Before switches and VLANs, Ethernet hosts were connected through hubs. A hub places every attached host on a single shared segment, so every host effectively shares one wire with all the others. This was an improvement over the earlier token bus networks: at least a single host failure no longer breaks the chain. The disadvantage of a hub is that all hosts sit in the same collision domain, so when two hosts transmit at the same time their frames collide and have to be resent. Switches were introduced to solve this, because every switch port is its own collision domain. VLANs were then added on top of switches to separate traffic at Layer 2.
The most basic switches, called unmanaged switches, offer only simple functions and have no VLAN support, so every host on the switch is still in the same broadcast domain. Managed switches support VLANs and can therefore separate traffic. That is why managed switches are the norm today, although unmanaged switches are still in use.
What can a VLAN do?
The basic function of a VLAN is to segregate Layer 2 traffic: a host in one VLAN cannot communicate with a host in another VLAN unless a router (or Layer 3 switch) forwards packets between the two VLANs. One way to achieve the same separation is to connect each group of hosts to its own physical switch, which is sometimes done for management traffic, but that is costly, which is why VLANs are usually preferred. Conceptually, a VLAN is a virtual switch.
The main reason to put hosts in separate VLANs is to limit how far broadcasts travel across the network. IPv4 depends on broadcasts (ARP and DHCP, for example), and separating hosts limits how far those broadcasts reach. Another reason is security. In a multi-tenant data center, for instance, it is essential that one customer's traffic is not visible to another customer's hosts; placing them in separate VLANs prevents that.
Another security case is an attacker using a packet sniffer to capture data. One mitigation is to create a "guest" VLAN for visitors to the premises and to keep server-to-server communication on a separate, secured VLAN; a sniffer then only sees traffic in the VLAN it is attached to. Hosts in the same VLAN can communicate with each other, and switches pass VLAN traffic between themselves over trunk links, so the hosts in a VLAN do not need to be connected to the same switch.
Types of VLAN:
There are three terms to know here:
- Tagged VLAN
- Untagged VLAN
- Native VLAN
Sometimes an untagged frame arrives on a tagged port. To handle this, every tagged port has a special VLAN assigned to it, called the native VLAN or untagged VLAN: an untagged frame arriving on the port is placed in the native VLAN, and a frame belonging to the native VLAN leaves the port without a tag. The native VLAN is how untagged traffic is carried across trunk links between switches.
Let's walk through an example of hosts connected to trunk ports with a native VLAN configured (VLAN 15 on both ports).
- First, host A sends a frame with no VLAN tag.
- Switch 1 receives the frame. Because the frame has no tag, the switch assigns it to the port's native VLAN, VLAN 15 (internally it is handled as if it carried a VLAN 15 tag).
- The switch forwards the frame to port 2. The frame belongs to VLAN 15, which matches the native VLAN configured on port 2, so the switch sends it out with no tag.
- Host B receives the untagged frame.
Carrying untagged traffic between switches has its uses. Some switch-to-switch protocols are sent untagged; Cisco Discovery Protocol (CDP) is one example. If there is a trunk link between two switches, which VLAN does the sending switch use for such traffic? In short, it sends the traffic untagged, and the receiving switch places it in the native VLAN.
A switch port is either a tagged or an untagged port. An untagged port, called an access port on a Cisco switch, connects to a host or server. The host is not aware of any VLAN configuration and sends its frames without a tag. When such a frame arrives at the switch port, the switch assigns it the VLAN ID configured on that port; on Cisco switches the default access VLAN is VLAN 1, and in the example below the port is configured for VLAN 10. In short, when a frame enters through an untagged port, the switch tags it with the port's VLAN and then forwards it normally.
The following diagram shows the process:
- Server A sends an untagged frame to the switch.
- The frame is received on port 1 of the switch, which tags it with the port's configured VLAN, VLAN 10.
- The switch forwards the frame to port 2. Port 2 is also an untagged port in VLAN 10, so the VLAN tag is stripped from the frame.
- Server B receives the untagged frame as normal.
A port is called a tagged port when the frames it carries contain VLAN tags. For example, two connected switches pass tagged traffic between each other. Cisco uses the word trunk for a tagged port.
When a sender transmits a frame with a VLAN tag, the receiving switch reads the tag. If that VLAN is allowed on the port, the switch forwards the frame as needed. For example, if a broadcast arrives in VLAN 10, the switch floods the frame to all other ports that carry VLAN 10.
The following diagram shows the process:
- A server host sends an untagged frame.
- The frame is received on an untagged port of switch 1 configured for VLAN 10. The switch tags the frame with VLAN 10.
- Switch 1 decides that the frame should leave through the port connected to switch 2. That port is a tagged (trunk) port, so only frames in the VLANs allowed on the trunk may leave it; if VLAN 10 is not allowed, the frame is dropped.
- Switch 2 receives the tagged frame on port 1, checks that VLAN 10 is allowed on that port, and determines that the frame should go out port 2.
- Port 2 is untagged, so the switch strips the tag from the frame and sends it on.
- Server B receives the untagged frame from port 2.
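The three walkthroughs above (hosts on trunk ports with a native VLAN, access port to access port on one switch, and access port to access port across a trunk) are all applications of the same ingress and egress rules. The Python model below is an added illustration, not code from the original page: it implements those rules for access and trunk ports and replays each walkthrough, plus two cases the steps mention or imply, a trunk that does not allow the frame's VLAN (the frame is dropped) and a native VLAN that differs between the two ends of a trunk (the frame arrives in the wrong VLAN). Port names, VLAN numbers and the frame dicts are constructed for the example.

```python
"""Minimal model of how 802.1Q access and trunk ports classify and forward
frames. A frame is a dict; "vid" is None when the frame carries no tag."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    name: str
    mode: str                       # "access" (untagged) or "trunk" (tagged)
    vlan: int = 1                   # access VLAN, or native VLAN (PVID) of a trunk
    allowed: Optional[set] = None   # trunks only: VLANs permitted; None = all


def ingress(port: Port, frame: dict) -> Optional[dict]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    vid = frame.get("vid")
    if port.mode == "access":
        if vid is not None:
            return None                  # model choice: tagged frames are not accepted on access ports
        return {**frame, "vid": port.vlan}
    if vid is None:
        vid = port.vlan                  # untagged frame on a trunk -> native VLAN
    if port.allowed is not None and vid not in port.allowed:
        return None                      # VLAN not allowed on this trunk
    return {**frame, "vid": vid}


def egress(port: Port, frame: dict) -> Optional[dict]:
    """Decide how an already classified frame leaves the port."""
    vid = frame["vid"]
    if port.mode == "access":
        if vid != port.vlan:
            return None                  # an access port only carries its own VLAN
        return {**frame, "vid": None}    # tag stripped for the host
    if port.allowed is not None and vid not in port.allowed:
        return None
    if vid == port.vlan:
        return {**frame, "vid": None}    # native VLAN leaves the trunk untagged
    return {**frame, "vid": vid}         # every other VLAN leaves tagged


def forward(path, frame):
    """Push a frame through (ingress_port, egress_port) pairs, one pair per switch.
    Returns (delivered_frame_or_None, trace); trace records the VLAN each switch
    classified the frame into, so a wrong VLAN is visible even when delivery succeeds."""
    trace = []
    for in_port, out_port in path:
        classified = ingress(in_port, frame)
        if classified is None:
            return None, trace
        trace.append((in_port.name, classified["vid"]))
        frame = egress(out_port, classified)
        if frame is None:
            return None, trace
    return frame, trace


def run_scenarios() -> dict:
    """Constructed topologies matching the walkthroughs on this page."""
    untagged = {"src": "host-A", "payload": b"hello", "vid": None}
    r = {}

    # Trunk ports with native VLAN 15 on both sides: in untagged, out untagged.
    r["native_trunk"] = forward(
        [(Port("sw1/1", "trunk", vlan=15), Port("sw1/2", "trunk", vlan=15))], untagged)

    # Two access ports in VLAN 10 on one switch.
    r["access_to_access"] = forward(
        [(Port("sw1/1", "access", vlan=10), Port("sw1/2", "access", vlan=10))], untagged)

    # Access VLAN 10 -> trunk -> trunk -> access VLAN 10 across two switches.
    sw1_acc = Port("sw1/1", "access", vlan=10)
    sw1_trk = Port("sw1/2", "trunk", vlan=99, allowed={10, 20})
    sw2_trk = Port("sw2/1", "trunk", vlan=99, allowed={10, 20})
    sw2_acc = Port("sw2/2", "access", vlan=10)
    r["across_trunk"] = forward([(sw1_acc, sw1_trk), (sw2_trk, sw2_acc)], untagged)
    r["on_the_wire"] = egress(sw1_trk, ingress(sw1_acc, untagged))   # what the trunk carries

    # Same path, but the trunk does not allow VLAN 10: dropped at sw1 egress.
    r["trunk_disallowed"] = forward(
        [(sw1_acc, Port("sw1/2", "trunk", vlan=99, allowed={20}))], untagged)

    # Failure mode: native VLAN mismatch (15 on sw1, 20 on sw2). The VLAN 15
    # frame crosses the trunk untagged and is delivered into VLAN 20 on sw2.
    r["native_mismatch"] = forward(
        [(Port("sw1/1", "access", vlan=15), Port("sw1/2", "trunk", vlan=15)),
         (Port("sw2/1", "trunk", vlan=20), Port("sw2/2", "access", vlan=20))], untagged)
    return r


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the one worth remembering: nothing is dropped and no error is logged, the frame simply shows up in a different VLAN on the far switch, which is why the native VLAN has to be configured identically on both ends of a trunk.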
How the native VLAN works:
To understand how it works, consider the following diagram: several PCs are connected to hubs and switches. Switch 1 and switch 2 are linked to each other, and a hub with several PCs attached is connected to switch 2. The link between switch 1 and switch 2 is a trunk link.
When traffic arrives at switch 1, the switch adds a tag before sending it over the trunk link, so that switch 2 knows which VLAN the frame belongs to and can forward it correctly. But in some cases a switch receives a frame on a trunk without a tag, especially one that arrived via a hub, because hubs do not understand tagging. The switch assumes such a frame belongs to the native VLAN and forwards it within that VLAN.
As mentioned, a switch has two kinds of ports: trunk ports and access ports. Endpoints do not understand VLAN tagging, so access ports receive untagged traffic, while trunk ports expect tagged frames. When a switch receives untagged traffic on an access port, it associates that traffic with the VLAN configured on that port.
On a trunk port, traffic is normally tagged, and the switch uses the tag to decide which VLAN the frame belongs to. If a trunk port receives an untagged frame, it assumes the frame belongs to the native VLAN. So a trunk carries tagged frames for many VLANs and, in addition, the untagged frames of its single native VLAN. There is exactly one native VLAN per trunk, and it must be configured identically on both ends of the trunk: otherwise a frame sent untagged in one VLAN on one side is received, still untagged, into a different VLAN on the other side.
Why are frames tagged?
Frames are tagged before they cross the trunk so that the switch on the other side can read the tag and determine which VLAN each frame belongs to. Keep in mind that the trunk carries tagged frames for every other VLAN and untagged frames for the native VLAN.
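To make "the tag" concrete, here is an added Python example (not from the original page) that builds and parses the IEEE 802.1Q header: after the source MAC, a 16-bit TPID of 0x8100 announces the tag, followed by a 16-bit TCI holding the 3-bit priority (PCP), the drop-eligible bit (DEI) and the 12-bit VLAN ID, and only then the real EtherType. `add_tag` and `strip_tag` are the two operations an access port performs on ingress and egress (a trunk performs `strip_tag` for its native VLAN). The sample frame is a made-up ARP request with constructed MAC addresses, built inline.

```python
"""Build, parse, tag and untag Ethernet II frames with an IEEE 802.1Q tag.
Byte layout: dst(6) src(6) [TPID 0x8100 (2) TCI (2)] EtherType(2) payload."""
import struct
from typing import Optional

TPID_8021Q = 0x8100   # EtherType value that says "a VLAN tag follows"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Return an Ethernet frame; if vid is given, insert an 802.1Q tag."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    if vid is not None:
        # VID 4095 is reserved; VID 0 means "priority tag only, no VLAN".
        if not 0 <= vid <= 4094:
            raise ValueError("VID must be 0..4094")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode header fields; 'vid' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int) -> bytes:
    """Ingress on an access port: insert a tag into an untagged frame."""
    f = parse_frame(frame)
    if f["vid"] is not None:
        raise ValueError("frame is already tagged")
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid=vid)


def strip_tag(frame: bytes) -> bytes:
    """Egress on an access port (or a trunk, for its native VLAN): remove the tag."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])


# Constructed sample: an ARP request (EtherType 0x0806) from a made-up MAC to broadcast.
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("021122334455")
SAMPLE_PAYLOAD = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20


def demo() -> dict:
    """Tag the sample frame for VLAN 10, parse it, and strip the tag again."""
    untagged = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0806, SAMPLE_PAYLOAD)
    tagged = add_tag(untagged, 10)
    return {
        "untagged_len": len(untagged),          # 42 bytes
        "tagged_len": len(tagged),              # 46 bytes: the tag adds exactly 4
        "parsed": parse_frame(tagged),
        "round_trip": strip_tag(tagged) == untagged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two practical points follow from the layout: a host that does not understand 802.1Q sees 0x8100 where it expects the EtherType and usually discards the frame, which is why access ports strip the tag, and a frame with VID 0 carries only a priority and is classified by the switch as if it were untagged, so it lands in the port's native VLAN.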
Importance of the native VLAN:
Some points about the native VLAN:
- It handles frames that arrive without any VLAN membership, that is, untagged frames.
- It is a real VLAN with its own members; its frames are the ones that cross a trunk without a tag.
- Untagged (unencapsulated) frames received on a trunk port are normally placed in the native VLAN rather than dropped.
- Every physical port has an identifier called the port VLAN identifier (PVID).
- All untagged frames received on a port are assigned to its PVID; on a trunk, the PVID is the native VLAN.
- It is better to use a VLAN other than VLAN 1 as the native VLAN: VLAN 1 is the default VLAN for every port and the VLAN that Cisco control protocols such as CDP use, so anything left at its defaults ends up there.
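Because the native VLAN is implicit (a Cisco trunk with no `switchport trunk native vlan` line uses VLAN 1), the two points above, a native VLAN that matches at both ends and a native VLAN other than VLAN 1, can be checked directly from configuration. The Python audit below is an added example, not part of the original page: it parses constructed Cisco IOS-style running-config excerpts (sample input written for this example, not captured from real devices) and flags trunks left on native VLAN 1 and trunk pairs whose native VLANs differ. The `LINKS` table saying which ports face each other is assumed to come from cabling records or CDP/LLDP neighbour data.

```python
"""Audit Cisco IOS-style switch configs for native VLAN problems on trunk ports:
a trunk left on the default native VLAN 1, and a trunk whose native VLAN does
not match the native VLAN configured on the far end of the link."""
import re
from typing import Dict, List, Tuple

DEFAULT_NATIVE_VLAN = 1   # Cisco default when 'switchport trunk native vlan' is absent

# Constructed running-config excerpts (sample input written for this example).
CONFIGS = {
    "sw1": """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
""",
    "sw2": """\
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
""",
}

# The same sw1 config with the native VLAN set explicitly to match sw2.
FIXED_SW1 = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
"""

# Which trunk ports face each other (constructed; from cabling records or CDP/LLDP in practice).
LINKS = [(("sw1", "GigabitEthernet0/24"), ("sw2", "GigabitEthernet0/24"))]

IFACE_RE = re.compile(r"^interface (\S+)")
MODE_RE = re.compile(r"^\s+switchport mode (\w+)")
NATIVE_RE = re.compile(r"^\s+switchport trunk native vlan (\d+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {interface: {"mode": str|None, "native": int}} from an IOS-style config."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": None, "native": DEFAULT_NATIVE_VLAN}
            continue
        if current is None:
            continue                      # lines before the first interface stanza
        m = MODE_RE.match(line)
        if m:
            interfaces[current]["mode"] = m.group(1)
            continue
        m = NATIVE_RE.match(line)
        if m:
            interfaces[current]["native"] = int(m.group(1))
    return interfaces


def audit(configs: Dict[str, str], links) -> List[Tuple[str, str]]:
    """Return findings as (severity, message) tuples; an empty list means clean."""
    parsed = {sw: parse_interfaces(cfg) for sw, cfg in configs.items()}
    findings: List[Tuple[str, str]] = []
    for sw, ifaces in parsed.items():
        for name, attrs in ifaces.items():
            if attrs["mode"] == "trunk" and attrs["native"] == DEFAULT_NATIVE_VLAN:
                findings.append(("warn", f"{sw} {name}: trunk uses default native VLAN 1"))
    for (sw_a, if_a), (sw_b, if_b) in links:
        a = parsed.get(sw_a, {}).get(if_a)
        b = parsed.get(sw_b, {}).get(if_b)
        if not a or not b or a["mode"] != "trunk" or b["mode"] != "trunk":
            findings.append(("error", f"{sw_a} {if_a} <-> {sw_b} {if_b}: not a trunk on both ends"))
            continue
        if a["native"] != b["native"]:
            findings.append(("error", f"{sw_a} {if_a} native VLAN {a['native']} != "
                                      f"{sw_b} {if_b} native VLAN {b['native']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(CONFIGS, LINKS):
        print(severity, message)
    print("after fix:", audit(dict(CONFIGS, sw1=FIXED_SW1), LINKS))
```

Running it on the sample input reports two findings (sw1's trunk is on the default native VLAN 1, and 1 does not match sw2's 99); with `FIXED_SW1` in place both findings disappear. The parser only recognises an explicit `switchport mode trunk`; ports that negotiate trunking dynamically would need their operational state from the device, which this config-only check cannot see.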
Why do we use a native VLAN?
- To reduce configuration workload.
- For more flexibility.
- To carry untagged traffic on a trunk port.
- To separate the traffic that devices send to different PCs.
- To support 802.1Q (dot1q) trunking.
- To provide better security by keeping hosts that handle sensitive data in a separate VLAN.
To sum up, the basic purpose of the native VLAN is to serve as a common identifier on both sides of a trunk link and to carry the untagged traffic generated by devices connected to ports configured with that native VLAN.