
Question re:multiple tagged/untagged VLANs on a switch

 
DoJu
Occasional Advisor

Question re:multiple tagged/untagged VLANs on a switch

Hi Everyone,

Can someone please explain this switch configuration?

vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
no ip address
exit
vlan 10
name "Data"
tagged 11,48
no ip address
exit
vlan 60
name "VOIP"
tagged 1-48
ip address a.b.c.d 255.255.255.0
qos priority 5
voice
exit
vlan 200
name "ICT workstations"
untagged 1-48
ip address aa.bb.cc.dd 255.255.255.0
exit
loop-protect 1-47

C0LdWir3
Occasional Advisor

Re: Question re:multiple tagged/untagged VLANs on a switch

Hi.

It is normal that you can have ports with multiple TAGGED VLANs and 0-1 untagged VLAN.

You need to TAG VLANs to carry multiple VLANs to hypervisor, routers with tagged interfaces or other switches.

In this configuration VLAN 1 is "no untagged 1-48", which means it removed the standard "untagged 1-48".

This configuration means all ports have VLAN 200 untagged and VLAN 60 tagged.

VLAN 10 is tagged on 11 and 48.

VLAN 1 is not on any ports.

 

Best Regards
Emil_Gogushev
Respected Contributor

Re: Question re:multiple tagged/untagged VLANs on a switch

Hello, 

Some things to understand about VLANs. 

Tagged and untagged here refers to the VLAN membership of a port, not to the VLAN as a whole. A VLAN by itself is not tagged or untagged; it is how a port assigns traffic to this VLAN. You can have tagged and untagged ports in the same VLAN (this is not the case in your config, which may be confusing for you).

If a port is untagged member in a certain VLAN ID it means that it will accept all frames without VLAN tag and handle them as belonging to this VLAN ID. If a frame has to be sent out in the same VLAN ID via this port, it will also be sent without a VLAN tag.

If a port is tagged member in a certain VLAN ID that means that the port will accept frames which carry a VLAN tag with this VLAN ID and assign them to this VLAN. If a frame has to be sent out of this port and it belongs to this same VLAN it will also be sent with the VLAN ID in a VLAN tag.

A port on a switch has to be member of at least one VLAN, untagged or tagged. By default all the ports are untagged members of VLAN 1.

A port can be untagged member of only 1 VLAN but tagged member of multiple VLANs.

Regarding your configuration:

vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
no ip address
exit

VLAN 1 is the default VLAN and all 48 ports were untagged members. However, the line "no untagged 1-48" is telling us that all ports were removed from VLAN 1. That means currently no port is a member of VLAN 1. The VLAN doesn't have an IP address.

vlan 10
name "Data"
tagged 11,48
no ip address
exit

VLAN 10 has 2 tagged member ports: port 11 and port 48. These ports will handle frames of VLAN 10 only if they carry a VLAN tag with ID 10. Outbound frames in VLAN 10 will also be sent with a VLAN tag. The VLAN doesn't have an IP address. The devices connected on ports 11 and 48 need to understand VLAN tags and also send their traffic tagged with VLAN ID 10 if it is expected that they should communicate in VLAN 10.

Please note that the same ports are untagged in VLAN 200 and tagged in VLAN 60. Probably other switches are connected to these ports because switch-to-switch links typically need to carry all the VLANs. The switches on the other side of the ports need to have exactly the same VLAN port configuration.

vlan 60
name "VOIP"
tagged 1-48
ip address a.b.c.d 255.255.255.0
qos priority 5
voice
exit

VLAN 60 is called VOIP. All 48 ports are tagged members of this VLAN. That means inbound and outbound frames need to carry a VLAN tag with ID 60 in order for the communication to work. The IP phones typically send the VOIP traffic with a VLAN tag and the data traffic of cascaded PCs untagged, so this configuration looks proper to me.

qos priority 5 assigns 802.1p priority value 5 (Voice) to all traffic of this VLAN.

The line voice activates LLDP-MED on this VLAN. LLDP-MED is a mechanism for IP phones and switches to negotiate parameters like VOIP VLAN, priority, PoE etc.

vlan 200
name "ICT workstations"
untagged 1-48
ip address aa.bb.cc.dd 255.255.255.0
exit

VLAN 200. All 48 ports are untagged members of VLAN 200. That means that every untagged frame received on these ports will be assigned to VLAN 200. Every frame of VLAN 200 that has to be sent out will also be sent without a VLAN tag. This is the typical configuration for end devices like PCs and laptops because they usually don't send frames with VLAN tags. Looking back at the configuration of VLAN 60, this is the typical configuration when a VOIP phone is connected to a port and a PC is connected to the VOIP phone. The phone will send the VOIP traffic with a VLAN tag in VLAN 60 and the data traffic from the PCs without a tag, which will allow it to be assigned to VLAN 200.

loop-protect 1-47

This configuration is sending proprietary loop-protect packets out of all ports. If some port of the switch receives some of these packets back, it has detected a loop and the port will be blocked.

Emil Gogushev /HPE
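
The membership rules explained in the reply above, applied to the posted configuration (an added example, not part of the original thread and not HPE code). It assumes plain numeric port names; `port_membership` and `link_mismatch` are hypothetical helper names, the latter for checking that both ends of a switch-to-switch link agree.

```python
import re

# Constructed sample: the configuration posted in the question (IP/QoS lines omitted).
CONFIG = """\
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
exit
vlan 10
name "Data"
tagged 11,48
exit
vlan 60
name "VOIP"
tagged 1-48
exit
vlan 200
name "ICT workstations"
untagged 1-48
exit
"""

def expand(ports):
    """Expand a port list such as '11,48' or '1-48' into a set of ints."""
    out = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def port_membership(config):
    """Return {port: {"untagged": vids, "tagged": vids}}; 'no ...' lines add nothing."""
    table, vid = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vid = int(m.group(1))
        elif line == "exit":
            vid = None
        elif vid is not None and (m := re.fullmatch(r"(untagged|tagged) ([\d,-]+)", line)):
            for p in expand(m.group(2)):
                table.setdefault(p, {"untagged": set(), "tagged": set()})[m.group(1)].add(vid)
    return table

def link_mismatch(a, b):
    """VLANs present on only one of two ports that face each other on a link."""
    return {k: a[k] ^ b[k] for k in ("untagged", "tagged") if a[k] != b[k]}
```

For this configuration every port comes out untagged in VLAN 200 and tagged in VLAN 60, with ports 11 and 48 additionally tagged in VLAN 10 and no port left in VLAN 1.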
parnassus
Honored Contributor

Re: Question re:multiple tagged/untagged VLANs on a switch

Bravo Emil!

To @DoJu: two useful commands to (a) learn VLAN membership for a specific port (valid also for a range of ports or for a port aggregation <- also known as port trunk using the usual HP/HPE/Aruba jargon) and to (b) learn which ports are members of a particular VLAN Id (valid also for a range or a list of VLAN Ids)...these commands would be part of your daily Swiss-knife set for sure...presuming you're dealing with ProVision/ArubaOS-Switch based Switches:

show vlan port port-id detail

show vlan vlan-id

DoJu
Occasional Advisor

Re: Question re:multiple tagged/untagged VLANs on a switch

Thank you Emil for the detailed explanation.

DoJu
Occasional Advisor

Re: Question re:multiple tagged/untagged VLANs on a switch

Thanks for the reply in helping me unravel this confusing (to me) VLAN, tagged/untagged terminology.

DoJu
Occasional Advisor

Re: Question re:multiple tagged/untagged VLANs on a switch

Thanks parnassus, still needs to sink in but will keep persisting.

The complexity is when configuring VLANs where you have a Hub/Spoke implementation whereby the Layer 2/3 switch for a site has the IP ROUTE outbound, then multi-tiered "Spoke" switches; if not configured correctly, the PCs won't get a DHCP IP address from the IP HELPER or, even worse, it takes down the network.

parnassus
Honored Contributor

Re: Question re:multiple tagged/untagged VLANs on a switch

Hi @DoJu, IMHO the most important thing is to think about propagating VLAN tagging across linked switches as a way to propagate the networks they support...a recommendation is always to look at where a VLAN needs to be transported and - in doing so - to respect the requirement that, on an uplink/downlink between peer switches, VLAN untagging/tagging should match (that's true on physical interfaces and also on logical ones, e.g. on aggregated ones "TrkX")...access ports are generally untagged because connected hosts don't "understand" VLAN Tagging...but, sometimes, you can deal with Servers (think about a hypervisor, as an example...or a Router with virtual interfaces each one on its own VLAN Id) and so VLAN Tagging should be used (and should match) on those ports.