Confused about Frame Tagging

Mar 13th, 2008

Extracted from course materials.


"VIDs are associated with only those frames that traverse a trunk link. When a frame enters or exits the switch on an access link, no VID is present. The ASIC on the switch port assigns the VID to a frame as it is placed on a trunk link and also strips off the VID if the frame exits an access switch port."


1) "When a frame enters or exits the switch on an access link, no VID is present." If there is no VID on a frame when it enters an access port, why was it even mentioned that there is no VID when the frame exits the access port? OR does it mean that a frame is tagged with a Vlan ID whenever it enters an access port but the Vlan ID is removed when the frame exits an access port?


2) "The ASIC on the switch port assigns the VID to a frame as it is placed on a trunk link and also strips off the VID if the frame exits an access switch port." Isn't the VID removed as soon as the frame reaches the receiving end of the trunk link? The sentence seems to imply that the VID is not removed at the end of the trunk link, and is only removed when the frame exits an access port.


Any effort to clarify the confusion would be deeply appreciated!

cisconoobie Thu, 03/13/2008 - 18:48

1) "When a frame enters or exits the switch on an access link, no VID is present." If there is no VID on a frame when it enters an access port, why was it even mentioned that there is no VID when the frame exits the access port? OR does it mean that a frame is tagged with a Vlan ID whenever it enters an access port but the Vlan ID is removed when the frame exits an access port?



Vlan tagging only occurs on the trunk, not access port. It just states that if the port is an access port and not trunk, the frame will not be tagged. The switch will strip off the vlan tag at the end of the trunk and switch it in hardware to the correct access port it needs to go to.


2) "The ASIC on the switch port assigns the VID to a frame as it is placed on a trunk link and also strips off the VID if the frame exits an access switch port." Isn't the VID removed as soon as the frame reaches the receiving end of the trunk link? The sentence seems to imply that the VID is not removed at the end of the trunk link, and is only removed when the frame exits an access port.


Egress trunk to ingress trunk on receiving end, the egress is an access port.


Keep in mind you have ingress/switch backplane/egress.


Frame enters ingress switchport, L2 engine forwards to egress trunk port, over the wire, receiving switch receives on ingress trunk ports, sends to L2 switch, egress access port to destination.

Joseph W. Doherty Thu, 03/13/2008 - 19:02

The vlan tag on the frame is necessary on a trunk so that the other side can map frames to the correct vlan. However, once the device "knows" what vlan a frame belongs to, then what happens?


I believe it's up to the device's architecture how it manages internal matching of frames to vlans. One method would be to keep vlan tags attached to all frames until they must be stripped, such as when sending a frame out on an access port (and attaching a tag as a frame arrives on an access port). Your documentation appears to assume such an architecture.

akhran1974 Fri, 03/14/2008 - 17:55

In conclusion, am I right to say that


1) Frame entering an access port is NOT tagged with any Vlan ID. That in turn implies that any frame exiting access ports does not have any Vlan ID.


2) Frame entering a trunk link will be tagged with the Vlan ID that is based on the access port that the frame enters, i.e. if the frame enters an access port configured for Vlan 10, then the frame will be tagged with a Vlan 10 tag before entering a trunk link.


3) When a tagged frame reaches the end of the trunk link on the receiving switch, the frame will be stripped of its Vlan ID tag. Based on the Vlan ID that the frame had just before it exits the trunk link, the untagged frame is then flooded out on all access ports that are configured with the same Vlan ID.


4) However, if the trunk is encapsulated with dot1q, the frame will not be tagged if the frame had entered an access port that is configured with a vlan that is part of the dot1q trunk's native vlan. At the receiving end of the dot1q trunk, the untagged frame will then be flooded out on all access ports that are configured with a vlan that is the same as the dot1q trunk's native vlan.


Is that how the flow goes?


Frame enters access port configured for vlan 10 -> Frame flood out on all vlan 10 access ports and the trunk links -> Frame enters trunk link and gets tagged -> Frame reaches end of trunk link and tag gets removed -> Frame exits trunk link and flood out on all access ports that are configured for vlan 10 and all trunk links.



Thanks all !


Joseph W. Doherty Fri, 03/14/2008 - 18:36

Not precisely, see if this helps.


Frames entering an access port could be tagged, although the switch doesn't expect them to be.


Frames leaving an access port shouldn't be tagged.


Frames leaving a trunk port are usually tagged, but some might be untagged. The untagged frames could be mapped from a vlan (like leaving an access port).


Frames entering a trunk port are usually expected to be tagged, but untagged frames are also often supported. Untagged frames might be mapped to a vlan (like an access port's untagged frames).


Untagged frames crossing a trunk, could be from different vlans. (Similar to connecting one switch's access port to another switch's access port.)


Frames identified to a particular vlan should be constrained to just the ports or trunks that support that vlan. (Trunks often don't have to carry all vlans.)


Actual flooding of frames within a vlan follows the norms of switches. E.g. broadcasts will flood to all ports or trunks for the vlan but multicast and unicast (hopefully) often will not.

Correct Answer
lamav Fri, 03/14/2008 - 18:45

1) Frame entering an access port is NOT tagged with any Vlan ID. That in turn implies that any frame exiting access ports does not have any Vlan ID.


Correct.


2) Frame entering a trunk link will be tagged with the Vlan ID that is based on the access port that the frame enters, i.e. if the frame enters an access port configured for Vlan 10, then the frame will be tagged with a Vlan 10 tag before entering a trunk link.


Correct.


3) When a tagged frame reaches the end of the trunk link on the receiving switch, the frame will be stripped of its Vlan ID tag. Based on the Vlan ID that the frame had just before it exits the trunk link, the untagged frame is then flooded out on all access ports that are configured with the same Vlan ID.


Yes, IF the destination MAC address does not exist in the switch's MAC address table. If it does, it will forward the packet out the corresponding port.


4) However, if the trunk is encapsulated with dot1q, the frame will not be tagged if the frame had entered an access port that is configured with a vlan that is part of the dot1q trunk's native vlan. At the receiving end of the dot1q trunk, the untagged frame will then be flooded out on all access ports that are configured with a vlan that is the same as the dot1q trunk's native vlan.


Yes, but be aware that a lot of native vlan traffic is generated by the switch itself, like CDP packets and STP BPDUs.


As for the flow you have given: Remember that flooding only occurs if the destination MAC address is not in the MAC address table.


HTH


If so, kindly rate my post


Victor

Joseph W. Doherty Sat, 03/15/2008 - 04:58

Reading Victor's and my posts might lead to confusion since they appear to disagree, but I suspect we have different facts in mind. An important distinction needs to be made between what's on the wires going in and out of the switch, vs. vlan processing within the switch.


For instance, "1) Frame entering an access port is NOT tagged with any Vlan ID. That in turn implies that any frame exiting access ports do not have any Vlan ID.", we don't know what attached devices are actually sending to an access port, so the frames could be tagged. Some hosts today have the capability of tagging frames. Second, untagged frames entering an access port being associated to a vlan might have a vlan tagged frame made internally, or not. There's also the question of what a switch does with a tagged frame if it is provided (ingress) to access port or an untagged frame on a trunk port.


Similar issues of what should be on the wire, what could be on the wire, and when the switch actually tags or untags frames apply to your other conclusions. The latter, when a frame is actually tagged or untagged, is a bit different from what the switch should do when placing its frame on a wire outbound. When you see ASICs you're within the realm of physical architecture.


Victor makes an interesting point about native vlan traffic, such as CDP packets and STP BPDUs that would be seen untagged (native) on trunks. Here too, the simple can become complex. Some switches might suppress (by configuration) the native vlan across a trunk. CDP might not be active. STP BPDUs could also be tagged in support of PVST.
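The on-the-wire rules the thread converges on (untagged on access links, tagged on a dot1q trunk except for the native VLAN, flooding only when the destination MAC is unknown), as an added Python example that is not part of any poster's reply. The port names, the sample frame and the policy of dropping tagged frames on an access port are assumptions; as the replies note, real switches differ on that last point and on what they do internally.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag after the two MAC addresses (priority 0)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when no tag is present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 bits are the VID

def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Bytes placed on a dot1q trunk: native VLAN untagged, others tagged."""
    return frame if vlan == native_vlan else add_tag(frame, vlan)

def trunk_ingress(wire: bytes, native_vlan: int):
    """Classify a frame received on a dot1q trunk -> (vlan, untagged frame)."""
    vid, inner = parse_tag(wire)
    # VID 0 is a priority-only tag, so it is treated like an untagged frame.
    return (native_vlan if vid in (None, 0) else vid), inner

def access_ingress(wire: bytes, access_vlan: int):
    """Untagged frames join the port's VLAN. Tagged frames are dropped here
    (return None); that policy is an assumption, real platforms differ."""
    vid, _ = parse_tag(wire)
    return None if vid is not None else (access_vlan, wire)

def out_ports(mac_table, vlan_ports, vlan, dst, in_port):
    """Known destination MAC -> one port; unknown -> flood within the VLAN."""
    known = mac_table.get((vlan, dst))
    if known is not None:
        return [known]
    return [p for p in vlan_ports[vlan] if p != in_port]

# Constructed sample: broadcast dst, made-up src MAC, IPv4 EtherType, padding.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46
```
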
