I am wondering what tagged and untagged means. Also what is the difference between them and how does it work exactly. I have a research project to do so please help me guys!
Tagged vs untagged on VLANS?
- Thread starter Aznguy1872
- Start date
look up 802.1q trunking.
tagging is just a technique used to add a small header to the ethernet frame as it is passed between devices so the the original VLAN (broadcast domain) is maintained.
normal ethernet there is no tagging. Only when trunking VLANs between devices is involved.
tagging is just a technique used to add a small header to the ethernet frame as it is passed between devices so the the original VLAN (broadcast domain) is maintained.
normal ethernet there is no tagging. Only when trunking VLANs between devices is involved.
if you're using one switch, untagged vlan is just fine
if you're using 2 or more switches and you want all the vlan2's to talk with each other, they will all need the same tag.
one thing bad about cisco vlan is that people have already figured out how to hack through them...so there really isn't any security in vlan.
if you're using 2 or more switches and you want all the vlan2's to talk with each other, they will all need the same tag.
one thing bad about cisco vlan is that people have already figured out how to hack through them...so there really isn't any security in vlan.
Awe.....
C'mon.
finally we get a meaty topic to discuss and we get vendor bashing. A VLAN is a VLAN no matter who the vendor. It is a concept and not a vendor specific thing. it of course is not a means for security. Please tell how cisco implements a VLAN is different from others?
As far as manufacturers are concerned a vlan is a vlan. there is nothing special about them and everybody implements them the same.
Let's hope the OP comes back. I gave him the hint that will help him, but I'm not doing his paper for him.
Sometimes I crave that this section of AT can grab a hold of something interesting and we can help others. Not to get off on a rant - but this is a good subject and can help others.
-edit-
sorry for the rant. but VLANs have been around for 10+ years and yet their concept is still confusing. We could make this into an enlightening thread - staring with what is a LAN, what is a broadcast domain, what does a switch do with a frame and how it determines what the source VLAN is (vlan tagging), blah, blah, blah. But let's have a decent discussion. I'm only ranting because I'm bored.
skyking
Lifer
- Nov 21, 2001
- 22,817
- 5,979
- 146
I had vlan bite me in the arse earlier this year, for a few minutes
I set up 4 ports on a dell switch for a seperate vlan, and never did implement anything on it.
Fast forward to the other day, and the network is nearing capacity. I used one of those ports, and wondered why I could not get to the server
I set up 4 ports on a dell switch for a seperate vlan, and never did implement anything on it.
Fast forward to the other day, and the network is nearing capacity. I used one of those ports, and wondered why I could not get to the server
Could be, but who uses ISL? It is Cisco only (afaik) and has more overhead than `normal` dot1q.
Also, knowing VLANs is *critical* to deployments of any network. It's pretty easy to get ahold of routing, subnetting, yada yada layer 3, but wrapping your head around all of the stuff happening at L2 & L3 is incredibly important - and makes L3-L7 that much easier.
Also, knowing VLANs is *critical* to deployments of any network. It's pretty easy to get ahold of routing, subnetting, yada yada layer 3, but wrapping your head around all of the stuff happening at L2 & L3 is incredibly important - and makes L3-L7 that much easier.
Doubtful.
Most of the big guys in networking see a need and implement their own stuff because their customer base is screaming "I need this and I need it NOW!!!"
So the big guys implement their own version of what needs to be done and waits/develops the standards. Then there is a big battle in the standards committees with each manufacturer proclaiming that their way is the best (of course they do, they already have it in their software/hardware)
Cisco's ISL later became 802.1q. Cisco has all but abandoned ISL trunking.
At its development tagging VLANs to be carried to another networking device was a big deal - there were no standards and yet the market demanded it. It really was a HUGE deal and forever changed networking.
To bad it is bad practice these days to tag vlans.
Incidentally, I was referring to FreshPrince. Considering he mentioned Cisco's implementation of VLAN, I was assuming he meant ISL.
