Monday, December 7, 2015

VLANS - Tagged, untagged, what do they all mean?


In short, this is what it means:

"Not member": This port is not a member of the VLAN.

"Tagged": The packets already have a VLAN tag, i.e. they are tagged by the network device connected to this port.

"Untagged": The packets at this port have no VLAN-tags, so the incoming packets are tagged by the switch and the outgoing packets are untagged by the switch.

Regarding your question about configuring 2 simple VLANs, you have to configure the specified ports as untagged.

Any other of the above options depends on your network architecture, e.g. if you have 2 switches with your 2 VLANs then the 2 ports connecting both switches must be "tagged".


In the simplest form, I used to remember a 'Tagged' port as an inter-switch link and an 'Untagged' port as a host port.

Basically, it's all about the VLAN information that gets 'tagged' into the Ethernet frame.

When you configure a port as 'Tagged' you are telling the switch to place an 802.1q tag in the frame that can identify the VLAN that the frame came from.

That way, the switch that receives the frame knows which VLAN to send the Frame to.

So if you have 2 switches, each with ports 1-10 in VLAN 10 and ports 11-22 in VLAN 20.

You want PCs to be in VLAN 10 and Servers to be in VLAN 20, so you would:

VLAN10 untag ports 1-10 on each switch
VLAN20 untag ports 11-22 on each switch

This sets your hosts up. You want to use interface 24 to connect the switches.

VLAN10 tag port 24
VLAN20 tag port 24

So, the Interswitch links are TAGGED and the hosts are UNTAGGED...

Where there is a will there is a way...
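The two-switch setup described above, as an added example that is not part of the original posts: it models how a frame from a PC on port 3 is tagged with an 802.1Q header on port 24 and untagged again on the far switch's host ports. The function names and the sample frame are constructed for illustration, and the model assumes the switch drops tagged frames arriving on host ports and untagged frames arriving on port 24.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Port membership from the post: hosts untagged, port 24 tagged in both VLANs.
UNTAGGED = {**{p: 10 for p in range(1, 11)}, **{p: 20 for p in range(11, 23)}}
TAGGED = {24: {10, 20}}

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    tci = (pcp << 13) | (vid & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def read_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None if the frame is untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def ingress(port: int, frame: bytes):
    """Classify a received frame into a VLAN, or return None to drop it."""
    vid, inner = read_tag(frame)
    if vid is None:
        return (UNTAGGED[port], inner) if port in UNTAGGED else None
    # Assumption: tagged frames are accepted only on a tagged member port.
    return (vid, inner) if vid in TAGGED.get(port, ()) else None

def egress(port: int, vid: int, inner: bytes):
    """Return the bytes sent on `port`, or None if the port is not a member."""
    if UNTAGGED.get(port) == vid:
        return inner                      # host port: tag is stripped
    if vid in TAGGED.get(port, ()):
        return add_tag(inner, vid)        # inter-switch link: tag is kept
    return None

def flood(in_port: int, frame: bytes) -> dict:
    """Model one switch flooding a frame to every other member port of its VLAN."""
    classified = ingress(in_port, frame)
    if classified is None:
        return {}
    vid, inner = classified
    ports = (set(UNTAGGED) | set(TAGGED)) - {in_port}
    out = {p: egress(p, vid, inner) for p in sorted(ports)}
    return {p: f for p, f in out.items() if f is not None}

# Constructed sample frame: broadcast dst, made-up src MAC, ARP EtherType, padding.
PC_FRAME = bytes.fromhex("ffffffffffff" "020000000003" "0806") + bytes(46)
```

Calling `flood(3, PC_FRAME)` gives the frames leaving the first switch; feeding the port 24 result into `flood(24, ...)` gives what the second switch delivers.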


Tagged ports should be connected to switches or devices with multiple VLANs.


The basic idea is that most of the time you don't want tagged unless you are connecting the port in question to a router/firewall that understands the tags as well. Basically, if you have a single port on the router connected to a single port on the switch and need multiple VLANs to transit that port on both devices, you want tagging; otherwise no.


You would use tagging with a router if you were doing router on a stick, e.g. you have a virtual interface per VLAN on the router.

I know you didn't say that wasn't true, but your post could be misconstrued.


You can also use tagging with servers (not just switches or routers). This is typically a server-branded NIC feature. Most useful with VMs since you can run multiple VMs each with their own VLAN.

