Understanding Network Switch Ports for System Administrators

By | September 7, 2020

This post are for the system administrators who are less familiar with Networking terms, particularly describing the nature of the ports.

  • Access Port
  • Trunk Port
  • Hybrid Port

These terms are not used on the system side, so unless you have done some networking training/read up on this, you may not know what they really mean, and what your systems need.

Before we dive into each one of these, there is one very important concept that you must be clear about, VLAN Tagging, and a high level idea on how it works.

VLAN expanded a little actually is short for Virtual LAN. Thought I should just point it out as VLAN is so widely used nowadays, that the full form may have been neglected. The keyword in there is Virtual.

Something many may already know, the use of VLAN allows multiple IP subnets (or layer 2 broadcast domains) to ride on the same physical cable and switch. Before VLANs came about, the only way to support multiple IP subnets, is have dedicated cables and switches for each subnet. VLAN essentially virtualised the LAN (Local Area Network) so that consolidation can occur, reducing the footprint of switches, and cutting down number of cables.

How VLANs are able to achieve this “magic”?

Like many technologies, VLAN has a proper standard definition, IEEE 802.1q. If you like detailed technical definitions, I encourage you to have a read at wikipedia for Virtual LAN and IEEE 802.1q.

I shall attempt to give an idea, in simple terms. Think about a device connected via ethernet, it will transmit and receive network packets (ethernet frames). Very much like what happens in a typical small home network, where VLANs are not used.

In a much large enterprise network, computers send and receive data similarly with ethernet frames. However, the main difference is that some where along the path that carries the network packets, additional VLAN Tags are added to the frames. These essentially mark every frame to belong to a specific VLAN, indicated by the VLAN ID that are in the tags.

Here is the key, the VLAN Tags are indicated in the headers of each frame. The key to what is needed for your system to send and receive data properly, is to understand where the tagging needs to be done. It can be the end device, or a network switch.

Example 01 – Totally No VLAN Tagging

Example 01 – Ethernet Frames with no VLAN Tagging

Let’s have some examples. The simple image above has two computers (C1 & C2) connected via a pair of network switches (S1 & S2). Green packets are sent from C1 to C2, and orange packets are sent from C2 to C1.

Example 01 is a simple network environment with no VLAN tagging being used, at all. Packets sent between C1 and C2 traverse the entire path without any VLAN tags being used. Such network, typically also only operates under a single IP Subnet.

Such configurations are typical of home networks, or small networks. Larger networks should not be doing this as there will be other issues to worry about.

Example 02 – Access and Trunk Ports – VLAN tagging by switches only

Example 02 – Ethernet Frames that are only tagged between Switches

Example 02 – this example, frames exchanged between each computer and its corresponding switch are not tagged with any VLAN ID. However, all packets flowing between S1 and S2 are tagged with a relevant VLAN ID.

  1. Looking at the green flow, which data is sent from C1, and the destination is C2.
  2. C1 is not aware of any VLAN ID, and all frames leaving C1 to S1 are not VLAN tagged.
  3. S1 receiving the green frames will automatically tag them with the VLAN ID (shown in red) that the port belongs to.
  4. S1 then forwards the frames on to S2, keeping the VLAN tag in the frame header.
  5. S2 receives the VLAN tagged frames, strips off the tags and then forwards them to C2. The red box disappears at this point.

The opposite, orange flow, goes through the same experience, where VLAN tags are added for frames exchanged between the switches S1 and S2.

This sort of implementation is common in larger networks, be it in the datacenter or the offices.

Using this example, we can start to explain what is an Access port and a Trunk port on the switch.

Access Port

The switch ports in this example which C1 and C2 connect to are considered Access ports, and they have the following characteristics.

  • Access ports will only carry traffic for one and only one VLAN. Frames belonging to other VLAN IDs will never be sent out from that port.
  • Any device connected to that port must not send packets which are VLAN tagged. If the device sends any VLAN tagged frames, the switch will discard those frames.
  • The switch will subsequently add the VLAN tag on the untagged frames received from the connected computer, then forward on.
  • Similarly, all packets sent from the switch to the computer will also be stripped of the VLAN tags.

Usage – Access ports are most commonly used with end devices; however there are scenarios which they can be used with other network devices. Like in Example 01, all switch ports are access ports, even those used to connect the two switches.

