4

I have few questions regarding the functioning of VLANs:

1) Would end hosts (e.g. my laptop) ever see a VLAN ID when connected to a trunked or access port?

2) As a follow-up to 1, in a normal VLAN setup do end hosts tag the packet, or is tagging done by the switches only?

3) Finally, do access ports ever use VLAN tags, or are the tags required only when sending traffic through trunked links? If access ports don't use VLAN tags, then how do they handle packets?

Thanks!

user1126425

3 Answers

5

1) Yes, when it's connected to a trunk port, and no when it's connected to an access port. An access port is a "normal" port, so it's meant for untagged traffic to go through. A trunk port is for tagged traffic, and usually acts as an "uplink". It is also possible to send untagged data via a trunk port, and it will be treated as "default vlan" data.

2) In a "normal" setup, the switches do the tagging. So the PC sends an untagged packet, and the switch adds the tag. But since you usually have the router connected to a trunk port, the router has to do the tagging too. But end-user PCs (connected to access ports) only use untagged traffic. Also some servers are connected to trunk ports, and send tagged packets (usually virtualization servers, or similar).

3) An access port is meant for end devices. For example, you set the port to vlan100, and connect a PC. The computer sends a packet to the switch, and the switch knows the port is in vlan100, tags the packet accordingly, and sends it where needed. When a packet is going to the PC, the switch knows it's an access port, and strips the vlan tag from the packet.

mulaz
  • Ok, that clears up my confusion regarding access ports. Thanks! But how do servers use multiple LANs? Do they tag/untag traffic within the Linux kernel, or is it somewhat hardware assisted? – user1126425 May 24 '12 at 23:50
  • On Linux the kernel does it. It's not really that CPU-intensive that it would need any hardware assistance. It's just adding a few bits after one of the headers. – mulaz May 25 '12 at 01:11
4

1.) An access port by definition has no tags applied to packets. Trunk ports have tags. If your laptop is connected to a trunk port then it will be able to see packets with VLAN tags applied.

2.) Under normal circumstances the switch does the tagging.

3.) Again, definition of access port = no VLAN tagging, definition of trunk port = VLAN tagging present. The idea is that the switch will apply a VLAN tag on ingress based on its configuration (i.e. port x/y is on VLAN 5). The tagged frame is then switched according to that tag - potentially across trunks. When it arrives at its destination the egress port strips the tag off. The hosts on the VLAN simply see a common broadcast domain.

It is reasonably common that certain servers (especially virtualization servers) can be configured to apply and strip VLAN tags, effectively giving them the ability to run a larger number of virtual interfaces on top of a single physical NIC.

rnxrx
  • Thank you for the quick reply. I am a little confused about 3. In that you say that access ports don't support tags, and then you say that tags are applied at the ingress port and stripped off at the egress port. I would interpret it as: 1) access ports don't take in tagged packets from the ingress port 2) if the packet is untagged, they tag it and this tag is stripped off at the egress access port... right? Moreover, in the interesting server scenario, does the server use VLAN-MAC mapping in the kernel to avail this feature? A little detail in this regard would be much appreciated. – user1126425 May 24 '12 at 23:48
  • To clarify - an access port should not accept a frame with a tag on it and, similarly, should never send a frame with a tag. In the case of a trunked port an untagged VLAN can be allowed but is generally mapped to a particular VLAN. This is what's called a native VLAN. In the server scenario each VLAN tag is usually associated with a virtual NIC. Just as in the case of a physical NIC independent ARP tables are maintained for each interface. The application and removal of VLAN tags takes place below this level (often at the interface driver level). – rnxrx May 24 '12 at 23:55
  • Ok. One more question. When configuring a switch can I add an access/untagged port to two VLANs ? I want a host connected to a access port to be a part of two different VLANs ... – user1126425 May 25 '12 at 00:30
  • No - not on a single port of a switch. You can join two VLANs together via some sort of external connection to create a single broadcast domain, of course, but to map a single port into two VLANs kind of breaks the entire model. There used to be mechanisms for dynamically mapping certain kinds of traffic from a given port into multiple VLANs (i.e. put all IP in VLAN A and all IPX in VLAN B), but I haven't heard of that in years. If you want to simultaneously connect to two VLANs you need either a second interface or to set up trunking on your existing one. – rnxrx May 25 '12 at 00:40
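The behaviour the two answers above describe (the switch tags a frame on ingress of an access port and strips the tag on egress, a trunk keeps the tag, untagged traffic on a trunk maps to the native VLAN, and an access port does not accept a tagged frame) modelled as an added Python example; this is not code from any of the posters, and the port dictionaries and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag right after the destination/source MACs."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid            # PCP in bits 15-13, DEI left 0, VID in bits 11-0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def tag_of(frame: bytes):
    """Return (pcp, vid) if the frame is tagged, otherwise None."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci >> 13, tci & 0x0FFF
    return None

def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag (no-op for an untagged frame)."""
    return frame[:12] + frame[16:] if tag_of(frame) else frame

def ingress(port: dict, frame: bytes):
    """Switch-side handling of a frame arriving on a port.
    Returns (vid, tagged_frame), or None when the frame is dropped."""
    tag = tag_of(frame)
    if port["mode"] == "access":
        if tag is not None:            # access ports do not accept tagged frames
            return None
        return port["vlan"], tag_frame(frame, port["vlan"])
    if tag is None:                    # untagged on a trunk -> native VLAN
        return port["native"], tag_frame(frame, port["native"])
    _pcp, vid = tag
    return (vid, frame) if vid in port["allowed"] else None

def egress(port: dict, vid: int, frame: bytes):
    """Switch-side handling of a tagged frame leaving towards a port.
    Access ports get it untagged; trunks keep the tag except for the native VLAN."""
    if port["mode"] == "access":
        return strip_tag(frame) if vid == port["vlan"] else None
    if vid not in port["allowed"]:
        return None
    return strip_tag(frame) if vid == port["native"] else frame

# Constructed sample: broadcast dst MAC, a made-up src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"constructed payload"
# Constructed port configs (hypothetical): PC on VLAN 100, uplink trunk with native VLAN 1.
ACCESS_PORT = {"mode": "access", "vlan": 100}
TRUNK_PORT = {"mode": "trunk", "native": 1, "allowed": {1, 100, 200}}
```

Feeding a frame through `ingress` on one port and `egress` on another reproduces the end-to-end path: a PC on the access port never sees the tag, while a trunk neighbour receives it with the 0x8100 tag in place.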
3
  1. While your laptop is unlikely to have an interface that will do VLAN tagging, some servers can. VLAN tagging is just adding some info to the Ethernet frame, so presumably you can do it with programming, but usually it is done by switches to send them through trunk lines where frames from all VLANs are mixed together.

  2. Yes, generally switches, but other devices can do tagging as well.

  3. The end devices should only see untagged Ethernet frames, as the VLAN tags are stripped before handing them to the end devices, unless the end devices have interfaces that do the stripping.

johnshen64
  • If a router or switch has a port configured as an access port, my understanding is that any device connected to the port sends and receives non-tagged Ethernet frames. For example, a laptop, PC or printer. If a router or switch has a port that is configured to be a trunk port, a device connected to it such as a laptop would have its Ethernet frames tagged so that traffic is communicated with the appropriate VLAN associated with the tag. Is my understanding correct? Is it safe to assume that if a trunk port is associated with an untagged VLAN, there are no tags inserted into the Ethernet frame? – Motivated Oct 27 '19 at 02:56