Can One VLAN Reach Another Without a Router or OSI Layer 3 Device?

Early one morning, an engineer end user discovered that the Engineer servers were unreachable, and he didn’t know if he could reach the Internet. The administrator investigated the user’s PC with the IPCONFIG /ALL command and verified that the PC was a DHCP client, but it had received an address from the Accounting DHCP server, not the Engineering DHCP server. The administrator wrote down the engineer’s MAC address and proceeded to the data center, expecting to find that the engineer’s PC was connected to the wrong access port on the access switch or that the port was assigned to the wrong VLAN.

The administrator was surprised to find the user’s port Fa0/1 configured for the correct Engineer VLAN (VLAN 10). Upon closer examination, the DHCP server for the engineers was operational and connected to Engineer VLAN 10, and the Accounting DHCP server was operational and connected within the Accounting VLAN 20.

So there are two separate VLANs, but they are performing as a single broadcast domain. How is this possible?

The engineer’s PC sent a DHCPDiscover message within its VLAN 10, but the Engineer DHCP server was busy responding to other requests. So the second DHCPOffer coming from the Accounting DHCP server was accepted.

A DHCPDiscover frame uses a destination MAC address of 12 hexadecimal Fs (broadcast), which will result in a flood. Since this frame exits the access port of VLAN 10 untagged and not modified in any way, when it is received on the other end of the cable by an access port of VLAN 20, the switch will not care and will continue to flood the frame throughout VLAN 20.

OSI Layer 2 devices, such as a bridge or switch, create multiple smaller collision domains from a larger single collision domain.

VLANs create multiple smaller broadcast domains from a larger single broadcast domain. Prior to VLANs, the only way to segment a broadcast domain was by using a router, an OSI Layer 3 device. Therefore, broadcast domains existed long before VLANs, and VLANs can consist of a single broadcast domain.

In a properly designed IP network, a VLAN should map to a single broadcast domain, which in turn should map to a unique IP network. For ease of troubleshooting (and for avoiding trouble!), traffic from one VLAN should not reach another VLAN without an OSI Layer 3 device, such as a router. Historically, as in the days of Novell IPX, two frame types (802.3 and 802.2) constituted two unique networks and operated on the same cable/broadcast domain.

If a user were to walk into a data center and a cable were to fall from the wire nest of the rack-mounted devices, it could easily be placed back into an incorrect port. VLAN membership is not visible on the exterior of the device. This will result in combining the VLANs into a single broadcast domain and would be an undesirable result in most cases.

Cabling an access port belonging to VLAN 10 into an access port belonging to VLAN 20 on the same switch or on a different switch would achieve this compromise. Some would argue CDP, if enabled, would catch this and send a console message stating native VLAN mismatch, but the compromise would still exist and traffic would still flow.

Keep in mind that when a switch looks up the destination MAC address and is unable to find it, it will flood the frame. Flooding means it will allow the frame to exit out all ports of the VLAN in which the frame was received but not out of the port in which it entered. The frame will also flood out trunk ports.
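The flooding behavior described above can be modeled in a few lines. The following is an added example, not part of the original article: it floods a broadcast from the engineer's PC with and without a stray patch cable between a VLAN 10 access port and a VLAN 20 access port. The port numbers, host names and the cable are constructed for illustration.

```python
from collections import deque

# Constructed topology: every port is an access port on one switch.
PORT_VLAN = {
    ("SW1", "Fa0/1"): 10, ("SW1", "Fa0/2"): 10, ("SW1", "Fa0/3"): 10,
    ("SW1", "Fa0/11"): 20, ("SW1", "Fa0/12"): 20,
}
HOSTS = {
    ("SW1", "Fa0/1"): "engineer-pc",
    ("SW1", "Fa0/2"): "engineering-dhcp",
    ("SW1", "Fa0/11"): "accounting-dhcp",
}
# Hypothetical stray patch cable: VLAN 10 access port into VLAN 20 access port.
STRAY_CABLE = {("SW1", "Fa0/3"): ("SW1", "Fa0/12")}

def broadcast_reach(port_vlan, cables, hosts, src_host):
    """Return the hosts that receive a broadcast frame sent by src_host."""
    cable = {**cables, **{b: a for a, b in cables.items()}}  # cables are bidirectional
    ingress = next(p for p, h in hosts.items() if h == src_host)
    reached, seen, queue = set(), {ingress}, deque([ingress])
    while queue:
        in_port = queue.popleft()
        vlan = port_vlan[in_port]  # an untagged frame takes the VLAN of its ingress port
        for out_port, out_vlan in port_vlan.items():
            same_switch = out_port[0] == in_port[0]
            if not same_switch or out_port == in_port or out_vlan != vlan:
                continue  # flood only inside this switch's VLAN, never back out the ingress
            if out_port in hosts:
                reached.add(hosts[out_port])
            peer = cable.get(out_port)  # the frame leaves untagged and re-enters at the peer
            if peer is not None and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    reached.discard(src_host)
    return reached

if __name__ == "__main__":
    print("correct cabling:", broadcast_reach(PORT_VLAN, {}, HOSTS, "engineer-pc"))
    print("stray cable:    ", broadcast_reach(PORT_VLAN, STRAY_CABLE, HOSTS, "engineer-pc"))
```

With correct cabling only the Engineering DHCP server sees the DHCPDiscover; with the stray cable the Accounting DHCP server sees it as well, which is the situation the administrator found.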

Another way to combine two VLANs into a common single broadcast domain is using a trunk port with the 802.1q trunking protocol. 802.1q tags all VLAN traffic except one. This untagged VLAN is called the native VLAN.

It is possible to create a trunk between two switches, with each switch having a different native VLAN on its end of the trunk. Though CDP will generate a native VLAN mismatch message, the trunk will still form and untagged traffic from one switch will be deposited into the neighboring switch’s native VLAN.

Of course, CDP can be turned off to silence the warning.
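Because the CDP warning can be silenced, a native VLAN mismatch can also be found by comparing both ends of each trunk in the saved configurations. The audit below is an added example, not from the original article; the configuration excerpts, interface names and link inventory are constructed, and the `switchport` lines follow Cisco IOS syntax.

```python
import re

# Constructed IOS-style configuration excerpts for two switches.
CONFIGS = {
    "SW1": """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
""",
    "SW2": """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 20
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
""",
}
# Assumed cabling inventory: which trunk port is patched to which.
LINKS = [(("SW1", "GigabitEthernet0/1"), ("SW2", "GigabitEthernet0/1")),
         (("SW1", "GigabitEthernet0/2"), ("SW2", "GigabitEthernet0/2"))]

def native_vlans(config):
    """Map each trunk interface to its native VLAN (1 when none is configured)."""
    ports, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            name = m.group(1)
            ports[name] = {"trunk": False, "native": 1}
        elif name and line == "switchport mode trunk":
            ports[name]["trunk"] = True
        elif name and (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            ports[name]["native"] = int(m.group(1))
    return {n: p["native"] for n, p in ports.items() if p["trunk"]}

def native_mismatches(configs, links):
    """Return (end_a, vlan_a, end_b, vlan_b) for every trunk whose ends disagree."""
    native = {sw: native_vlans(text) for sw, text in configs.items()}
    findings = []
    for (sw_a, if_a), (sw_b, if_b) in links:
        vlan_a, vlan_b = native[sw_a][if_a], native[sw_b][if_b]
        if vlan_a != vlan_b:
            findings.append((f"{sw_a} {if_a}", vlan_a, f"{sw_b} {if_b}", vlan_b))
    return findings
```

Run over the constructed data, `native_mismatches(CONFIGS, LINKS)` reports the GigabitEthernet0/1 trunk (native VLAN 10 on one end, 20 on the other) and passes the GigabitEthernet0/2 trunk, where both ends use VLAN 99.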

So, can one VLAN reach another without a router or OSI Layer 3 device? Yes, but this is normally found as a fault, not a proposed design. Depending on manufacturer, make, model, IOS release and lunar position, some devices may respond differently to this mostly undesirable outcome.


Join the Conversation


  1. Marcello Reply

    Why ‘DHCP Discover packet’ coming from an ACCESS PORT VLAN10 should be forwarded to a different ACCESS PORT VLAN20 on the same switch or sent untagged through a TRUNK PORT ?
    This is the basic function of a VLAN: to create different broadcast domains. Why should it not apply to frame with Broadcast destination ?

    Can you explain it or all other considerations cannot be applied.

  2. Marcello Reply

    … rethinking, the mistake could be setting same native VLAN for access port and trunk port (eg VLAN 10). The broadcast packet that enters from Access is tagged 10, but then is forwarded untagged by TRUNK port.
    Right ?

  3. Kevin Reply

    correct………… when a frame leaves an ACCESS port it is untagged.
    same for Native VLAN frames on an 802.1q trunk.

  4. Jonas Reply


    Having read the article twice, I am struggling to understand what it’s trying to tell me, other than untagged traffic can pass between two VLANs if there is a cabling error…which as you mention is a fault of the administrator and not a weakness in how VLANs work.

    Also, trunks don’t combine VLANs into a single broadcast domain…that is not their function…it’s to allow multiple VLANs to pass traffic on a single link. Yes, untagged traffic will flow, but best practice is to ensure that there is no user/server/whatever traffic on that VLAN and to set the Native VLAN to a VLAN not used anywhere else.

    Maybe I just missed something….


  5. Khalid Reply

    By default VLAN 1 is the native VLAN, which carries all untagged traffic, but here there are 2 different VLANs, VLAN 10 and 20. If we have 802.1q encapsulation, VLAN 10 will be tagged as 10 and VLAN 20 will be tagged as 20 (both VLANs are tagged) and my native VLAN will be 1. Can anyone explain to me how two different tagged VLANs can exchange frames without any layer 3 function?

  6. Khalid Reply

    2nd thing: IP addresses come at layer 3; layer 2 will understand MAC addresses. Here there are 2 different DHCP servers with different IP pools, one with the VLAN 10 IP range and the 2nd with the VLAN 2 IP range. The switch will not understand the DHCP IP address; it will only understand the DHCP server MAC address. If any network administrator connects two different DHCP servers on the same VLAN switch port, the switch will automatically assume both servers are in the same VLAN and hence forward the Layer 2 traffic between both switch ports where the 2 different DHCP servers are connected. It would be a normal switching function; there won't be any broadcast storm or any issue of untagged or tagged VLAN frame forwarding. (Correct me if I am wrong.) DHCP server is a service that falls under UDP, which comes at layer 4 of the OSI model. Nothing to do with Layer 2.