802.1Q Encapsulation Explained

(Lazaros Agapides) #32

Hello AZM

The quick answer to your first question is yes and yes.

When a tagged frame enters a trunk port, the tag is always removed. Using your example of a tagged frame with VLAN 10, the switch checks to see a couple of things:

  1. Are there any access ports on the switch on VLAN 10? If yes, then the frame may be sent out of those ports untagged.
  2. Are there any trunk ports with VLAN 10 allowed? If yes, then the frame may be sent out of those ports as well. In those cases, the VLAN 10 tag is added once again to the frame as it exits the port.

(Keep in mind that in both of the above cases, whether a frame actually exits from one of these ports also depends on the mac-address table. If you need clarification on this, you can check out Rene’s lesson on how a switch learns MAC addresses.)

Concerning your second question:

The answer is yes. When you configure subinterfaces on the router itself, you are also enabling dot1q encapsulation, which essentially allows the router to perform VLAN tagging on the specific subinterface. You also specify the VLAN associated with the subinterface so that the appropriate VLAN can be tagged.

I hope this has been helpful!

Laz

(Lazaros Agapides) #33

Hello again AZM

The answer is yes. Let’s say there is a broadcast that comes into a switch on VLAN 10. This broadcast will have its tag removed, and the switch will search for:

  1. All access ports on VLAN 10 and will send out the frame on those ports untagged
  2. All trunk ports that have VLAN 10 allowed on them and it will send out the frame on those ports tagged.

I hope this has been helpful!

Laz
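The tag handling described in these two replies (tag stripped on ingress, frame sent untagged to access ports in the VLAN, re-tagged on trunks that allow it, MAC table deciding whether it is flooded or sent to one port), as an added example in Python that is not part of the original thread; the port names, MAC addresses and the ARP body are constructed:

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (dst, src, vid, body). body is the frame after the MACs and the tag,
    i.e. it starts at the real EtherType; vid is None when there is no tag.
    Tagged layout: dst(6) src(6) TPID 0x8100(2) TCI(2) EtherType(2) payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[16:]   # VID = low 12 bits of the TCI
    return dst, src, None, frame[12:]

def add_tag(dst, src, vid, body, pcp=0):
    """Re-insert an 802.1Q tag (PCP in the top 3 bits, VID in the low 12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + body

class Switch:
    """Constructed layer 2 model (not Cisco IOS). ports: name -> ("access", vid)
    or ("trunk", {allowed vids}); mac_table: (mac, vid) -> port.
    Tagged frames are expected on trunks only (no native VLAN handling)."""
    def __init__(self, ports, mac_table):
        self.ports, self.mac_table = ports, mac_table

    def forward(self, in_port, frame):
        dst, src, vid, body = parse_frame(frame)
        kind, cfg = self.ports[in_port]
        if kind == "access":
            vid = cfg          # untagged on an access port: the port's VLAN applies
        # from here on the tag is gone; the VLAN is just an attribute of the frame
        port = self.mac_table.get((dst, vid))      # known unicast in this VLAN?
        targets = [port] if port else [p for p in self.ports if p != in_port]
        out = {}
        for p in targets:
            kind, cfg = self.ports[p]
            if kind == "access" and cfg == vid:
                out[p] = dst + src + body                  # exits untagged
            elif kind == "trunk" and vid in cfg:
                out[p] = add_tag(dst, src, vid, body)      # tag added on the way out
        return out

# constructed sample addresses and a broadcast ARP body (EtherType 0x0806 + padding)
HOST_A = bytes.fromhex("aaaaaaaaaa01")
HOST_B = bytes.fromhex("bbbbbbbbbb02")
BCAST = b"\xff" * 6
ARP_BODY = bytes.fromhex("0806") + b"\x00" * 28

SW = Switch({"Gi0/1": ("access", 10), "Gi0/2": ("access", 20),
             "Gi0/23": ("trunk", {10, 20}), "Gi0/24": ("trunk", {10, 20})},
            {(HOST_A, 10): "Gi0/1", (HOST_B, 20): "Gi0/2"})
```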

(AZM U) #34

Thank you so much Laz for the great explanation.

Azm

(AZM U) #35

Hello Laz,
The order of operations between mac-address table lookup and routing lookup in a layer 3 switch while routing between SVIs is a little bit confusing and I have a few questions to clarify myself.
Let’s say we have a topology like below:

Host A (Vlan 10)-----------------SWITCH_1----(trunk)-------SWITCH_2----------HostB (Vlan20)

Here both switches have vlan 10 and vlan 20 configured.

  1. Switch 1 has an SVI configured for vlan 10 and Switch 2 has an SVI configured for vlan 20. They both have ip routing enabled. Are those two hosts going to be able to talk to each other? Whether the answer is yes or no, please explain why. When Switch 1 receives a packet from Host A, what would Switch 1 do first? Would it look at the mac address table first, or will it look at the routing table since it has the routing capability? Please explain.

Thank you so much in advance.

Azm

(AZM U) #36

When Switch 1 receives a packet from Host A destined to Host B, what would Switch 1 do first? Would it look at the mac address table first, or will it look at the routing table since it has the routing capability? Please explain.

Thank you so much in advance.

Azm

(Lazaros Agapides) #37

Hello Azm

Here is the topology that you described.

Except for the labeling in the diagram, the network has the following elements:

  • VLAN 10 subnet is 10.10.10.0/24
  • Host A has a default gateway of 10.10.10.1
  • VLAN 20 subnet is 10.10.20.0/24
  • Host B has a default gateway of 10.10.20.1
  • Both Switch 1 and Switch 2 are layer 3 switches
  • We assume that no additional SVIs or routed ports are configured on either switch.

Keep in mind that the order of operations of MAC address-table lookup and routing is based on the order in which encapsulation and de-encapsulation take place.

Let’s go through it step by step. If Host A sends a packet to 10.10.20.2, it will

  1. Encapsulate the packet at the Network layer (layer 3) with a destination IP address of 10.10.20.2.
  2. To encapsulate the Data link layer (layer 2), it has to find the destination MAC address. Because the destination IP address is in a different subnet, and because MAC addresses only have significance within the current subnet, Host A will place the MAC address of the local default gateway (which is the SVI on Switch 1) into the destination MAC address field. If Host A does not know this MAC address it will send an ARP request for the 10.10.10.1 address. The SVI of Switch 1 will respond with its MAC address.
  3. The frame is placed on the medium and sent to Switch 1
  4. The switch receives the frame, de-encapsulates it and determines the destination MAC address to be that of its SVI. It continues to de-encapsulate and determines that the destination IP address is 10.10.20.2. It then looks at the routing table and sees no route for this destination and it drops the packet.

The hosts will not be able to talk to each other.

Routing in its simplest form is just the process by which a layer 3 device chooses the egress port through which to send a packet based on its destination address. This means that in order for routing to take place, there must be at least two layer 3 ports (virtual or not) on a device - one to be the incoming port and one to be the outgoing port.

The above topology has both layer 3 switches with only one layer 3 port each - the SVI port. So all packets that arrive at the SVI port to be routed will be dropped. The best and most straightforward way to allow the above topology to work is to choose one of the two switches to perform inter-VLAN routing, and configure both SVI ports (VLAN 10 and 20) on that switch providing for both an ingress port and egress port. Just make sure that the default gateways are configured correctly on the hosts as well.

I hope this has been helpful!

Laz

(AZM U) #38

Hello Laz,
As usual, spectacular.
When Host A will communicate with host B or vice versa, what would be the order of operations between mac-address table lookup and arp lookup while both Vlan 10 and Vlan 20 SVIs are configured on the same switch (either Switch_1 or Switch_2)?

Thank you so much.

Azm

(Lazaros Agapides) #39

Hello Azm.

The order of operations will always be in the same order as the de-encapsulation that occurs when the switch receives the frame. Let’s go through the process assuming that the SVIs for VLAN 10 and VLAN 20 are both configured on Switch 1.

Host A sends a packet to Host B

  1. Host A encapsulates the packet at the Network layer (layer 3) with a destination IP address of 10.10.20.2.
  2. To encapsulate the Data link layer (layer 2), it has to find the destination MAC address. Because the destination IP address is in a different subnet, and because MAC addresses only have significance within the current subnet, Host A will place the MAC address of the local default gateway (which is the SVI on Switch 1) into the destination MAC address field. If Host A does not know this MAC address it will send an ARP request for the 10.10.10.1 address. The SVI of Switch 1 will respond with its MAC address.
  3. The frame is placed on the medium and sent to Switch 1
  4. The switch receives the frame, de-encapsulates it and determines the destination MAC address to be that of its VLAN 10 SVI. It continues to de-encapsulate and determines that the destination IP address is 10.10.20.2. It then looks at the routing table and sees that for the destination IP address, the packet should be sent out of the VLAN 20 SVI.
  5. To send it out of this SVI, the switch re-encapsulates the packet and has to populate the destination MAC field in the frame header. To do this, it looks in its ARP table and checks to see if the MAC address that corresponds with the destination IP address is there. (Notice that the destination IP address is now in the subnet of the VLAN 20 SVI.) If the address is there, then the MAC address is taken and placed in the frame. If not, an ARP request is sent out and Host B responds with its MAC address and that address is placed within the frame.
  6. Next, in order to determine which switch port the frame should be sent out, it looks up the destination MAC address learned in the previous step in the MAC address table. It should find that the Host B MAC address corresponds with the trunk port that connects to switch B. (if not it sends it out all the ports where VLAN 20 is allowed)
  7. When the frame exits this port, a VLAN tag is added to the frame header to indicate that this frame belongs to VLAN 20.
  8. When the frame enters the trunk port of Switch 2, the VLAN tag is removed.
  9. The frame is de-encapsulated and the destination MAC address is looked up in the MAC address table. The port where Host B is connected should show up as that corresponding to the destination MAC. (Note here that there is no additional de-encapsulation to layer 3 since no routing takes place for these VLANs at switch 2.)
  10. The frame exits the port where Host B is connected and reaches the host.
  11. The frame is de-encapsulated all the way up to layer 7 and used accordingly.

I believe that this step by step description will give you a better idea of the order of operations that occur when routing (layer 3 de-encapsulation) and when switching (layer 2 de-encapsulation).

I hope this has been helpful!

Laz

(AZM U) #40

Hello Laz,
Thanks a lot once again. Your write-up has been pretty useful. One quick question. Let’s say IP ROUTING is enabled on Switch B and it also has a few SVIs configured for other VLANs that are connected to Switch B, but Switch B does not have any SVIs configured for VLAN 10 and VLAN 20. In this case, what will happen when Switch B receives a packet from Switch A destined to host B? Will Switch B look at the routing table first and drop the packet since it will not have any routing entry, or will it look at the mac-address table first, find the entry for a particular switch port and send the frame out of that port accordingly? What will happen to the return traffic that is coming from Host B destined to Host A? Will Switch B not look at the routing table for a routing entry for 10.10.10.2 first when Switch B receives a packet from Host B destined to Host A and drop the packet since it will not have any routing entry for it, or will Switch B look at the mac-address table and forward the frame accordingly? My problem is when it comes to solid layer 3 or layer 2 devices, I am fine with them, but when it comes to layer 3 devices, I get confused.

Thanks a lot Laz for your time once again.

Azm

(Lazaros Agapides) #41

Hello again AZM

I’m always glad I could be of help! :slight_smile:

If Switch B were configured as you describe above, the functionality would be EXACTLY the same as described in my previous post. This is because when the frame leaves the VLAN 20 SVI interface on Switch 1, its destination address (10.10.20.2) is in the SAME subnet as the VLAN 20 SVI interface (10.10.20.1). This means that it is on the last hop of the trip and no additional routing is necessary. So when this frame exits the trunk port of Switch 1, it will have in its header the destination MAC address of Host B. When the frame reaches the trunk port of Switch 2, only a MAC address table lookup will take place within the switch which will direct the frame out of the port where Host B is connected.

On the return trip, when Host B sends a packet to 10.10.10.2, it will see that it is not in the same subnet as its own, so it will send the packet to the default gateway configured in its network settings, which is the VLAN 20 SVI port on Switch 1 (10.10.20.1). When it encapsulates the packet in a frame it will place the MAC address of this SVI port as the destination MAC address. The frame will go to the VLAN 20 SVI port on Switch 1, become de-encapsulated and will go through the routing table much like it did in the initial trip from Host A to B.

I believe the following principles will help you out in understanding where layer 2 and layer 3 addressing functionalities take place:

When a packet is sent from one host to the other, the destination IP address remains the same for the whole trip. The destination MAC address however changes for each hop.

When one host sends a packet to another, each hop requires the use of the next hop router’s MAC address as the destination address. That means that for all hops except for the last one, routing will take place. Thus de-encapsulation will take place to layer 3, routing tables will be looked up and packets will be routed. On the LAST hop, the destination MAC address is always the MAC address of the host. In that case, there will be no routing, no layer 3 de-encapsulation. De-encapsulation will occur on the destination host itself all the way up to the application layer.

I hope this has been helpful!

Laz
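The order of operations walked through in posts #37, #39 and #41 (tag removed, destination MAC compared with the SVI, routing lookup, ARP lookup, re-encapsulation, MAC table lookup, and a MAC lookup only on the last hop), as an added example in Python that is not part of the original thread. The model, port names, SVI MAC addresses and tables are constructed assumptions; the switch has only connected routes, as in the thread:

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Frame:                    # simplified frame: only the fields the lookups use
    dst_mac: str
    src_mac: str
    dst_ip: str
    vid: Optional[int] = None   # 802.1Q VID carried on a trunk; None = untagged

@dataclass
class SVI:
    vid: int
    ip: str                     # "10.10.10.1/24": the mask gives the connected route
    mac: str

class L3Switch:
    """Toy layer 3 switch (constructed model, not Cisco IOS). ports maps a port
    name to ("access", vid) or ("trunk", {allowed vids}). Lookups happen in
    de-encapsulation order: tag -> destination MAC -> IP route -> ARP -> MAC table."""
    def __init__(self, ports, svis, mac_table, arp_table):
        self.ports, self.mac_table, self.arp_table = ports, mac_table, arp_table
        self.svis = {s.vid: s for s in svis}
        # connected routes only, one per SVI: the thread configures nothing else
        self.routes = {ipaddress.ip_network(s.ip, strict=False): s.vid for s in svis}

    def receive(self, in_port, frame):
        trace = []
        kind, cfg = self.ports[in_port]
        vid = cfg if kind == "access" else frame.vid      # tag is removed on ingress
        trace.append(f"ingress {in_port}: tag removed, frame belongs to VLAN {vid}")
        svi = self.svis.get(vid)
        if svi is None or frame.dst_mac != svi.mac:
            trace.append("dst MAC is not my SVI: layer 2 only, MAC table lookup")
            return self._switch(in_port, replace(frame, vid=vid), trace)
        trace.append("dst MAC is my SVI: de-encapsulate to layer 3, routing lookup")
        dst_ip = ipaddress.ip_address(frame.dst_ip)
        matches = [n for n in self.routes if dst_ip in n]
        if not matches:
            trace.append(f"no route to {frame.dst_ip}: drop")
            return trace, {}
        egress_vid = self.routes[max(matches, key=lambda n: n.prefixlen)]
        trace.append(f"route via VLAN {egress_vid} SVI: ARP lookup for {frame.dst_ip}")
        next_mac = self.arp_table.get(frame.dst_ip)
        if next_mac is None:
            trace.append(f"ARP miss: ARP request sent on VLAN {egress_vid}, packet held")
            return trace, {}
        # re-encapsulate: new source/destination MACs, new VLAN, same destination IP
        out = Frame(next_mac, self.svis[egress_vid].mac, frame.dst_ip, egress_vid)
        return self._switch(None, out, trace)

    def _switch(self, in_port, frame, trace):
        port = self.mac_table.get((frame.dst_mac, frame.vid))
        trace.append(f"MAC table: hit, port {port}" if port
                     else f"MAC table: miss, flood VLAN {frame.vid}")
        targets = [port] if port else [p for p in self.ports if p != in_port]
        out = {}
        for p in targets:
            kind, cfg = self.ports[p]
            if kind == "access" and cfg == frame.vid:
                out[p] = replace(frame, vid=None)       # leaves an access port untagged
            elif kind == "trunk" and frame.vid in cfg:
                out[p] = frame                          # leaves a trunk with its VID tag
        return trace, out
```

Running the three scenarios from the thread through `receive` reproduces them: only a VLAN 10 SVI on Switch 1 ends in "no route, drop"; both SVIs on Switch 1 produce a VLAN 20 tagged frame with Host B's MAC out of the trunk; and Switch 2, with no SVI in VLAN 20, does a MAC table lookup only.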

(AZM U) #42

Hello Laz,
Your explanation was great as it is always. I have one more question and I am going to use the below topology for it.

In this topology, I have HSRP configured between DIST_1 and DIST_2 switches. DIST_1 is the active switch for vlan 10 and DIST_2 is the active switch for vlan 20. That means, DIST_1 switch will act as the default gateway for vlan 10 and DIST_2 switch will act as the default gateway for vlan 20. All the IP address information is mentioned in the topology including spanning tree. I also have two access layer switches and they both are solid layer 2 switches.

Vlan 10 : 10.10.10.0/24
Vlan 20: 10.20.20.0/24

Question:
Let’s say PC A (10.10.10.10 / VLAN 10) is trying to communicate with PC B (10.20.20.200 / VLAN 20). So PC A will send the packet to its active default gateway located in DIST_A. Now DIST_A will look at its routing table and find the route for 10.20.20.0/24. Even though DIST_A has the route for the destination (PC B), the active default gateway for vlan 20 is in the DIST_B switch. What would the DIST_A switch do next to forward the packet to the destination PC B? How would the traffic flow between PC A and PC B? Please describe it.

Thank you so much once again.

Azm.

(Lazaros Agapides) #43

Hello again AZM!

The process will be much the same, however, in this case, Host A will have a default gateway of 10.10.10.50 and Host B will have a default gateway of 10.20.20.50. Each of these IP addresses correspond to the MAC address of the currently active router. So it is this MAC address that will be placed in the destination MAC address field. Let’s look at it step by step.

  1. Host A prepares a packet with destination IP address 10.20.20.200. It is on a different subnet, so when encapsulating, the destination MAC will be that of the default gateway (10.10.10.50). Using ARP, this MAC is learned and placed in the packet. This is the MAC that corresponds to the active router for VLAN 10, which is DIST_1.
  2. The destination IP address of 10.20.20.200 will be used to look in the routing table of DIST_1 and see where this should be routed. The routing table shows that this should egress from the VLAN 20 SVI port on DIST_1 which has an IP address of 10.20.20.1. Note this is NOT the virtual HSRP interface, but the SVI interface on the switch.
  3. Encapsulation occurs, destination MAC address of Host B is inserted in the field and the MAC address table lookup takes place. Based on STP, whichever path is not blocked will be taken.
  4. The frame reaches ACCESS_SW2 and using another MAC address lookup it knows to send the packet from the port connected to Host B

The return trip works much the same way, but the DIST_1 and DIST_2 switches are reversed. I’ll go through it quickly.

  1. Host B sends a packet with destination IP address 10.10.10.10. The MAC of the default gateway (10.20.20.50) is the destination MAC. This is the MAC that corresponds to the active router for VLAN 20, which is DIST_2.
  2. The destination IP address of 10.10.10.10 will be used to look in the routing table. This should egress from the VLAN 10 SVI port on DIST_2 which has an IP address of 10.10.10.2. Note this is NOT the virtual interface, but the SVI interface on the switch.
  3. Encapsulation occurs, destination MAC address of Host A is inserted in the field and the MAC address table lookup takes place. Based on STP, whichever path is not blocked will be taken.
  4. The frame reaches ACCESS_SW1 and using another MAC address lookup it knows to send the packet from the port connected to Host A.

So the actual frame takes a different physical path because the default gateways reside on different devices because of HSRP.

I hope this has been helpful!

Laz

(AZM U) #44

Hello Laz,
This was super helpful. As you said the only problem is asymmetric routing. Am I correct? I am also trying to implement the same topology in Packet Tracer, but it is not working for some reason. I just want to make sure this is a valid topology. Is it not?

Thank you so much.

Azm

(Lazaros Agapides) #45

Hello Azm

Strictly speaking, asymmetric routing is when the return path is different than the incoming path, that is, when routing takes place via different routers. In such a case, doing a traceroute should give you different paths. In the case described above, it’s not strictly asymmetric routing because the traceroute will give you the same path for both incoming and outgoing packets. The packet does pass through physically different hardware, but the two HSRP routers must be considered as one routing entity.

As for the validity of the topology, yes it is valid and it is a very common setup. I have this very same topology implemented in one of the networks I administer, where I have 17 subnets/VLANs being routed by one HSRP router and 16 being routed by the other.

I hope this has been helpful!

Laz

(AZM U) #46

Hello Laz,
EXCELLENT. This has been really helpful and thank you so much for your time.

Azm

(AZM U) #47

Hello Laz,
I am sorry for asking you so many questions. One more question.

When I am doing a traceroute from 10.10.10.10 to 10.20.20.20. I am getting the below result.

When I am doing a traceroute from 10.20.20.20 to 10.10.10.10, I am getting the below result:

My question is when I am doing traceroute either from 10.10.10.10 or 10.20.20.20 they both are going through their associated interface vlan IPs. Are they not supposed to use the HSRP VIP instead of interface IP? Please explain it to me. Thank you so much.

Azm

(Lazaros Agapides) #48

Hello again!

Ah, yes, this is a very good question. I was too hasty to mention traceroute in my previous post. This output is correct. Cisco states in its documentation that when using traceroute with HSRP, you will always get the actual and not the virtual IP in the output:

Q. Which IP address must be seen when a reply is received for traceroute?

A. When a reply for traceroute is received from a hop that runs HSRP, the reply must contain the active physical IP address and not the virtual ip address. If there is an asymmetric routing in the network due to which standby router IP address is seen in the reply for the traceroute.
Taken from http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/9281-3.html#tr

Having said that, my statements in my previous post should read:

Strictly speaking, asymmetric routing is when the return path is different than the incoming path, that is, when routing takes place via different routers. In such a case, the path that is taken according to the next hop router addresses used should give you different paths. In the case described above, it’s not strictly asymmetric routing because the next hop router addresses used will give you the same path for both incoming and outgoing packets. The packet does pass through physically different hardware, but the two HSRP routers must be considered as one routing entity.

Thanks for your astute observation!

I hope this has been helpful!

Laz

(AZM U) #49

Hello Laz,
Got it. Great and accurate explanation once again. Thank you so much.

Azm

(Noel N) #50

Hi!

I have a question about this command:
_switchport trunk encapsulation negotiate_

In CCNP SWITCH I read:
"The encapsulation is negotiated to select either ISL or IEEE 802.1q, whichever both ends of the trunk support. If both ends support both types, ISL is favored."

But ISL (Cisco-proprietary) is a dead protocol, no?
Why does this default command prefer ISL?

Thanks for your help and for your perfect blog !!

(Lazaros Agapides) #51

Hello Noel

ISL is Cisco proprietary and in general dot1q is preferred. However, there are some default configurations and remnants of legacy technologies left over in Cisco IOS functionality. Another example is VLANs 1002-1005, which are reserved for Token Ring and FDDI technologies. These are rarely used but are still there because the legacy coding has not been changed. I believe the default of the ISL protocol rather than the more popular dot1q is another such case.

I hope this has been helpful!

Laz