802.1q VLAN tagging

Captions
Good morning everybody, and welcome back to Next Door NetAdmin. Some of my co-workers seem to be having some difficulty with VLANs lately, so let's talk about VLANs. Just going to jump right into it. First question you might have is: what is a VLAN? A VLAN is a virtual LAN, or a virtual local area network. You can think of it as the same kind of result as if you had several different switched networks all in the same area. If you wanted to keep them completely separate, you could have them going through different sets of equipment so that the traffic never mixed; with a VLAN you can do the same thing on the same equipment.

So the way that this works is, when you have a VLAN it has a particular ID, say VLAN 6. VLAN 6's traffic will be kept separate through the network and only allowed to interact with other VLAN 6 traffic, and if a device like a router has multiple VLANs available on the same line, it will break it into multiple sub-interfaces so that VLAN 6 has its own address, and that's only going to interact with VLAN 6. All the other VLANs are kept completely separate. So that's the general idea of a VLAN.

How is this actually implemented? The most common standard that you'll see for VLANs is called 802.1Q. 802 is the IEEE standard for... okay, hold up, hold up, hold up. Hi, this is the Next Door NetAdmin coming to you from in editing, because what I'm about to say is completely wrong. Oh, the things you find out when you go back and do your actual research later. No. Well, 802 is the IEEE standard for local area networks, personal area networks and the like. What I was about to say here was completely wrong. 802.1 specifically deals with other higher-layer LAN protocols, which is what I'm about to talk about; 802.3 deals with Ethernet and 802.11 deals with wireless. There's a lot of groups; we're not going to get into all of them. I am going to return you to your regularly scheduled, hopefully error-free broadcast.

So you can have some security protocols like 802.1X; the VLAN protocol is 802.1Q. Because of this, network admins and other networking literature also tend to just refer to this as 1Q. We leave the 802 part out; everybody understands it's there, but it's just 1Q. So in a 1Q network, regular traffic without 1Q being in play has a set format in the layer 2 Ethernet frame. When 1Q is in play you get an additional tag added. It's just four bytes, 32 bits; of those 32 bits, 12 of them are set aside for the VLAN ID. I won't go into what all the others do right now because, quite honestly, that's more than we need for today, but these 12 bits allow you to specify a VLAN ID anywhere from 0 up until 4095. You can't actually use 0 or 4095; those are reserved by the spec. So functionally speaking your VLAN identifier can be anything from VLAN 1 to VLAN 4094, and you can use whatever numbers you want as a network admin, obviously provided it doesn't collide with what somebody else is trying to use. If you're working at an ISP or at another very, very large network, it's also possible, under an extension to the standard, to have QinQ, where you have two VLAN tags one right before the other. That allows you to network VLAN traffic over another network that is itself using VLANs, but again that is much more complicated than we need to get into for the purposes of this discussion.

So when normal traffic is sent from a printer or another device that has no concept of VLANs, doesn't know that they're in use, and it doesn't have to know that they're in use, it just sends a standard Ethernet frame: no VLAN tag whatsoever, no 1Q tag. When the switch receives that, the switch looks at its configuration and says: this is an access port, meaning it's only assigned to a single VLAN, and that VLAN is this number. And so it will take the traffic on that port and, if it needs to send it elsewhere in the network, it will add the VLAN tag so that it's tagged with the correct information, and then sends it off, and the rest of the network can interpret that and deal with that how they need to.

You can also have a trunk port. If you have a trunk port, this is designed to carry a lot of different VLANs, all the VLANs in fact. You can optionally restrict which VLANs a trunk will carry; you can say, this trunk port, I only want it to carry VLANs 10, 20 and 55. You can do that, and then that trunk will only carry VLANs 10, 20 and 55, fine; it won't carry anything else. To the other VLANs on the network it's as if that port doesn't even exist; the traffic has nowhere to go unless there's another trunk that allows it to flow outbound, or there are other local ports. You can have a VLAN configured just on a single switch, and then the traffic will only stay on that switch and it won't go anywhere else if it's not permitted to. So that can be useful for some cases.

But when you have a trunk, it's important to know that there is still an untagged VLAN, and this is called the native VLAN. It's very important that you understand that the native VLAN is set per port. It's not a global setting across the network, there is no global setting across equipment; it is set per port, and it is set per the admin. VLAN 1 tends to be the default VLAN. It's the one that's always there; if you set up new VLANs, VLAN 1 is just what all the equipment starts at, so a lot of networks use that as the default VLAN. You shouldn't use this as your default VLAN. If you have a lot of equipment already set up, yes, it can be a bit of a pain to move it to a new VLAN. Say I'm going to take everything that didn't have a VLAN before and I'm going to make it VLAN 5. Okay, now I need to set up a VLAN 5 on the router, and I need to configure the interface, and I can't configure the interface on the router for VLAN 5 with the same address as on VLAN 1; that causes problems. So then you have to remove the address from VLAN 1 and add it to VLAN 5, and you have to make sure that you can still reach all of your switches while you're doing this so that you can put it... it becomes a whole thing, and I understand, truly I do understand, that this is a lot of effort to have to go through. But you shouldn't use VLAN 1 for your regular traffic.

Do you want to know why? The reason is, VLAN 1 is the default VLAN for a lot of systems. This can end up conflicting with other things that expect to be allowed VLAN 1. If you're using Fortinet gear, for example, with FortiLink: FortiLink to link FortiGates to FortiSwitches to FortiAPs to FortiAnalyzers to FortiSandboxes to FortiMails, all of the Forti gear that is in a FortiLink, FortiEMS or whatever else it's got, all of it expects to be allowed VLAN 1 and only VLAN 1. That is it. If you have other traffic using the untagged VLAN, VLAN 1, that's too bad; you've got to take all of it off, because FortiLink is going to take that over and you don't get a choice about that. So that's one reason.

The other reason is for security. You never want the native VLAN on a switch trunk, a trunk line between two switches, you never want that native VLAN to carry actual traffic. Why is this? Again, the native VLAN is set per port. That means if you have VLAN 5 on one end as the native VLAN, this is what's going to be untagged traffic; it's going to be sent without a tag because it's the default or native VLAN for that port. Maybe on your switch over here you have a native VLAN of 10, so any untagged traffic it receives is going to be considered to be VLAN 10. This kind of VLAN jumping, where it leaves one switch on VLAN 5 and comes into the other switch on VLAN 10, is a security risk. It's a problem because you're breaking the guarantee that these VLANs are logically isolated and logically separate, and now you're mixing the traffic of two different VLANs. Not only is this a security violation, you're also increasing the size of your broadcast domain, the number of stations that have to be reachable any time a single station needs to send out a broadcast at layer 2, which causes performance issues and other such fun things. But the security thing is the biggest one, pretty much.

So for general reasons of security, you always want your native VLAN on trunks, on inter-switch trunks, to not only be a default for... and making it be the default is just good practice in case the admin forgets something. If the admin is guaranteed never to forget this, fine, you can set your native VLAN to 999 or something of that sort. But the native VLAN on all inter-switch trunks should be a VLAN that is not used for any customer traffic whatsoever, which means that all customer traffic, all regular network traffic, will have a VLAN tag, guaranteed, to make sure that the receiving switch always knows exactly what it belongs to with no ambiguity whatsoever.

There are a couple of reasons why you might end up with a trunk link connected to an end station, such as a telephone. A lot of VoIP telephone handsets have the capability to accept a single network connection and then pass through a computer port to a computer that's also attached to the phone. How does this work? Well, typically you're going to have two VLANs: one is going to be for data traffic, the other is going to be for voice traffic, so that voice traffic is not interfered with or run into conflict with regular data traffic. So you set this up as a trunk line; the untagged VLAN, the native VLAN, is the data VLAN, and that gets passed through to the computer port. The phone itself listens to the network to be told what it should configure as the voice VLAN, and then any voice traffic that the phone part needs to send will get sent tagged for the voice network, while the computer doesn't need to know anything about the VLANs and it just passes through its data untagged to the regular switch port. And you can set up a switch port as a trunk in that case and configure it to announce the voice VLAN and do all the other fun stuff that you get to do in that case. But it's still important to know that your native VLAN is set per port, and this is why I'm emphasizing inter-switch trunk links versus end-station trunk links: because some end stations like a phone might require a native, untagged VLAN that does carry customer traffic, because it's intended to connect to a computer that is going to be on the data network. Only on inter-switch trunk links do you want, really, really, really want, that native VLAN, the untagged VLAN, to be something that is essentially dead: doesn't carry any traffic, doesn't have any services, there's no router address on it, it's just a dead VLAN there with nothing on it.

So how does this work with wireless access points? Wireless access points can be considered another type of switch; it's just that they're handling traffic from multiple wireless clients instead of multiple wired clients. So if an access point is a switch, then you want to make sure that that native, untagged VLAN carries no traffic. It's a security risk; it always has been, it always will be. And all of the data that comes from the AP that is actually supposed to go somewhere should be tagged, and a lot of APs will have configuration for this. If you set it up to handle a VLAN, by default everything will start out as VLAN 1, because that's the default VLAN for everything. Fine. You can say, okay, my native VLAN is 1; my management VLAN, the one where I'm going to have an IP address that the AP can actually be managed on, is a different number altogether. Then your management interface is tagged even though the native VLAN is untagged, and your SSIDs, your wireless networks, should also be set to a particular VLAN identifier that is different from the native VLAN, so that when it accepts traffic on that SSID it will set that identifier in the VLAN tag and send it off to the rest of the network.

What happens if you have a manufacturer that is making assumptions? Some manufacturers make the assumption that, hey, my management interface is always going to be untagged, I don't need to set any VLAN tag on that. Now you've broken the assumption and the security practice that you never want to have actual traffic, meaningful traffic, on the untagged VLAN between two switches; even though one of the switches is an AP, it's still functioning as a switch at layer 2. All right, now what? Okay, it's going to assume that the untagged VLAN is its native V... it's going to assume that the untagged VLAN is the same one that its management interface should be on. Fine. And we know that the untagged VLAN is the same as the native VLAN, but again this is set per port. On the switch end, you're going to need to make sure that you configure the native VLAN to be the VLAN you want this non-standard equipment to be using for its management interface.

Okay, now what about the SSIDs? Do we assume that VLAN 1 is going to be the untagged VLAN? We cannot assume that VLAN 1 is the untagged VLAN, because the native VLAN, the untagged VLAN, is set per port. If you set up an SSID on VLAN 1 and just assume that that's the untagged one, so that's going to work out fine? It might, if that's actually VLAN 1; if it's not, then it won't work correctly. Let's say that my management interface is on VLAN 7, just because. Okay, and now I've got some substandard, non-standard equipment that doesn't let me configure a VLAN ID for the management interface. Okay, fine, here's our scenario. I'm going to need to set my native VLAN on the switch end as VLAN 7, so that the management interface is on VLAN 7, untagged, native VLAN. Fine, that part is good. Let's say I've got a main network, a main wireless network SSID, and I want to put this on VLAN 7 because I want it to be untagged. I need to configure that as VLAN 7, because if my native VLAN is VLAN 7, then any time it accepts traffic on the wireless interface it says: this is for VLAN 7, okay, now I'm going to send it across this link; ah, this link has a native VLAN of VLAN 7, so I'm going to send it untagged. Then when the switch receives it, the switch says: I'm receiving untagged traffic, I can see that my local configuration for this port says it's VLAN 7, and I can tag it appropriately as I send it through the rest of the network. Okay, cool.

What happens if you say, ah, VLAN 1 is the untagged network, let's put VLAN 1 on this wireless SSID? Okay, now you've got traffic coming in there and the AP says: oh, this is VLAN 1; my native VLAN here is VLAN 7, so if I've got traffic to send on VLAN 1, that means I need to tag it as VLAN 1 and send it into the network. When the switch receives it, it says: oh, this is tagged for VLAN 1, okay, and now I can send it through the rest of the network, removing the tag if VLAN 1 is the native VLAN, or keeping the tag if the native VLAN is something else, until it gets to the destination it reaches, which is an access port or a router or what have you, and it'll strip the VLAN tag and process the traffic at layer 3, because a VLAN tag is only at layer 2. So then it'll strip it off and it'll do whatever processing it needs to on that traffic.

Okay. VLANs can be remarkably tricky for a lot of people. Honestly, I'm not 100% sure why, but then I am a network admin and my brain works in weird ways, can't help it. But if you're struggling with VLANs, you're certainly not alone; everybody else is commiserating with you, and those of us who do understand VLANs are, or darn well should be, happy enough to assist you and provide whatever guidance we can. Kind of how we hope all learning works, really. Yeah.

The biggest thing to remember is that your VLAN tag is not static. It has to be... you have to keep in mind the state of the frame as it passes through the network, because the tag might be added when it goes across a line where it's not the native VLAN; it might be taken away if it's going to be sent across a link where the native VLAN is the same one. And you can also have weird things happen if you send a packet with a tag for traffic that should be the untagged VLAN. Let's say I've got VLAN 5 on this switch right over here, and the VLAN is supposed to be 10. Well, 5 is not 10, so it's going to be tagged for VLAN 5 and sent over. On this switch over here, VLAN 5 is the native VLAN, so it's expecting VLAN 5 to come in untagged. What happens here? Weird things can happen here. The switch might accept it, strip the tag off and go: yeah, okay, this said it was VLAN 5, it's not supposed to be tagged, just get rid of the tag and keep processing it, send it somewhere else. Or it might treat it as a QinQ packet and say: oh, well, I'm not supposed to be receiving traffic for VLAN 5 with a tag attached, so if it has a tag attached, this must be for VLAN 5 on a network which is already passing through on my VLAN 5, so that it's a tagged packet within an untagged packet. And weird things just go crazy from there. It's really important to make sure that you have a firm grip on what your native VLAN is, what it should be, and make sure that you keep the exceptions as limited as possible to prevent yourself from running into issues.

There are protocols out there that try to make this easier. You can have an auto-negotiating VLAN trunk that, instead of access or trunk, will just try and auto-configure itself. In my experience that causes more problems than it solves, because sometimes it's supposed to be one way and the switch says, oh, I've detected it's supposed to be the other, and things break. Try to stay away from the auto-configuring VLAN stuff as much as you can; it's just not worth it. There's also protocols like CDP, the Cisco Discovery Protocol, which functions at layer 2. Two Cisco switches running CDP will talk to each other and they will exchange information, including "what is my native VLAN", and if the native VLAN is configured differently on both ends, it will alert the administrator and say there's a native VLAN mismatch here. It might even shut down the port to prevent traffic from flowing through an incorrectly configured VLAN trunk. And because CDP flows at layer 2, it doesn't have a VLAN of its own; it is its own layer 2 protocol, so the switches will continue to talk to each other and exchange this information even if you're trying to say, oh, I only want this one VLAN to pass through. Okay, but the switch is: no, if this is a trunk line, it might carry other VLANs at any point depending on how the admin changes their mind, so it will warn you. It might cause traffic flow to shut down if you've done it wrong, so the best thing to do is make sure you've done it right.

VLANs are a very tricky subject sometimes, but for today that's probably enough on the subject for now. And if you have any questions, be sure to leave them down in the comments and I will answer them, or if we have lots of questions I might even do another video on it. We'll have to see. But for now, thank you very much for watching. I am your Next Door NetAdmin, and we'll see you next time.
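As an added example (not code from the video or the channel), the following Python model shows the per-port native VLAN behaviour the captions describe: an untagged frame entering a trunk is classified into that port's native VLAN, a frame in the native VLAN leaves untagged, and every other VLAN gets the 4-byte 802.1Q tag. The switch names, the "dead" native VLAN 999 and the sample frame are constructed, and the mismatch check only mirrors the kind of native VLAN mismatch warning CDP raises; it is not CDP.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier that marks a tagged frame
ETH_IPV4 = 0x0800  # EtherType of the constructed sample payload

# Constructed sample frame: dst MAC, src MAC, EtherType, payload (no tag).
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETH_IPV4) + b"sample payload")


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two 6-byte MAC addresses."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by the spec
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def vlan_of(frame: bytes):
    """Return the VID in the outermost tag, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag (caller checks that one is present)."""
    return frame[:12] + frame[16:]


def trunk_ingress(native_vid: int, frame: bytes):
    """Trunk ingress: untagged frames fall into this port's native VLAN."""
    vid = vlan_of(frame)
    if vid is None:
        return native_vid, frame
    return vid, strip_tag(frame)


def trunk_egress(native_vid: int, vid: int, frame: bytes) -> bytes:
    """Trunk egress: the native VLAN leaves untagged, everything else tagged."""
    return frame if vid == native_vid else tag_frame(frame, vid)


def cross_trunk(vid: int, frame: bytes, native_a: int, native_b: int) -> int:
    """Send a VLAN `vid` frame out switch A's trunk, classify it at switch B."""
    return trunk_ingress(native_b, trunk_egress(native_a, vid, frame))[0]


def native_vlan_mismatch(native_a: int, native_b: int) -> bool:
    """Constructed check in the spirit of CDP's warning: both ends must agree."""
    return native_a != native_b


if __name__ == "__main__":
    # Mismatched natives: VLAN 5 leaves A untagged and becomes VLAN 10 at B.
    print(cross_trunk(5, SAMPLE_FRAME, native_a=5, native_b=10))      # 10
    # Dead native VLAN 999 on both ends: customer VLAN 5 stays tagged, stays 5.
    print(cross_trunk(5, SAMPLE_FRAME, native_a=999, native_b=999))  # 5
    print(native_vlan_mismatch(5, 10))                                # True
```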
Info
Channel: NextDoorNetAdmin
Views: 21
Id: nHrzMOsyGZw
Length: 26min 40sec (1600 seconds)
Published: Mon Jun 10 2024