http://www.ibmsystemsmag.com/aix/tipstechniques/applicationdevelopment/Understanding-802-1q-VLANs/
====================================================================
VLANs (short for virtual LANs) are used to divide networks into smaller, more manageable chunks. This helps to reduce the size of the broadcast domain and helps with security through isolation. Essentially, there are two types of VLAN specifications for Ethernet:
· Port-based VLAN. A defined VLAN based on the port number of the switch. This is easy to configure but often limited to one single switch.
· 802.1q Tag VLAN. In 802.1q, the VLAN information is written into the Ethernet packet itself. Each packet carries a VLAN ID, called a tag. This allows VLANs to be configured across multiple switches. Note that it’s possible for VLAN tags to be stripped by H/W and/or S/W.
When using 802.1q, four bytes are added to the Ethernet frame, of which 12 bits are used for the VLAN ID. Theoretically, there can be up to 4096 VLANs per network.
An Ethernet packet that contains a VLAN ID is called a tagged packet. Conversely, an Ethernet packet with no VLAN ID is called an untagged packet. Typically all packets leave untagged, unless tagged by the adapter prior to arriving at the switch port.
Egress and Ingress Rules
Egress rules determine which frames can be transmitted out of a port, based on the Egress List of the VLAN associated with it. Each VLAN has an Egress List that specifies the ports out of which frames can be forwarded, and specifies whether the frames will be transmitted as tagged or untagged frames.
Ingress rules are a means of filtering out undesired traffic on a port. When Ingress Filtering is enabled, a port determines if a frame can be processed based on whether the port is on the Egress List of the VLAN associated with the frame.
When an untagged packet arrives at the switch port, the switch will write a VLAN ID into the header of the frame according to the PVID (port VLAN) port definition. Typically, most switches today have all ports are set to a default PVID of 1. . When a tagged frame arrives at a switch port the tag is respected.
A VID defines the member of a port group. A packet can only travel inside a member port when the member port is part of a VID port group.
====================================================================
VLANs (short for virtual LANs) are used to divide networks into smaller, more manageable chunks. This helps to reduce the size of the broadcast domain and helps with security through isolation. Essentially, there are two types of VLAN specifications for Ethernet:
· Port-based VLAN. A defined VLAN based on the port number of the switch. This is easy to configure but often limited to one single switch.
· 802.1q Tag VLAN. In 802.1q, the VLAN information is written into the Ethernet packet itself. Each packet carries a VLAN ID, called a tag. This allows VLANs to be configured across multiple switches. Note that it’s possible for VLAN tags to be stripped by H/W and/or S/W.
When using 802.1q, four bytes are added to the Ethernet frame, of which 12 bits are used for the VLAN ID. Theoretically, there can be up to 4096 VLANs per network.
An Ethernet packet that contains a VLAN ID is called a tagged packet. Conversely, an Ethernet packet with no VLAN ID is called an untagged packet. Typically all packets leave untagged, unless tagged by the adapter prior to arriving at the switch port.
Egress and Ingress Rules
Egress rules determine which frames can be transmitted out of a port, based on the Egress List of the VLAN associated with it. Each VLAN has an Egress List that specifies the ports out of which frames can be forwarded, and specifies whether the frames will be transmitted as tagged or untagged frames.
Ingress rules are a means of filtering out undesired traffic on a port. When Ingress Filtering is enabled, a port determines if a frame can be processed based on whether the port is on the Egress List of the VLAN associated with the frame.
When an untagged packet arrives at the switch port, the switch will write a VLAN ID into the header of the frame according to the PVID (port VLAN) port definition. Typically, most switches today have all ports are set to a default PVID of 1. . When a tagged frame arrives at a switch port the tag is respected.
A VID defines the member of a port group. A packet can only travel inside a member port when the member port is part of a VID port group.
No comments:
Post a Comment