siletzspey
Jan 06, 2021 Aspirant
The handling of untagged packets across a physical network
I should be getting two GS308T units tomorrow. Glancing at this forum and the owner's manual, I am feeling mystified about the handling of untagged packets, and the notion of packets "defaulting to V...
schumaku
Jan 06, 2021 Guru - Experienced User
Hallo Thomas,
Sure you can - both solutions are workable and can be implemented.
Don't be confused about terms like trunk or access port. Sure, a trunk port can carry untagged and tagged frames, while an access port just carries untagged frames for a single VLAN. The trunk term is also used in the context of LAG/bonding/port trunking, where multiple physical ports of the same speed and latency are combined into a trunk.
By default, the ports on these switches are configured to the VLAN 1:
VLAN 1 [U]ntagged ... which makes the switch remove the tag from the frame when leaving the switch, and
PVID 1 ... which makes incoming VLAN-untagged frames be associated with VLAN 1.
When creating a port connecting to the VLAN 500 resp. VLAN 700, ensure the PVID is also set to 500 resp. 700, and the port is removed from the default VLAN 1 by an [ ]empty entry.
Regards,
-Kurt
siletzspey
Jan 06, 2021 Aspirant
Thanks Kurt! Very helpful.
Per your reply, an ah-ha seems to be... the "1" in "VLAN 1" does not imply packets vtagged with a 1. It seems the descriptor (token) "VLAN 1" could have been named "VLAN UNTAGGED" so as not to imply a vtag of 1.
Edit/hum - do untagged packets OUTSIDE the switch get tagged with 1 for internal handling purposes within the switch? Outwardly I have untagged packets, but for brief periods within the switch they get mapped/unmapped from said "VLAN 1".
My units should arrive today, and it will be fun to get hands on and pound it out.
Thomas Gilg
- schumaku Jan 06, 2021 Guru - Experienced User
That's the ah-ha I wanted to happen!
On a switch, and by design, you have one or multiple VLANs on a physical network.
On the links, e.g. an Ethernet link, a LAG, ... a VLAN can be tagged (one or many), or untagged. A port where you want to connect a system for VLAN 123 is only an untagged member of VLAN 123; the PVID 123 makes untagged frames enter VLAN 123. The traffic in a VLAN is not VLAN "tagged" - while this is not fully correct, also QoS information can be part of a tag. How the frames come out of a port, with or without VLAN tags, is defined at the switch boundary. Where untagged frames are assigned to is also defined by the PVID at the switch boundary.
Similar for the wireless access point - there the VLAN is always* untagged on the SSID. (*Again, highly sophisticated designs allow one SSID and multiple VLANs, depending on the 802.1x authentication the VLAN membership can be assigned).
- siletzspey Jan 07, 2021 Aspirant
Everything seems to be working fine. Attached is a visual of the winning settings.
The only real question is... I have untagged and tagged traffic coming into g1 from the SonicWall, and presumably only the untagged traffic from the SonicWall is popping out on g8.
Thanks again.
- schumaku Jan 07, 2021 Guru - Experienced User
siletzspey wrote: I have untagged and tagged traffic coming into g1 from the SonicWall, and presumably only the untagged traffic from the SonicWall is popping out on g8.
Sure, this is how it has to be - the g8 port is a connection into the VLAN 1. The VLAN 1 is logically yet another VLAN which is accessible to untagged frames on g1 and g8. Again: The VLAN tagging on the links does exist just to mark the frame is a member of another network, different from the untagged frames. Tagging does not "make" the VLAN.
To avoid confusion: The PVID information on the table shown for switch g1 is wrong - only one PVID can be set, and this must be PVID 1 in this config.
Last but not least, the old rule not to use the VLAN 1 (coming from crappy design from certain vendors having a default primary VLAN "0" spanning all ports and without any control) does not apply here, unless people forget to unmark the ports from VLAN 1. Further on, if adding more switches daisy-chained to this one, ensure the VLAN 1 untagged is part of the trunks - features like STP/RSTP (valid for the complete physical network, all VLANs) always run on the untagged network.
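An added illustration of the behaviour discussed in this thread, not part of any post above and not NETGEAR code: a small Python model of PVID-based ingress classification and tagged/untagged egress, plus a check for ports left in the default VLAN. The port table is constructed (the attached settings image is not reproduced here), and ingress filtering is assumed to be enabled.

```python
# Constructed port table (an assumption, not the poster's attached settings).
# "member" maps VLAN ID -> "U" (egress untagged) or "T" (egress tagged).
PORTS = {
    "g1": {"pvid": 1,   "member": {1: "U", 500: "T", 700: "T"}},  # firewall uplink
    "g2": {"pvid": 500, "member": {500: "U"}},                     # VLAN 500 device
    "g3": {"pvid": 700, "member": {700: "U"}},                     # VLAN 700 device
    "g8": {"pvid": 1,   "member": {1: "U"}},                       # VLAN 1 device
}

def classify(ports, port, tag):
    """Ingress: VLAN the frame joins (tag=None means untagged), or None if dropped."""
    vlan = ports[port]["pvid"] if tag is None else tag
    # Assumes ingress filtering: the port must be a member of the VLAN.
    return vlan if vlan in ports[port]["member"] else None

def forward(ports, in_port, tag):
    """Flood a broadcast frame; return {egress port: tag on the wire or None}."""
    vlan = classify(ports, in_port, tag)
    if vlan is None:
        return {}
    return {name: (vlan if cfg["member"][vlan] == "T" else None)
            for name, cfg in ports.items()
            if name != in_port and vlan in cfg["member"]}

def audit(ports):
    """Flag the two mistakes the thread's advice guards against."""
    findings = []
    for name, cfg in ports.items():
        untagged = sorted(v for v, m in cfg["member"].items() if m == "U")
        if cfg["pvid"] not in cfg["member"]:
            findings.append(f"{name}: PVID {cfg['pvid']} is not a member VLAN")
        if len(untagged) > 1:  # e.g. port never unmarked from default VLAN 1
            findings.append(f"{name}: untagged in VLANs {untagged}")
    return findings

if __name__ == "__main__":
    print(forward(PORTS, "g1", None))  # untagged from the firewall
    print(forward(PORTS, "g1", 500))   # tagged 500 from the firewall
    print(forward(PORTS, "g2", None))  # untagged from the VLAN 500 device
    print(audit(PORTS))
```

In the results, `None` as the egress value means the frame leaves that port without a tag; a number means it leaves carrying that VLAN tag.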