VLAN Tag – Where It Changes in the Data Path

switchvlan

Suppose we have a switch we two hosts in VLAN 10 and VLAN 20.
Now if the two hosts try to ping each other using layer 2 connectivity then the ping will not be successful.

consider when H1 (VLAN 10) pings H2 (VLAN 20):

Now, if we add a router in the scene, the switch will broadcast the received traffic. The traffic will go the router, and the router will use the L3 forwarding table and send the packet back to the switch.

The switch will now send the packet to the host in VLAN 20.

If we take a Wireshark capture at H1, we get VLAN tag 10, and if we take a Wireshark capture at H2, obviously the VLAN tag is 20.

So where exactly in this data path does the addition of the new tag take place.

Assume we are not using SVIs

Topology is something like:

Best Answer

There are a few things wrong with what you wrote.

If you capture at the hosts, there will not be a VLAN tag on the frame. VLAN tags are used on trunks where there are multiple VLANs so that the network devices can tell which frames belong to which VLAN.

The switch does not broadcast unless the frame is a broadcast frame. A switch will have a MAC address table that has the MAC addresses from the frames' source addresses, and from which switch interfaces the source addresses were seen coming into the switch. The switch will look up a frame destination MAC address in the MAC address table and send the frame to the corresponding interface. If the switch doesn't find the destination MAC address in the table, it will flood the frame to all other switch interfaces in the same broadcast domain (VLAN).

A host will compare the destination IP address to the hosts's IP address and mask to see if it is in the same network. If the destination MAC address is in the same network, it will use ARP to discover the the destination host's MAC address, and use that as the destination MAC address for the frame.

If the destination host's IP address is in a different network, the host will use the MAC address of the configured gateway as the destination MAC address for the frame.

If the connection between the switch and the router is a trunk, both the switch and the router will tag any frames for non-native VLANs. The switch will not include a VLAN tag on the access ports.

Edit:

A router will have separate logical interfaces, on the same physical interface, for each VLAN. For a Cisco router, it looks something like this:

interface GigabitEthernet0/0
 description Physical Interface
 no shutdown
!
interface GigabitEthernet0/0.10
 description VLAN 10 Interface
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface GigabitEthernet0/0.20
 description VLAN 20 Interface
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!

The encapsulation command on the interface will direct incoming frames on the physical interface to the correct logical interface, and it will add the VLAN tag to any frame exiting the logical interface outbound through the physical interface.

A router will strip off and discard the layer-2 frame to get to the layer-3 packet. After switching the packet to the new interface, a router needs to build a new frame for the new interface.

The VLAN tag added to the frame by the switch on the trunk to the router will be lost when the frame is stripped. The router will add a tag for the new VLAN when it builds the new frame for the new interface. That is where the VLAN tag is changed.

Related Solutions

Vlan – How to reliably see VLAN tags on a client

Windows has no built-in support mechanisms for VLANs. There aren't separate physical and VLAN interfaces you can capture from, unless a specialized driver that adds such support is present.

So whether you see VLAN tags in Wireshark or not will depend on the network adapter you have and on what it and its driver do with VLAN tags.

Most "simple" network adapters (e.g. widely used Realtek RTL 8139) and their drivers will simply pass VLAN tags to the upper layer to handle these. In that case, Wireshark will see VLAN tags and can handle and show them.

Some more sophisticated adapters will handle VLAN tags in the adapter and/or the driver. This includes some Intel adapters and, as far as i know, Broadcom gigabit chipsets (NetXtreme / 57XX based chips). Moreover, it is likely that cards that have specialized drivers will follow this path as well, to prevent interference from the "real" driver.

source

On a cisco switches diffrent models needs diffrent config. for example at destination interface encapsulation dot1q needs to be added this will allow switch copy vlan tags to output port.

VLAN Tagging – How to Tag All Traffic from One Port

VLAN tags are used to mark which ethernet frames belong to which VLAN on a trunk link, usually between switches. Setting an access port to VLAN 201 does not add VLAN tags to the frames because most end-devices do not understand VLAN tags in an ethernet frame. By setting a native VLAN on a trunk, you are saying that that particular VLAN will not have a VLAN tag.

All you need to do to tag frames is to set the interface to trunk. For any VLAN which you want tagged, do not set that VLAN to native. Something like:

interface GigabitEthernet1/1/1
 description Trunk to CenturyLink
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan <VLAN Range>
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!

Best Answer

Related Solutions

Vlan – How to reliably see VLAN tags on a client

VLAN Tagging – How to Tag All Traffic from One Port

Related Topic