Are you sure about that? ISL uses packet encapsulation while 802.1q inserts information into the Ethernet header which are completely different methods of acheiving the same result - hence why it's surprising that one would become the other.
Regarding bad practice, yea, there are a lot of ways to do VLANs wrong (extending them across WAN links, using them for 'security,' routers on a stick, etc), but there are a lot of really neato things to do with them ... segmenting your LAN quickly and easily without having to buy additional hardware + recabling being among them (my primary use).
I'm a n00b in the land of VLANs but I did manage to tinker with it enough to get some use out of it at work.
We needed to set up a system for ghostcasting PCs on a workshop bench but couldn't tie that into the live network due to the DHCP/PXE server that I was running (the network folks don't like it when your DHCP server starts handing out leases where it shouldn't, hehe.)
So with an aging Intel 24-port switch, I set up 10 ports for the 'GHOST' vlan to which the ghostcast/pxe/dhcp server is connected. PC's just patch into any of those ports and they can ghost without issue. When it comes time for post-imaging configuration that requires a live network connection, they patch over to the 'LIVE' vlan which in turn is connected to the live network.
I would've preferred they just stop my DHCP/PXE traffic at the router/switch level on the live network to avoid the need to change ports but this was one workaround that so far hasn't let us down. And more importantly, the network guys haven't had to murder me =)
I'm sure that VLANs have MUCH more interesting uses than the above, but being the VLAN newbie that I am (heck, this was my first time ever configuring a managed switch even) it seemed like a good idea. I'd definitely be interested to hear more about how to put VLAns to good use, and how/where/when *not* to.
We needed to set up a system for ghostcasting PCs on a workshop bench but couldn't tie that into the live network due to the DHCP/PXE server that I was running (the network folks don't like it when your DHCP server starts handing out leases where it shouldn't, hehe.)
So with an aging Intel 24-port switch, I set up 10 ports for the 'GHOST' vlan to which the ghostcast/pxe/dhcp server is connected. PC's just patch into any of those ports and they can ghost without issue. When it comes time for post-imaging configuration that requires a live network connection, they patch over to the 'LIVE' vlan which in turn is connected to the live network.
I would've preferred they just stop my DHCP/PXE traffic at the router/switch level on the live network to avoid the need to change ports but this was one workaround that so far hasn't let us down. And more importantly, the network guys haven't had to murder me =)
I'm sure that VLANs have MUCH more interesting uses than the above, but being the VLAN newbie that I am (heck, this was my first time ever configuring a managed switch even) it seemed like a good idea. I'd definitely be interested to hear more about how to put VLAns to good use, and how/where/when *not* to.
spidey07, early Cat systems (5000, 5500) had hardware flaws that would cause VLAN leakage. In some cases, it was only .1Q (ISL was ok) and in some cases it was everything (even port-based/non-trunk configurations). This was a serious black eye, failure to provide the separation between VLANs as documented and promised really sucked, and caused a lot of headache.
>As far as manufacturers are concerned a vlan is a vlan. there is nothing special about them and everybody implements them the same.
Oh? We've got some folks whose designs give magical special treatment to vlan 1, or some other chosen "native VLAN." Others who appropriate random tag numbers for their own use (4095 & 0 being prime examples)... or choke if you send packets with those. Some folks designs can't filter membership on tagged packets, so a PC on that switch can send out a tagged packet and hop into any VLAN they want.
Then there's the joys of spanning tree. Do we do the STP on top, or underneath? .1d? .1s? Cisco or Extreme's proprietary stuff? Multiple STP domains or one? (hint: I long for the day when the only answer to STP questions is *NO*... but for now we need it)
And what about vlan configuration protocols? Some devices automagically learn about new VLANs. Some of them even kinda have some security for that feature
And don't even get me started about all the NIC / router / firewall bugs I've tickled with .1Q tags.
>As far as manufacturers are concerned a vlan is a vlan. there is nothing special about them and everybody implements them the same.
