Hybrid or Trunk

 
atqquebec
Advisor

Hybrid or Trunk

Hi,

 

I would like to know what the typical uses of hybrid ports are.  I thought it would be useful for the switch ports in which I connect servers that have a "shared port iLO".  I usually configure my ports tagged VLAN 1 (management) for iLO and untagged for the server's real (OS) NIC.  Of course, I got into problems because in hybrid ports, it forces tagged packets on the default VLAN, which is 1 by default, therefore breaking my idea.  I think a trunk port would give exactly what I want, but I thought trunk ports were mostly for ISL (inter-switch links).

 

Thanks,

 

Ugo

14 REPLIES 14
jborg
Visitor

Re: Hybrid or Trunk

You typically don't want to use VLAN 1 in a tagged environment, and this might be where some confusion comes from. When using a hybrid port, you specify one or more tagged VLANs, and a single* untagged VLAN. The untagged VLAN should be the same as the default VLAN; for example, to have untagged traffic on VLAN 10 and tagged traffic for VLANs 20 and 30, something like:

 

interface Ethernet1/0/5
 port link-type hybrid
 port hybrid vlan 20 30 tagged
 port hybrid vlan 10 untagged
 undo port hybrid vlan 1
 port hybrid pvid vlan 10
#

 

Note VLAN 10 as both untagged and pvid.

 

* You can have more than one untagged VLAN on a hybrid port, but incoming untagged traffic can belong to only one of them, unless you use protocol VLANs.

 

pombeii
Frequent Advisor

Re: Hybrid or Trunk

Some special applications like MAC-based VLAN assignment and multicast VLAN must work on hybrid ports.

 

All incoming untagged traffic on a port, whether it is access, trunk or hybrid, is tagged with the PVID (the port VLAN ID, previously also called the default VLAN of the port), which defaults to VLAN 1 and is user configurable. The PVID is irrelevant to how the port handles the outgoing traffic from the PVID.

 

The "tagged" and "untagged" for the "port hybrid vlan" command are meaningful only for outgoing traffic.

For example, to enable a port to tag incoming untagged traffic with VLAN 10 and send the outgoing traffic from VLAN 10 with the VLAN tag removed, we configure

port hybrid pvid vlan 10
port hybrid vlan 10 untagged

To send the outgoing traffic from VLAN 10 with the VLAN tag intact, we replace "port hybrid vlan 10 untagged" with "port hybrid vlan 10 tagged".

By default, a hybrid port sends outgoing VLAN 1 traffic untagged; however, you can configure "port hybrid vlan 1 tagged" so the port sends outgoing traffic from VLAN 1 without removing the VLAN tag.

 

Justin_Goldberg
Valued Contributor

Re: Hybrid or Trunk

bombeii,

 

when you say this: "to enable a port tag incoming untagged traffic with VLAN 10 and sends the outgoing traffic from VLAN 10 with the VLAN tag removed"

 

why would you tag it with vlan 10 and send the traffic out with vlan 10 tag removed?

 

Forgive my newbieness. :robothappy:

pombeii
Frequent Advisor

Re: Hybrid or Trunk

Sorry, I didn't put it in a clear way.

 

The text describes two traffic directions (inbound and outbound) of the same port. Incoming traffic is from PC to switch, outgoing traffic is from switch to PC. They are different traffic flows.

Because the PC does not support 802.1Q, the switch must tag the traffic received from the PC, and remove the 802.1Q tag before sending traffic to the PC.

 

 

 

atqquebec
Advisor

Re: Hybrid or Trunk

Can you provide more information on "You typically don't want to use VLAN 1 in a tagged environment"?  How would you configure your network if you want to use the shared network port for iLO?  I typically simply set the server's (OS) VLAN untagged and tag vlan 1 for iLO.  I guess I should be doing the opposite (tag the OS VLAN and untag VLAN 1)?

 

For your info, I tried configuring it with something like

 

port link-type hybrid
port hybrid vlan 1 tagged
port hybrid vlan 3 untagged
port hybrid pvid vlan 3

 

(VLAN 3 is the server's VLAN and VLAN 1 is for iLO, using the shared network port).  It worked OK except that it wouldn't go through the firewall.  I didn't have time to troubleshoot, so I set it back to the dedicated NIC port for iLO.

 

Thanks,

 

Ugo

Richard Litchfield
Respected Contributor

Re: Hybrid or Trunk

There seem to be a limited number of use cases for hybrid ports. I would suggest always sticking to access or trunk ports unless there is a specific problem that is solved by using hybrid ports. (If memory serves, they were originally a bit of a kludge to allow a VoIP phone with a cascaded PC to work when neither the phone nor the PC could be configured to use VLAN tags.)

Hybrid ports are not universally recognised (not standards-based) and may cause other issues. For instance, a hybrid port on a Comware switch has problems talking to a ProCurve switch port.
Peter_Debruyne
Honored Contributor

Re: Hybrid or Trunk

I cannot fully agree on this.

There is tagged and untagged traffic, and that has nothing to do with the port type (hybrid/trunk), so communication between a ProCurve and an H3C should just work, with a hybrid or trunk port (or it must be a config mistake).

 

Essentially, the hybrid port allows everything the trunk port does, plus it allows more control over the untagged traffic.


If you do not need this control, you can go for the trunk port.

 

In my installations the rule is simple:

* uplink (switch) ports: trunks

* user/end-node ports: hybrid

This makes it very simple to distinguish the uplinks to other switches (display port trunk) from the downlink ports to end-points which are VLAN-aware (dis port hybrid).

 

The added value for hybrid on untagged is :

* instead of port-based packet processing (the port's configured PVID decides to which VLAN the incoming untagged packets are assigned), the hybrid port supports packet-based VLAN processing (based on the values in the incoming Ethernet packet).

You could compare it with a tagged link, which is also packet-based VLAN processing, but in that case the switch will read the 802.1Q tag value and use that value to assign the packet to a VLAN.

With a hybrid port it is the same, but you just change the relation: the switch can read e.g. the source MAC address value of a frame, and assign it to VLAN x for macA, VLAN y for macB.

 

This sounds complicated, and it is for manual config examples. You could configure for instance a rule so all untagged packets from mac 123456000000 mask ffffff000000 (some printer range) would be assigned to VLAN x (the printers VLAN), so the packets which are transmitted on an uplink will be tagged with VLAN x. All other untagged packets would not match the rule, so they would be assigned to the configured PVID VLAN.

Essentially, when no rules are defined, all traffic is assigned to the PVID (just like a trunk interface).

 

The power comes when this concept is combined with edge-authentication.

When you enable 802.1X or MAC-auth on the port, you can use a central VLAN assignment via RADIUS. The first device online (assume macA) could be assigned to VLAN 11. On a traditional port, the untagged port membership changes, so when a second device (macB) comes online and would be assigned to VLAN 12 by the RADIUS server, it cannot come online since the port is already untagged in VLAN 11.

Now with the hybrid port, the switch can program the port with the learned first macA and assign it to VLAN 11 (better than the manual config!), so when the second device with macB comes online, it programs this macB into VLAN 12, and both hosts are online, untagged, on the same port, while they each belong to their own VLAN (e.g. a DHCP request from macA would be tagged with VLAN 11 on the uplink, macB with VLAN 12 on the uplink).

This means when an unmanaged switch with 2 internal hosts (like a meeting room) is connected to the hybrid port, the 2 internal hosts can be authenticated and assigned to their own VLAN at the same point in time.

You could even have a 3rd host which fails authentication, so it would be assigned to the guest VLAN on the same port.

 

If you do not need this functionality, a trunk port will do fine as well.

 

Best regards, Peter

 

 

 

atqquebec
Advisor

Re: Hybrid or Trunk

In my case, it is not the communication between two switches, it is the configuration of a server port to allow the use of the shared network port for iLO (I know it is not best practice, but it makes sense in our environment).

 

Ok, so for example:

 

  • My data VLAN is 25 and must be untagged
  • My iLO VLAN is 1 and must be tagged

What kind of configuration must I do under comware?

 

port hybrid pvid 25

port hybrid vlan 1

 

or

 

port hybrid vlan 1 tagged

port hybrid vlan 25 untagged

 

?

 

I didn't find how to have tagged and untagged VLANs on the same port using trunk.  I think a trunk is only permit/not permit for VLANs.

 

Thanks,

system_team
Occasional Visitor

Re: Hybrid or Trunk


@pombeii wrote:

Some special applications like MAC-based VLAN assignment and multicast VLAN must work on hybrid ports.

 

All incoming untagged traffic on a port, whether it is access, trunk or hybrid, is tagged with PVID (the port VLAN ID, previously also called the default VLAN of the port), which defaults to VLAN 1 and is user configurable. PVID is irrelevant to how the port handle the outgoing traffic from the PVID.

 

"The "tagged" and "untagged" for the "port hybrid vlan" command are meaningful only for outgoing traffic.

For example,  to enable a port tag incoming untagged traffic with VLAN 10 and sends the outgoing traffic from VLAN 10 with the VLAN tag removed, we configure port hybrid vlan 10 untagged"  

By default, a hybrid port sends outgoing VLAN 1 traffic untagged, however, you can configure "port hybrid vlan 1 tagged" so the port send outgoing traffic from VLAN 1 without removing the VLAN tag. "


If so, what is the difference in the outgoing traffic between an access port and a hybrid untagged port?
Isn't it just the same?
Because in the two situations inbound traffic gets tagged and outgoing traffic does not get tagged.

 

 

AJ-Asaad
New Member

Re: Hybrid or Trunk

Peter, thanks, I like the way you went through it.
MDella
Advisor

Re: Hybrid or Trunk

Just to follow up with what Peter was talking about...

 

We run a "cloud computing" farm with just under 1000 servers.  These machines are created and destroyed on the fly depending on their "current" use and project.  The way we deal with the creation and destruction issues is that ALL machines are placed on VLAN 15 when unrecognized by the system (this also applies to anyone who brings in an unauthorized laptop into the data center and tries plugging into the network).  VLAN 15 for us has a complete PXEboot environment that puts a "live ramdisk linux image" on the machine (it doesn't do anything to the drive just in case you were accidentally put here) and the live image then takes inventory of the machine and reports it to a central server.

 

Eventually we build the machine out here on VLAN 15, then we insert the MAC address and destination VLANs in our SQL-driven RADIUS database.  Since all machines have 2-4 interfaces, we might populate several MAC addresses in the DB.  The machine is then rebooted and with the following configuration, voilà, it's running inside its destination environment.

 

 

#
# Define how we use mac-authentication and the authorization scheme "z5cloud"
#
 mac-authentication
 mac-authentication timer offline-detect 180
 mac-authentication timer quiet 15
 mac-authentication domain z5cloud
#
# Create a scheme "mac-auth" and how it connects to the actual radius
# system. Note we do not describe how to set up your radius database nor the
# format of the DB entries. Ensure your entries are of the format "aa:bb:cc:dd:ee:ff"
# and not the older format "aabb-ccdd-eeff". Also ensure the format is lowercase for
# all your hex characters.
#
radius scheme mac-auth
 primary authentication 172.16.1.16
 primary accounting 172.16.1.16
 key authentication cipher <radius cipher password>
 key accounting cipher <radius cipher password>
 user-name-format without-domain
 nas-ip 172.16.1.32
#
# This is the authorization method for the mac-authentication. It uses the radius
# scheme labeled "mac-auth". Authentication and authorization are required;
# accounting is only for logging purposes.
#
domain z5cloud
 authentication lan-access radius-scheme mac-auth
 authorization lan-access radius-scheme mac-auth
 accounting lan-access radius-scheme mac-auth
 state active
#
# Repeat this for basically ALL interfaces in the data center that need to use
# the mac-authentication method.  This is *highly* dependent on using the hybrid
# mode of the port and *only* the authorization portion of 802.1x
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 15 untagged
 port hybrid pvid vlan 15
 mac-vlan enable
 mac-authentication
 mac-authentication guest-vlan 15
 # speed and stp are to "speed up" negotiations. Use at your own risk
 speed 1000
 stp edged-port enable
#
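To make the behaviour discussed in this thread concrete (pombeii's point that PVID governs ingress while tagged/untagged governs egress, Peter's MAC-based assignment and per-host authorization on one hybrid port, and the guest-VLAN 15 interface MDella posted), here is an added Python model of a Comware-style hybrid port. It is example code written for this page, not code from the thread or from HPE/H3C. The VLAN numbers follow the configurations posted above; every MAC address, the printer prefix rule, and the assumption that the authorized VLAN is installed as an exact-MAC rule plus an untagged membership are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from the thread: a small model of how a Comware-style
# hybrid port classifies incoming frames (PVID or MAC-based rule) and whether it
# keeps or strips the 802.1Q tag on the way out. All MAC addresses below are
# constructed sample values.


def mac_to_int(mac: str) -> int:
    """Parse 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' into an integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class Frame:
    src_mac: str
    vlan: Optional[int] = None   # None means the frame arrived untagged


@dataclass
class HybridPort:
    pvid: int                    # 'port hybrid pvid vlan N'
    tagged: set                  # 'port hybrid vlan ... tagged': sent with the tag kept
    untagged: set                # 'port hybrid vlan ... untagged': sent with the tag stripped
    # mac-vlan rules as (mac, mask, vlan); assumption: the first matching rule wins
    mac_vlan: list = field(default_factory=list)

    def members(self) -> set:
        return self.tagged | self.untagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the frame is assigned to on arrival, or None if it is dropped."""
        if frame.vlan is not None:
            # Tagged frame: the tag decides, and the port must carry that VLAN
            return frame.vlan if frame.vlan in self.members() else None
        # Untagged frame: packet-based (MAC) rule first, port PVID otherwise
        src = mac_to_int(frame.src_mac)
        vlan = self.pvid
        for rule_mac, rule_mask, rule_vlan in self.mac_vlan:
            if (src & rule_mask) == (mac_to_int(rule_mac) & rule_mask):
                vlan = rule_vlan
                break
        # Assumption in this model: the chosen VLAN must be permitted on the port
        return vlan if vlan in self.members() else None

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame from `vlan` leaves the port: 'tagged', 'untagged' or None."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None   # the port is not a member of that VLAN, nothing is sent

    def authorize(self, mac: str, assigned_vlan: Optional[int], guest_vlan: int) -> int:
        """Model of a mac-auth result: RADIUS assigned `assigned_vlan`, or the
        guest VLAN when authentication failed (assigned_vlan is None).
        Modelled behaviour (assumption): the switch installs an exact-MAC rule and
        adds the VLAN to the port's untagged list, so several hosts share the port."""
        target = assigned_vlan if assigned_vlan is not None else guest_vlan
        self.untagged.add(target)
        self.mac_vlan.insert(0, (mac, 0xFFFFFFFFFFFF, target))
        return target


def jborg_port() -> HybridPort:
    # jborg's Ethernet1/0/5: untagged 10 (also the PVID), tagged 20 and 30, VLAN 1 removed
    return HybridPort(pvid=10, tagged={20, 30}, untagged={10})


def ilo_port() -> HybridPort:
    # Ugo's shared-port iLO attempt: OS NIC untagged in VLAN 3, iLO tagged in VLAN 1
    return HybridPort(pvid=3, tagged={1}, untagged={3})


def printer_port() -> HybridPort:
    # Peter's MAC-range rule: untagged frames from the (constructed) printer OUI go to VLAN 40
    return HybridPort(pvid=10, tagged={20}, untagged={10, 40},
                      mac_vlan=[("12-34-56-00-00-00", 0xFFFFFF000000, 40)])


def meeting_room_port() -> dict:
    # Two authenticated hosts and one failed host behind an unmanaged switch on one
    # hybrid port, with guest VLAN 15 as in MDella's interface configuration
    port = HybridPort(pvid=15, tagged=set(), untagged={15})
    port.authorize("00-aa-00-00-00-01", 11, guest_vlan=15)    # macA -> VLAN 11
    port.authorize("00-aa-00-00-00-02", 12, guest_vlan=15)    # macB -> VLAN 12
    port.authorize("00-aa-00-00-00-03", None, guest_vlan=15)  # macC fails -> guest VLAN
    hosts = ("00-aa-00-00-00-01", "00-aa-00-00-00-02", "00-aa-00-00-00-03")
    return {mac: port.ingress(Frame(mac)) for mac in hosts}


if __name__ == "__main__":
    p = ilo_port()
    print("OS NIC untagged ->", p.ingress(Frame("00-11-22-33-44-55")))
    print("iLO tagged 1    ->", p.ingress(Frame("00-11-22-33-44-56", vlan=1)))
    print("egress VLAN 1   ->", p.egress(1), "| egress VLAN 3 ->", p.egress(3))
    print("meeting room    ->", meeting_room_port())
```

Running it shows the two directions pombeii separated: on Ugo's port the untagged OS frames land in VLAN 3 and the iLO frames tagged 1 stay in VLAN 1, while on egress VLAN 1 keeps its tag and VLAN 3 loses it. The meeting-room case shows why Peter prefers hybrid ports on end-node links: three hosts on one port end up in VLANs 11, 12 and 15 without the port's single untagged membership being the limit.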

 

vcrj
New Member

Re: Hybrid or Trunk

 

Hi,

I have not understood the problem very well. With this configuration
port hybrid vlan 52 tagged
port hybrid vlan 41 untagged
port hybrid pvid 41

that traffic is forwarded without tags (802.1Q), and with the traffic tag this refers to a port for an access point, for example, having VLAN 52 as an 802.1Q trunk and not 802.1Q 41??

 

Thanks

 

best regards

KAMALESHWAR
New Member

Re: Hybrid or Trunk

Hi,

If the WLAN controller is configured as an untagged port, all the access points should be untagged, so we are using the hybrid command, in which the port carries both tagged and untagged.

For example, if I need two WLANs in the network I need two VLANs, but for communication between the controller and the access point that port should be an access port, and to carry the two WLANs' info we need the two VLANs to be tagged.