Recall we had a scenario with two switches each with a different subnet connected together by a router. It is possible through switch programming to achieve the same thing with a single switch or multiple switches – that is we can make groups of ports on a switch act as though they are a single switch (virtual lan or vlan). ports in the one vlan are part of the broadcast domain but frames will not be sent outside the vlan

What is more tricky is that the segregation can be across multiple switches. Say we have 2 10 port switches and we put 4 ports of each in to vlan 1 (ports 1-4) and 4 ports in to vlan 2 (5-8) . We will have the remaining ports as trunk ports.

frames from devices connected to vlan 1 cannot travel to vlan 2 and vice versa, they are blocked. The communication between the vlans must be through a router that connects the two vlans together. High end switches are capable of doing this routing but often lack the firewall capabilities needed for true network segmentation

It is usually assumed that an end point device such as computer or printer does not understand vlans and that the vlan tag (801.q) should be removed. This is done by setting the type of port that the end device connects to as an access port and assigning it to the correct vlan. For example, if we had a computer vlan (1) and secure vlan (100) we would connect host computer to port 1 with that port assigned as an access port vlan 1. Frames coming into that port would then be tagged as vlan 1 and would not be forwarded or flooded to ports assigned to other vlans. The secure server on port 5 does not receive the frame

For the server to get the frame, it needs to be routed at layer 3 – the server is in another subnet. So we have a router with two interfaces. For example port G1 is in vlan 1 and in the subnet . Port G2 is in vlan 100 and subnet

This strategy can conserve hardware but can make for vastly increased complexity. Ports that carry multiple vlans are called trunks. These should not be plugged into end devices. We could use a trunk to conserve a port on both switch and router on the above scenario by configuring the port on the switch as a trunk and then configuring subinterfaces on the router with vlan and ip subnet set,

it is a very difficult and confusing topic.

Ethernet packets, Ethernet frames and IP packets in the Virtual World

On layer 2, we are transmitting ethernet frames. Confusingly, these are sometimes referred to as ethernet packets. They are in fact not quite the same thing. The IEEE standard is shown below

The ethernet packet is the frame plus some extra headers and trailers

When the ethernet frame (or packet) arrives at the NIC, it is briefly stored , an interrupt is raised from the NIC card to the motherboard to ask for the frame to be read into the computer’s memory. A series of processes then occurs in the kernel of the operating system


This particular graphic is confusing as the distinction between ethernet packet, ethernet frame and IP packet is not clear.

If the NIC is a virtual switch, the NIC will pass the frame to the driver which will send the memory structure (sk_buf) to the hypervisor’s memory. This is then forwarded to the driver part of the appropriate Hyper-V virtual network adapter which will unencapsulate the frame to pass the IP packet up the stack of the virtual machine. If the host does not have a virtual adapter connected to the virtual switch, it should in theory be impossible to be able to attack the host by this vector