NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
VLAN ID & PVID
Hi, This has been discussed a lot of times, but I just can't find a satisfying answer. This page was quite helping : https://kb.netgear.com/24721/How-does-a-VLAN-work-on-a-smart-switch But... On m...
ubiq1er wrote:Let's imagine my port 5 on my switch : PVID set to 1 / VLAN Membership in VLAN ID 10 - Untagged port.
Ok, let's go ahead...
ubiq1er wrote:- If an untagged frame enters this port : it goes to VLAN ID 1 and never touches VLAN ID 10, despite the fact that the port's membership is in VLAN 10.
Correct. That is what the PVID config is made for.
ubiq1er wrote:- If a tagged frame enters this port, the frame ignores the PVID (only used for untagged frames), and if the VLAN ID tag in the packet is 10 (as the port's membership), it is forwarded to VLAN 10, otherwise, it gets dropped.
Yes. The port has no config setting to limit untagged traffic only, the configured/matching tag is honored, otherwise it's dropped. Unrelated to the PVID setting.
ubiq1er wrote:- If a frame leaves this port 5, it is stripped from its tag and it can only come from VLAN 10.
Yes, because the VLAN 10 is configured [U]ntagged for the port. Again unrelated to the PVID setting.
ubiq1er wrote:I'm not sure about the last one, but wow, the relation between PVIDs and VLAN Memberships is more complex than I thought.
It's technically very clear 8-) However, it's the thing which is most confusing.
Now you are the Smart Managed Plus geek able answer almost any VLAN related question here in the community!
I guess that leaves me with a very last question to understand all the possible cases :
What would happen to an untagged packet entering an untagged port, if the PVID of this port was to be different from the VLAN ID to which this port belongs ?
Would this packet then be dropped ?
Would this packet be tagged ? If yes, with the PVID or the VLAN ID ?
Of course, the frame will go to the VLAN the PVID does ask for ... this can be interesting for certain purposes 8-)
From the security prospective, the other question would be more interesting: What happens to a tagged frame which is sent to the port but there is no such VLAN allowed on the port.
Would it be correct to make the 2 following statements, at least for all of the Netgear Switches ?
- PVID is for ingress traffic to a port (entering packets)- Vlan memberships, U or T, are for egressing traffic from a port (leaving packets)
If no, then i guess I'm even more confused now. :-)
ubiq1er wrote:Would it be correct to make the 2 following statements, at least for all of the Netgear Switches ?
- PVID is for ingress traffic to a port (entering packets)- Vlan memberships, U or T, are for egressing traffic from a port (leaving packets)
Almost 8-)
- PVID is for ingress untagged frames to a port
- VLAN membership U are for egressing untagged traffic from a port
- VLAN membership T is for ingress and egress tagged ports
Oh, thank you, that helped !
Just to be certain :
schumaku wrote:Of course, the frame will go to the VLAN the PVID does ask for ... this can be interesting for certain purposes 8-)
Let's imagine my port 5 on my switch : PVID set to 1 / VLAN Membership in VLAN ID 10 - Untagged port.
- If an untagged frame enters this port : it goes to VLAN ID 1 and never touches VLAN ID 10, despite the fact that the port's membership is in VLAN 10.
- If a tagged frame enters this port, the frame ignores the PVID (only used for untagged frames), and if the VLAN ID tag in the packet is 10 (as the port's membership), it is forwarded to VLAN 10, otherwise, it gets dropped.
- If a frame leaves this port 5, it is stripped from its tag and it can only come from VLAN 10.I'm not sure about the last one, but wow, the relation between PVIDs and VLAN Memberships is more complex than I thought.
ubiq1er wrote:Let's imagine my port 5 on my switch : PVID set to 1 / VLAN Membership in VLAN ID 10 - Untagged port.
Ok, let's go ahead...
ubiq1er wrote:- If an untagged frame enters this port : it goes to VLAN ID 1 and never touches VLAN ID 10, despite the fact that the port's membership is in VLAN 10.
Correct. That is what the PVID config is made for.
ubiq1er wrote:- If a tagged frame enters this port, the frame ignores the PVID (only used for untagged frames), and if the VLAN ID tag in the packet is 10 (as the port's membership), it is forwarded to VLAN 10, otherwise, it gets dropped.
Yes. The port has no config setting to limit untagged traffic only, the configured/matching tag is honored, otherwise it's dropped. Unrelated to the PVID setting.
ubiq1er wrote:- If a frame leaves this port 5, it is stripped from its tag and it can only come from VLAN 10.
Yes, because the VLAN 10 is configured [U]ntagged for the port. Again unrelated to the PVID setting.
ubiq1er wrote:I'm not sure about the last one, but wow, the relation between PVIDs and VLAN Memberships is more complex than I thought.
It's technically very clear 8-) However, it's the thing which is most confusing.
Now you are the Smart Managed Plus geek able answer almost any VLAN related question here in the community!
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
