Host A and Host B can NOT communicate with each other
Diagram in TP-Link's Example 1 [1].
Configuration Scheme:
Create VLAN 2, and add ports 1 & 2 to VLAN 2.
Create VLAN 3, and add ports 1 & 3 to VLAN 3.
Keep ports 1, 2 & 3 in VLAN 1 (By default all ports are in VLAN1).
VAN
Ergess Rule
PVID
Port 1
VLANs 1,2,3
Untagged
1
Port 2
VLANs 1,2
untagged
2
Port 3
VLANs 1,3
Untagged
3
VLAN Configurations on the Switch
Errors
VLAN 2 is not Host A (nor Port 2) as depicted in the diagram. VLAN 2 is the set of ports,
{1,2}.
Ditto for VLAN 3. It is the set of Ports, {1.3}.
Lack of Clarity
There are no groups in this example, just Host A and Host B.
When VLAN numbers overlaping port numbers, there can be confusion.
Since switches can have two digit port numbers, many people
give VLAN numbers three digits. Unfornately, many vendors
have a default VLAN 1 that includes all ports, and
you can not delete it.
Host A and Host B can NOT communicate with each other
Diagram for Refined Example 1.
Port #
1
2
3
4
5
VLAN 1
U
U
U
U
U
VLAN 200
U
U
VLAN 300
U
U
PVID
1
200
300
1
1
Switch Table for Refined Example 1.
In the above table, the rows show which ports are in each VLAN and whether the port is
tagged (T) or untagged (U).
The last row, Port VLAN ID (PVID), is read by columns e.g. Port 1's PVID is 1 (VLAN 1),
Port 2's PVID is 200 (VLAN 200), etc. Every Port has one and only one PVID. It defines
and limits, which other ports it can communicate with. For example, Port 2 can only
communicate with ports that are members of VLAN 200 (Ports 1 & 2).
Introduction to Groups
This is an expansion of Example 1. It adds Host A2 to form Group A.
Critera:
All hosts can connect to Internet.
Host in Group A can NOT communicate with Host B.
Diagram for A Simple VLAN Group.
Port #
1
2
3
4
5
VLAN 1
U
U
U
U
U
VLAN 200
U
U
U
VLAN 300
U
U
PVID
1
200
300
200
1
Switch Table for a Simple VLAN Group
Observations
The mumber of VLANs did not increase. Port 4 was simply added to VLAN 200.
Port 4's PVID is 200 (VLAN 2).
TP-Link's Example 2 in Reference [1]
Critera:
All host can communicate with the Internet.
Hosts in Group A can communicate with other hosts in Group A but NOT those in Group B.
Hosts in Group B can communicate with other hosts in Group B but NOT those in Group A.
Diagram in TP-Link's Example 2 [1].
VLAN 1
VLAN 2
VLAN 3
Switch A
Ports 2-4
Ports 2,4
Ports 3,4
Swtich B
Ports 1-4
1,2,4
Port 1,3,4
VLAN Configuration on Switch A and Switch B
Switch
Switch A
Switch B
Port
2
3
4
1
2
3
4
Egress Rule
Untagged
Untagged
Tagged
Untagged
Untagged
Untagged
Tagged
PVID
2
3
1
1
2
3
1
Egress Rules and PVID Settings on Switch A and Switch B.
Errors
VLAN 2 is not Host A1 and Host A2. It is a set of Ports.
Ditto for VLAN 3.
Lack of Clarity
Again, when VLAN numbers overlap port numbers, there can be confusion.
In TP-Link's diagram, the trunk is not labled.
VLAN Tags and their purpose is not even mentioned. This is suppose to be
a tutorial.
The tables are difficult to read for multiple reasons:
The heading are not emphasized. It is not obvious that
in the second table, all of the second row is a heading.
In the first table, you have to pay attendion to dashes and commas
to determine which Ports are members of which VLANs.
In TP-Link's Example 1, Egress Rules and PVID are column headings.
In TP-Link's Example 2, Egress Rules and PVID are row heading.
You should be consitant in a tutorial.
You have the look in two tables to determine if a port is a member of VLAN.
and whether the port is tagged or untagged.
The two switches are going to be set up one at a time. Yet, the parameters
for the two switches are merged into one table. clearly, the data
should be organized so there is one table for Switch A and another
table for Switch B.
They prioritized conciseness over clarity.
A Refined (TP-Link) Example 2
Critera:
All host can communicate with the Internet.
Hosts in Group A can communicate with other hosts in Group A but NOT those in Group B.
Hosts in Group B can communicate with other hosts in Group B but NOT those in Group A.
Diagram for Refined Example 2.
Port #
1
2
3
4
5
VLAN 1
U
U
U
T
U
VLAN 200
U
T
VLAN 300
U
T
PVID
1
200
300
1
1
Switch A - Table for Refined Example 2.
Port #
1
2
3
4
5
VLAN 1
U
U
U
T
U
VLAN 200
U
U
T
VLAN 300
U
U
T
PVID
1
200
300
1
1
Switch B - Table for Refined Example 2.
Trunks and VLAN Tags
Trunks are used to eliminate multiple cables. On one end, packets, from multiple
sources, are merged, and on the other end, the packets are seperated according to the
source that generated them. To accomplish this, on the transmitting side, a VLAN Tag
that specifies the source is added to the packet. On the recieving end, the VLAN Tag is
removed from the packet.
