If you are familiar with VLANs according to IEEE 802.1Q, you probably already know terms such as "PVID", "untagged membership", "tagged membership" and "VLAN tag".
However, more and more networking devices use terms such as "Trunk", "Trunking" and "Access" in their VLAN setup, which adds confusion to a topic that is already hard to get into. The switch port settings within Nebula in particular use this terminology and therefore differ considerably from the way we previously learned to set up VLANs.
In this article we want to clear up the confusion surrounding this topic and give some insight into how VLANs are set up within Nebula.
History Lesson - a recap of VLANs according to 802.1Q
If you are interested in a more detailed explanation, check out these articles. Reading them before continuing is highly recommended, as they explain the foundation on which the Trunk / Access VLAN types are built:
VLAN - A deeper look at how they work
VLAN - Tagged VLANs vs. PVID (Setup Example Untagged/Tagged VLAN on a GS22XX-Switch)
If we look back at how VLANs are defined, there are some basic parameters we have to get straight first. According to the 802.1Q standard, frames belonging to a VLAN are distinguished by the size of the header: extra bytes with specific content are inserted into the frame when it carries a VLAN membership. We call this the VLAN tag. See the graphic below for reference:
A switch port will only accept the enlarged frame if it has been made aware that a frame bigger than the usual frame size is to be expected, and if the VLAN ID (VID) in the tag matches what the switch has been configured for. This is called tagged membership. Once accepted, the switch treats the incoming frame as belonging to the VLAN it was tagged for.
With an untagged membership, the switch port does not expect any tagged traffic, but normal-sized frames without a VLAN tag. What it does, in conjunction with the PVID, is treat the untagged incoming frame as belonging to a certain VLAN. You can imagine the VLANs set on the port as "railroad tracks/lanes with an identifier number":
Now that we have looked at how VLANs work generically according to the IEEE standard, let's put this into the context of the newer way of setting up VLANs via Trunk & Access Mode.
Setting up VLANs more easily - Trunk & Access Mode
VLANs follow a concept that is hard to grasp for a lot of people. It is one of those fields you do not understand at all until you understand it really thoroughly; but once you get a grip on how they work, they become "easy as pie". Competitors like Cisco have changed the way they assign VLAN memberships to something that seems more intuitive for the less experienced engineer, and which by now has established itself as a parallel industry standard alongside the 802.1Q definition of VLANs, using Trunk Mode and Access Mode to define the memberships. To cater to this growing demand, we have also implemented this concept of assigning VLAN memberships in our Nebula solution. Let's first take a look at what the menu looks like for Trunk Mode and put that into the perspective of the 802.1Q standard. The menu can be found via:
Site-wide > Configure > Switch > Switch ports
Now tick the checkbox of the port you want to edit and press the "Edit" button; you will be presented with the port editing menu:
What we want to focus on is the marked area consisting of Type, PVID & Allowed VLANs:
- Type - Lets you choose between Trunk & Access Mode
- PVID - Lets you set the PVID for the port
- Allowed VLANs (only in Trunk Mode) - Lets you set which VLANs are activated/tagged/assigned to the port
- VLAN Type (only in Access Mode) - Allows you to assign certain dynamic VLAN distribution mechanisms such as Voice VLAN etc.
So now that we have discussed where to find the settings and what can be set, how do we translate the Trunk & Access types to our previously gained knowledge of 802.1Q? It's pretty simple, honestly:
Trunk
The Trunk VLAN type is chosen when we have a VLAN-capable device at the peer side. So if we want to handle any sort of tagged VLAN traffic, we choose the Trunk type. Then we set the PVID to our needs. As we learnt in the article VLAN - A deeper look at how they work, the PVID always has to match our untagged membership, and there can only be one untagged membership per port, which means one PVID per port as well. So by setting the PVID to 1, we automatically assign this switch port an untagged membership in VLAN 1 in the background. Moving on, we have "Allowed VLANs", which is set to "all" by default. This can be read as: "This port has been assigned all 4096 VLANs. Since PVID 1 is set and there is a match within the Allowed VLANs, VLAN 1 is untagged, but all the other VLANs from 2 to 4096 are set to tagged membership".
If we only want a specific selection, for example untagged VLAN 1 and tagged VLANs 10, 20 and 30, we would set up the following:
This can be read as: "We are setting up the port to accept untagged traffic and treat it as VLAN 1 traffic. Apart from that, tagged frames with VID 10, 20 or 30 are also allowed to enter. Anything differing from this will be rejected".
With these examples at hand, it should be clear why the Trunk type is easy and intuitive to set up and is gradually becoming an industry standard for VLAN setup.
Access
The Access mode differs greatly from the Trunk VLAN type in that Access mode has no configurable VLANs except for the PVID. As we learnt before, the PVID always has to match the untagged membership. In turn, this can be read as: "If we set up Access mode, we are purely allowing untagged traffic to be treated as belonging to whatever VLAN is set as the PVID. Tagged traffic in its entirety will be rejected". The Access type is used especially on ports where you know the connected end devices are not VLAN-capable, often referred to as "edge ports". This is commonly the case with normal desktop PCs and laptops.
Let's look at this example:
This can be described this way: "We set the switch port VLAN type to Access. This exclusively allows incoming frames without a tag to be treated as belonging to VLAN 1. All tagged traffic is rejected, since the frame size exceeds the accepted maximum and the content of the VLAN header is rejected by the Access type port".
Don't be confused by the "VLAN type" being set to "None". The VLAN type only comes into play when you want to use dynamically assigned VLAN mechanisms, such as Voice VLAN. The wording is unfortunate in that it clashes with the "Type" setting above.
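To make the Trunk and Access rules above concrete, here is an added example in Python (not code from the article or from Nebula itself). It models a port's Type, PVID and Allowed VLANs, derives the untagged/tagged memberships the way the article does, and decides whether a constructed 802.1Q frame is accepted at ingress and into which VLAN it is placed. It assumes that on a Trunk port any tagged frame whose VID is in the Allowed VLANs is accepted; the frame bytes are constructed sample data, not captures.

```python
from dataclasses import dataclass
from typing import Optional, Set, Union

ALL = "all"          # Nebula's default "Allowed VLANs" value on a Trunk port
TPID = b"\x81\x00"   # 802.1Q tag protocol identifier that marks the enlarged frame

def parse_vid(frame: bytes) -> Optional[int]:
    """Return the VID from an 802.1Q tag following the dst/src MACs, or None
    when the frame is untagged (normal-sized, no tag bytes present)."""
    if len(frame) >= 16 and frame[12:14] == TPID:
        return int.from_bytes(frame[14:16], "big") & 0x0FFF   # low 12 bits = VID
    return None

@dataclass
class SwitchPort:
    mode: str                                  # "trunk" or "access" (the Type setting)
    pvid: int                                  # untagged membership = PVID
    allowed: Union[str, Set[int]] = ALL        # Trunk only: "all" or explicit VIDs

    def memberships(self):
        """(untagged VLAN, tagged VLANs) as the article derives them from the settings."""
        if self.mode == "access":
            return self.pvid, set()            # Access: only the PVID, untagged
        if self.allowed == ALL:
            return self.pvid, ALL              # every other VLAN is a tagged member
        return self.pvid, set(self.allowed) - {self.pvid}

    def ingress(self, frame: bytes) -> Optional[int]:
        """VLAN the frame is placed in on arrival, or None if the port rejects it."""
        vid = parse_vid(frame)
        if vid is None:                        # untagged: both modes map it to the PVID
            return self.pvid
        if self.mode == "access":              # Access: tagged traffic rejected entirely
            return None
        if self.allowed == ALL or vid in self.allowed:
            return vid                         # Trunk: tag matches an allowed VLAN (assumption)
        return None

def make_frame(vid: Optional[int]) -> bytes:
    """Constructed sample frame: dst/src MACs, optional 802.1Q tag, IPv4 ethertype, padding."""
    hdr = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
    tag = TPID + vid.to_bytes(2, "big") if vid is not None else b""
    return hdr + tag + b"\x08\x00" + b"\x00" * 46

if __name__ == "__main__":
    trunk = SwitchPort("trunk", pvid=1, allowed={1, 10, 20, 30})
    access = SwitchPort("access", pvid=1)
    for port in (trunk, access):
        print(port.mode, port.memberships(),
              [port.ingress(make_frame(v)) for v in (None, 1, 20, 99)])
```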
With this newly gained knowledge, you should now be able to assign VLANs in Nebula in a breeze and have a full understanding of VLANs and how they function.