Trunks, Access Ports and VLANs

Submitted by rayc on Mon, 10/25/2021 - 09:09

Let's talk about how we connect devices to our networks and how we segment those networks. Well, physically at least. This post isn't about WiFi.

Hubs

When networks were first designed using Ethernet (I say Ethernet because I don't want to delve into coax, token ring and the like), network engineers needed a way to physically join devices together. Say hello to our little friend the hub (again, just talking about Ethernet hubs and switches here). Hubs are really ancient network devices that are essentially just multiport repeaters. A network hub receives data on one port and forwards a copy of that data out every other port that has a device connected. It's pretty easy to see how this causes unnecessary traffic. It also means that hubs can only operate in half duplex. Half duplex means that data can be either sent or received at any one time, not both. This also means that all devices connected to a hub are in a single collision domain, and a half-duplex network is prone to collisions. A collision occurs when two (or more) network devices try to send data at the same time on a half-duplex network. CSMA/CD (Carrier Sense Multiple Access/Collision Detection) then kicks in and dictates that the device wait a random time period before trying to send data again.

Switches

This brings us to switches. A switch is basically a really smart and fast hub (like a multiport bridge, for those who know what a bridge is) that stores information in memory (CAM/TCAM) in order to send and receive data more efficiently. Because of these smarts, switches are able to send and receive data on each port at the same time, making them full-duplex devices. I'll explain a little more about how switches forward data in another post. For now just know that they are smart and full duplex. Being full duplex also means that switches still have collision domains, but each one is reduced to a single interface: every interface on a switch is its own collision domain.

Broadcasts

A broadcast is a data packet that is sent to all devices inside a broadcast domain. You can think of a broadcast domain as a network that is not separated by a layer 3 device such as a router or firewall. Broadcast messages are not forwarded through a router or firewall (yes, you can do it, but for the purposes of this post you can't). Broadcast messages such as ARP requests are flooded throughout the network, even on a switch. In fact, switches will initiate ARP requests to find MAC addresses for unknown hosts. Because these messages don't get forwarded past a router or firewall, all devices inside that network are considered to be in the same broadcast domain.

VLANs

Because networks can get very big, and network engineers will want to separate end users inside the network for security, by department or for various other reasons, we can use VLANs (Virtual LANs). VLANs are a way of separating broadcast domains inside a network. See the image below, which shows 3 VLANs: VLAN 10, 20 and 30. There are hosts on each switch connected to the various VLANs. Each VLAN is inside its own broadcast domain.

Broadcast Domains

Physically they are connected by the same layer 2 network devices inside the same network; however, they are logically separated by VLANs configured on each switch. A PC in VLAN 10 cannot communicate with a PC in VLAN 20 or VLAN 30 without sending data to a layer 3 device such as a router. This device is referred to as the default gateway in this instance. The default gateway is the host that all network traffic is sent to when the destination is outside that device's layer 3 subnet. Cisco switches allow for up to 4096 VLANs; however, some are reserved.

  • VLAN 0: Reserved for 802.1p traffic.
  • VLAN 1: This is the default VLAN. Out of the box, all switch ports are configured for VLAN 1.
  • VLAN 2-1001: This is the normal VLAN range.
  • VLAN 1002-1005: These VLANs are reserved.
  • VLAN 1006-4094: This is the extended VLAN range.

 

Cisco switch ports can be configured in one of two ways: as an access port or as a trunk port.

Access Ports

An access port is a port that is assigned to a single VLAN and will only send data on that VLAN. Each PC in the topology above is connected to an access port on a switch. For the most part, network devices will only need to communicate on a single VLAN, so their ports will be configured as access ports. To configure an access port, use the interface subcommand switchport mode access. You will then need to specify the VLAN the port is connected to (unless it's the native VLAN, which by default is VLAN 1) using the command switchport access vlan <id>.

SWITCH3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH3(config)#int g1/0/10
SWITCH3(config-if)#switchport mode access
SWITCH3(config-if)#switchport access vlan 10

To verify the status of an access port, use the command show interface <int> switchport.

SWITCH3#sh int g1/0/46 switchport
Name: Gi1/0/46
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access

Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN0020)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
Appliance trust: none

As you can see, the port has been statically configured as an access port and is in VLAN 20.

Trunk Ports

But how does traffic from VLAN 10 on SWITCH2 get to VLAN 10 on SWITCH1? This is where trunk ports come in. A trunk port is a switch port that is a member of all VLANs, or at least the ones permitted on the interface (more about that later). Many moons ago there were two trunking technologies: ISL (Inter-Switch Link) and 802.1Q trunking. ISL was a Cisco proprietary trunking protocol and has long since been removed and is no longer supported. 802.1Q is the standard trunking protocol on all modern switches. Since a trunk port is a member of all VLANs, the switch needs a way to identify which VLAN the traffic is coming from when it sends it to another switch. This is accomplished by adding a 32 bit 802.1Q header to the frame. An 802.1Q header contains the following information:

  • Tag Protocol Identifier (TPID): This is a 16 bit field set to 0x8100 to identify that it is an 802.1Q packet.
  • Priority Code Point (PCP): This is a 3 bit field to indicate the frame's CoS (Class of Service) value. CoS is basically layer 2 QoS.
  • Drop Eligible Indicator (DEI): This is a 1 bit field to indicate whether the packet can be dropped during bandwidth contention.
  • VLAN ID: This is a 12 bit field to indicate the VLAN ID the frame is allocated to.

 

802.1Q Header

When the switch receives an 802.1Q packet, it strips the 802.1Q header off and continues to forward the frame. Below is a packet capture of a frame that has been encapsulated with an 802.1Q header. As you can see, the PCP is 0, the DEI is 0 and the VLAN ID is 10. Also note that the 802.1Q header is not added to any traffic sent over the native VLAN. The native VLAN is the default VLAN configured on the trunk port.

802.1Q PCAP Header
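As an added example (not code from the post, nor anything from Cisco), here is a small Python decoder for the 802.1Q tag described above, run over two constructed frames: a broadcast ARP request tagged VLAN 10 with PCP 0 and DEI 0, like the capture above, and the same frame untagged as it would travel over the native VLAN. The frame bytes, MAC addresses and the tag_bytes helper are my own constructions.

```python
import struct

TPID_8021Q = 0x8100  # the TPID value from the header breakdown above

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet header plus any 802.1Q tags stacked after it.

    An empty 'tags' list means the frame arrived untagged, which on a trunk
    means it belongs to the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break  # not a tag: this is the payload EtherType (e.g. 0x0806 ARP)
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        # 32 bit tag = 16 bit TPID + 16 bit TCI; TCI = PCP(3) | DEI(1) | VID(12)
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 0x1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def tag_bytes(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Build one 32 bit 802.1Q tag (the inverse of the parser, used for samples)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))

# Constructed sample frames (not the post's capture): a broadcast ARP request
# tagged VLAN 10 with PCP 0 / DEI 0, and the same frame untagged as it would
# travel over the native VLAN. The ARP body is zero-filled; only the tag matters.
ETH_HDR = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")  # dst, src
ARP = struct.pack("!H", 0x0806) + bytes(28)  # EtherType 0x0806 + 28 byte ARP body
TAGGED_VLAN10 = ETH_HDR + tag_bytes(10) + ARP
UNTAGGED = ETH_HDR + ARP

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED_VLAN10), ("untagged", UNTAGGED)):
        print(name, parse_frame(frame)["tags"] or "no tag -> native VLAN")
```

The loop also decodes stacked tags, so a frame carrying two 0x8100 tags comes back with both entries in order.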

To configure a port as a trunk port, use the interface configuration subcommand switchport mode trunk.

SWITCH1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH1(config)#int g1/0/2
SWITCH1(config-if)#switchport mode trunk

By default, trunk ports are considered to be part of all VLANs and have the default native VLAN configured as VLAN 1 (you should note that all control plane traffic is sent over the native VLAN). A trunk port can be configured to only send traffic from specific VLANs. This is called VLAN pruning. You can also change the native VLAN for a trunk port. The native VLAN should be changed for security purposes to a VLAN that is not in use by anything else. To prune VLANs from a trunk port, use the interface subcommand switchport trunk allowed vlan {add|remove|except|all|none} <vlan>.

SWITCH3(config-if)#switchport trunk allowed vlan 10,20

One thing to note: when you are adding VLANs to a trunk port, it is a common mistake to forget the add keyword. When you do this, all the previously specified VLANs are removed and only the ones specified in the command are allowed. To change the native VLAN, use the interface subcommand switchport trunk native vlan <id>.

SWITCH3(config-if)#switchport trunk native vlan 99
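To make the replace-versus-add behaviour concrete, here is an added Python model of the allowed VLAN list for the command described above (example code, not the post's and not Cisco IOS itself). The function and constant names are my own; the VLAN list notation it parses and prints is the one show interface trunk uses.

```python
ALL_VLANS = frozenset(range(1, 4095))  # what 'switchport trunk allowed vlan all' means

def parse_vlan_list(spec: str) -> set:
    """Parse an IOS VLAN list such as '1-4094' or '10,20,30-35' into a set of ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans

def format_vlan_list(vlans) -> str:
    """Collapse ids into the range notation 'show interface trunk' prints, e.g. '1,10-12'."""
    ids, ranges, start = sorted(vlans), [], None
    for i, v in enumerate(ids):
        start = v if start is None else start
        if i + 1 == len(ids) or ids[i + 1] != v + 1:
            ranges.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return ",".join(ranges) or "none"

def switchport_trunk_allowed_vlan(current, args: str) -> set:
    """Model 'switchport trunk allowed vlan {add|remove|except|all|none} <list>'.

    'current' is the set allowed before the command; the result is the set allowed after.
    """
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    # No keyword: the list given REPLACES whatever was allowed before.
    return parse_vlan_list(args)

if __name__ == "__main__":
    allowed = switchport_trunk_allowed_vlan(ALL_VLANS, "10,20")  # factory default, then pruned
    print("after '10,20':  ", format_vlan_list(allowed))                                           # 10,20
    print("after '30':     ", format_vlan_list(switchport_trunk_allowed_vlan(allowed, "30")))      # 30 (forgot add)
    print("after 'add 30': ", format_vlan_list(switchport_trunk_allowed_vlan(allowed, "add 30")))  # 10,20,30
```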

To verify your trunk port configuration, use the command show interface trunk.

SWITCH3#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan  
Gi1/0/1     auto             802.1q         trunking      1
Gi1/0/2     auto             802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,20,30
Gi1/0/2     1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,10,20,30
Gi1/0/2     none

Note that interface G1/0/10, which I configured as a trunk, is not in this output as it is not currently in an UP/UP state. For a more detailed view of a specific port, use the command show interface <int> switchport.

SWITCH3#sh int g1/0/10 switchport 
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: disabled

Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
Appliance trust: none
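As an added defender's check (example code, not from the post or from Cisco), the following Python parses show interface switchport output like the two listings above and flags the settings this post recommends changing: a trunk whose native VLAN is still 1, a trunk that allows all VLANs or is still negotiating, a port whose mode is left to negotiation, and an access port left in VLAN 1. The sample text is constructed from the page's own Gi1/0/46 and Gi1/0/10 listings, trimmed to the fields used; the function names are my own.

```python
def parse_switchport(output: str) -> dict:
    """Turn 'show interface <int> switchport' output into a field -> value dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # lines without a colon (e.g. 'Capture Mode Disabled') are skipped
            fields[key.strip()] = value.strip()
    return fields

def vlan_id(value: str) -> int:
    """Pull the numeric id out of values like '20 (VLAN0020)' or '99 (Inactive)'."""
    return int(value.split()[0])

def audit_switchport(output: str) -> list:
    """Return findings for one port: the checks this post's guidance implies."""
    f = parse_switchport(output)
    name, mode, findings = f.get("Name", "?"), f.get("Administrative Mode", ""), []
    if mode.startswith("dynamic"):
        findings.append(f"{name}: mode is negotiated ({mode}); set access or trunk explicitly")
    if mode == "trunk":
        if vlan_id(f["Trunking Native Mode VLAN"]) == 1:
            findings.append(f"{name}: trunk native VLAN is still the default VLAN 1")
        if f.get("Trunking VLANs Enabled") == "ALL":
            findings.append(f"{name}: trunk allows all VLANs; prune to the ones required")
        if f.get("Negotiation of Trunking") == "On":
            findings.append(f"{name}: DTP negotiation is still on for a static trunk")
    elif mode == "static access" and vlan_id(f["Access Mode VLAN"]) == 1:
        findings.append(f"{name}: access port left in the default VLAN 1")
    return findings

# Constructed samples, trimmed from the two 'show interface switchport' listings
# above (the Gi1/0/46 access port and the Gi1/0/10 trunk).
ACCESS_PORT = """\
Name: Gi1/0/46
Administrative Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN0020)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""
TRUNK_PORT = """\
Name: Gi1/0/10
Administrative Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 99 (Inactive)
Trunking VLANs Enabled: 10,20
"""
```

Running audit_switchport over each sample returns an empty list for the access port and a single DTP finding for the trunk, since its native VLAN was already moved to 99 and its allowed list pruned to 10,20.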