System Config – on the system side, there is typically nothing that needs to be done to configure the NIC port to work with an access port. If ever there is a need to fill in the VLAN ID, the value to use is 0 (zero).

Trunk Port

In Example 02, the ports used to connect S1 and S2 together are Trunk ports, and they have the following characteristics.

  • Trunk ports can carry traffic belonging to one or more VLANs.
  • Since there can be more than one VLAN, to avoid any mix up, all frames must be tagged with their respective VLAN ID.
  • While trunk ports are commonly used with other network devices, it can also be used with end devices, if the end devices can handle VLAN tagging.
  • All frames arriving and leaving the port must already be tagged with a VLAN ID. Untagged frames will be discarded.

Usage – Trunk ports are commonly used between switches and network devices. They are almost never used with desktop computers. Servers on the other hand, can work with trunk ports, especially when they are virtualisation hosts. Typically standalone servers that has the OS (e.g. Windows, Linux, Unix) run on the bare metal, will use access ports. See Example 05 for more details regarding virtualisation hosts.

System Config – to configure a system to work with a trunk ports, the NIC configuration must be supplied with a VLAN ID. A valid number is 2 to 4094 inclusive. Be aware that, 0, 1 and 4095 are reserved. There is more to what systems can do, and will be explained next.

Example 03 – Trunk Ports – End-to-end VLAN Tagging

Example 03 – End-to-end VLAN Tagging

In this example, all the ports on the switches are configured as Trunk ports. Which means the computers C1 and C2 have to also be configured to tag VLAN IDs. Most desktop computers do not do that, and only some NIC drivers support specifying VLAN IDs, so it is almost never done for end computers.

What can be more common to see, is that the configuration of VLAN IDs be done on virtualisation hosts, hypervisors.

Nutanix AHV, VMware ESXi and Microsoft Hyper-V are a few examples of hypervisors. Virtualisation allows a physical host to run multiple virtual machines (VM). These VMs can belong to the same VLAN (and subnet), or they can be on different VLANs. Either case, their traffic can be tagged by the hypervisor, before sending over the wire to the neighbouring switch.

Of course, another way to view this, especially for those who have encounters with virtualisation, is that there are virtual switches operating within the hypervisors. Example 05 will dive into this, by adding the virtual switch into the picture.

A word of caution though, the term Trunk, has two possible meanings in the networking world. Those more familiar with Cisco will know the term Trunk as how I have described, a port/link that allows multiple VLANs to pass. For those more familiar with HP networking (maybe some other brands too), Trunk refers to LAGs. That is a totally different definition. So, be careful when discussing about Trunk ports.

Usage – there are very few examples I know of where an end device will need to connect to a trunk port. The first is a VOIP phone, it is common to place VOIP network traffic in a dedicated VLAN for special handling. Second, would be hypervisor hosts, where they can host multiple virtual machines that are connected to different VLANs.

System Config – the end device must support VLAN tagging. In terms of a virtualization host, there is always a virtual network construct, e.g. Portgroups on ESXi or Networks on AHV, where VLAN ID is provided for each portgroup/network. In this example, all portgroups must have a non-zero VLAN ID. Any portgroups with VLAN ID set to 0, will have the traffic rejected by the trunk port on the physical switch.

Example 04 – Hybrid Port – Multiple VLANs with mixed Tagging

Example 04 – Introducing Hybrid Port on S1 and connected to C1

In this example, I introduce the third type, Hybrid port. It is hybrid in the sense that it is literally the combination of both the Access port and Trunk port.

In the diagram above, the switch port that C1 is attached to is configured as a hybrid port. All other ports are trunk ports. Also, the Green, Blue and Orange all belong to different VLANs. Take note that the purpose behind the colours is also different from the earlier examples.

Earlier examples, the computers C1 and C2 belong to the same VLAN, and the coloured packets just represent traffic destined for C1 or C2. Here, the colour represent traffic for different VLANs, and not simply the direction of flow.

So, you can see that C1 is rather unique to be using three different VLANs, whereas C2 has two and C3 only uses one VLAN.

C1 is the one of interest here. It has access to three different VLANs, Green, Blue and Orange. Do notice that the Green and Orange packets between C1 and S1 are VLAN tagged, very much like what you would do in a Trunk port scenario. The Blue packets sent from C1 are not tagged, just like an Access port scenario.

Here is the expected behaviour of a Hybrid switch port.

