2.2.6 VLANs, Trunks & QinQ

Questions and Answers

What is the primary purpose of VLANs in a network?

• To increase the physical distance between network devices.
• To divide a physical network into multiple logical networks. (correct)
• To create a single broadcast domain across multiple physical networks.
• To reduce the number of devices connected to a single switch.

Which of the following is a benefit of using VLANs?

• Decreased broadcast traffic
• Improved network security (correct)
• Increased collision domain size
• Reduced network complexity

What is a 'trunk' in the context of VLANs?

• A connection that carries traffic for multiple VLANs between switches. (correct)
• A port configured to only allow a single VLAN.
• A physical cable connecting two network devices.
• A method to reduce the MTU on a network.

What is the purpose of QinQ (802.1AD) in networking?

To allow service providers to use VLANs while also supporting customer VLANs. (D)

Which IEEE standard defines the process of frame tagging for VLANs?

802.1Q (D)

Why is it beneficial for a business with multiple sites to use VLANs?

To allow each site to have the same set of VLANs for consistency and manageability. (A)

What is the result of connecting switches without any VLAN configuration?

All devices become part of a single broadcast domain. (A)

What is the maximum number of VLANs that can be configured using the 802.1Q standard?

4,094 (A)

What is the significance of the VLAN ID 0 in the 802.1Q standard?

It signifies that the frame is not part of any VLAN. (D)

In an 802.1Q frame, what is the size of the VLAN tag field added to the Ethernet frame?

32 bits (D)

What is the main difference between an access port and a trunk port in a VLAN environment?

Access ports carry traffic for only one VLAN, while trunk ports carry traffic for multiple VLANs. (A)

In a network using VLANs, what happens to a broadcast frame?

It is only forwarded to devices within the same VLAN. (D)

If a frame enters a switch through an access port and is destined for a device on a different VLAN, what must be present in the network for the frame to reach its destination?

A router or Layer 3 switch to route traffic between the VLANs. (D)

What is the purpose of the Customer tag (C-TAG) and Service tag (S-TAG) in the context of QinQ?

The C-TAG identifies the customer's VLAN, while the S-TAG identifies the service provider's VLAN. (D)

When a tagged frame enters an access port on a switch, what typically happens to the VLAN tag?

The VLAN tag is removed. (C)

What is the key implication if different groups don't need to communicate with each other in a physically segmented network?

There is no need for cross-domain communication. (D)

If a staff member changes roles, moving from sales to game tester, what challenge does this pose in an entirely physical networking environment without VLANs?

The staff member needs to be physically moved to a different network segment. (C)

How does using a switch instead of a hub improve network performance?

By making each port a separate collision domain. (B)

What is the role of the destination MAC address in an Ethernet frame?

To specify the network interface card (NIC) of the intended recipient. (D)

In the context of VLANs, what happens when switches are connected, facilitating cross-building or cross-domain communications, without proper configuration?

One larger broadcast domain is created. (D)

What is a key advantage of using VLANs in cloud platforms like AWS (Amazon Web Services)?

VLANs allow for configuration of public and private Virtual Interfaces (VIFs) on Direct Connect. (B)

What is the main problem with physically separating different groups of devices into different network segments?

It doesn't scale well and requires physical reconfiguration for changes. (C)

What is the fundamental limitation VLANs address that traditional physical network segmentation does not?

The need for physical rewiring when network requirements change. (C)

What characteristic defines a physical network segment?

Devices connected to a single Layer 2 capable device such as a switch. (B)

How does 802.1Q modify a standard Ethernet frame?

By adding a new 32-bit field within the frame. (B)

Where is the 32-bit field inserted in a standard ethernet frame by 802.1Q?

Between the ET field and the Source MAC Address (D)

For unicast frames, what action will a switch take if it is unaware of the destination MAC address within a specific VLAN?

It will initiate a broadcast within the same VLAN. (D)

Which of the following is the most accurate description of how VLANs facilitate network management in a large organization?

VLANs improve network organization by logically grouping resources, simplifying policy enforcement and administration. (B)

Considering a scenario where a company uses both internal VLANs and a service provider’s VLANs, how does QinQ (802.1AD) specifically address potential VLAN ID conflicts?

By encapsulating the company’s VLAN tags within the service provider’s VLAN tags, adding an additional layer of segmentation. (D)

In a complex network environment using both VLANs and trunk ports, what is the impact on network traffic if a trunk port is misconfigured to disallow a specific VLAN?

