I have never used VLANs before, so I'd like confirmation that it will work as I think.
We have three Netgear GS724T and a fortinet router.
If I configure a port to be Untagged on VLAN 1 with a PVID set to 1, and Trunk on VLAN 2, will it accept and transmit untagged packet on VLAN 1 and accept and transmit Tagged packet on VLAN 2 ?
I would like to keep the current default configuration of every port untagged on VLAN 1 and start to add new VLAN as needed without breaking the Internet access or access to the ESX virtual machines. My first test would be to put the ESX Ethernet port Trunk on VLAN 2 to test with a single VM on VLAN 2, and the other VMs still untagged on VLAN 1.
VLAN membership – Tagged and Untagged
vlan
Related Solutions
If you have more than one VLAN on a port (a "trunk port"), you need some way to tell which packet belongs to which VLAN on the other end. To do this you are "tagging" a packet with a VLAN tag (or VLAN header if you like). In reality a VLAN tag is inserted in the Ethernet frame like this:
The 802.1Q (dot1q, VLAN) tag contains a VLAN-ID and other things explained in the 802.1Q Standard. The first 16 bits contain the "Tag Protocol Identifier" (TPID) which is 8100. This also doubles as the EtherType 0x8100 for devices that don't understand VLANs.
So a "tagged" packet contains the VLAN information in the Ethernet frame while an "untagged" packet doesn't. A typical use case would be if you have one port from a router to a switch which multiple customers are attached to:
In this example customer "Green" has VLAN 10 and Customer "Blue" has VLAN 20. The ports between switch and customers are "untagged" meaning for the customer the arriving packet is just a normal Ethernet packet.
The port between router and switch is configured as a trunk port so that both router and switch know which packet belongs to which customer VLAN. On that port the Ethernet frames are tagged with the 802.1Q tag.
Without getting into NDA territory, a lot of it has to do with the switch (chip) internals. Of course anyone with a clue codes their UI and configuration language to handle these things automatically. You'd think something with a Cisco logo on it would be better, but you'd be wrong -- that switch grew out of the Linksys Small Business product line and has never seen the same engineering effort behind IOS, for example.
While it makes little sense, it's a valid configuration to set a PVID of 20 in your example. Untagged traffic handed to the switch would forward in VLAN 20. (no one in their right mind would(should) do that.)
[Note: even in switch IOS, one can set the native VLAN to something that isn't in the allowed list. And it's 100% valid.]
Related Topic
- Difference Between Untagged and Tagged Ports – VLAN Explained
- VLAN – Behavior of Untagged Traffic on TRUNK and ACCESS Ports
- VLAN Security – Is Splitting a Switch with VLANs Secure?
- VLAN Configuration – Converting Untagged VLAN to Tagged VLAN
- 802.1x Authentication – Dynamic VLAN Assignment of Tagged Frames
Best Answer
Here's one way to think about it:
A port with more than one VLAN associated with it is called a Trunk. A Trunk can have exactly ONE untagged vlan (also called the Native VLAN), and one or more Tagged VLANS. If you set a VLAN to be untagged on a port, there is no PVID associated with it; there is no PVID field in the Ethernet frame.
If a trunk port is configured with VLAN1 untagged, and VLAN 2 tagged, then all devices that use untagged frames (PCs etc) will communicate on VLAN 1 and be blissfully unaware of any other VLANs. If a device can tag frames with a PVID =2, then it can communicate on VLAN 2.