CompTIA Security+ Exam Notes

Let Us Help You Pass

Thursday, September 25, 2025

802.1Q VLAN Tagging: How Ethernet Frames Enable Network Segmentation

802.1Q VLAN Tagging

What is IEEE 802.1Q?
IEEE 802.1Q is a networking standard that defines Virtual LAN (VLAN) tagging on Ethernet frames. It allows multiple VLANs to coexist on a single physical network link by inserting a tag into Ethernet frames to identify which VLAN the frame belongs to.

Purpose of 802.1Q
The primary objective of 802.1Q is to facilitate network segmentation and traffic isolation without necessitating separate physical switches or cabling for each VLAN. This improves:
  • Security
  • Performance
  • Manageability

How 802.1Q Works

1. VLAN Tagging
802.1Q adds a 4-byte tag to the Ethernet frame between the source MAC address and the EtherType field. This tag includes:
  • Tag Protocol Identifier (TPID): 2 bytes, always set to 0x8100 to indicate a VLAN-tagged frame.
  • Tag Control Information (TCI): 2 bytes, containing:
    • Priority Code Point (PCP): 3 bits for QoS (Quality of Service)
    • Drop Eligible Indicator (DEI): 1 bit for congestion management
    • VLAN ID (VID): 12 bits identifying the VLAN (range: 0–4095; 0 and 4095 are reserved)
2. Trunk Links
802.1Q is commonly used on trunk ports — switch ports that carry traffic for multiple VLANs. The tag tells the receiving switch which VLAN the frame belongs to.

3. Native VLAN
Frames belonging to the native VLAN are not tagged. This is used for backward compatibility with devices that don’t support VLAN tagging.

Example Frame Structure (Tagged)
| Destination MAC | Source MAC | TPID (0x8100) | TCI (PCP + DEI + VLAN ID) | EtherType | Payload | CRC |
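To make the tag layout above concrete, here is an added Python example (not code from the original post) that parses a constructed Ethernet frame, extracts PCP, DEI and VID from the TCI when the TPID is 0x8100, treats a frame with no tag as native-VLAN traffic, and flags the reserved and default VLAN IDs discussed on this page. The MAC addresses, EtherTypes and payload bytes are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier marking a VLAN-tagged frame


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and, if present, its 4-byte 802.1Q tag.

    Untagged frames are reported with tagged=False (native VLAN traffic).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "tagged": False,
            "pcp": None, "dei": None, "vid": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("TPID 0x8100 present but frame too short for TCI")
        tci, ethertype = struct.unpack("!HH", frame[14:18])  # TCI, real EtherType
        info.update(tagged=True,
                    pcp=tci >> 13,          # top 3 bits: priority
                    dei=(tci >> 12) & 0x1,  # next bit: drop eligible
                    vid=tci & 0x0FFF)       # low 12 bits: VLAN ID
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def vid_warnings(info: dict) -> list:
    """Defensive checks on the VID: reserved values and the default VLAN."""
    if not info["tagged"]:
        return []
    vid = info["vid"]
    if vid == 0:
        return ["VID 0: priority-tagged only, no VLAN membership"]
    if vid == 4095:
        return ["VID 4095: reserved value"]
    if vid == 1:
        return ["VID 1: default VLAN, should not carry user traffic"]
    return []


def build_tagged_frame(dst, src, pcp, dei, vid, ethertype, payload):
    """Assemble a tagged frame: MACs, TPID, TCI, EtherType, payload (no CRC)."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample frames, not real captures
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
TAGGED = build_tagged_frame(DST, SRC, 5, 0, 100, 0x0800, b"\x45" + b"\x00" * 19)
UNTAGGED = DST + SRC + struct.pack("!H", 0x0806) + b"\x00" * 28
```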

Benefits of 802.1Q
  • Efficient VLAN management across switches
  • Improved security by isolating traffic
  • Scalability for large networks
  • Support for QoS via PCP bits

Considerations
  • All switches must support 802.1Q for VLAN tagging to work across the network.
  • Misconfigured native VLANs can lead to security vulnerabilities (e.g., VLAN hopping attacks).
  • VLAN ID 1 is often the default and should be changed for security reasons.