  • That hybrid port on S1 will carry traffic for at least two VLANs, one which will not be tagged by C1, and everything else will be tagged.
  • Only one VLAN can be untagged.
  • Any ingress traffic (from C1 to S1) which are not tagged, will be assumed to belong to that Blue VLAN.
  • S1 to C1 will send any packets belonging to the Blue VLAN with the tags removed as well.
  • All other VLANs will behave exactly like a Trunk port in Example 03.

In other words, a Hybrid port differs from a Trunk port that the Hybrid will accept untagged ingress traffic, whereas a Trunk port drops untagged ingress traffic.

So, you may be wondering, how does the system determine which VLAN can be untagged? Answer is simple, some switches support a feature called Native VLAN. If we are to configure a port as hybrid, we essentially define a Native VLAN on that port, in addition to Trunk configurations. I have come to learn that Cisco switches typically can support Native VLANs at the per-port level, where each port can have a different VLAN ID as Native. Other switches either do not support Native VLAN at all, or will need to configure Native VLAN for the entire switch.

Usage – there are several scenarios where Hybrid ports are used. An example in an office setting where VOIP phones are used. For convenience it is possible that the switch ports are configured to be used either with a desktop or a VOIP phone. A desktop will not have VLAN tagging, and the Native VLAN of the port will take the computer into the subnet for desktops. For VOIP phones, they will be configured on the phone for a specific VLAN, hence the trunked VLAN will take care of that.
In the datacenter, a Hybrid port is useful for a Nutanix node. Particularly when each node is having a simplified design to only have two uplinks to carry storage, host management and VM traffic. The host management and CVMs will ride on the Native VLAN. The VMs will make use of the Trunked VLANs. For greater details, please watch out for a coming post.

System Config – this depends on each use case. Simply put, for a hypervisor host that supports different type of workloads, the management network can be the one that uses the Native VLAN, and it’s VLAN ID will be set to 0 (zero), and all other VMs, will be attached to portgroups (or similar) with the corresponding non-zero VLAN ID specified.

Example 05 – Ethernet Frames with Virtual and Physical Switches

Example 05 – Expanding into Virtual Switches on Hypervisors

In this example, we will drop one of the physical switches S2. Instead we focus on the exploded view for one of the computers. Very specifically I reveal it to be a hypervisor, and let’s call it H1. Within the host, it has a virtual switch VS1, and two virtual machines, VM1 and VM2.

Here, within the virtualisation layer, we will keep it simple for all VMs to not require any VLAN tagging. Instead, we will attach the VMs to their corresponding portgroup/network. Just like in Example 2, the end computers do not need to be aware or configured with VLAN details, it is the switch that take cares of it. Hence, all the Green and Blue traffic when received by VS1 from VM1 and VM2, have no VLAN tags. VS1 will add on the VLAN tags and forward them out to S1.

You can see that the concept on VLAN tagging is still very much similar between virtual and physical switches.

If we zoom out and treat H1 like a black box, just like a computer C1, the relationship between H1 & S1 is just like C1 & S1 in Example 3. In fact, if you think about it C2, is likely to be a virtualisation host as well.

Wrapping it up…

This post attempted to demystify the differences between Access, Trunk and Hybrid ports. Systems connected to the various ports will have to use different VLAN tagging on the system side.

  • Access port – VLAN is set to 0 (or not set at all)
  • Trunk port – there will be multiple portgroups/networks and the VLANs for each are set to a non-zero number between 2-4094
  • Hybrid port – it is a combination of both, where one portgroup/network is set to 0 (or not set at all); and all others will have a number between 2-4094

Which type of port to be used, depends on situation.

  • Access port – simplest end device configuration, suitable for end user computer, or a single purpose server.
  • Trunk port – a specialised end device, or a multi workload server, such as a virtualisation hypervisor.
  • Hybrid port – when there can be different types of end devices that be connect in; or for virtualisation hypervisors that have functions that can benefit from the simplicity of not having to specify a VLAN ID.

What type of port a switch port needs to be configured as, only depends on the device needs on the opposite side of the cable. It should not matter what configuration other devices have. It is possible to have a mixed configurations on a switch. It all comes down to the requirements and design.

There are many more possible combinations and advance scenarios. This post aims to lay a foundation which can be built upon later on.

One thought on “Understanding Network Switch Ports for System Administrators

  1. Pingback: What you should consider when deploying a Nutanix cluster – vChips

Leave a Reply

Your email address will not be published.