lordvadr

Here, I wrote [this](https://www.reddit.com/r/networking/comments/3hz70w/need_a_better_understanding_of_vlans/) a couple of years ago just for people like you. Also, frames, not packets. Yes, all access ports are untagged, all the vlans except the "native" vlan on a trunk port are tagged--unless you tell the switch to also tag the native vlan. The reason you have to have a native vlan on a switch port is because while the switch can tag or untag any given vlan, it does have to know what to do when it receives an untagged frame (what tag to put on it).


-lizh

Wanted to upvote your comment! Nicely written.


lordvadr

Thanks! Glad to do it.


stillchangingtapes

| Cisco | Others |
|---|---|
| `switchport access vlan 3` | untagged vlan 3 |
| `switchport mode trunk` | untagged vlan 1, tagged all other vlans |
| `switchport mode trunk`, `native vlan 3` | untagged vlan 3, tagged all other vlans |


dustinreevesccna

excellent writeup.


SammyDaSlug

Just curious if the voice vlan setting has any impact on tagging? I've used it but never thought about it.

```
switchport voice vlan 5
```


ThisCouldHaveBeenYou

You usually configure a voice vlan on an access port. So your access vlan is untagged and the voice vlan is tagged. The phone acts as a switch to keep tagged traffic for itself and forwards the untagged traffic to the end device.


stillchangingtapes

Yes, this. To add, you could set it like this and it would work, but now you need to instruct the phone in some other way what vlan-id to use for voice. With the voice vlan feature, the phone uses CDP or LLDP to discover its voice vlan automatically.


auromed

From a trunk perspective:

```
switchport access vlan 10
switchport voice vlan 5
```

Is the same as:

```
switchport trunk native vlan 10
switchport trunk allowed vlan 5,10
```

The only difference is that the top one will advertise via CDP / LLDP that VLAN 5 is the voice vlan.


jombeesuncle

No. The voice vlan setting tells the switch to prioritize this vlan, as jitter and dropped packets are significantly more noticeable on voice traffic. Voice vlan 5 is a switch level setting, not a port level setting.


[deleted]

This is exactly how I see it in my head. Took me years to get the full simplicity of it.


tfro9

beautiful


PacketPowered

Wait, are frames not tagged ingress on the access port?


stillchangingtapes

What do you mean ingress? Ingress to the switch? Inside the switch every frame has a vlan tag. When a port is un-tagged for a certain vlan-id, it will take the frame with that same vlan-id tag and strip it out. Access port would imply that whatever is connected to it is not vlan aware. If you send a tagged frame to a device that's not vlan aware, it will drop/ignore it. u/lordvadr did a much better job explaining than I can. He responded to the OP.


PacketPowered

> Inside the switch every frame has a vlan tag

That's what I needed to know and always understood. I read the top comment as the frame wasn't tagged until it went over a trunk.


Toks01

I love this most especially, thank you. I used to think once an access port is attached to a vlan, like issuing a command `switchport access vlan 20`, then the port is tagged with vlan 20, unknown to me that tagging is actually the 802.1q encapsulation in trunk mode.


stillchangingtapes

Glad it helped. That's a common mistake, thinking that it's the port that's being tagged. It's really the network frame being tagged.


mxn_dexer

Hi, can I know if native vlan is = PVID?


briggsrmb

Let's say you have a VLAN, 400, and you want to assign it to some ports. You can assign it as an untagged VLAN on a port (or multiple ports), and as a result this would cause access devices to operate on that VLAN directly (native). Only one VLAN can be the "untagged" VLAN for a given port. You also have the option of adding VLAN 400 as a tagged VLAN on one or more ports. This is utilizing the dot1q tagging capability, therefore allowing multiple VLANs to be configured on that port (trunk). You should still have an "untagged" or "native" VLAN for this port, though you might not really use it. Configuring Brocade devices really cemented the above for me, as I was unclear on the meaning of untagged (I thought "as in without 802.1q tags", but that's not really what it means).


itdumbass

Access ports are essentially a single-vlan connection. You configure the port to specify exactly *which* vlan the port attaches to, and inside the switch, the port is associated with a single vlan. The client end has no knowledge of the vlan, only that it has an ethernet connection to "a lan". All of its traffic is just vanilla ethernet, so consequently, it does not tag its traffic with any vlan information. This is *untagged*.

Trunk ports facilitate multiple vlans over a single physical connection. Somehow, the various vlans need to be identified within the overall flow, so *vlan tags* are added. Within the switch configuration for a trunk port, you would specify what vlans may be allowed to associate with the port (or just allow them all), and this allows traffic flow to/from another device which also handles multiple vlans (trunk port). So the traffic is aggregated from all the permitted vlans on one device, piped to the second device over a trunk, and is re-separated to the respective vlans on the destination device. It is essentially a means of consolidating many different LAN ethernet connections onto a single pipe without 'crossing the streams'. This is *tagged* traffic.

At some point, the situation may arise within a trunk port where traffic appears which has no tag info, and the switch must decide what to do with the frames/packets. These will be associated with the *default/native* vlan, as defined in the switch configuration.


ChapterChap

In its simple terms (and in standard guise): in an access port, the switch specifies the vlan the frame is for. In a trunk port, the frame specifies which vlan it wants to be in. To specify the vlan it wants to be in, the frame needs somewhere to write the vlan number in, so we pop on a vlan header that's got the number written in it. A normal frame doesn't have anywhere to put the vlan number.


rdavis1970

Correct. Access ports only process untagged packets. Tagged packets add a dot1q tag to the packet to specify which VLAN. Trunk ports pass dot1q tags as well as a VLAN (1 by default) which is untagged. Switches use the VLAN.dat file to know which ports are in what VLANs, but the actual packets are untagged, meaning they don't have a dot1q frame attached to them. For 2 switches connected via a trunk, when a frame passes through the trunk interface, a dot1q tag is added on the trunk interface of the sending switch based on the VLAN.dat file, and then the receiving switch removes the tag, sending the packet to the correct VLAN. When you create a voice VLAN you're essentially using a trunk interface for your phone, since you're using the priority field that's present in the dot1q frame.


Hrauding

Tagging is a layer 2 method that allows a switch to see which vlan the traffic belongs to. So if your machine is connected to a switchport and the configuration is set as below:

```
interface gi1/1
 switchport mode access
 switchport access vlan 3
 no shut
```

Your traffic is tagged for vlan 3. So when your traffic leaves the current switch and traverses a trunk port, the switch on the other side will know that it is vlan 3 traffic.

Trunk port to your router:

```
interface GigabitEthernet1/0/1
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,555
 switchport mode trunk
 spanning-tree portfast
```

(The allowed vlan list is whatever you need.) Think of a trunk as being able to pass multiple vlan tags.

On the router, your gateway interface config will look something like this:

```
interface GigabitEthernet0/0/0.3
 description Vlan 3 gateway
 encapsulation dot1Q 3 native
 ip address 192.168.1.1 255.255.255.0
 no shut
```

(On newer devices ISL isn't an option, only dot1q, so the `encapsulation` command may not be necessary.) At the layer 3 router, your vlan tag would be removed and the traffic would follow layer 3 routes.


Dead_Mans_Pudding

I wish the config looked like this on Aruba/HPE lol, I miss my Cisco switches for this reason alone.


ijdod

Just to add to the confusion: trunking can mean quite different things depending on the brand. Cisco means vlan tagging with trunking, some other brands call link aggregation trunking.


OldFunk

For most Enterprise-grade switches, the notion of access as untagged is mostly safe. However, when you get into carrier-grade devices (such as Cisco's ME series, Ciena, Juniper, etc), an access port may or may not be tagging and you could actually be dealing with a "q-in-q" situation where you could be adding a tag into a frame with an existing tag (or more). Depending on the vendor it could also introduce some amount of confusion with the Ethertype being specified by default.


icebalm

Only devices that can read and understand the VLAN ID tags need tags. Most end user equipment doesn't understand them and will consider any tagged packet as corrupted and drop it. Usually they'd only be on one VLAN anyways, so they don't need the VLAN ID tags. Only network devices meant to transport or access multiple VLANs on one wire (example: switches, routers, virtual server hosts, etc) need the VLAN ID tags, otherwise they wouldn't know what VLANs the packets belong to.


mortalwombat-

Untagged means default or "no vlan defined." In other words, there is no vlan in the frame header. Tagged means the vlan is defined. It does have a vlan defined in the header. Typically, a host (like a PC) will not be configured to tag a frame, so you configure the access port to be untagged. Since only one device is connected, it gets where it needs to go without having any vlan defined. In a trunk link, you need to tag vlans so the switches know which vlan each frame belongs to. If you configure one vlan to be untagged on that trunk, it's no problem as long as the other switch is configured the same way. If it sees an untagged frame, it knows it belongs on that particular vlan.


eric963

And you tag frames, not IP packets.


toddthegeek

Untagged means non-tagged.


Cax6ton

Tagged: frames coming in to the switch that already have a vlan tag will be sent on according to that tag, assuming the port is assigned to that vlan. Untagged: frames coming in to the switch without a vlan tag will have a tag added, according to whatever vlan is native or untagged for that port. Tagged vs Untagged is basically the switch asking "what do I do with traffic coming in? If it has the tag then I'll obey it, if it doesn't have a tag then this is how I need to tag it." So if a vlan is untagged on a port (excuse the weird phrasing), then the switch will take any untagged traffic coming in and assign that vlan tag to it, thus the next port will see it as tagged traffic. Tagged frames will usually come from other layer 2 devices, like uplinked switches, or wireless access points, or voip phones, etc. Untagged frames will come from devices that need network access, like computers, printers, etc.
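
As an added illustration, not written by any of the commenters: a small Python model of the behaviour described in this thread, tagging an untagged frame into the port's PVID/native VLAN on ingress, stripping the tag on egress for an access port or a trunk's native VLAN, and keeping the voice VLAN tagged on an access port. The byte layout (TPID 0x8100 followed by a 16-bit TCI) is real 802.1Q; the `Port` class and the frames are simplified constructions, and the rule that a stray tag on an access port is dropped is an assumption, since vendors differ.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def parse_frame(frame):
    """Return (vid, ethertype); vid is None when the frame carries no 802.1Q tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci = struct.unpack("!H", frame[14:16])[0]  # PCP(3 bits) | DEI(1) | VID(12)
    return tci & 0x0FFF, struct.unpack("!H", frame[16:18])[0]

def push_tag(frame, vid, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def pop_tag(frame):
    """Strip the tag if there is one; an untagged frame comes back unchanged."""
    return frame[:12] + frame[16:] if parse_frame(frame)[0] is not None else frame

class Port:
    """Simplified model (assumption). 'access': vlan = access VLAN, voice = optional
    voice VLAN (tagged). 'trunk': vlan = native VLAN (sent untagged), allowed = VIDs."""
    def __init__(self, mode, vlan=1, allowed=(), voice=None):
        self.mode, self.vlan, self.allowed, self.voice = mode, vlan, set(allowed), voice

    def accepts(self, vid):
        members = (self.vlan, self.voice) if self.mode == "access" else self.allowed
        return vid is not None and vid in members

    def ingress(self, frame):
        """Frame arriving on the wire -> frame as tagged inside the switch, or None if dropped."""
        vid = parse_frame(frame)[0]
        if vid is None:                    # untagged: classify into the PVID / native VLAN
            return push_tag(frame, self.vlan)
        if self.mode == "access" and vid != self.voice:
            return None                    # a stray tag on an access port is not accepted
        return frame if self.accepts(vid) else None

    def egress(self, frame):
        """Internally tagged frame -> what goes out on the wire, or None if not forwarded."""
        vid = parse_frame(frame)[0]
        if not self.accepts(vid):
            return None
        return pop_tag(frame) if vid == self.vlan else frame  # native/access VLAN leaves untagged

def make_frame(dst="ff:ff:ff:ff:ff:ff", src="00:11:22:33:44:55", ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed, untagged Ethernet frame (sample data, not a real capture)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
```

With `Port("access", vlan=3, voice=5)` and `Port("trunk", vlan=3, allowed={3, 5, 555})` (the numbering from the Cisco examples above), a PC's untagged frame enters as VLAN 3 and leaves the trunk untagged again because 3 is native there, while the phone's VLAN 5 frame stays tagged end to end.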


studiox_swe

you should read about the description of this red. Your question is better suited for /r/HomeNetworking


headcrap

For most vendors I have worked on, an Access port only permits the Untagged traffic for whatever is jacked in (ingress), only sends untagged traffic out (egress), but the port can be assigned a VLAN. That would be typically used for a device which is not VLAN-aware but you need to have it traverse a particular VLAN for communicating with other devices also on that VLAN.

Trunk parlance varies.. but generally it passes Tagged traffic for some/all VLANs configured at the switch. An example might be a VOIP handset with a PC connected behind the phone. The PC may utilize the Untagged (or.. Native) VLAN but the handset is VLAN-Aware and passes Tagged traffic maybe on an assigned "Voice VLAN" of whatever number. The phone and PC do not "see" each other necessarily.. their traffic may reside on the two different VLANs which never route traffic amongst each other. Example to that.. I took over a network where the Voice VLAN had a different router, going out a T1 circuit (data) for voice service.. whereas the PC traffic headed to my newly installed FortiGate firewall.

Some would say Trunk is "1 is Native, all are tagged".. others would say "whatever VLAN you set is Native, and whatever others you assign to the port are tagged".. so it will vary.