Behavior without VLAN Configuration

This section discusses the following:

n	How an outbound packet is processed on the untagged native VLAN

n	Delivering Inbound Packets to the LAN: No VLAN Interfaces

Tunnel packets outbound for the WAN are by default untagged, and no VLAN information is propagated across the WAN.

n	When the appliance is inserted in-line, it can see all the VLAN tags and packets and match policy map criteria based upon VLAN tags, without any VLAN configuration on the appliance.

n	When the appliance receives tagged traffic for which it has no VLAN interface, and it optimizes that traffic, then the tag is stripped off when the L2 header information is removed.

n	If the tagged packets are sent pass-through, then the entire original L2 header (with the VLAN tag) is preserved.

n	When the appliance is inserted out-of-path and no VLAN interfaces are configured, it doesn’t see packets associated with the VLANs because they are not even redirected to the appliance.

How an outbound packet is processed on the untagged native VLAN

By default, optimized traffic leaves the appliance without any VLAN tags.

For every packet entering the appliance for optimization on its way to the WAN:

a	The appliance strips away the existing L2 header

b	The appliance then applies a new L2 header, designating the appliance as the Source MAC.

Untagged outbound LAN packet to untagged tunnel

Neither the outbound LAN packet nor the tunnel’s endpoint have a VLAN tag.

Tagged outbound LAN packet to untagged tunnel

This is the most common deployment.

The outbound LAN packet has a VLAN tag but the tunnel’s endpoint does not.

Delivering Inbound Packets to the LAN: No VLAN Interfaces

For packets arriving from the WAN, the LAN route table is what determines where a packet goes.

n	After discarding the arriving packet’s L2 and tunnel headers, the appliance does a LAN route table lookup, based solely on the Destination Host IP address.

n	Based on the destination’s subnet, the appliance determines where to send the packet.

n	Because no VLAN interfaces are configured on the appliance, the packet can only go on the untagged VLAN.

n	The following two conditions must be met for this packet to reach its final destination:

a	The switch/router on the LAN side of the appliance supports untagged (native) VLAN, and

b	The switch/router can route the packet to the destination VLAN.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.