Proper flow of network traffic and solid network connectivity are critical to any network. Past experience has shown that while it is acceptable to leave advanced configuration to the network team, a basic understanding of networking and the ability to configure the basics is important for anyone at just about any level. Troubleshooting and resolving issues, making a small change to the network, verifying security, or designing or re-designing an infrastructure all involve the network at some level, and the success or failure of these tasks will be greatly affected by how well networking is understood.
A quick review of some terms and concepts will be important when understanding the next section. Here are a few basic ideas, concepts, and terms to help navigate the world of networking.
TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language, or protocol, of the Internet.
IP (Internet Protocol) is the primary network protocol used on the Internet, developed in the 1970s. On the Internet and many other networks, IP is often used together with the Transmission Control Protocol (TCP), and the pair is referred to as TCP/IP.
TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
UDP (User Datagram Protocol) is a communications protocol that offers only a limited service when messages are exchanged between computers on a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP.
An IP address is a binary number that uniquely identifies a computer or other device on a TCP/IP network.
An IP address can be private – for use on a local area network (LAN) – or public – for use on the Internet or other wide area network (WAN). IP addresses can be determined statically (assigned to a computer by a system administrator) or dynamically (assigned by another device on the network on demand).
Handshaking is an automated process of negotiation that dynamically sets parameters of a communications channel established between two entities before normal communication over the channel begins. It follows the physical establishment of the channel and precedes normal information transfer.
In networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN.
A virtual private network (VPN) extends a private network across a public network, such as the Internet, by establishing an encrypted tunnel through which traffic passes between two endpoints. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. Major VPN implementations include OpenVPN, IPsec, and SSL.
A native VLAN is the untagged VLAN on an 802.1q trunked switch port. The native VLAN and the management VLAN could be the same, but it is better security practice that they are not. If a switch receives untagged frames on a trunk port, they are assumed to belong to the VLAN designated on that switch port as the native VLAN. Frames egressing a switch port on the native VLAN are not tagged.
You cannot change or delete the default VLAN; it is mandatory. The default VLAN is needed for much of the protocol communication between switches, such as Spanning Tree Protocol.
Tagged packets are only relevant between devices and endpoints that support them. A tagged packet carries a VLAN ID that identifies the VLAN the packet belongs to. This allows a port interface to be associated with one specific VLAN or with multiple VLANs.
Untagged packets are packets that do not carry a VLAN ID. They traverse the port and are assumed to belong to the native VLAN of the port interface.
The following examples illustrate how traffic is passed on a given interface under specific configurations.
Unconfigured port (Default VLAN):
When a switch port has no configuration, it uses the default VLAN (typically VLAN 1) and assumes the native VLAN is that default VLAN (in this case VLAN 1). This is the default configuration of a layer 2 switch port; it allows all traffic to pass and does not tag any packets.
Single VLAN port:
In this configuration, a VLAN is associated with the switch port, and all packets passing through the interface are tagged with that specific VLAN. For example, if the VLAN associated with the switch port is VLAN 10 and no other VLAN has been configured, connecting the port to another switch on a port configured for VLAN 1 will result in all communication failing.
Single VLAN port, with native VLAN assignment:
This configuration is similar to the single VLAN port configuration, with one important difference. If the native VLAN has been configured to be VLAN 20 and the port is configured to tag all packets with VLAN 10, the packets will still be tagged with VLAN 10, but any packets arriving at the interface without a VLAN ID are assumed to be part of VLAN 20. This type of configuration is typically found in VoIP environments, where the VoIP phones use VLAN 20 for voice traffic and VLAN 10 for data traffic. The phones understand VLAN tagging, and when a device is connected to the phone, the switch inside the phone tags that device's packets with VLAN 10 (or the data VLAN) and sends them on to the primary switch.
Multiple tagged VLANS, and a native VLAN assignment:
This configuration is identical to the single VLAN port with native VLAN assignment, with one important distinction: the interface recognizes and allows multiple VLANs, and again packets without a VLAN ID are assumed to belong to the native VLAN specified in the configuration.
All VLANs (trunk port):
This is the configuration of a switch port that allows all VLANs to pass through the interface. It is common when connecting similar devices together, such as a switch-to-switch link, and lets every VLAN move seamlessly through the interface to the other device.
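As an added, runnable illustration (not part of the original text) of the four port configurations above and the earlier note that the native and management VLANs should differ, the following Python models a port as a set of tagged VLANs plus a native VLAN, reads the 802.1Q tag from a constructed Ethernet frame, and decides how the port classifies ingress frames and tags egress frames. The PortConfig class, function names, and sample frames are my own assumptions, not any vendor's implementation.

```python
from dataclasses import dataclass
from typing import Optional

DOT1Q_TPID = 0x8100  # EtherType that marks an 802.1Q-tagged frame

@dataclass(frozen=True)
class PortConfig:
    """Assumed model of one switch port: tagged VLANs it accepts and its native VLAN."""
    allowed: frozenset            # VLAN IDs accepted/sent as tagged frames
    native: Optional[int] = 1     # VLAN assigned to untagged frames; None = untagged dropped

def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample Ethernet frame; vid=None builds an untagged frame."""
    dst, src, ipv4 = b"\xff" * 6, bytes.fromhex("020000000001"), (0x0800).to_bytes(2, "big")
    if vid is None:
        return dst + src + ipv4 + payload
    tag = DOT1Q_TPID.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")  # PCP/DEI left 0
    return dst + src + tag + ipv4 + payload

def parse_vlan_id(frame: bytes) -> Optional[int]:
    """Return the VLAN ID from the 802.1Q tag, or None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if int.from_bytes(frame[12:14], "big") != DOT1Q_TPID:
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def classify_ingress(port: PortConfig, frame: bytes) -> Optional[int]:
    """VLAN an arriving frame is placed in, or None if this port does not accept it."""
    vid = parse_vlan_id(frame)
    if vid is None or vid == 0:           # untagged (or priority-tagged): native VLAN rule
        return port.native
    return vid if vid in port.allowed else None

def egress_tagged(port: PortConfig, vid: int) -> Optional[bool]:
    """False = leaves untagged (native VLAN), True = leaves tagged, None = not forwarded."""
    if vid == port.native:
        return False
    return True if vid in port.allowed else None

def native_equals_management(ports: dict, mgmt_vlan: int) -> list:
    """Config check from the note above: ports whose native VLAN is the management VLAN."""
    return sorted(name for name, p in ports.items() if p.native == mgmt_vlan)

# The four configurations described above, modelled with the assumed class.
DEFAULT_PORT = PortConfig(allowed=frozenset(), native=1)             # unconfigured, VLAN 1
ACCESS_10 = PortConfig(allowed=frozenset({10}), native=None)         # tags VLAN 10 only
VOIP_PORT = PortConfig(allowed=frozenset({10}), native=20)           # data 10, voice native 20
TRUNK_ALL = PortConfig(allowed=frozenset(range(1, 4095)), native=1)  # all VLANs pass
```

Feeding an untagged frame to ACCESS_10 returns None, which is the "all communication failing" case from the single VLAN port example; running native_equals_management over a port inventory with the management VLAN ID flags trunks that still use it as native.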
A couple of important items to note:
• Tagged and untagged are the terms commonly associated with HP equipment
• Native VLAN and trunk encapsulation are the terms commonly associated with Cisco devices
• If traffic is not flowing through the switch via the default VLAN, it is possible that the setting to prevent default VLAN traffic has been enabled
• By default, routing is not enabled on switches. It can be enabled on HP switches by issuing the following command:
• If routing is enabled, a default route needs to be configured by issuing the following command:
ip route xxx.xxx.xxx.xxx/YY zzz.zzz.zzz.zzz, where xxx.xxx.xxx.xxx is the network, YY is the subnet prefix length (for example /24), and zzz.zzz.zzz.zzz is the IP address of the gateway.