Oh? We've got some folks whose designs give magical special treatment to vlan 1, or some other chosen "native VLAN." Others who appropriate random tag numbers for their own use (4095 & 0 being prime examples)... or choke if you send packets with those. Some folks designs can't filter membership on tagged packets, so a PC on that switch can send out a tagged packet and hop into any VLAN they want.
Then there's the joys of spanning tree. Do we do the STP on top, or underneath? .1d? .1s? Cisco or Extreme's proprietary stuff? Multiple STP domains or one? (hint: I long for the day when the only answer to STP questions is *NO*... but for now we need it)
And what about vlan configuration protocols? Some devices automagically learn about new VLANs. Some of them even kinda have some security for that feature
And don't even get me started about all the NIC / router / firewall bugs I've tickled with .1Q tags.
Originally posted by: cmetz
spidey07, early Cat systems (5000, 5500) had hardware flaws that would cause VLAN leakage. In some cases, it was only .1Q (ISL was ok) and in some cases it was everything (even port-based/non-trunk configurations). This was a serious black eye, failure to provide the separation between VLANs as documented and promised really sucked, and caused a lot of headache.
>As far as manufacturers are concerned a vlan is a vlan. there is nothing special about them and everybody implements them the same.
Oh? We've got some folks whose designs give magical special treatment to vlan 1, or some other chosen "native VLAN." Others who appropriate random tag numbers for their own use (4095 & 0 being prime examples)... or choke if you send packets with those. Some folks designs can't filter membership on tagged packets, so a PC on that switch can send out a tagged packet and hop into any VLAN they want.
Then there's the joys of spanning tree. Do we do the STP on top, or underneath? .1d? .1s? Cisco or Extreme's proprietary stuff? Multiple STP domains or one? (hint: I long for the day when the only answer to STP questions is *NO*... but for now we need it)
And what about vlan configuration protocols? Some devices automagically learn about new VLANs. Some of them even kinda have some security for that feature
And don't even get me started about all the NIC / router / firewall bugs I've tickled with .1Q tags.
Damn you for bringing up spanning-tree and VLAN configuration protocols.
*shakes fist wildly in the air*
Well done cmetz for pointing out the inherent flaws in the system and the push of manufacters' belief that their way is the "right way" I wholeheartedly agree that the answer to spanning-tree is NO! A good design will completely elminate its need.
I will however point out that the cat5000/5500 has been end or support for sometime and was end of life in 1999. Nice switch in its day, but does't belong in a modern network.
You and I both know that VLANs are not an appropiate security measure.
To that end - a good design doesn't rely on VLANs. Back in the late 90s/very early 2000s it did (the birth of the layer3 switch). But given the modern network it doesn't.
Everything layer3, everywhere. Trunking bad....m'kay?
All these spanning-tree enhancements are nothing more than bandaids IMHO. Why do you have layer2 loops in your network to begin with!!!!!????? Why do you need to span a VLAN and tag it? the only application for that in today's network is IPtelephony. that is the only reason why you tag VLANs.
Unless we're talking QinQ. Then maybe.
I use spanning-tree pretty much as a way to prevent some well-intentioned but clueless person from getting a 5-port SOHO switch, hooking one port to the wall, one to their desktop PC, one to their voip phone, one to their laptop, and then one to the wall. It happens all the time. And it never ceases to amaze me how s witches handle this situation - by broadcast storming until they fall over, spewing enough broadcasts to take some other gear out in the process (Cisco routers being fine examples of boxes that can be knocked out by such things).
In my dream network, each jack gets its own little subnet
The reason I bring up the cat5000/5500 is that they had severe VLAN separation bugs, and Cisco got a well-deserved black eye from it. People today don't always remember the details, only vaguely that Cisco had major VLAN security problems.
Cisco switches have a long and sordid history. They kept producing switch after switch that sucked, each just a little less than the previous. The 3750s are decent, as long as you understand their limitations.
