Tagged Port Behavior

OK, so this might not be a CCNA question necessarily but I can't think of another place to post this. Plus I'm so used to Cisco terminology that I'm struggling to get my head around Tagged and Untagged ports. More particularly, how Tagged ports respond to untagged traffic coming in. I currently have this setup as we speak and it works. But I have a sneaking suspicion something it isn't right.

How would Switch B's trunk handle an untagged frame from a different VLAN?

NOTE The trunk port on Switch B has it's PVID set to 35 and PVID on Switch A's trunk port is set to 1.

Image: https://us.v-cdn.net/6030959/uploads/editor/qc/t90t1qqhukal.png

In the Cisco world I would just only allow the VLANs I needed across the trunk ports but every other vendor doesn't seem (to me, at least) make this very obvious.
Anyway, if someone could shed a little light on this for me I would appreciate it.

Find more posts tagged with

Accepted answers

All comments

willieb

The short answer to your question is the frames would be dropped.

You are correct in saying that something isn't right. There are some things wrong with the diagram and question, but that's ok since you are here to understand it and that's awesome.

It would be very helpful to post both interface configs, but based on what info you have given me here's a longer explanation:

Assuming that when you say PVID on a trunk you are referring to the native VLAN, and assuming these are Cisco switches (CCNA forum), the reason that untagged frames would be dropped is because of a native VLAN mismatch. CDP recognizes this and tells STP. STP depends on the native VLAN for operation so having a native VLAN mismatch, STP will block at least untagged frames. You will see NATIVE_VLAN_MISMATCH in the terminal. Native VLANs should match on both sides of a trunk. Other vendors may handle this differently.

I know exactly what you are trying to say, but you can't say "UNTAGGED VLAN 1 FRAME". It's either an untagged frame or a tagged frame.

The term PVID is mostly used by other vendors but generally means what VLAN an untagged frame is inserted into when entering an interface, or what VLAN has its tag stripped when exiting the interface. This can apply to access (the access VLAN) and trunk ports (the native VLAN). JMO but I wouldn't even use the acronym PVID as it can be confusing. When discussing trunks, just say native VLAN.

The way Cisco uses Trunk and Access to describe tagged and untagged ports can be confusing for sure. I've used several other vendor switches and it's much easier to just refer to and configure ports to be "tagged" or "untagged". Another difference is on a trunk Cisco typically allows all VLANs by default. Other vendor's default I've seen is to allow no VLANs and you have to specify tagged and which VLANs you want to allow.

Hopefully this explanation helps. If I interpreted your post wrong post the interface configs and I'll have another go at it.

Gngogh

Hi Fulcrum45,

I don't understand exactly what is your question, but i will share my knowledge with you hopping it will answer your question.

I had the opportunity to work with other vendors specially with Extreme Networks, and the way you configure ports on Extreme switch is totally different from Cisco. You don't define a port as trunk or access, to do so you must know what differentiates a trunk port from an access port.

Access port are untagged ports, all traffic ingressing an access port is untagged it will be tagged if it has to travel through a trunk port.

Trunk ports must have at least one tagged vlan, otherwise they wont be a trunk port. (native vlan can be tagged if needed)

Configuring Cisco Vs Extreme Networks

Cisco:
interface g0/10
switchport mode access
switchport access vlan 20

int g0/11
switchport mode trunk (by default vlan 1 is the native vlan / untagged vlan)
switchport allowed vlan 20

Extreme networks:
configure vlan 20 add port 10 untagged

configure vlan 1 add port 11 tagged
configure vlan 20 add port 11 tagged

In your scenario if switch B is not using the same untagged vlan as switch A than you will have an native vlan mismatch

Hope my explanation was helpfull

Regards

Fulcrum45

@willieb @Gngogh I appreciate the feedback. I was hoping to make the question as straight and to the point as possible but it seems I made it worse, lol. To answer a few questions however: These are actually Netgear ProSafe switches- but since it was network related this seemed to be the most suitable place to put it.

I'm trying to isolate the two VLANs - default VLAN 1 and VLAN 35 as they traverse the same backbone. SWITCH B hangs off the end and is downstream from SWITCH A and needs to go through A in order to get to its Gateway. I know Traffic leaving SWITCH B will be tagged as VLAN 35 since the trunk port here is tagged only for that VLAN and excluded from all others. What I'm not sure about is whether any untagged broadcast traffic generated from any VLAN 1 ports (Switch A) can make its way over onto SWITCH B. SWITCH A's link is a hybrid port because VLAN 1 is left untagged and VLAN 35 is tagged. However on the other side of the link SWITCH B is tagged for VLAN 35 only and is excluded from VLAN 1.

Does this seem to work because SWITCH A's trunk has VLAN 1 untagged and thus not forwarding the untagged frames unless already tagged with VLAN 35 or is this working due to a Native VLAN mismatch? I can see how there should be a native vlan mismatch here but I'm not sure how other vendors like Netgear handle them. I wonder if I have inadvertently achieved a desired result in an improper way.

I hope this helps a bit. Once again I really appreciate you guys shedding some light on this particular question.

Gngogh

Hi,

In regards to the native vlan, it is only a cisco thing. :-)

I had spin up on my Gns3 a Cisco switch and an Extreme network switch where on one side of trunk all vlans were tagged and on the other vlan 1 was untagged. The switches didn't complain and I was able to ping between switches.

Regarding to your question if you don't want to forward traffic from vlan 1 on Switch A to Switch B and if you explicit must exclude a vlan from the trunk I would do it on Switch A, just because, think its more logic.

Another option would be not to use Vlan 1, and configure a vlan that only exists on Switch A.

There is also something else that you could look into it which is called on Cisco vlan prunning. I have no idea if the manufacturer you work with have their own implementation, you could check their document. Basically what prunning does is to disable vlans that r not in use from the trunk, thus preventing broadcast from spreading.

HTH

Regards

Fulcrum45

I think my main concern was that the Switch B trunk would automatically assume any ingress untagged frames were destined for its own PVID of 35 even though they originated from VLAN 1. But it doesn't seem to work that way in practice even though I think it should in theory. I agree on not using VLAN 1 however and perhpaps the port on Switch A simply needs to be exlcuded on Vlan 1 as well.

willieb

Fulcrum45 said:

@willieb @Gngogh
...
I know Traffic leaving SWITCH B will be tagged as VLAN 35 since the trunk port here is tagged only for that VLAN and excluded from all others. What I'm not sure about is whether any untagged broadcast traffic generated from any VLAN 1 ports (Switch A) can make its way over onto SWITCH B. SWITCH A's link is a hybrid port because VLAN 1 is left untagged and VLAN 35 is tagged. However on the other side of the link SWITCH B is tagged for VLAN 35 only and is excluded from VLAN 1.
...

You mentioned in your OP that the PVID on SWITCH B is VLAN 35. If that's the case then any VLAN 35 frames leaving that interface would have the tag removed and any untagged frames entering that interface will be placed into VLAN 35, at least in a Cisco world. Not sure about Netgear.