Devices in the disallowed VLAN will not be able to communicate across that trunk link. (A)

Consider a scenario where a network engineer needs to implement VLANs to isolate guest network traffic from the corporate network. What is the most effective approach to ensure security and prevent unauthorized access?

Implement separate VLANs for each network, configure a router with access control lists (ACLs) to control traffic between them, and ensure no routing is enabled between the guest VLAN and the corporate VLAN. (A)

In the context of VLANs and network scalability, what is the primary limitation of relying solely on access ports in a large, growing network?

Access ports can lead to management overhead due to not having support for multiple VLANs. (A)

If a network administrator configures a VLAN only on the switch ports connected to end-user devices but neglects to configure VLAN trunking on the links between switches, what is the likely outcome?

The end-user devices will be unable to communicate with each other if they are connected to different switches. (A)

In a QinQ configuration, if a customer is utilizing VLAN IDs from 2 to 100 on their internal network, and a service provider encapsulates this traffic with a service VLAN ID 2000, What is the effective VLAN ID range available to the customer?

2 to 100 (B)

In a scenario where a frame is tagged with both an 802.1Q VLAN tag and a QinQ (802.1AD) tag, identify the sequence of tag processing as the frame traverses from a customer network, through a service provider network, and back to another site within the same customer network.

The service provider removes the QinQ tag and the customer removes the .1Q tag. (A)

Flashcards

What is a VLAN?

Virtual Local Area Network divides a physical network into logical networks.

What are trunk connections?

Connects different parts of a network, allowing devices to communicate.

What is Q-in-Q?

A more advanced version of VLANs.

What is a broadcast domain?

A shared communication pathway where one device transmits and all others receive.

Collision domain

A network segment connects devices using a switch rather than a hub.

Why segment the Network?

Breaks up broadcast domains and isolates traffic.

Source MAC Address

MAC address of the device creating and sending the ethernet frame.

Destination MAC Address

MAC address of the intended recipient of the ethernet frame.

What is a unicast frame?

Frame destined for one device.

What is a broadcast frame?

Frame for all devices.

What does the 802.1Q standard do?

Enables isolating devices into different network segments.

What does '.1Q' change?

Adds a 32-bit field to a standard ethernet frame.

What is the VLAN ID (VID)?

Identifies VLAN or VID.

What does 802.1Q allow?

Allows multiple virtual LANs to operate over the same layer 2 network.

Broadcast Domain (VLANs)

A network span.

Examples of VLANs

A VLAN for CCTV, servers, game testing and guests.

What is 802.1AD (Q-in-Q)?

Also known as provider bridging or stacked VLANs.

C-TAG (Customer Tag)

Keeps customer VLAN fields.

S-TAG (Service Tag)

The Provider tag.

VLAN Tagging

Tag frames with VLANs and tag with the VLAN ID.

802.1Q

Ports used to identify device types as separate buildings but they don't have to be.

VLANs

Allows to create separate layer two network segments.

What is an access port?

Port with one specific VLAN ID.

What is a trunk port?

Conceptually associated with all VLAN IDs.

Access ports

Ports communicate with devices using standard Ethernet.

Where frames move through an access port where is VLAN ID added?

All frames are tagged with the VLAN that the access port is assigned to.

Trunk Port

A port between two switches. It forwards all frames and it includes the VLAN Tagging.

Study Notes

VLANs, Trunks & QinQ

• VLANs, trunk connections, and Q-in-Q (a more advanced version of VLANs) are important topics in traditional or hybrid networking.

Physical Network Segment

• A physical network segment consists of eight devices connected to a single layer two capable device (switch).
• Each LAN is a shared Broadcast Domain
• Frames addressed to all FFs (broadcast) will be broadcast on all ports, reaching all devices.
• Adding more devices increases broadcast traffic, which doesn't scale well
• Switches improve performance by creating separate collision domains for each port, reducing retransmissions.