This requires that for each packet traveling accross the trunk, there has to be
a VLAN on the other side with the same ID to receive the packet. However, the two VLANs
can have diffent memembers. For example, at Switch A, VLAN 200 members are Ports 2 and 4,
and on Switch B VLAN 200 members are Ports 1,2 and 4. Thus, in Switch A, Ports 2 and 4
can only communicate with each other, but in Switch B Ports 1,2 and 4 can communicate with
other.
The Native VLAN
Now that we know about Trunks and VLAN Tags, there is one exception.
Since all of the other VLANs have VLAN Tags, one of VLANs does
not have to have a VLAN tag. This is referred to as the Native VLAN.
On Cisco fully monitored switches, you can specify which VLAN is the
Native VLAN. On switches with less features, you can not specify
which VLAN is the Native VLAN.
For good illustrative explinations of Trunks, VLAN Tags, and
the Native VLAN, see the references in this section. However,
the first reference, assumes the router is an Enterprize-grade
with VLAN capability. Consumer-grade router, do not have VLAN
capability.
For diagnostic purposes, most VLAN switches include a port mirroring feature that
allows, you to mirror and monitor one or more ports. This feature does require
an unused port and software such as Wireshark. This feature does not require any
changes to the table for Switch A nor Switch B.
For TP-Link's Example 2, I used Port 1 on Switch A as the monitoring port. See
the diagram below.
Diagram for Monitoring Ports in Example 2.
All of my devices including the switches are in the same subnet. The numbers in blue beside
each device is last octet of the IPv4 address. This arragement allowed me to access both switch's
web interfaces (and make changes) from the Wireshark Host.
I monitored the trunk (Port 4), and pinged each host: re
Source
Destination
Request2
Response
xxx.xxx.xxx.78
xxx.xxx.xxx.56
200
200
xxx.xxx.xxx.56
xxx.xxx.xxx.78
200
200
xxx.xxx.xxx.52
xxx.xxx.xxx.54
300
300
xxx.xxx.xxx.54
xxx.xxx.xxx.52
300
300
xxx.xxx.xxx.78
xxx.xxx.xxx.1
200
xxx.xxx.xxx.56
xxx.xxx.xxx.1
200
xxx.xxx.xxx.52
xxx.xxx.xxx.1
300
xxx.xxx.xxx.54
xxx.xxx.xxx.1
300
Ping Requests and Ping Responces.
This shows that VLAN 1 is the Native VLAN. The only thing suprising is that ping xxx.xxx.xxx.52
to xxx.xxx.xxx.1 (router) is traversing accross the trunk. Ditto for ping xxx.xxx.xxx.56 to
xxx.xxx.xxx.1, it too is traversing accross the trunk. It is my believed that this is because
VLAN Tag IDs are the same for the requst and respone. Thus, Switch B is
unable to determine where the response came from.
Lessons Learned
The Wireshark Host can also ping the router. However, the results were not what I was
expecting.
Port Mirroring attemps to supress duplicate entries. That is, it
mergers what the port would normal see with the mirrored port, and
it tries not to duplicate entries.
However, when port 1 on Switch A pings the router, you will see the same
ping request twice.
You will see the ping request generated at port 1,
and you will see the same ping request going across the trunk.
But, the ping response will not be duplicated. When the ping response
goes across the trunk, it has a VLAN tag. When the ping response, is
recieved at Port 1, it does not have a VLAN tag. The mergered response,
will never shows the VLAN tag.
SSHing into All Host
By going through the router, you can SSH into any host without modifying either switch table.
That is, connect to the router through one of its ethernet ports or wirelessly. This will allow
you to ping from any host. Howver, if the SSH traffic goes through the trunk, you will also
see the SSH traffic.
Adding a Shared Network Printer
A shared Network Printer is added to the previous example.
Critera:
All hosts can communicate with the Internet.
Hosts in Group A can communicate with other hosts in Group A but NOT those in Group B.
Hosts in Group B can communicate with other hosts in Group B but NOT those in Group A.
All hosts can communicate with the Printer.
See the diagram and tables below.
Diagram for Adding a Network Printer.
Adding a Network Printer to Switch B, Port 5, requires making two changes to the Switch B Table:
Port #
1
2
3
4
5
VLAN 1
U
U
U
T
U
VLAN 200
U
U
T
VLAN 300
U
U
T
PVID
1
200
300
1
1
Switch A - Adding a Network Printer.
Port #
1
2
3
4
5
VLAN 1
U
U
U
T
U
VLAN 200
U
U
T
U
VLAN 300
U
U
T
U
PVID
1
200
300
1
1
Switch B - Adding a Network Printer.
After troubleshooting, you can remove the Wireshark Host at Port 1 on Switch A.
Forcing a Router VLAN Tag
This is the same as TP-Link's Example 2, but we are going to force the router to use a VLAN
Tag.
Critera:
All hosts can communicate with the Internet.
Hosts in Group A can communicate with other hosts in Group A but NOT those in Group B.
Hosts in Group B can communicate with other hosts in Group B but NOT those in Group A.
Force the Router to use a VLAN Tag when traversing the trunk.
The diagram is the Same as for Monitoring Ports.
You will need to create a new VLAN for this.
On Switch B, add a new VLAN for the Router (Port 1), and make the new VLAN the PVID
for Port 1.
Since Port 1 must communicate with Ports 2,3 and 4, all of them must be members of
the new VLAN. I chose an ID of 88 for the new VLAN. For the Netgear GS105Ev2 Switch
that I used, it did not complain when I made made VLAN 88 the same as VLAN 1
(and it also worked).
To recieve a response at Switch A, there must be a corresponding VLAN 88.
The trunk must be in this VLAN and Ports 2 and 3.
Now, whenever you ping the router, if the response going across the trunk it
a VLAN 88 Tag.
