Cisco switches and access VLANs.

/usr Posts: 1,768 Member
I ran into an interesting issue today and figured I would share, as well as in hopes that someone else may be able to shed some light on this for me.

I learned VLANs when studying for my CCNA, so all "hands on" practice with VLANs has been on Cisco gear prior to the last few months. I'm used to creating a VLAN, setting it to access or trunk, then adding a VLAN to the port.

I've been working with all 3Com equipment lately and apparently in all worlds besides Cisco, trunk ports are considered "tagged" ports. Same concept, different name.

I ran into an interesting issue today while setting up a VLAN across various switches for IP cameras. I was using VLAN 3 as my camera VLAN. Initially, I was trying to place the ports "tagged" in VLAN 3 and untagged in VLAN 1, which essentially makes it a trunk port. After realizing that wouldn't work, I moved on...

Which led me to the conclusion that the only way to get these switchports set to the equivalent of an access port in another VLAN is to actually place them into that VLAN untagged, which removes them from sending traffic in VLAN 1. Essentially what this does is make that port's default VLAN whatever you specify.

In fact, if you add a VLAN to any port on these switches as "tagged", the switch will automatically place that port back into the native VLAN 1, untagged. Which kind of makes sense, since if you're tagging, you're trunking, and trunks pass traffic for multiple VLANs.

I spoke with a tech from 3Com and he assured me, 100%, that the traffic being sent from a port that is placed untagged in a VLAN is NOT being tagged, but still remains in another VLAN.

I have a router which is routing between VLANs via subinterfaces (router on a stick) and the setup I just described works flawlessly, though I'm not sure how, which brings me to my question.

If you create an access port on a Cisco switch and place it into VLAN 3, for example, does that switchport actually tag its frames, or is it simply assumed that whatever connects to that port must be in VLAN 3, since an access port can only belong to one VLAN?

I was always under the assumption that access ports actually tagged their traffic, unless they were in the native VLAN, and running into this issue today has made me question that.

Comments

  • kalebksp Posts: 1,033 Member
    /usr wrote: »
    If you create an access port on a Cisco switch and place it into VLAN 3, for example, does that switchport actually tag its frames, or is it simply assumed that whatever connects to that port must be in VLAN 3, since an access port can only belong to one VLAN?

    I was always under the assumption that access ports actually tagged their traffic, unless they were in the native VLAN, and running into this issue today has made me question that.

    The only situation that a packet will actually be tagged is when it is sent out a trunk port. Switches know which of their ports are in which VLAN; tagging is only used for communicating VLAN membership between devices.
    Contradictions do not exist. Whenever you think you are facing a contradiction, check your premises. You will find that one of them is wrong.
    -Ayn Rand

    vCabbage
  • networker050184 Posts: 11,962 Mod
    Yep, what kalebksp said. It's an 802.1q tag, which is only carried on 802.1q trunks.

    It can be a bit confusing when working on other vendors' switches if you are only used to Cisco. As you have figured out, tagged ports are trunks and untagged ports are access. So for some Foundry, 3Com and the like you usually make a list of VLANs and then add tagged or untagged ports to the VLAN rather than adding the VLAN to the port like when configuring a Cisco switch.
    An expert is a man who has made all the mistakes which can be made.
  • /usr Posts: 1,768 Member
    That makes sense and was actually my suspicion as I was typing that post, because my next question was "how does the next switch know what frame the VLAN is in, if it's untagged?", but I wanted to hear what you guys had to say first.

    So on a switch with an access port in VLAN 3, that frame would actually get tagged on the trunk (tagged) port as it leaves the switch, assuming the frame has to cross multiple switches to reach its final destination, correct?

    Basically, I knew my frames were reaching the router subinterface tagged in VLAN 3 or else they would have been dropped, I just wasn't sure where they were getting tagged and the whole tagged/untagged taking the place of access/trunk ports kind of threw me.
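
The behaviour described in the answers above, as an added example that is not part of the original thread: a small Python model of where the 4-byte 802.1Q tag is added and removed. The `Switch` class, the port names and the sample frame are constructed for illustration; the model assumes the trunk sends its native VLAN untagged and, as a simplification, drops tagged frames that arrive on an access port.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def read_tag(frame: bytes):
    """Return the VLAN ID if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if read_tag(frame) is not None else frame

class Switch:
    """Hypothetical model. ports: name -> ("access", vlan)
    or ("trunk", allowed_vlans, native_vlan)."""
    def __init__(self, ports):
        self.ports = ports

    def ingress_vlan(self, port, frame):
        cfg, vid = self.ports[port], read_tag(frame)
        if cfg[0] == "access":
            # Membership comes from the port config, not from the frame.
            return cfg[1] if vid is None else None
        vid = cfg[2] if vid is None else vid  # untagged on a trunk = native VLAN
        return vid if vid in cfg[1] else None

    def forward(self, in_port, out_port, frame):
        """Return the bytes sent out of out_port, or None if the frame is dropped."""
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return None
        cfg, inner = self.ports[out_port], strip_tag(frame)
        if cfg[0] == "access":
            return inner if cfg[1] == vlan else None  # always leaves untagged
        if vlan not in cfg[1]:
            return None
        return inner if vlan == cfg[2] else add_tag(inner, vlan)

# Constructed sample: broadcast dst MAC, locally administered src MAC, IPv4 EtherType.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"camera-data"
SW = Switch({"cam": ("access", 3), "pc": ("access", 1), "uplink": ("trunk", {1, 3}, 1)})
```

`SW.forward("cam", "uplink", FRAME)` returns the frame with `81 00 00 03` inserted at byte offset 12, which is the tag a router-on-a-stick subinterface for VLAN 3 matches on; forwarding that result back out `cam` returns the original untagged bytes.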