Can a VLAN reach another without a router or OSI Layer 3 device?

Can a VLAN reach another without a router or OSI Layer 3 device?

October 13, 2022 Off By Evelyn

One morning, an engineer end user found that the Engineer servers were not accessible. He didn’t know how to reach the Internet. The administrator ran the IPCONFIG /ALL command on the user’s computer. He confirmed that the client was a DHCP Client, but that it had received an address only from the Accounting DHCP Server. The administrator took down the engineer’s MAC address, and went to the data center expecting to find that either the engineer’s computer was connected to the wrong access port or that the port was assigned the wrong VLAN.
The administrator was shocked to discover that the user’s port Fa0/1 was configured for the correct Engineer VLAN (10). On closer inspection, it was found that the DHCP server for engineers was connected to Engineer VLAN 10 and the Accounting DHCP servers were connected within the Accounting VLAN 20.
There are two VLANs, but they perform as one broadcast domain. How is this possible?
Although the engineer’s computer sent a DHCPDiscover message to its VLAN 10, the Engineer DHCP server was busy with other requests. The second DHCPOffer from the Accounting DHCP Server was accepted.

What MAC address does the DHCPDiscover frame use for its MAC address?
A DHCPDiscover frame uses a 12 hexadecimal Fs destination MAC address (broadcast), which will cause a flood. This frame will leave VLAN 10’s access port untagged and will be received at VLAN 20’s access port. The switch will not care about it and continue to flood VLAN 20.
OSI Layer 2 devices such as a bridge, switch, or other device that creates multiple smaller collision domains out of a larger collision domain, can be used to create OSI Layer 2.

VLANs allow you to create multiple smaller broadcast domains out of a larger broadcast domain.
Before VLANs, the only method to segment a broadcast domain was to use a router, an OSI Layer 3 device. Broadcast domains were established long before VLANs. VLANS can also be made up of one broadcast domain.
A VLAN should map only to one broadcast domain in an IP network. This broadcast domain should map to an IP network. To make troubleshooting easier (and to avoid trouble), Traffic from one VLAN should not be sent to another VLAN without an OSI Layer 3 device such as a router. Two frame types (802.3 & 802.2) were used to create two networks that operated on the same cable/broadcast domain, just as they did in the days before Novell IPX.
If a user were to enter a data center, and a cable fell from the wire nest of rack-mounted devices in the racks, it could be reinserted into the wrong port. The VLAN membership is not visible from the outside of the device. This will combine the VLANs into one broadcast domain, which is undesirable in most cases.
This compromise would be achieved by tying an access port belonging VLAN 10 to an access port belonging VLAN 20 on the same switch, or on a different switch. Some argue that CDP, if enabled would catch this and send out a console message stating native VLAN Mismatch, but traffic would still flow.
Remember that if a switch searches for the destination MAC address but is unable to locate it, it will flood it.

What does flooding refer to?
Flooding is when the frame can exit all ports in the VLAN where it was received, but not the port from which it entered. The frame will flood trunk ports as well.

Another way to combine VLANs
Combining the VLANs into one broadcast domain is possible using a trunk port that supports 802.1q trucking protocol. All VLAN traffic is 802.1q tagged except one. This untagged VLAN is known as the native VLAN.
It is possible to create trunks between two switches. Each switch will have a different native VLAN at its end of trunk. CDP is not required.

CategoryUncategorized