2.8.4.2 802.1Q VLAN Concept
Port Based VLAN is simple to implement and use, but it cannot extend a VLAN across multiple switches.
The 802.1Q protocol was developed to provide that solution. By tagging Ethernet frames with VLAN
membership information, IEEE 802.1Q lets a network administrator break up a large switched
network into smaller segments so that broadcast and multicast traffic does not consume too much
of the available bandwidth, while also providing a higher level of security between segments of
the internal network.
The 802.1Q frame format is shown below:
[Figure: 802.1Q frame layout] PRE | SFD | DA | SA | TCI | P | C | VID | T/L | Payload | FCS
Field   | Name                  | Size          | Description
PRE     | Preamble              | 62 bits       | Used to synchronize traffic
SFD     | Start Frame Delimiter | 2 bits        | Marks the beginning of the header
DA      | Destination Address   | 6 bytes       | The MAC address of the destination
SA      | Source Address        | 6 bytes       | The MAC address of the source
TCI     | Tag Control Info      | 2 bytes       | Set to 8100 for 802.1p and Q tags
P       | Priority              | 3 bits        | Indicates 802.1p priority level 0-7
C       | Canonical Indicator   | 1 bit         | Indicates if the MAC addresses are in canonical format; set to "0" for Ethernet
VID     | VLAN Identifier       | 12 bits       | Indicates the VLAN (0-4095)
T/L     | Type/Length Field     | 2 bytes       | Ethernet II "type" or 802.3 "length"
Payload |                       | <= 1500 bytes | User data
FCS     | Frame Check Sequence  | 4 bytes       | Cyclical Redundancy Check
Important VLAN Concepts for Configuration
There are two key components to understand:
- The Default Port VLAN ID (PVID), which specifies the VLAN to which the switch will assign untagged traffic received on that port;
- The VLAN ID (VID), which specifies the set of VLANs from which a given port is allowed to receive, and to which it is allowed to send, tagged packets.
Both variables can be assigned to a switch port, but there are important differences between
them. An administrator can assign only one PVID to each switch port (since the 802.1Q
protocol assigns any single packet to just one VLAN). The PVID defines the default VLAN ID
tag that the switch adds to untagged frames it receives on that port (ingress traffic).
On the other hand, a port can be defined as a member of multiple VLANs (multiple VIDs).
These VIDs constitute an access list for the port. The access list is used to filter tagged
ingress traffic: the switch drops a packet tagged as belonging to one VLAN if the port on
which it was received is not a member of that VLAN. The switch also consults the access
list to filter packets it sends out that port (egress traffic): a packet is not forwarded out the
port unless it belongs to one of the VLANs in which the port is a member.
The differences between Ingress and Egress configurations can provide network
segmentation while still allowing resources to be shared across more than one VLAN.
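As an added illustration (not code from this manual or its switch firmware), the following Python models the tag parsing and the PVID / VID-membership rules described above: untagged ingress frames take the port's PVID, tagged ingress frames are dropped unless the port is a member of their VID, and egress is allowed only to member VLANs. The port model (`pvid`, `vids`) and the frame builder are constructed for the example.

```python
# Added example: parse an 802.1Q tag and apply the ingress/egress VLAN rules.
import struct

TPID_8021Q = 0x8100  # the tag identifier the manual lists as "set to 8100"


def parse_frame(frame: bytes) -> dict:
    """Split a frame into DA, SA, optional tag fields (P, C, VID), Type/Length and payload."""
    da, sa = frame[0:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]  # 3-bit P | 1-bit C | 12-bit VID
        return {"da": da, "sa": sa, "tagged": True,
                "priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF,
                "type_len": struct.unpack("!H", frame[16:18])[0], "payload": frame[18:]}
    return {"da": da, "sa": sa, "tagged": False, "vid": None,
            "type_len": tpid, "payload": frame[14:]}


def ingress_vlan(port: dict, frame: bytes):
    """Classify an ingress frame to a VLAN; None means the port drops it.
    port is a constructed model: {"pvid": int, "vids": set of member VIDs}."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return port["pvid"]        # untagged ingress is assigned the port's PVID
    if info["vid"] not in port["vids"]:
        return None                # tagged with a VLAN the port is not a member of
    return info["vid"]


def egress_allowed(port: dict, vid: int) -> bool:
    """A frame is forwarded out a port only if the port is a member of its VLAN."""
    return vid in port["vids"]


def build_frame(da: bytes, sa: bytes, vid=None, priority=0,
                ethertype=0x0800, payload=b"") -> bytes:
    """Constructed helper: build an untagged frame, or a tagged one when vid is given."""
    hdr = da + sa
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed sample: access list {10, 20}, PVID 10.
    port = {"pvid": 10, "vids": {10, 20}}
    da, sa = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    print(ingress_vlan(port, build_frame(da, sa)))          # 10 (PVID applied)
    print(ingress_vlan(port, build_frame(da, sa, vid=20)))  # 20 (member VLAN)
    print(ingress_vlan(port, build_frame(da, sa, vid=30)))  # None (dropped)
```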
Important VLAN Definitions