In-depth understanding of the working principle of VLAN with pictures and texts, don't miss it

After learning about several methods and configurations of VLAN division, I am very curious about how VLAN works. How does it achieve the isolation function? With these questions, let's take a look today.

Basic VLAN Communication Principles

In order to improve processing efficiency, all data frames inside the switch are VLAN tagged and processed in a unified manner. When a data enters the switch interface, if it does not have a VLAN Tag and the interface is configured with a PVID, then the data frame will be tagged with the PVID of the interface. If the data frame already has a VLAN Tag, then even if the interface has been configured with a PVID, the switch will not tag the data frame with a VLAN Tag.

Due to different interface types, switches process data frames differently. The following two cases illustrate the working principle of VLAN:

Different VLANs on the same switch

In the figure above, the switch is configured with VLAN 10 and 20 respectively, and the corresponding PCs are added to different VLANs. By capturing packets on GE0/01 and GE0/0/3 on the switch, it is found that GE0/0/1 can capture data packets, but no data packets pass through GE0/0/3. This also confirms a feature of VLAN, isolating broadcast storms.

Normally, when PC1 communicates with PC2 for the first time, it broadcasts an ARP request, which can be received normally by all ports of the switch except the port that sends data. However, since the above topology is divided into VLANs, the ARP broadcast is discarded by the GE0/0/3 port. As a result, PC1 cannot obtain the MAC address of PC2, resulting in communication failure.

When you see this, you may ask, can we tell PC1 the MAC address of PC2 in advance, so that PC1 does not need to send ARP broadcast packets to request the MAC address.

Add the MAC addresses of each other on PC1 and PC2 and execute the following command:

 PC1 > arp -s 192.168.1.3 54-89-98-C1-58-5A
 PC2 > arp -s 192.168.1.2 54-89-98-05-20-B9

After adding, capture packets on the switch GE0/0/1 and GE0/0/3 ports again. As shown in the following figure, no data is captured on GE0/0/3. This time, the request from GE0/0/1 port to the ICMP packet times out.

By binding the MAC address information in advance, however, PC1 and PC2 still cannot access each other. So how does the VLAN data packet work? First, let's look at what the Access port does when receiving and sending data packets.

• The access interface processes the received untagged message by receiving the message and adding the default VLAN ID.
• The access interface processes the received tagged messages: when the VLAN ID is the same as the default VLAN ID, the message is received; when the VLAN ID is different from the default VLAN ID, the message is discarded;
• Sending frame processing: first strip the PVID Tag of the frame and then forward it.

Note: If the port is of access type and a VLAN is added, the PVID attribute value of this port becomes the same as the VID value; the default VLAN ID is the currently added VLAN ID

From the above access port receiving and sending data packets, we can roughly infer that the communication process between PC1 and PC2 is as follows:

• When PC1 sends a data packet, it is not tagged. After entering the switch GE0/0/1 port, it is tagged with VLAN 10.
• When the switch GE0/0/3 port receives the data packet sent by the GE0/0/1 port, it checks and finds that it is tagged. It further compares it with its own default VLAN to see if it is consistent. As a result, it finds that they are inconsistent, so it directly sends the data packet and discards it.

Same VLAN on the same switch

In the figure above, two switches are interconnected through GE0/0/24 port, and GE0/0/24 is configured as a trunk port to allow VLAN 10 and 20 to pass. So what is the process of VLAN across switches?

First, capture packets on the GE0/0/24 ports of SW1 and SW2 respectively to see what kind of data packets pass through GE0/0/24.

From the above figure, we can see that the data packets passing through the G0/0/24 ports of SW1 and SW2 are the same and carry tags. Let's take a look at the process of sending and receiving data packets on the trunk.

Trunk port processing of untagged packets:

• The default VLAN ID is marked, and when the default VLAN ID is in the list of VLAN IDs allowed to pass, the message is received.
• If the default VLAN ID is not in the list of VLAN IDs allowed to pass, the packet is discarded.

Trunk port processing of tagged packets:

• When the VLAN ID is in the list of VLAN IDs allowed to pass through the interface, the message is received;
• If the VLAN ID is not in the list of VLAN IDs allowed by the interface, the packet is discarded.

Send frame processing:

• When the VLAN ID is the same as the default VLAN ID and is a VLAN ID allowed to pass through the interface, the Tag is removed and the message is sent;
• If the VLAN ID is different from the default VLAN ID and is a VLAN ID allowed by the interface, the packet is sent with the original tag.

From the above Trunk port data packet sending and receiving process, we can roughly infer the process of PC1 and PC3 as follows:

• When PC1 sends a data packet to the SW1 port (the data packet does not carry a tag), after entering the GE0/0/1 port of the SW1 switch, the port VLAN ID 20 is added for forwarding.
• ARP broadcast is performed to request the MAC address of PC3. The data packet enters the GE0/0/24 port of SW1. Since the GE0/0/24 port of SW1 is in trunk mode, VLANs 10 and 20 are allowed to pass through, and the frame is sent according to the trunk port processing process. The data packet successfully arrives at the G0/0/24 port of SW2.
• Since the ARP broadcast packet carries the Tag, only the corresponding port processes the broadcast and responds accordingly.
• PC1 obtains the MAC address of PC3, encapsulates and forwards data packets, and communicates.