The one thing I do like about .1Q tagged VLANs is that with gear that actually works I can simplify my physical topology and trade it for a soft/virtual topology. Which I can remotely administer. When you're not on the same coast as the network you're working on, anything that invoves adding or removing cables is bad. The thing is that you need to be thoughtful about where to use tagging and VLANs, and you need to know which gear has what bugs.
In my dream network, each jack gets its own little subnet
The reason I bring up the cat5000/5500 is that they had severe VLAN separation bugs, and Cisco got a well-deserved black eye from it. People today don't always remember the details, only vaguely that Cisco had major VLAN security problems.
Cisco switches have a long and sordid history. They kept producing switch after switch that sucked, each just a little less than the previous. The 3750s are decent, as long as you understand their limitations.
The one thing I do like about .1Q tagged VLANs is that with gear that actually works I can simplify my physical topology and trade it for a soft/virtual topology. Which I can remotely administer. When you're not on the same coast as the network you're working on, anything that invoves adding or removing cables is bad. The thing is that you need to be thoughtful about where to use tagging and VLANs, and you need to know which gear has what bugs.
quickly...the damn SOHO switches don't run spanning-tree.
all the more reason to hate them.
but yeah. I'm pushing a much more secure network as are others.
quite plugging crap in.
all the more reason to hate them.
but yeah. I'm pushing a much more secure network as are others.
quite plugging crap in.
We live and die by the vlans at work. We VLAN/route it all on a 6500 Cat. We rarely trunk to other switchs, but just access layer them, and don't let folks seperate our groups of computers (racks in the test lab). I am going to be doing .1q with servers, so that every server can be moved independant of the others.
Hey thanx for the replies, i have a another question. So if I wanted to have 4 VLANS. and I wanted 2 of them to beable to communicate with each other I gotta have them tagged? The ports that is?
to communicate between vlans, you need a L3 device to route the packets. If you have arouter capable of reading the tags, then you can "router on a stick" it, with a single trunk to the router that routes between vlans. If your switch is L3, then you can route it inside the switch.
The whole purpose of a VLAN is it is a single layer2 broadcast domain. Frames from let's say vlan BLUE are all contained on the VLAN. These frames - layer2.
Add another vlan RED and you have the same thing. Even if they are on the same switch there is no communication between them. If a host sends out a broadcast on vlan BLUE none of the hosts on vlan RED will receive it. The switch will not forward the broadcast to the other vlan.
you can think of a VLAN as a single LAN. a single broadcast domain. a single network. a single IP network.
In order for separate lans/ip networks to communicate you need a router. something that routes packets (layer 3) instead of forwarding frames (layer2). a switch that routes is called a layer3 switch.
tagging vlans (802.1q trunking) is when you have two or more switches or network devices and BOTH switches have ports in vlan BLUE and RED. The link between the switches would then be configured as a 802.1q trunk.
Take switch1 and switch2. Link them together with a 802.1q trunk. Both switches have ports that are in vlan BLUE and RED.
a blue host on switch1 needs to send a frame to another blue host on switch2. Switch1 will receive the frame and look in its forwarding table on where to forward the frame (what port to spit it out of). It sees that it needs to send it out the trunk port. switch 1 then adds a small header to the frame indicating that this frame belongs in vlan blue.
switch 2 receives the frame on its trunk port. realizing that this port is a trunk it looks at the 802.1q header - ah! this frame goes in vlan blue. removes the header, looks in its forwarding table and spits the frame out the correct port based on the destination MAC address.
In the broadcast example a blue host sends out a frame with a destination address of ffff.ffff.ffff. switch receives this frame and forwards out all blue ports, but not red ports. The trunk port is technically a member of both vlans and as such the switch will bcast out the trunk port and add the 802.1q header to it of course.
switch2 receives the broadcast with the blue tag. switch2 then forwards the frame out all blue ports, but not red.
-edit-
found a really good reference...THE reference actually. you'll need to accept the terms.
http://standards.ieee.org/getieee802/download/802.1Q-2003.pdf
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 23K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
Facebook
Twitter