14 Replies Latest reply: Dec 3, 2019 4:19 AM by Daniel

    Inter-Vlan Communication

    Damij

      Hi all, I passed my CCENT in May and I just passed my CCNA in October.

      I know that there are 3 ways to achieve this:

      -Router with different interfaces

      -Router with a single interface

      -Layer 3 Switch

      My question is on the router with different interfaces.

      I cannot seem to see a trunk connection anywhere in the configuration for a router with different interfaces, and I know the trunk connection carries tagged frames which include the VLAN ID in the header.

      Can I safely say that access and trunk ports do the same job then, since they can both carry VLAN information across;

      where the access port passes its own VLAN info to the router and the trunk passes its own to both switches and routers using dot1q on the router?

        • 1. Re: Inter-Vlan Communication
          Ing_Percy

          Hi!

          In a router with different interfaces, each router interface corresponds to one VLAN, as you can see in the picture:

          [image: intervlan-1.png]

          The ports on the switch are configured in access mode.

          Check: https://www.freeccnastudyguide.com/study-guides/ccna/ch7/7-6-inter-vlan-routing/

          Regards!

          • 2. Re: Inter-Vlan Communication
            Steven Davidson

            An access port doesn't carry VLAN information normally.  An access port would send untagged frames to the far end.  When a router doesn't use sub-interfaces connected to trunk ports then the switch port configuration on the other end is access mode and the switch is sending untagged frames to each of the router's interfaces.

            • 3. Re: Inter-Vlan Communication
              l00pback

              If you want your router to tag the frames with a VLAN, then you need to configure a sub-interface with the corresponding VLAN ID under the physical interface.

              • 4. Re: Inter-Vlan Communication
                Damij

                Thank you Percy for the attempt to answer. I totally understand the trunk and access port concept.

                My point is we cannot say that the trunk port ALONE carries VLAN info (tagged), as I have been made to believe in the past.

                An access port too carries VLAN info, because when it is connected to a router with multiple interfaces representing multiple VLANs, then the VLAN information is NOT going through a trunk port but going through an access port on the switch connected to an interface on the router, and the VLAN information traverses the network.

                Simply put, VLAN information can go through other sources and NOT just a trunk port. Would this position of mine be correct?

                • 5. Re: Inter-Vlan Communication
                  Damij

                  Thank you Steven for the attempt to answer. I totally understand the trunk and access port concept.

                  My point is we cannot say that the trunk port ALONE carries VLAN info (tagged), as I have been made to believe in the past.

                  An access port too carries VLAN info, because when it is connected to a router with multiple interfaces representing multiple VLANs, then the VLAN information is NOT going through a trunk port but going through an access port on the switch connected to an interface on the router, and the VLAN information traverses the network.

                  Simply put, VLAN information can go through other sources and NOT just a trunk port. Would this position of mine be correct?

                  • 6. Re: Inter-Vlan Communication
                    Damij

                    Thank you l00pback for the attempt to answer. I totally understand the trunk and access port concept.

                    My point is we cannot say that the trunk port ALONE carries VLAN info (tagged), as I have been made to believe in the past.

                    An access port too carries VLAN info, because when it is connected to a router with multiple interfaces representing multiple VLANs, then the VLAN information is NOT going through a trunk port but going through an access port on the switch connected to an interface on the router, and the VLAN information traverses the network.

                    Simply put, VLAN information can go through other sources and NOT just a trunk port. Would this position of mine be correct?

                    • 7. Re: Inter-Vlan Communication
                      Parvesh

                       

                      Damij wrote:

                      Can I safely say that access and trunk ports do the same job then, since they can both carry VLAN information across;

                      where the access port passes its own VLAN info to the router and the trunk passes its own to both switches and routers using dot1q on the router?

                      No, access ports do not carry VLAN information. Rather, trunks do. Hope it helps.

                      The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port entertains traffic for only a single VLAN.

                      Remember, an access port may accept tagged frames, and tagged frames are used to internally switch the frames (acceptance of tagged frames is platform-specific). Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port.

                      http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_19_ea1/configuration/guide/swint.html

                      http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swint.html#wp1107751

                      An interesting read (Experimenting with VLAN hopping):

                      https://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/

                      • 8. Re: Inter-Vlan Communication
                        Steven Davidson

                        Damij wrote:

                         

                        Simple put, VLAN information can go through other sources and NOT just trunk port. Will this my position be correct ?

                        No.   A true access port is a port that is not operating any encapsulation mode for trunking and, therefore, does not tag frames with VLAN information on frames that it sends onto the wire.  A trunk port can be made to behave like an access port if you make only one VLAN allowed on that port and you make that port native.  In that case, the trunk port would not tag any frames either.  As long as you keep saying "VLAN information" then the answer you're going to keep getting is that only trunk ports will do that.  You might be trying to say "frames from different VLANs" but that isn't the same as "VLAN information".  To everybody here "VLAN information" means an 802.1Q tag.

                        • 9. Re: Inter-Vlan Communication
                          Ing_Percy

                          Hi!

                          Damij wrote:

                          My point is we cannot say that the trunk port ALONE carries VLAN info (tagged), as I have been made to believe in the past.

                          An access port too carries VLAN info, because when it is connected to a router with multiple interfaces representing multiple VLANs, then the VLAN information is NOT going through a trunk port but going through an access port on the switch connected to an interface on the router, and the VLAN information traverses the network.

                          Simply put, VLAN information can go through other sources and NOT just a trunk port. Would this position of mine be correct?

                          The trunk port can carry tagged frames (all VLANs, "except one") and untagged frames for only one VLAN (the native VLAN, "the excepted one").

                          The access port doesn't carry tagged frames.

                          Now, if you connect a router configured with subinterfaces (ROAS) to a switch port configured as access (any VLAN number), the frame goes through the network, but untagged. The router will receive the untagged frame and can only process it with the information configured on:

                          - the physical interface, or

                          - a subinterface with the keyword "native" in the encapsulation command.

                          Here is a case on CLN where I implemented a lab in GNS3 about the native VLAN in ROAS with the switch port configured as access:

                          ROAS, using native vlan

                          Regards!
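An added example (not from this thread, and not Cisco code) that models what reply 8 and reply 9 describe: the only "VLAN information" on the wire is the 802.1Q tag, an access port never emits one, a trunk port emits one for every allowed VLAN except its native VLAN, and a trunk that allows only its native VLAN behaves like an access port. The frame layout and TPID 0x8100 follow the standard; the port dictionaries, MAC addresses and the rule for tagged frames arriving on an access port are constructed assumptions, since the thread notes that real platforms differ there.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame; when vlan is given, an 802.1Q tag (PCP=0, DEI=0,
    VID=vlan) is inserted between the source MAC and the EtherType."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, etype, frame[18:]

def egress(port, vlan, fields):
    """Bytes the modelled switch port puts on the wire for a frame the switch
    has classified into `vlan`; None means this port does not carry it."""
    dst, src, _, etype, payload = fields
    if port["mode"] == "access":
        if vlan != port["vlan"]:
            return None                                  # one VLAN only
        return build_frame(dst, src, etype, payload)     # always untagged
    if vlan not in port["allowed"]:
        return None
    if vlan == port["native"]:
        return build_frame(dst, src, etype, payload)     # native: untagged
    return build_frame(dst, src, etype, payload, vlan)   # others: tagged

def ingress(port, frame):
    """VLAN the modelled port assigns to a received frame (None = dropped).
    Assumed rule, since real platforms differ: an access port drops tagged
    frames unless the VID equals its own access VLAN."""
    vid = parse_frame(frame)[2]
    if port["mode"] == "access":
        return port["vlan"] if vid in (None, port["vlan"]) else None
    if vid is None:
        return port["native"]
    return vid if vid in port["allowed"] else None

# Constructed sample ports and MACs (not from the thread)
ACCESS_10 = {"mode": "access", "vlan": 10}
TRUNK = {"mode": "trunk", "allowed": {10, 20, 30}, "native": 10}
ROUTER_MAC, HOST_MAC = "0200000000aa", "0200000000bb"

def on_wire(port, vlan):
    """Describe what leaves `port` for a host-to-router frame in `vlan`."""
    fields = parse_frame(build_frame(ROUTER_MAC, HOST_MAC, 0x0800, b"ip"))
    wire = egress(port, vlan, fields)
    if wire is None:
        return "not carried"
    vid = parse_frame(wire)[2]
    return "untagged" if vid is None else f"tagged VID {vid}"
```

Running on_wire over ACCESS_10 and TRUNK for VLANs 10 and 20 shows the access port emitting only untagged frames for its own VLAN, while the trunk emits VLAN 10 untagged (native) and VLAN 20 tagged.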

                          • 10. Re: Inter-Vlan Communication
                            Damij

                            Thanks Parvesh, I think you hit the nail on the head here: "The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port entertains traffic for only a single VLAN." I knew this but just forgot that the trunk is really for passing multiple VLANs whereas the access port is for a single VLAN, either default or native.

                            But all the same, both access and trunk ports pass VLAN info/frames; it's just that one passes them for a single VLAN while the other in this case passes them for multiple.

                            Thanks again.

                            • 11. Re: Inter-Vlan Communication
                              Damij

                              Thanks Percy, I am refreshed. lol

                              • 12. Re: Inter-Vlan Communication
                                Damij

                                Thanks Steven, I fully understand your point; it was my choice of words. I appreciate you guys. Thanks.

                                • 13. Re: Inter-Vlan Communication
                                  WillieB

                                  Damij wrote:

                                  I cannot seem to see a trunk connection anywhere in the configuration for a router with different interfaces, and I know the trunk connection carries tagged frames which include the VLAN ID in the header.

                                  This is because on a router, the port is a routed port. Only a switch port has "access" or "trunk" modes. There is no VLAN configuration on a routed port.

                                  Damij wrote:

                                  Can I safely say that access and trunk ports do the same job then, since they can both carry VLAN information across;

                                  where the access port passes its own VLAN info to the router and the trunk passes its own to both switches and routers using dot1q on the router?

                                  No, they are very different. As others have stated already, access ports don't "pass" any VLAN info to another port. An access port strips the tag off before sending the frame out of the port.

                                  • 14. Re: Inter-Vlan Communication
                                    Daniel

                                    Hi Damij,

                                     

                                    There have already been some nice answers above. But you seem to be struggling with the concept of the so-called "tagged ports", which Cisco calls "trunk ports". Technically, they carry 802.1Q tags, and these are carried via the trunk ports. Please note that "trunk port" is Cisco terminology and most other vendors will call these ports "tagged ports".

                                    As far as where the tag actually belongs, that's up for debate. But to get back to your original question, without giving any configuration: yes, it's possible to generate 802.1Q-tagged frames and transport them across other switchport types. What happens when those switchports receive 802.1Q tags but are not configured for it is also platform and configuration dependent.

                                    I will not go into that theory because it's complex. But I'll try to answer/give you some tips about your initial question.

                                     

                                    Damij wrote:

                                    Hi all, I passed my CCENT in May and I just passed my CCNA in October.

                                    I know that there are 3 ways to achieve this:

                                    -Router with different interfaces

                                    -Router with a single interface

                                    -Layer 3 Switch

                                    My question is on the router with different interfaces.

                                    I cannot seem to see a trunk connection anywhere in the configuration for a router with different interfaces, and I know the trunk connection carries tagged frames which include the VLAN ID in the header.

                                    Can I safely say that access and trunk ports do the same job then, since they can both carry VLAN information across;

                                    where the access port passes its own VLAN info to the router and the trunk passes its own to both switches and routers using dot1q on the router?

                                     

                                    No.

                                    Here is where we are treading on thin lines, and I think you just haven't figured out (yet) entirely how the access port actually works. The reason other vendors call "trunk ports" "tagged ports" is because that's exactly what that port will do. It will figure out from which port the original frame came and, when it NEEDS to cross the trunk port, then it adds the 802.1Q tag. The same concept applies when a trunk port receives a frame: it reads the 802.1Q tag, removes it and then forwards the frame to the correct access VLAN.

                                    Routers work in exactly the same way, as in the example given above. The configuration itself usually requires subinterfaces, but there are differences between IOS versions and platforms.

                                    The router itself has a function: take packets from Subnet A and forward them towards Subnet B based on the routing table. To do so it also needs to build L2 information (Ethernet frames). So after a packet is routed, it also needs to encapsulate something onto the new L2 domain. This is where 802.1Q comes into play.

                                    In general there are three different methods to do inter-VLAN routing, like you mention. When using the "router with a single interface" option, you need to use the subinterface configuration provided above. This is actually the "trunk port" of a router; remember that an 802.1Q port is a trunk port per Cisco terminology (a tagged port for other vendors). That specific configuration creates those 802.1Q tags.

                                    At the same time it tells the router that if it receives a frame with tag X, it belongs to this VLAN.

                                    The actual 802.1Q trunk port per Cisco switch terminology is created on the downstream switch. Maybe this is where the confusion is?

                                    So SWA1 --> configured as a trunk port towards Router1

                                    Router1 --> configured to tag packets using 802.1Q towards SWA1.

                                    Only the "switch" uses a "trunk port" per Cisco terminology, but they both perform 802.1Q tagging.

                                    Damij wrote:

                                    An access port too carries VLAN info, because when it is connected to a router with multiple interfaces representing multiple VLANs, then the VLAN information is NOT going through a trunk port but going through an access port on the switch connected to an interface on the router, and the VLAN information traverses the network.

                                    Simply put, VLAN information can go through other sources and NOT just a trunk port. Would this position of mine be correct?

                                    No, this is incorrect as far as CCNA goes, but you would be correct if we talk about complex virtualization technologies such as VXLAN or MPLS etc.

                                    However, to keep this at CCNA grounds, then no, it's incorrect.

                                    In this topology, the router itself is completely unaware of the VLANs used in the switched infrastructure. The router only knows that it's connected to a device at the other end that is most likely speaking "Ethernet". It's completely unaware of which VLAN it's connected to.

                                    The router itself is connected TO a switchport. The SWITCHPORT itself belongs to a specific VLAN. The router has ZERO information about this concept, from the perspective of the router. When the router needs to communicate it will simply generate an L2 Ethernet frame with no special information crafted into it. The switchport itself will forward this frame based on the destination MAC address; that's it.

                                    At the same time the router itself will receive frames whose destination MAC address is one of its own source MAC addresses per interface. So in practice, the router is completely transparent to the network; the switch does all the magic based on source/destination MAC addresses.

                                    The SWITCH tags/untags frames based on the trunk-port configuration, which may or may not be towards another router.

                                    If the switch sends an 802.1Q-tagged packet towards a router (or any other device), then that router needs to be configured to support 802.1Q tags (as provided above).

                                    Of course the access switch itself needs to keep track of which switchports the original frame came from in order to place the 802.1Q tag in the correct VLAN. But suppose you do the following; your statement could become true:

                                    -SWA1 port 1: configured as trunk port

                                    -SWA2 port 1: configured as access port

                                    -SWA2 port 2: configured as access port

                                    -SWA3 port 1: configured as trunk-port

                                     

                                    SWA1 port 1 -> SWA2 port 1

                                    SWA2 port 2 -> SWA3 port 1

                                    What happens when SWA1 generates an 802.1Q tag that's using the access ports of SWA2? Will they reach SWA3 port 1 or not?

                                    It's not as easy as it looks.

                                    -HTH

                                    Daniel