Fundamentals of VLAN's - Router On A Stick
One important factor to consider in all the scenarios is that,
before an end device can generate a ping request,
it must find the MAC address of its gateway using the Address Resolution Protocol (ARP).
Accordingly, in a lab setup where the configuration of an already configured router may be altered to check the
impact of the change, certain factors merit consideration.
These considerations relate to ARP queries and the ARP cache, and the following discussion
covers them to a certain extent.
https://learningnetwork.cisco.com/thread/119282
Reference Layout
Points to consider
Switch
The switch has three VLANs configured on it
Vlan 1 has a PC attached to it with the IP address 1.1.1.1
Vlan 2 has a PC attached to it with the IP address 2.1.1.1
Vlan 3 has a PC attached to it with the IP address 3.1.1.1
Router
The router has its main interface FastEthernet 0/0 subdivided into three virtual interfaces
FastEthernet 0/0.1 with an IP address - 1.1.1.251
FastEthernet 0/0.2 with an IP address - 2.1.1.251
FastEthernet 0/0.3 with an IP address - 3.1.1.251
Section 1
Sample configuration
Switch
We are going to create three VLANs on the switch
We are going to assign ports FastEthernet 0/1 to 0/12 to Vlan 1
We are going to assign ports FastEthernet 0/13 to 0/24 to Vlan 2
We are going to assign ports FastEthernet 0/25 to 0/36 to Vlan 3
We are going to connect the router to port GigabitEthernet 0/5 on the switch
We are going to configure this port on the switch to work as a trunk port
Commands
configure terminal
interface range FastEthernet 0/1 - 12
! The following command is a macro
! The result is as follows
! switchport mode is set to access
! spanning-tree portfast is enabled
! channel group is disabled
switchport host
switchport access vlan 1
exit
Router
We will connect one of the router's FastEthernet interfaces, FastEthernet 0/0, to the switch's trunk port GigabitEthernet 0/5
Further, we will virtually sub-divide this single FastEthernet 0/0 interface into three sub-interfaces
On a router, if an Ethernet interface is subdivided, it can route traffic only if it is configured to work with a trunking protocol, like ISL or
802.1q
We will associate the first sub-interface, FastEthernet 0/0.1, to Vlan numbered 1 and assign it an Ip address 1.1.1.251
We will associate the second sub-interface, FastEthernet 0/0.2, to Vlan numbered 2 and assign it an Ip address 2.1.1.251
We will associate the third sub-interface, FastEthernet 0/0.3, to Vlan numbered 3 and assign it an Ip address 3.1.1.251
Commands
configure terminal
interface FastEthernet 0/0
no shutdown
exit
Section 2
The inter-linking of Vlan numbers and the sub-interfaces
Point 1
This association between the Vlan number and the interface helps the router
To decide where to send the incoming frame for further processing, by checking its Vlan tag
If an incoming frame has a "Vlan Id 2" "clipped on" to it, then that frame will be "sent" to the sub-interface that has been associated
with Vlan-2
Logic
The interface to which an incoming frame will go to, is decided by the Vlan-Id-Tag attached on to it
If there is no Vlan-Id-Tag attached to the frame
The frame will be sent to the interface that has been configured as "native" interface using the command - Router(config-subif)#encapsulation dot1Q vlan number native
As a default, any interface, associated with Vlan-1, is automatically configured with the native command in the running
configuration
Point 2
This association between the Vlan number and the interface helps the router
To decide which "Vlan Id Number" to attach to the outgoing frames
If the frame is going out of interface FastEthernet 0/0.3, then attach the Vlan-3 tag to it
Logic
The Vlan-Id-Tag that needs to be attached to a frame that leaves the router is decided by the frame's destination IP address /
network
Note
A subdivided FastEthernet interface is different from an interface that has multiple IP addresses configured on to it
An interface with multiple Ip's still works like a single interface and cannot read data that has been encapsulated with any one of the
trunking protocols
Section 3
Situation 1: Standard operation
Two points of configuration
One at the switch
Second at the router
Commands
configure terminal
interface GigabitEthernet 0/5
switchport trunk native vlan 1
end
Logic
For frames being ejected out
If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged
If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged
Commands
configure terminal
interface fastethernet 0/0.1
encapsulation dot1q 1 native
end
Analysis
The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3
Step 1
A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251
Step 2
When this frame is "ejected" out of trunk port on the switch, it is sent unmodified
Because it is coming from a port
Which belongs to native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame is unmodified
So, it directs the frame to "FastEthernet 0/0.1" which has been configured to accept unmodified frames
With the help of the command - Router(config-subif)#encapsulation dot1q 1 native earlier
Step 3 - Routing
When this ping frame arrives at the router's interface FastEthernet 0/0.1
The destination IP is checked
The destination network is attached to interface "FastEthernet 0/0.3"
Step 4
So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
And the frame is ejected towards the switch
Step 5
The switch receives the frame on its trunk port GigabitEthernet 0/5
It checks the tag that reads Vlan-3
So, the switch sends the frame, out of the ports in Vlan-3
Step 2
When this frame is "ejected" out of trunk port on the switch, a tag - "Vlan-3" - is attached to this frame
Because the frame is coming from a port
Which does not belong to the native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame has a tag that reads - "Vlan-3"
So, it directs the frame to "FastEthernet 0/0.3" which has been configured to accept frames having the tag - "Vlan-3"
This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier
Step 4
The VLAN tag of the frame is removed and it is ejected towards the switch,
Because the interface from which this frame will be "ejected" - FastEthernet 0/0.1 - is configured as a "dot1Q native" interface on the
router
Step 5
The switch receives this frame on its trunk port GigabitEthernet 0/5
It analyzes the frame and can "see" that the frame does not have any tag attached to it
So, the switch sends the frame, out of the ports in Vlan-1
Because, the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1
Result
The ping is successful
Consider the above topology. When R1 tries to ping 1.2.1.2, it sends an arp request out of its interface because it
considers 1.2.1.2 to be in the local network - 1.0.0.0 because of the mask of 255.0.0.0.
However, when this arp resolution request reaches R2, after reading the contents - not the address field, R2 considers
the reply to be directed for a network 1.0.0.0 that is not attached on the interface -{ Network 1.2.0.0 with a mask of
255.255.0.0 }- on which this request was received.
Therefore, R2 drops the reply.
R2#debug arp
*Mar 1 00:01:33.539: IP ARP req filtered src 1.1.1.1 c001.2ce8.0000, dst 1.2.1.2 0000.0000.0000 wrong cable, interface FastEthernet0/0
Conclusion
That is the reason I consider ARP to operate at Layer 2.5 of the OSI model.
Although its scope is limited to the directly connected network - Layer 2,
it is still influenced by the IP networks - Layer 3, included in the contents, while replying.
Commands
configure terminal
interface GigabitEthernet 0/5
switchport trunk native vlan 1
end
Logic
For frames being ejected out
If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged
If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged
Commands
configure terminal
interface fastethernet 0/0.2
encapsulation dot1q 2 native
end
Analysis
The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3
Step 1
A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251
Step 2
When this frame is "ejected" out of trunk port on the switch, it is sent unmodified
Because it is coming from a port
Which belongs to native vlan specified on the switch's trunk port
Result
The ping is un-successful
Note
This can be modified by forcing the switch to attach a tag to all the VLANs by issuing the following command
Switch(config)#vlan dot1Q native tag
By issuing this command all the outgoing frames from a switch will be tagged and now the frame from Vlan-1 will reach
the router's interface configured with Vlan-1, which in turn will be able to resolve the arp query for PC-1.1.1.1.
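The tag handling from the Logic sections and the "wrong cable" ARP filter from the debug output can be followed in one small model. This is an added Python example, not part of the original document; it is a simplified model of the behaviour the page describes, and the /24 masks and all function names are assumptions.

```python
import ipaddress

# Constructed model of the page's lab. The /24 masks are an assumption;
# the page gives only the addresses.
SUBIFS = {  # sub-interface -> (dot1Q VLAN id, interface address)
    "Fa0/0.1": (1, ipaddress.ip_interface("1.1.1.251/24")),
    "Fa0/0.2": (2, ipaddress.ip_interface("2.1.1.251/24")),
    "Fa0/0.3": (3, ipaddress.ip_interface("3.1.1.251/24")),
}

def switch_egress(port_vlan, trunk_native, tag_native=False):
    """Tag carried by a frame leaving the switch trunk (None = untagged)."""
    if port_vlan == trunk_native and not tag_native:
        return None
    return port_vlan

def router_ingress(tag, router_native):
    """Sub-interface selected by the tag; untagged frames go to the native one."""
    vlan = router_native if tag is None else tag
    return next((n for n, (vid, _) in SUBIFS.items() if vid == vlan), None)

def arp_verdict(sender_ip, target_ip, iface):
    """How a router interface treats an ARP request it receives."""
    if ipaddress.ip_address(sender_ip) not in iface.network:
        return "wrong cable"      # sender is not on this interface's network
    if ipaddress.ip_address(target_ip) != iface.ip:
        return "not the target"
    return "reply"

def gateway_arp(pc_ip, pc_vlan, gw_ip, trunk_native, router_native, tag_native=False):
    """Follow the PC's first ARP request: (receiving sub-interface, verdict)."""
    tag = switch_egress(pc_vlan, trunk_native, tag_native)
    subif = router_ingress(tag, router_native)
    if subif is None:
        return (None, "dropped")
    return (subif, arp_verdict(pc_ip, gw_ip, SUBIFS[subif][1]))

if __name__ == "__main__":
    pc = ("1.1.1.1", 1, "1.1.1.251")
    print("native 1 on both ends:   ", gateway_arp(*pc, 1, 1))
    print("router native moved to 2:", gateway_arp(*pc, 1, 2))
    print("switch tags native VLAN: ", gateway_arp(*pc, 1, 2, tag_native=True))
```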
configure terminal
interface GigabitEthernet 0/5
switchport trunk native vlan 1
end
Switch#show interface GigabitEthernet 0/5 switchport
Name: Gi0/5
---output omitted---
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (VLAN0001)
Voice VLAN: none
---output omitted---
Logic
For frames being ejected out
If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged
If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged
Caveat
Commands
configure terminal
interface FastEthernet 0/0.2
encapsulation dot1q 2 native
exit
Analysis
The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3
Step 1
A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251
Step 2
When this frame is "ejected" out of trunk port on the switch, it is sent unmodified
Because it is coming from a port
Which belongs to native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame is unmodified
So, it directs the frame to "FastEthernet 0/0.2" which has been configured to accept unmodified frames
With the help of the command - Router(config-subif)#encapsulation dot1q 2 native
Step 3 - Routing
When this ping frame arrives at the router's interface FastEthernet 0/0.2
The destination IP is checked
The destination network is attached to interface "FastEthernet 0/0.3"
Step 4
So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
And the frame is ejected towards the switch
Step 5
The switch receives the frame on its trunk port GigabitEthernet 0/5
It checks the tag that reads Vlan-3
So, the switch sends the frame, out of the ports in Vlan-3
Step 2
When this frame is "ejected" out of trunk port on the switch, a tag - "Vlan-3" - is attached to this frame
Because it is coming from a port
Which does not belong to the native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame has a tag that reads - "Vlan-3"
So, it directs the frame to "FastEthernet 0/0.3" which has been configured to accept frames having the tag - "Vlan-3"
This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier
Step 4
The VLAN tag of the frame is removed and it is ejected towards the switch,
Because the interface from which this frame will be "ejected" - FastEthernet 0/0.2 - is configured as a "dot1Q native" interface
Step 5
The switch receives the frame on its trunk port GigabitEthernet 0/5
It analyzes the frame and can "see" that the frame does not have any tag attached to it
So, the switch sends the frame, out of the ports in Vlan-1
Because, the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1
Result
The ping is successful
Final Notes
Note One
The concept of native Vlan states that any frame belonging to the native Vlan will be sent without any modifications, i.e. un-tagged
Native Vlan is specific to each trunk port separately
This means that when frames are ejected out of trunk port 1, if the frames originated in Vlan-1, they will remain untagged
This means that when frames are ejected out of trunk port 20, if the frames originated in Vlan-20, they will remain untagged
Also
If any unmodified frame enters trunk port 1, that frame will be sent to the ports on Vlan-1
If any unmodified frame enters trunk port 20, that frame will be sent to the ports on Vlan-20
Therefore, the native Vlan is specific to a given port
However, as a default, whenever a port operates as a trunk, Vlan-1 is automatically selected to be the native vlan for that port
This can always be modified
Note Two
Even though the switch sends frames from the native vlan without any modification, it can be forced to avoid this behavior
By issuing the command, Switch(config)#vlan dot1Q native tag , a switch can be configured to tag all the frames, even if the frames
come from native vlan configured on that trunk interface
However, this command is not available on all the switches
-------------------------
The End
Comments
Milan.
1. Thank you !
Fabiola.
You are very welcome Navneet, thanks for sharing the content you produce :)
Great Work Navneet............again your graphical illustrations integrated with your knowledge base helps to enhance my
understanding of the logical process of packet forwarding !
Alvin
Hi Alvin.
Lee,
It is a pleasure !
Take care,
Navneet.