The primary function of a VLAN is to separate layer 2 traffic. Hosts in one VLAN cannot communicate with hosts in another VLAN without extra services. An example service is a router to pass packets between the VLANs.

Of course, one way of achieving these goals would be to connect each group of hosts to their own switch. This is sometimes done for management traffic. Unfortunately, this gets cost prohibitive, which is why VLANs are often preferred. The VLAN is like a virtual switch in concept.

One reason to put hosts in separate VLANs would be to limit the amount of broadcasts across the network. IPv4, for example, relies upon broadcasts. Separating these hosts will limit how far these broadcasts will go.

Another reason to separate hosts would be for security. In a multitenant data centre, it is important that one customer's data is not visible to another. Putting each customer in its own VLAN prevents this at layer 2; any traffic between them must then pass through a router or firewall, where policy can be applied. Another security case would be if an attacker uses a packet sniffer to capture network data. A mitigation strategy could be to create a 'guest' VLAN for anyone visiting the premises. Server-to-server communication could use a 'secured' VLAN.

Assigning a host to a VLAN allows it to communicate with another host on the same VLAN. Switches can pass VLAN traffic between each other, so hosts on a VLAN do not have to be on the same switch.

A switchport may be a 'tagged' or 'untagged' port.

An untagged port, or access port on a Cisco switch, connects to hosts (such as a server). The host is unaware of any VLAN configuration. The connected host sends its traffic without any VLAN tag on the frames. When the frame reaches the switch port, the switch will add the VLAN tag. The switch port is configured with a VLAN ID that it will put into the tag. Most switch ports will use this mode by default, with VLAN ID 1. When a frame leaves an untagged port, the switch strips the VLAN tag from the frame.

The following diagram shows this process:

1. The frame is received on port 1 of the switch. This is an untagged port, configured with VLAN ID 10.
2. The switch then inserts the VLAN tag into the frame.
3. The switch determines that the frame needs to be forwarded out of port 2.
4. This is also an untagged port, so the VLAN tag is stripped from the frame.
5. Host B receives the untagged frame as normal.

A port is a 'tagged port' when the interface is expecting frames containing VLAN tags. An example of this is when two switches are connected, and pass tagged traffic. Cisco switches use the term 'trunk' to refer to a tagged port.

The sender will send a frame with a VLAN tag. The receiving switch will see the VLAN tag, and if the VLAN is allowed, it will forward the frame as required. For example, a broadcast may be received on VLAN 10. In this case, the switch will flood the frame to all other ports configured with VLAN 10.

Here, you can see this process in action:

1. The frame enters an untagged port on switch 1, configured with VLAN 10 in this case. The switch adds the VLAN tag to the frame.
2. Switch 1 determines that port 2 should send this frame to switch 2. This is a tagged port, so it checks that VLAN 10 is allowed on this port. If it is, it leaves the tag intact, and sends the frame. If VLAN 10 is not allowed, it drops the frame.
3. Switch 2 receives the frame on tagged port 1. This switch also determines if VLAN 10 is allowed on this port, and drops it if it is not.
4. Switch 2 determines that port 2 should send the frame. Since port 2 is an untagged port, it strips the tag from the frame, and then sends it.

In some cases, an untagged frame will arrive on a tagged port. To handle this, tagged ports have a special VLAN configured on them called the untagged VLAN (the 'native VLAN' in Cisco terms). Frames in this VLAN cross the tagged link without a tag, so the untagged VLAN on a trunk should be a VLAN dedicated to that purpose rather than one that also carries host traffic on untagged ports.
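As an added example (not code from the original article), the following Python simulates the processes described above at the byte level: an 802.1Q tag is inserted when a frame enters an untagged port, checked against the allowed list on a tagged port, treated as the untagged (native) VLAN when it arrives on a trunk without a tag, and stripped on the way out of an untagged port. The topology mirrors the walkthrough: switch 1 has port 1 untagged in VLAN 10 and port 2 tagged towards switch 2, whose port 1 is tagged and port 2 untagged in VLAN 10. The extra VLAN 20 access port on switch 2, the untagged VLAN 99 on the trunk, the host MAC address and the frame payload are assumptions added to show that a VLAN 10 broadcast is not flooded into VLAN 20. It goes slightly beyond the text by learning source MACs so that known unicast is forwarded to a single port rather than flooded.

```python
"""802.1Q tagging and VLAN-aware forwarding, simulated in pure Python.

Added example; not the article's code. The tag layout follows IEEE 802.1Q:
a 4-byte tag (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VID)
sits between the source MAC and the EtherType. Port numbers, VLAN 20/99 and
the sample host MAC are assumptions chosen for the demo.
"""
import struct

TPID = 0x8100           # 802.1Q Tag Protocol Identifier
BROADCAST = b"\xff" * 6


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) for an Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]   # low 12 TCI bits = VID


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag (what the switch does on ingress at an untagged port)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]


def untag_frame(frame):
    """Remove the 802.1Q tag if present (egress at an untagged port)."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return dst + src + struct.pack("!H", ethertype) + payload


class Switch:
    """Port config is ('access', vid) or ('trunk', allowed_vids, native_vid)."""

    def __init__(self, ports):
        self.ports = ports
        self.mac_table = {}      # (vid, mac) -> port the MAC was learned on

    def _ingress(self, port, frame):
        """Classify an arriving frame into a VLAN; None means drop it."""
        cfg = self.ports[port]
        vid = parse_frame(frame)[2]
        if cfg[0] == "access":
            if vid is not None:
                return None                       # tagged frame on an access port
            return cfg[1], tag_frame(frame, cfg[1])
        _, allowed, native = cfg
        if vid is None:                           # untagged on a trunk: native VLAN
            vid, frame = native, tag_frame(frame, native)
        return (vid, frame) if vid in allowed else None

    def _egress(self, port, vid, frame):
        """Frame as it leaves `port`, or None if the port does not carry `vid`."""
        cfg = self.ports[port]
        if cfg[0] == "access":
            return untag_frame(frame) if cfg[1] == vid else None
        _, allowed, native = cfg
        if vid not in allowed:
            return None
        return untag_frame(frame) if vid == native else frame

    def receive(self, port, frame):
        """Forward a frame arriving on `port`; return a list of (egress_port, frame)."""
        classified = self._ingress(port, frame)
        if classified is None:
            return []
        vid, frame = classified
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vid, src)] = port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [] if known == port else [known]
        else:
            targets = [p for p in self.ports if p != port]   # flood, filtered per VLAN below
        out = []
        for p in targets:
            sent = self._egress(p, vid, frame)
            if sent is not None:
                out.append((p, sent))
        return out


def build_frame(dst, src, ethertype=0x0806, payload=b"arp-who-has"):
    """Constructed sample frame: ARP EtherType with a placeholder payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def two_switch_demo():
    """Host A (switch 1 port 1, VLAN 10) broadcasts; returns what each switch sent."""
    sw1 = Switch({1: ("access", 10), 2: ("trunk", {10, 20}, 99)})
    sw2 = Switch({1: ("trunk", {10, 20}, 99), 2: ("access", 10), 3: ("access", 20)})
    host_a = bytes.fromhex("020000000001")        # assumed locally administered MAC
    frame = build_frame(BROADCAST, host_a)
    sw1_out = dict(sw1.receive(1, frame))         # tagged copy leaves trunk port 2
    sw2_out = dict(sw2.receive(1, sw1_out[2]))    # untagged copy leaves VLAN 10 port 2 only
    return {"sw1": sw1_out, "sw2": sw2_out}


if __name__ == "__main__":
    for name, sent in two_switch_demo().items():
        for port, f in sent.items():
            print(name, "port", port, "vid", parse_frame(f)[2], f.hex())
```

Running it shows the tag appearing on the trunk and disappearing again at the access port, and switch 2 port 3 (VLAN 20) never receiving the VLAN 10 broadcast. Changing the trunk's allowed set to `{20}` makes switch 1 drop the frame outright, which is the "not allowed" branch in the walkthrough.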