Segmenting networks with VLANs

Logically Tunneled

Cross-Switch VLANs

Where one or more VLANs extend across multiple switches, the switches are connected by VLAN trunks (VLTs). With port-based VLANs (frames that carry no tag), the switch adds a VLAN tag that identifies the VLAN a frame belongs to before it feeds the frame into the trunk; the switch on the receiving side strips the tag again before delivering the frame to an untagged access port. With IEEE 802.1Q VLANs, however, frames are already tagged by the end device or at the ingress port of the switch, so a switch can feed them into the trunk unchanged, and a switch that receives an 802.1Q-tagged frame on a VLT port (trunk port) can forward it unchanged as well.

If a switch receives untagged frames on a trunk port, they are either assigned to a default (native) VLAN, depending on the configuration, and tagged by the switch before they go any further, or they are discarded. For that reason the native VLAN of a trunk should not be one that carries user traffic: a frame whose outer tag matches the native VLAN leaves the trunk with that tag stripped, and any second tag underneath is then interpreted by the next switch, which is the basis of double-tagging VLAN hopping. Configuring the switch to discard untagged frames on trunk ports, or to tag the native VLAN as well, closes that door.
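
The following Python script, added here as an example and not part of the original article, models what the text describes: the tag a switch inserts into a port-based frame before it enters a trunk and strips on the far side, and the native-VLAN or discard handling of untagged frames received on a trunk port. The frames, MAC addresses and VLAN IDs are constructed for the example; the tag layout (TPID 0x8100 followed by a 16-bit TCI) is the standard 802.1Q one.

```python
"""Added example (not from the article): how a trunk port handles 802.1Q tags.

Models the two cases described above:
  * a frame from a port-based (untagged) VLAN gets a tag inserted before it
    enters the trunk and has it stripped again on the far side, and
  * an untagged frame arriving on a trunk port is either mapped to the
    port's configured native (default) VLAN or discarded.
All frame bytes, MAC addresses and VLAN IDs below are constructed.
"""
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tag


def parse_tag(frame: bytes):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None.

    Layout: dst MAC (6) | src MAC (6) | TPID (2) | TCI (2) | EtherType (2) | payload
    TCI = 3-bit priority (PCP), 1-bit drop-eligible (DEI), 12-bit VLAN ID.
    """
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a switch does before
    feeding an untagged access-port frame into a trunk."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as the receiving switch does before delivering
    the frame to an untagged access port."""
    if parse_tag(frame) is None:
        raise ValueError("frame carries no 802.1Q tag")
    return frame[:12] + frame[16:]


def trunk_ingress(frame: bytes, native_vid=None, drop_untagged: bool = False):
    """Classify a frame arriving on a trunk port.

    Returns (vid, frame) for frames the switch forwards, or None when the
    frame is discarded. Tagged frames pass unchanged; untagged frames are
    associated with native_vid (the switch tags them later) or dropped when
    the port is configured to discard untagged traffic or has no native VLAN.
    """
    tag = parse_tag(frame)
    if tag is not None:
        return tag[0], frame
    if drop_untagged or native_vid is None:
        return None
    return native_vid, frame


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                         payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed minimum-size (60-byte) untagged Ethernet frame."""
    return dst + src + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    access = build_untagged_frame(dst, src)
    on_trunk = add_tag(access, 100, pcp=3)        # switch A: access VLAN 100 -> trunk
    print(parse_tag(on_trunk))                    # (100, 3)
    print(strip_tag(on_trunk) == access)          # switch B restores the original frame
    print(trunk_ingress(access, native_vid=1))    # untagged on a trunk -> native VLAN 1
    print(trunk_ingress(access, drop_untagged=True))  # None: discarded
```

Run the script as-is to see the three cases; `trunk_ingress` is the part to compare against a real switch's trunk configuration, since the choice between a native VLAN and discarding untagged frames is exactly the knob discussed above.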

Dynamic VLANs with GVRP

VLAN memberships of ports and devices can be assigned statically with a management tool, but also dynamically on the basis of the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP). Bear in mind, however, that dynamic VLAN assignment is only worthwhile where topology changes occur as a result of the spanning-tree protocol and the switches therefore have to relearn the MAC addresses present.

GARP is defined in the IEEE 802.1D standard; with its help, devices can convey their attributes to a switch, and switches can convey them to each other. To register devices in VLANs, GARP was extended with VLAN functionality (GVRP, specified in IEEE 802.1Q). Each registration service is provided by a GARP application, which defines the semantics of the parameters to be transferred and generates the Protocol Data Units (PDUs). To exchange the necessary information, GVRP uses two GARP components: GARP Information Declaration (GID) and GARP Information Propagation (GIP).

GID tracks the current registration and declaration state of each attribute and determines the required actions. A registration or declaration is made with a Join message (JoinIn or JoinEmpty) and withdrawn with a Leave message (LeaveIn or LeaveEmpty); a LeaveAll message forces all registrations on a port to be renewed. Joins are repeated regularly per port and attribute (per multicast group in GMRP, per VLAN ID in GVRP).

GIP distributes the registrations and declarations received on one port to the other ports of the switch, and thus to all switches in the LAN; in this way the switches learn which VLANs are currently in use behind each port. GIP also reacts to topology changes signaled by spanning tree. Information is forwarded to GVRP nodes via a dedicated multicast address: GVRP protocol data units carry the destination address 01-80-C2-00-00-21.
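
The following Python code is an added example, not code from the article: it builds a GVRP frame to 01-80-C2-00-00-21 and parses one back, covering the Join and Leave events described above plus LeaveAll. The GARP PDU layout it uses (protocol ID 0x0001, attribute type 1 for VLAN IDs, each attribute as length/event/value, 0x00 end marks after the attribute list and after the PDU, carried behind an LLC header with DSAP/SSAP 0x42) follows IEEE 802.1D/802.1Q; the VLAN IDs and the source MAC address are constructed.

```python
"""Added example (not from the article): encode and decode GVRP PDUs.

GVRP carries the GARP protocol in an IEEE 802.3 frame with an LLC header
(DSAP 0x42, SSAP 0x42, UI control 0x03) addressed to the reserved group
address 01-80-C2-00-00-21. The GARP PDU consists of a protocol ID (0x0001),
one or more messages and an end mark; a GVRP message uses attribute type 1
(VLAN ID), and every attribute records one GID event for one VID. The VIDs
and the source MAC used below are constructed.
"""
import struct

GVRP_DST_MAC = bytes.fromhex("0180c2000021")
LLC_HEADER = bytes([0x42, 0x42, 0x03])   # DSAP, SSAP, control (unnumbered information)
GARP_PROTOCOL_ID = 0x0001
ATTR_TYPE_VID = 0x01                      # the only attribute type GVRP defines
END_MARK = 0x00

# GID attribute events as carried in GARP attributes
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
EVENT_CODE = {name: code for code, name in EVENTS.items()}


def build_gvrp_pdu(events) -> bytes:
    """events: iterable of (event_name, vid); vid is None for LeaveAll.

    A VID attribute is 4 bytes (length, event, 2-byte VID); LeaveAll carries
    no value and is 2 bytes. The attribute length counts itself and the event.
    """
    attrs = b""
    for name, vid in events:
        code = EVENT_CODE[name]
        if name == "LeaveAll":
            attrs += struct.pack("!BB", 2, code)
        else:
            if not 1 <= vid <= 4094:
                raise ValueError("VID must be 1..4094")
            attrs += struct.pack("!BBH", 4, code, vid)
    message = bytes([ATTR_TYPE_VID]) + attrs + bytes([END_MARK])
    return struct.pack("!H", GARP_PROTOCOL_ID) + message + bytes([END_MARK])


def build_gvrp_frame(src_mac: bytes, events) -> bytes:
    """Wrap a GVRP PDU in an 802.3 frame (length field, LLC header, padding)."""
    payload = LLC_HEADER + build_gvrp_pdu(events)
    pad = b"\x00" * max(0, 46 - len(payload))          # pad to the minimum frame size
    return GVRP_DST_MAC + src_mac + struct.pack("!H", len(payload)) + payload + pad


def parse_gvrp_frame(frame: bytes):
    """Return the list of (event_name, vid) carried by a GVRP frame.

    Every length and end mark is checked, so a truncated or malformed PDU
    raises ValueError instead of indexing past the buffer.
    """
    if len(frame) < 14 or frame[:6] != GVRP_DST_MAC:
        raise ValueError("not a frame to the GVRP group address")
    (length,) = struct.unpack_from("!H", frame, 12)
    if length > 1500 or 14 + length > len(frame):
        raise ValueError("bad 802.3 length field")
    body = frame[14:14 + length]
    if body[:3] != LLC_HEADER:
        raise ValueError("missing LLC 42/42/03 header")
    pdu = body[3:]
    if len(pdu) < 4 or struct.unpack_from("!H", pdu, 0)[0] != GARP_PROTOCOL_ID:
        raise ValueError("not a GARP PDU")

    def byte_at(i):
        if i >= len(pdu):
            raise ValueError("truncated PDU")
        return pdu[i]

    result, pos = [], 2
    while byte_at(pos) != END_MARK:                  # one message per attribute type
        if byte_at(pos) != ATTR_TYPE_VID:
            raise ValueError("unknown GVRP attribute type %d" % pdu[pos])
        pos += 1
        while byte_at(pos) != END_MARK:              # attributes up to the end mark
            alen, event = byte_at(pos), byte_at(pos + 1)
            if alen == 2 and event == 0:
                result.append(("LeaveAll", None))
            elif alen == 4 and event in EVENTS:
                byte_at(pos + 3)                     # bounds check for the 2-byte VID
                result.append((EVENTS[event], struct.unpack_from("!H", pdu, pos + 2)[0]))
            else:
                raise ValueError("malformed attribute")
            pos += alen
        pos += 1                                      # skip the attribute-list end mark
    return result


if __name__ == "__main__":
    # A switch declaring VLANs 100 and 200 on a trunk and forcing re-registration:
    frame = build_gvrp_frame(bytes.fromhex("000102030405"),
                             [("JoinIn", 100), ("JoinEmpty", 200), ("LeaveAll", None)])
    print(frame.hex())
    print(parse_gvrp_frame(frame))
```

Feeding the bytes of a GVRP frame from a capture to `parse_gvrp_frame` shows which VLAN IDs a neighbor is declaring; anything unexpected there (for instance a port that should only be an access port declaring VLANs) is worth a look, since GVRP will register whatever a neighbor announces.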

VLAN Troubleshooting

During troubleshooting, you examine the data captured with an analyzer for frames from the VLAN in question. Check whether the traffic is correctly tagged by looking for the VLAN tags in the captured data. In practice it happens time and again that the VLAN tags are missing from the traces, which makes a complete analysis of the fault impossible.

On many machines this is normal behavior. The tags are not displayed because the network card or its driver strips them before the frame reaches the capture software. The suppression of VLAN tags during traffic analysis has its origin in the operating system: Windows, for example, has no built-in mechanism for recording the VLAN tag, and most Ethernet adapter drivers either discard the tag or remove it automatically before further processing. The Ethernet frame then looks as if it never carried a tag. To get rid of this display problem, each network card in use has to be considered individually. On Intel cards, the current drivers must be installed first; only then can the adapter be made to hand the tag through to the analyzer.

In addition, manual changes to the Windows registry are required; Intel provides a guide [1] for reconfiguring Windows machines. For Broadcom adapters, too, the current driver must be installed. In the registry you then search for the value TxCoalescingTicks to locate the adapter's instance, click the instance number (e.g., 008), and add a new string value named PreserveVlanInfoInRxPacket with a value of 1.

After the change, the analyzer should display the VLAN tags correctly. It goes without saying that registry changes always involve a certain risk to system stability, so export the affected key before editing it.
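
As an added example (not from the article), the following Python script performs the check described above offline: it reads a classic libpcap capture, tallies frames per VLAN ID and reports the stripped-tag symptom when a non-empty capture contains no tagged frame at all. The capture used here is constructed in memory; to check a trace from an analyzer, pass the bytes of a real .pcap file (not pcapng) to `vlan_summary`.

```python
"""Added example (not from the article): check a capture for 802.1Q tags.

Reads a libpcap file (the classic .pcap format, Ethernet link type) and
tallies frames per VLAN ID, so you can tell whether the tags reached the
analyzer or were stripped by the adapter driver before capture. The capture
built below is constructed: two tagged frames (VIDs 10 and 20) and one
untagged frame.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8   # outer tag of an 802.1ad (Q-in-Q) frame


def iter_pcap_frames(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) from pcap bytes; handles both byte orders."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        if pos + incl_len > len(data):
            raise ValueError("truncated pcap record")
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def vlan_of(frame: bytes):
    """VID of the outermost 802.1Q/802.1ad tag, or None when the frame is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid in (TPID_8021Q, TPID_8021AD):
        return tci & 0x0FFF
    return None


def vlan_summary(pcap: bytes):
    """Return {vid_or_None: frame_count} for the whole capture."""
    counts = {}
    for _, frame in iter_pcap_frames(pcap):
        vid = vlan_of(frame)
        counts[vid] = counts.get(vid, 0) + 1
    return counts


def tags_missing(counts) -> bool:
    """True when a non-empty capture contains no tagged frame at all: the
    symptom of a driver stripping tags before the analyzer sees them."""
    return bool(counts) and all(vid is None for vid in counts)


def make_frame(vid=None) -> bytes:
    """Constructed minimum-size Ethernet frame, optionally with an 802.1Q tag."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


def make_pcap(frames) -> bytes:
    """Wrap frames in a little-endian pcap container (constructed test data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


SAMPLE_PCAP = make_pcap([make_frame(10), make_frame(20), make_frame()])

if __name__ == "__main__":
    counts = vlan_summary(SAMPLE_PCAP)
    print(counts)                                     # {10: 1, 20: 1, None: 1}
    print("tags stripped?", tags_missing(counts))     # False
    # A trace from an adapter that strips tags looks like this:
    print("tags stripped?", tags_missing(vlan_summary(make_pcap([make_frame()] * 3))))
```

A summary that shows only the `None` bucket for a trace taken on a trunk or on a tagged access port is the cue to apply the driver and registry changes described above, then capture again.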
