802.1Q Fundamentals and Configuration

Back

Now that we understand how different VLANs on one switch segregate broadcast domains, we need to be able to allow that VLAN to traverse multiple switches, such that VLAN 50 on my current switch can talk to VLAN 50 on an adjacent switch.

802.1Q allows for VLAN tagging, so multiple VLANs can communicate over a single link

As above, if I have my accounting pc on switch1, and another accounting pc on switch2, I need those to be able to talk to each other. Then also a marketing pc on a marketing VLAN is connected to switch1 with another on switch2, and I need to allow those to talk as well. In order to do that, while maintaining logical separation of our traffic, we need a method of tagging our traffic in that inter-switch link, such that we can differentiate between which traffic belongs on which VLAN.

The port connecting switch1 and switch2 is what's called a trunk. It uses either 802.1Q or ISL as a standard for tagging within the header of that traffic. This allows the switches to differentiate which VLAN, the purple or the green in this case, that the traffic is a member of. This way, when Accounting1 sends out a broadcast, like an ARP request for the MAC address of accounting2, the broadcast will only be forwarded out ports that are member of the green VLAN. Since it comes in on a green port, it is forwarded out the trunk between the switches tagged as the green VLAN. When switch2 receives that broadcast, tagged on the green VLAN, it forwards it out all of its ports which are members of the green VLAN.

802.1Q Ethernet header format

So, after the invention of VLANs to virtualize a single physical switch into multiple logical switches, we needed a standard for this inter-switch communication, and that's where ISL and 802.1Q came into play. ISL is a legacy Cisco proprietary protocol for tagging VLANs on a trunk link. ISL stands for Inter-Switch Link, it had a lot of problems with not being very efficient and has a much larger. It's not used anymore, you won't even have the option to use ISL as the encapsulation method on your newer switches, they will only do 802.1Q. However, on your older switches, like Cisco Catalyst 3550 or 2950, you do need to go into the trunk's interface configuration and specify that you want your encapsulation to be dot1q for 802.1Q tagging. Additionally, when we use DTP, Dynamic Trunking Protocol, some of these older switches will negotiate to ISL encapsulation by default. Since the exam topics only include 802.1Q, and not ISL, we'll only go deeply into 802.1Q here.

So the 802.1Q VLAN tag is a 2 byte header field that's in our layer 2, Ethernet header. It is often considered that the Tag Protocol ID is part of the 802.1Q header, however this field is present in a standard Ethernet frame anyway, so only 2 bytes of overhead are added to our frames. It fits after the source address. The VLAN ID portion of the 802.1Q tag is 12 bits long. The standard range uses 10 bits, from 1 to 1024, two additional bits make up the extended range, up to 4096. The standard here of course is defined in IEEE 802.1Q ,this is the standard that defines the header fields and their uses.

Example static interface trunk configuration

Now trunking is referring to a switch port that is configured to transmit and received tagged frames, here we'll only be referring to 802.1Q tagging. By default on Cisco switches, a trunk is a member of all VLANs. It will accept all VLANs which are configured on it, and it will transmit all VLANs which are configured.

Dynamic Trunking Protocol, we mentioned that very briefly earlier, this protocol allows a port to become a trunk automatically. It can negotiate and detect that the other side of the link is also a switch that has the ability to be a trunk. It sends out frames saying "I want to be a trunk" and it tries to negotiate trunking. It is considered best practice to turn off DTP anywhere and everywhere, and only use static trunking. This is configured with switchport mode trunk and switchport no negotiate in order to disable DTP and set the interface statically as a trunk. DTP poses a security hazard on your interfaces that are facing user devices. When configured, our clients out there in the office are actually receiving these DTP negotiation frames. With some clever software, you can go ahead and negotiate a trunk with the switch and be able to receive traffic to your machine that is not intended and is outside of the VLAN that you should be part of.

So with 802.1Q it tags all frames in each VLAN from 0 to 4095. This adds 2 bytes of overhead to each and every frame that is transmitted. This might not sound like much, though when a switch can transmit thousands or millions of packets per second, this overhead becomes much more substantial. To save on our overhead here, we have the ability to send certain traffic untagged, which just does not have our 802.1Q vlan tag at all. When untagged traffic is received on a trunk, it is still considered to be part of a VLAN, this VLAN is called our native vlan. Any untagged traffic is considered to be part of the native vlan. The native VLAN is a configurable item with switchport trunk native vlan #.

Example message seen when there's a native VLAN mismatch between two switches

It is possible to have mismatched native VLANs. In the event this happens, and it's between 2 Cisco switches, you'll receive a warning about the mismatched configuration. A level 4 syslog message will be generated, indicating the mismatch, which is identified via CDP.

Finally, let's take a look at a packet capture of a tagged frame to review the frame's format:

Wireshark capture of 802.1Q tagged ARP frame with the 8100 Ether Type highlighted indicating 802.1Q frame type

© Ben Jacobson.RSS