On Mon, Jul 27, 2009 at 12:03 PM, paul chinnery<[email protected]> wrote:
> With the HP, am I correct that when I wish to place a port into vlan60, I
> "tag" it?

  Short version: On an HP, all ports are associated with VLANs.  A
port has at most one untagged VLAN, and zero or more tagged VLANs.
Untagged vs tagged indicates whether the switch places 802.1Q VLAN
tags on each frame it transmits from that VLAN.  Also, the untagged
VLAN for a port (if any) is used for received frames that don't have a
tag.

  Long version: What follows is something I wrote up for this list
back in Dec 2008, updated slightly to reflect our successful VoIP
deployment.

PROTOCOL CONCEPTS

 We have regular "untagged" Ethernet frames.  ("Frame" is the
data-link (layer 2) term for what some protocols call a "packet" or
"datagram".)  These are the same Ethernet frames from before VLANs
were invented.

 Then we have "tagged" frames.  These take a regular Ethernet frame
and add a marker -- the "tag".  The tag itself contains the VLAN
number (along with a priority code).  Thus, a tagged frame is
associated with a particular VLAN number.

   Inside the frame, the tag is basically just a reserved Ethernet
frame type, followed by the tag information, followed by the rest of
the original frame (complete with its original frame type).  So to
network nodes which are *not* VLAN aware, a tagged frame looks just
like a regular Ethernet frame, but with an "unknown" frame type.

 For computers, a VLAN-aware network stack will usually turn each
VLAN into a separate network interface, as if each VLAN was a
different network card with a different cable.  The "stock" network
stack included with Win 2000/XP does *not* include VLAN capability, so
they can only handle untagged frames.  Tagged frames will generally be
silently ignored.  Third-party software (often included with high-end
network cards) can add VLAN capability.  I'm not sure about
2003/Vista/2008.

   Switches which are not VLAN-aware, along with any repeaters, will
treat tagged frames exactly like they do any other frame.

SWITCH CONCEPTS

 Switches which are VLAN-aware generally let you control which ports
are associated with which VLAN(s).  The terminology, commands, etc.,
will vary with manufacturer.  I'm most familiar with the HP ProCurve
managed switches, so I'll speak mostly to that.  The concepts should
carry over to other manufacturers.  Hopefully others can chime in with
specifics.

 With HP, you can tell the switch that each VLAN is tagged, untagged,
or not available for each port.  Internally, frames are *always*
associated with a VLAN number.  The configuration just tells the switch
which VLANs go with which ports, and which VLAN number to use for
untagged frames.

 When the switch receives an untagged frame, it needs to know what
VLAN to associate it with.  If the port has an untagged VLAN
associated with it, the frame will go to that VLAN.  If there is no untagged
VLAN associated with the port, the frame is dropped.  This is why a
port can have (at most) one untagged VLAN associated with it -- how
could the switch know which one to use otherwise?

 When the switch receives a tagged frame, it simply checks to see if
that VLAN is associated with the port.  If so, it accepts it; if not,
it drops it.  This is basically just an access control mechanism.

 When the switch has a frame to *transmit*, it only considers ports
which are associated with the frame's VLAN.  If a port is configured
as tagged for the frame's VLAN, it transmits the frame with the VLAN
tag.  If a port is configured as untagged for the VLAN, the frame is
transmitted on that port without a VLAN tag.

APPLICATIONS

 Okay, enough conceptual stuff, how do we use it?

 At %DAYJOB%, we've got VLANs as follows:

1 – Reserved
2 – Main company private network
3 – Guest network
4 – ISP uplink
5 – IP telephony

 We don't use VLAN 1 because that's the default on most things, and
to avoid confusion we avoid it.

 VLAN 2 is where most traffic is.  Most ports are configured as
untagged for VLAN 2.  The computers, printers, etc., plugged into
those ports aren't even aware they are on a VLAN.  All the employee
workstations are like this, as are most servers.  The syntax to
configure this is easy.  For example, if I want port 1 to be untagged
for VLAN 2, it looks like this:

       vlan 2 untagged 1

 VLAN 3 is for guests (visitors).  For obvious reasons, we don't let
them plug in to our main network.  They get a separate IP subnet, a
separate DHCP server, and bypass much of our network filtering.  This
is also where our wireless access points connect (employees use
VPN-over-wireless).  Again, all untagged, and connected nodes are not
aware of the VLAN.

 VLAN 4 exists because we've got a cable Internet feed we use for
employee web browsing.  Circumstances meant the cable modem had to go
in a different building from the main server/network room.  (We have
another feed for important stuff; that terminates in the server room.)
 So the cable modem plugs into a particular switch port, which uses
VLAN 4 to carry it to our firewall in a different building.  Again,
untagged, unaware.

 VLAN 5 is for premises voice-over-IP.  The phones are VLAN-aware and
tagged everywhere, so they operate "outside" the regular network.  The
VoIP VLAN gets DHCP from our Nortel phone system, and has a different
IP network number.  The PoE switches are configured with VLAN 5 tagged
for most ports.  Thus you can plug a phone in to any port and it will
work.  The phones are also configured to pass untagged traffic through
to the daisy-chain port, letting us hang PCs off the phones without
either device seeing the other.  VLAN 5 is configured with higher QoS
priority everywhere, so voice traffic goes first.

  Example switch command for this VoIP config:

       vlan 2 untagged 1-24
       vlan 5 tagged 1-24

 I am using separate VLANs for security, manageability, and
robustness.  I don't want guests to be able to probe/sniff/screw-up
the corporate network.  They can't.  I don't want the cable modem link
(which is full of garbage traffic from other subscribers) on the main
LAN.  It isn't.  I want the phones to have higher priority over
regular data, and to have their own DHCP server, so they operate
independent of the main network.  I can shut all our servers off and
the phones keep working.

 For links between switches, each VLAN is configured as *tagged* for
those ports, with *no* untagged VLAN.  Those ports are only used to
carry traffic between VLAN-aware switches.  (Cisco would call this a
"trunk port", IIRC.)  The HP syntax for (e.g.) port 24 as a switch
link would be:

       vlan 2 tagged 24
       vlan 3 tagged 24
       vlan 4 tagged 24
       vlan 5 tagged 24

 Finally, our firewall, which *is* VLAN-aware, is configured as
tagged for all VLANs on its port, with no untagged VLAN.  Virtual
network interfaces are configured in the firewall OS, and all the IP
configuration and filtering rules are done with those virtual
interfaces, not the physical interface.  This also means our firewall
only has one network cable plugged into it.  Configures the same as a
switch link, really.

 Hope this helps!

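The ingress/egress rules and the "vlan N tagged|untagged PORTS" syntax from the post above, as an added Python model (not code from the original post, and not HP's implementation): it pulls the 802.1Q tag out of raw frames, reads a constructed ProCurve-style config, and applies the one-untagged-VLAN and membership rules described in the SWITCH CONCEPTS section. SAMPLE_CONFIG, make_frame, parse_frame, parse_config, ingress_vlan and egress are all names chosen here.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample config in HP ProCurve syntax, adapted from the post's examples:
# ports 1-23 are edge ports (VLAN 2 untagged, VLAN 5 tagged); port 24 is a switch link.
SAMPLE_CONFIG = ["vlan 2 untagged 1-23", "vlan 5 tagged 1-23", "vlan 2 tagged 24",
                 "vlan 3 tagged 24", "vlan 4 tagged 24", "vlan 5 tagged 24"]

def make_frame(dst, src, vid, pcp, ethertype, payload):
    """Build an Ethernet frame; vid=None leaves it untagged."""
    hdr = dst + src
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)  # priority code point + VLAN id
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(raw):
    """Split a frame into VLAN id (None if untagged), priority, EtherType and payload."""
    ethertype, = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:  # a non-VLAN-aware node just sees an unknown type here
        return {"vid": None, "pcp": None, "ethertype": ethertype, "payload": raw[14:]}
    tci, inner = struct.unpack("!HH", raw[14:18])
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner, "payload": raw[18:]}

def parse_config(lines):
    """Turn 'vlan N tagged|untagged PORTS' lines into {port: {vid: mode}}."""
    ports = {}
    for line in lines:
        _, vid, mode, spec = line.split()
        vid = int(vid)
        for rng in spec.split(","):
            lo, _, hi = rng.partition("-")
            for p in range(int(lo), int(hi or lo) + 1):
                pm = ports.setdefault(p, {})
                if mode == "untagged" and "untagged" in pm.values():  # one untagged VLAN per port
                    raise ValueError(f"port {p} already has an untagged VLAN")
                pm[vid] = mode
    return ports

def ingress_vlan(ports, port, frame):
    """VLAN the switch associates a received frame with, or None if it is dropped."""
    pm = ports.get(port, {})
    if frame["vid"] is None:  # untagged: use the port's untagged VLAN, if any
        return next((v for v, m in pm.items() if m == "untagged"), None)
    return frame["vid"] if frame["vid"] in pm else None  # tagged: membership check

def egress(ports, in_port, vid):
    """Other ports that carry vid, mapped to whether the frame leaves them tagged."""
    return {p: pm[vid] == "tagged" for p, pm in ports.items() if vid in pm and p != in_port}
```

With the sample config, a tagged VLAN 5 frame arriving on port 1 is accepted and leaves every other port tagged, while an untagged frame on the switch-link port 24 is dropped because that port has no untagged VLAN.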