Segmenting Networks

• A local network can have distinct user groups, such as game testers, sales, and finance.
• Separate device groups are preferred for larger businesses, creating network segments for normal devices, servers, security systems, CCTV, IoT devices, and IP telephony.
• It is challenging to achieve this segmentation with only a physical network.
• To separate groups, devices can be placed on different floors or buildings with their own switches.
• Each building becomes its own broadcast domain because the switches aren't connected.
• This setup is suitable if groups don't need to communicate across domains.
• The switches have no layer two communications between them without connections.
• Connecting switches creates a larger broadcast domain, reverting to the drawbacks of a single network.
• Physical networking is complicated when staff members change groups but not buildings.
• Physically running new cables can solve this problem manually
• This manual solution does not scale well; therefore, virtual LANs (VLANs) are required.

VLANs and the OSI Model

• A regular Ethernet frame includes source and destination MAC addresses, and a payload for data.
• The source MAC address is from the device creating/sending the frame.
• The destination MAC address is a specific (unicast) address or all FFs (broadcast).
• Broadcast frames are viewed by all devices on the layer two network.
• Standard frames lack the ability to isolate devices into different groups.
• The 802.1Q (.1Q) standard modifies the frame format by adding a 32-bit field.
• This new field increases the frame size.
• Twelve bits of this field are used to store values from 0 to 4,095, identifying the VLAN ID (VID).
• 0 signifies no VLAN, and 1 is typically used for the management VLAN.
• The 802.1Q allows over 4,000 VLANs in a layer 2 physical network enabling creation of multiple Virtual LANs

Use Cases and 802.1AD

• It creates over 4,000 different broadcast domains in the same physical network
• Create VLANs for CCTV, servers, game testing, and guests.
• The possibilities are endless
• Businesses with multiple sites can use VLANs for each site and connect them via a dedicated WAN.
• When multiple sites each require VLAN 1337, and so does the communication provider, 802.1AD (Q-in-Q), also known as provider bridging or staggered VLANs comes into play.
• QinQ adds another VLAN ID field to the frame to solve conflicts of same VLAN ID's
• The original VLAN field is the C-TAG (customer tag).
• The added VLAN field is the S-TAG (service tag).
• Using .1Q allows VLANs from different customers with the same VLAN ID to traverse the network
• Large complex networks typically use Q-in-Q, while smaller networks and cloud platforms like AWS use .1Q.

VLAN Ports and Tagging

• 802.1Q is configured so that Ports and switches are defined as either access ports or Trunk ports.
• Each access port generally has one specific VLAN ID (VID) associated with it.
• A Trunk Port conceptually has all VLAN ID's associated with it.
• Assign finance team devices to VLAN 20 and game testing devices to VLAN 10.

VLAN Operation and Communication

• Buildings are separated by broadcast domains if their switches are disconnected
• Two laptops on the finance team connect to switch number 1, and two laptops on the game tester team connect to switch number 2.
• VLAN Capable networks have two types of ports
• Access Ports
• Trunk Ports
• End devices connect to access ports.
• Access ports use standard Ethernet, so frames are not VLAN tagged.
• When a frame enters the switch, the egress port adds the VLAN the frame is assigned.
• After exiting, it's tagged with VLAN 10 (for the orange VLAN).
• Switches must forward broadcasts out every port it did not originate from.
• For VLANs, this forwarding is different.
• First, forwarding is to any other access ports on the same VLAN, with tagging removed.
• The devices connected to these access ports won't understand VLAN tags.
• After, it can forward to trunk ports.
• Trunk ports connect two .1Q-capable devices and forward all frames, including VLAN tags.

VLAN Frame Handling

• VLAN Frames are forwarded to Switch 1 as VLAN10
• The .1Q Frames are forwarded only to Access ports on the same VLAN, or Trunk Ports.
• Frames for Unicast MAC addresses will either be forwarded to an access port in the same VLAN or broadcast if the MAC address is not known.
• Frames are forwarded to all devices connected to access ports on that VLAN and removed.
• Frames forwarded through trunk ports are tagged with VLAN 20 (Finance).
• Each device on the VLAN is isolated without communication between.
• Without a Layer 3 Device, each VLAN cannot communicate with each other

VLAN Summary Points

• VLANs allows creation separate layer two network segments,
• Traffic is isolated within VLANs, with no frames leaving the boundary without a router.
• VLANs can create isolated customer networks
• Connecting to VPC's using Direct Connect
• In AWS, separate broadcast domains are created with VLAN tagging
• If 802.1Q is mentioned => its VLANs
• VLAN stacking or provider bridging, or 802.1AD, or Q-in-Q, => Nested VLANs are present using a combination of customer and service tags
• QinQ must be understood to pass networking exams