.1Q trunking must not be enabled on Cajun switches when connecting to an Avaya™ IP phone with an attached PC, because the PC cannot interpret the tag.

In terms of ingress…

– An access port with just the port VLAN accepts clear frames and priority-tagged frames (frames with VID zero - discussed in the next slide).

– An access port bound to multiple VLANs accepts clear frames or priority-tagged frames on the port VLAN, and VLAN-tagged frames on the other VLANs.

– A trunk port behaves exactly like an access port in terms of ingress traffic.


VLAN ID zero (0)

VID 0 is the null VID.

– It is used when the 802.1Q tag contains only priority information.

– The VID field cannot be removed from the tag, so zero is used to indicate that there is no VID.

– Because there is no VID, it is treated like a clear frame and associated with the port/native VLAN of the ingress port.

– 802.1Q trunking may or may not be enabled when using the null VID, provided the receiving switch is capable of interpreting the tag.

The null VID should be used to associate priority-tagged frames to the port/native VLAN of the ingress port.

– The point of the null VID is that the frame belongs on the port/native VLAN, regardless of what it may be.

– It should not be necessary to tag a frame with the PVID/native VID; the switch should associate VID zero with the port/native VLAN.

• This becomes critical for PCs with NICs that are capable of tagging the priority value but not the VID, and thus leave the field as zero.

– Although zero should be used, tagging with the PVID/native VID instead of zero typically does not hinder operation. Some Cisco switches actually require this because they don’t understand VID zero.

Note: There is no null priority. Priority zero is a priority with value zero.
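To make the port/native VLAN rules concrete, here is an added Python model (not Avaya’s or Cisco’s code) of one end of an 802.1Q hybrid link with the Catalyst default tagging behavior from the earlier slide and the null-VID handling from this one: clear frames and VID-0 frames are filed under the native VLAN of the ingress port, other VIDs are accepted only if the link carries them, and native-VLAN traffic leaves untagged with its priority lost. The VLAN numbers are constructed, and the assumption that a switch which does not understand VID 0 simply drops such frames is made for this example (the slide only says some switches require the native VID instead).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]  # None = clear frame (no tag); 0 = priority-tagged (null VID)
    pcp: int = 0        # the 3 priority bits


@dataclass
class TrunkPort:
    """One end of an 802.1Q hybrid/trunk link with Catalyst default tagging behavior."""
    native_vid: int
    allowed_vids: frozenset          # VLANs carried on the link, native included
    understands_vid0: bool = True    # False models a switch that rejects the null VID

    def classify_ingress(self, frame: Frame) -> Optional[int]:
        """VLAN a received frame is forwarded to, or None when it is not accepted."""
        if frame.vid is None:
            return self.native_vid   # clear frame -> native VLAN of the ingress port
        if frame.vid == 0:
            # null VID: the frame belongs on the port/native VLAN, whatever it is;
            # a switch that does not understand VID 0 is assumed here to drop it
            return self.native_vid if self.understands_vid0 else None
        return frame.vid if frame.vid in self.allowed_vids else None

    def egress(self, vlan: int, pcp: int = 0) -> Optional[Frame]:
        """Catalyst default: native VLAN leaves clear (priority lost), others leave tagged."""
        if vlan not in self.allowed_vids:
            return None
        if vlan == self.native_vid:
            return Frame(vid=None, pcp=0)  # no tag at all, so the priority is not carried
        return Frame(vid=vlan, pcp=pcp)


def forward_over_link(tx: TrunkPort, rx: TrunkPort, vlan: int, pcp: int = 0) -> Optional[int]:
    """VLAN the far switch files a frame under, given the VLAN it left the near switch on."""
    frame = tx.egress(vlan, pcp)
    return None if frame is None else rx.classify_ingress(frame)


def native_vlan_mismatch(a: TrunkPort, b: TrunkPort) -> bool:
    """Configuration check: differing native VIDs are valid but cross-connect two VLANs."""
    return a.native_vid != b.native_vid


if __name__ == "__main__":
    left = TrunkPort(native_vid=1, allowed_vids=frozenset({1, 2, 3}))
    right = TrunkPort(native_vid=2, allowed_vids=frozenset({1, 2, 3}))
    print(native_vlan_mismatch(left, right), forward_over_link(left, right, 1))
```

The native_vlan_mismatch check is the configuration audit a network engineer would want to run on every trunk: with differing native VIDs at the two ends, clear frames from VLAN 1 on one switch are filed under VLAN 2 on the other, which is the second of the two "technically valid" scenarios on the Catalyst slide, and the frames carry no tag that would reveal the mix-up.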

Sample of how Cisco handles VLAN ID zero (results from lab testing)

Catalyst 6509 w/ CatOS 6.1(2): Accepted VID zero for the native VLAN when 802.1Q trunking was enabled on the port. In this case, all but the native VLAN should be cleared off the trunk.

Catalyst 4000 w/ CatOS 6.3(3): Would not accept VID zero for the native VLAN. Opened a case with Cisco TAC, and TAC engineer said it was a hardware problem in the 4000. Bug ID is CSCdr06231. Workaround is to enable 802.1Q trunking and tag with native VID instead of zero. Again, clear all but the native VLAN off the trunk.

Catalyst 3500XL w/ IOS 12.0(5)WC2: Accepted VID zero for the native VLAN when 802.1Q trunking was disabled on the port.

Conclusion: Note the hardware platform and OS version and consult Cisco’s documentation, or call TAC.

How Cajun handles VLAN ID zero

All Cajun switches accept VID 0 as pertaining to the port VLAN, regardless of how the Cajun is configured.

To tag or not to tag

To tag…

– Tag with the proper VID and desired priority when transmitting to a hybrid port and the frame belongs on a VLAN other than the port/native VLAN.

– Tag with VID 0 and the desired priority when transmitting to a hybrid port and the frame belongs on the port/native VLAN.

– Tag with VID 0 and the desired priority when transmitting to an access port.

• The switch should accept this and forward the frame to the port/native VLAN.

• This would only be done if the priority value is significant (non-zero). Otherwise, there should be no tag at all.

– On hybrid ports, a Catalyst switch tags the non-native-VLAN egress traffic with the proper VID and priority.

To tag or not to tag

Not to tag…

– Do not tag when transmitting to a hybrid port and the frame belongs on the port/native VLAN and has no special priority requirement.

– Do not tag when transmitting to an access port and the frame has no special priority requirement.

– By default, Catalyst switches do not tag native-VLAN egress traffic at all, even if the frame has a non-zero priority. Cajun switches do not tag port-VLAN egress traffic unless 802.1Q trunking is enabled.

• This is to accommodate devices that do not understand the tag, and would thus misinterpret or discard the tagged frame.

• To forward priority information from the port/native VLAN to another switch, the link must be a trunk link, meaning that the port/native VLAN must also be tagged.

Pure speculation: The 802.1Q tag came after the Ethernet frame to facilitate VLAN trunking and L2 priority tagging. The tag is not integrated into the Ethernet frame but is added to it when necessary. As VLAN trunking and priority tagging become commonplace with the proliferation of 802.1Q-capable NICs and network devices, we may see the 802.1Q tag become integrated into the Ethernet frame.


Finally, some scenarios


Here are two variations of a common scenario.

Routing between VLANs is performed by the L2/L3 switch.

– This is the distribution switch.

Users connect to L2 switches.

– These are access switches that may or may not be VLAN-capable.

This can be expanded out to many more VLANs than shown.



Here is another variation of the same scenario.

Routing between VLANs is still performed by the L2/L3 distribution switch.

But now the access switches have multiple VLANs, and the uplinks to the distribution switch are hybrid or trunk links.

VLAN1 is the management VLAN in this setup.

– The access switches are hosts on VLAN1.

– Management stations, such as an SNMP server, are connected to VLAN1.

VLANs 2-5 are user VLANs for devices such as user PCs.



Here is a different scenario.

Now the access switches are also L2/L3 switches.

Each access switch routes its own user VLANs (101-104).

The distribution switch routes between access switches and other external networks.

VLANs 1-5 are uplink VLANs; there are no users on these VLANs.

– Each uplink VLAN connects a group of access switches to the distribution switch.

VLANs 101-104 are user VLANs.

– These VLANs are local to their respective access switches.

Broadcasts from these VLANs are not transmitted across the uplinks.

In the previous scenario the user VLANs traverse the access and distribution switches, which results in broadcasts across the uplinks.
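The difference between the two scenarios above is the scope of the L2 broadcast domain: a VLAN-aware switch floods a broadcast to every port that carries the frame's VLAN, so the broadcast crosses an uplink only when the uplink carries that VLAN. The following is an added example, not code from the Avaya tutorial, that models both designs as a graph of links and computes which switches (and how many hosts) a broadcast reaches. Switch names, the VLAN sets on each link and the host counts are constructed assumptions; the VLAN numbers follow the scenarios (management/uplink VLANs 1-5, user VLANs 2-5 in the trunked design and 101-104 in the locally routed design).

```python
"""Broadcast reach in the two VLAN designs from the scenarios above.

Added example, not from the Avaya tutorial. A VLAN-aware switch floods a
broadcast (or unknown unicast) to every port that carries the frame's VLAN,
so the frame crosses an uplink only when that uplink carries the VLAN.
The topologies below are constructed to match the two scenarios: switch
names, VLAN sets on the links and host counts are assumptions.
"""
from collections import deque


def reached_by_broadcast(links, origin, vlan):
    """Switches reached by a broadcast on `vlan` that starts at `origin`.
    links: iterable of (switch_a, switch_b, set_of_vlans_carried_on_link)."""
    adjacency = {}
    for a, b, vlans in links:
        adjacency.setdefault(a, []).append((b, vlans))
        adjacency.setdefault(b, []).append((a, vlans))
    seen, queue = {origin}, deque([origin])
    while queue:
        current = queue.popleft()
        for neighbour, vlans in adjacency.get(current, []):
            # The flood follows a link only if the link carries this VLAN.
            if vlan in vlans and neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def broadcast_domain_size(links, hosts, origin, vlan):
    """Hosts that receive the broadcast: hosts on `vlan` summed over the
    switches reached. hosts: {(switch, vlan): host_count}."""
    return sum(hosts.get(sw, 0) if False else hosts.get((sw, vlan), 0)
               for sw in reached_by_broadcast(links, origin, vlan))


# Design 1 (user VLANs trunked to the distribution switch "D"): the access
# switches A1/A2 carry user VLANs 2-5 and the uplinks trunk them all, plus
# the management VLAN 1.
TRUNKED_LINKS = [
    ("D", "A1", {1, 2, 3, 4, 5}),
    ("D", "A2", {1, 2, 3, 4, 5}),
]
TRUNKED_HOSTS = {("A1", 2): 40, ("A2", 2): 40, ("A1", 3): 40, ("A2", 3): 40}

# Design 2 (access switches route their own user VLANs): user VLANs 101-104
# stay local to each access switch; each uplink carries only its uplink VLAN
# (VLAN 1 for the first group of access switches, VLAN 2 for the second).
ROUTED_LINKS = [
    ("D", "A1", {1}),
    ("D", "A2", {1}),
    ("D", "A3", {2}),
    ("D", "A4", {2}),
]
ROUTED_HOSTS = {(sw, v): 40 for sw in ("A1", "A2", "A3", "A4") for v in (101, 102)}


def compare_scenarios():
    """Reach of a user-VLAN broadcast originating on A1 in each design, plus
    the reach of an uplink-VLAN broadcast in design 2."""
    return {
        "trunked_user_vlan2": sorted(reached_by_broadcast(TRUNKED_LINKS, "A1", 2)),
        "trunked_hosts_vlan2": broadcast_domain_size(TRUNKED_LINKS, TRUNKED_HOSTS, "A1", 2),
        "routed_user_vlan101": sorted(reached_by_broadcast(ROUTED_LINKS, "A1", 101)),
        "routed_hosts_vlan101": broadcast_domain_size(ROUTED_LINKS, ROUTED_HOSTS, "A1", 101),
        "routed_uplink_vlan1": sorted(reached_by_broadcast(ROUTED_LINKS, "A1", 1)),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value}")
```

In design 1 a broadcast on user VLAN 2 from A1 reaches D and A2 (80 hosts in this constructed topology); in design 2 the same kind of broadcast on VLAN 101 stays on A1 (40 hosts), and only traffic on the uplink VLAN itself reaches the distribution switch and the other access switch in that uplink group. The smaller broadcast domain is also a smaller L2 failure and exposure domain, which is the practical reason to prefer design 2 when the access switches can route.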


Here we’ve added an IP telephony twist.

The even-numbered user VLANs are “data” VLANs.

The odd-numbered user VLANs are “voice” VLANs.

PCs are connected into the even VLANs and IP phones are connected into the odd VLANs.

But some of the PCs must “piggyback” on the phones to share a common port.

So we make the shared ports hybrid or multi-VLAN ports, make the even VLAN the port/native VLAN, and tag the phone traffic with the odd VID.

– The clear PC traffic is forwarded to the port/native VLAN, and the tagged phone traffic is forwarded to the appropriate VLAN.
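The tagging rules from the "To tag or not to tag" slides and the shared phone/PC port in the IP telephony scenario above can both be exercised with a small frame builder and classifier. The following is an added example, not code from the Avaya tutorial, and it is not any switch vendor's implementation. It assumes the IEEE 802.1Q layout (a 4-byte tag after the source MAC, TPID 0x8100 followed by the TCI holding PCP, DEI and VID) and the tutorial's port types (access: untagged only; hybrid: native VLAN untagged, other VLANs tagged; trunk: every VLAN tagged, native included). The MAC addresses, VLAN numbers 102/103 and the ingress drop behaviour are constructed assumptions.

```python
"""802.1Q tag handling: building, parsing and classifying Ethernet frames.

Added example, not code from the Avaya tutorial. It models the tagging rules
from the "To tag or not to tag" slides and the shared phone/PC port from the
IP telephony scenario. Frame layout assumed here (IEEE 802.1Q): the 4-byte
tag sits after the source MAC and holds TPID 0x8100 followed by the TCI,
which packs PCP (3 bits), DEI (1 bit) and VID (12 bits). Port types follow
the tutorial's usage: access = untagged only, hybrid = native VLAN untagged
plus other VLANs tagged, trunk = every VLAN tagged, native included.
"""
import struct

TPID_8021Q = 0x8100
VID_PRIORITY_ONLY = 0  # "VID 0": carry a priority, let the switch pick the VLAN

# Constructed sample addresses (locally administered, not real devices).
BCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("02aa00000001")
PHONE_MAC = bytes.fromhex("02aa00000002")
GW_MAC = bytes.fromhex("02aa00000003")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Return an Ethernet frame; insert an 802.1Q tag only when vid is given."""
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)      # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into its fields, detecting an 802.1Q tag by its TPID."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "vid": None,
                "pcp": 0, "ethertype": ethertype, "payload": frame[14:]}
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "vid": tci & 0xFFF,
            "pcp": tci >> 13, "ethertype": ethertype, "payload": frame[18:]}


def egress_tag(port_type, port_vlan, frame_vlan, pcp):
    """Sender-side rule from the slides: which VID goes in the tag when a
    frame belonging on frame_vlan is transmitted out of a port.
    None means send the frame untagged."""
    if port_type not in ("access", "hybrid", "trunk"):
        raise ValueError(f"unknown port type {port_type!r}")
    if port_type == "trunk":
        return frame_vlan                 # everything tagged, native VLAN too
    if frame_vlan != port_vlan:
        if port_type == "access":
            raise ValueError("an access port carries only its own VLAN")
        return frame_vlan                 # hybrid, non-native: proper VID + priority
    # Native/port VLAN on a hybrid or access port: tag with VID 0 only if
    # the priority is significant, otherwise no tag at all.
    return VID_PRIORITY_ONLY if pcp else None


def ingress_classify(port_type, port_vlan, allowed_vlans, frame):
    """Receiver-side rule: return (vlan, pcp) for an arriving frame, vlan None
    meaning the switch drops it. Assumption made here: an access port drops
    tagged frames other than VID 0, and a hybrid/trunk port drops a tag whose
    VID is not in allowed_vlans, so an endpoint cannot place traffic on a
    VLAN the port was not configured to carry."""
    f = parse_frame(frame)
    if not f["tagged"] or f["vid"] == VID_PRIORITY_ONLY:
        return port_vlan, f["pcp"]        # untagged or priority-tagged -> port VLAN
    if port_type == "access" or f["vid"] not in allowed_vlans:
        return None, f["pcp"]
    return f["vid"], f["pcp"]


def shared_phone_port_demo():
    """IP telephony scenario: one hybrid port with data VLAN 102 as the
    port/native VLAN (PC sends untagged) and voice VLAN 103 tagged by the
    phone. Returns the (vlan, pcp) assigned to each frame; VLAN numbers and
    frame contents are constructed."""
    port_vlan, allowed = 102, {102, 103}
    pc_arp = build_frame(BCAST, PC_MAC, 0x0806, b"\x00" * 28)
    phone_rtp = build_frame(GW_MAC, PHONE_MAC, 0x0800, b"voice", vid=103, pcp=5)
    return (ingress_classify("hybrid", port_vlan, allowed, pc_arp),
            ingress_classify("hybrid", port_vlan, allowed, phone_rtp))


if __name__ == "__main__":
    print(shared_phone_port_demo())       # ((102, 0), (103, 5))
```

`egress_tag` encodes the slide rules directly: a non-native VLAN on a hybrid port is tagged with its own VID, the native VLAN on a hybrid or access port is tagged with VID 0 only when the priority is non-zero, and a trunk tags everything. `ingress_classify` is the matching receiver behaviour, including the check that only VIDs permitted on the port are accepted; whether a given switch drops or reassigns an unexpected tag is vendor-specific, so treat that branch as the conservative assumption rather than a description of Catalyst or Cajun behaviour.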


Conclusion

At first the Ethernet LAN was a shared coax bus (thick-net, thin-net).

The hub replaced the coax bus, but there were still collisions on the hub.

The switch replaced the hub and removed the collisions, but the switch itself was one L2 broadcast domain.

Then smart L2 switches came along that could create multiple VLANs (multiple L2 broadcast domains) on a single switch. IEEE 802.1Q is the standard that brought this about.

– The 802.1Q tag facilitates VLAN trunking between these switches.

– At some point L3 (routing) functionality was added to these switches to remove the need for an external router in many cases.

Real-time applications, such as IP telephony, have increased the practice of using the 802.1Q tag for priority tagging as well as VLAN trunking.

NICs with priority-tagging capability already exist. It’s probably only a matter of time before PCs are able to assign different priority values to different applications and tag them accordingly.

Is it a stretch to speculate that one day endpoints will have the capability to tag different applications to different VLANs and source them from different IP addresses?


© 2002 Avaya Inc. All Rights Reserved. DA/LHP 7/8/02
