Old 05-10-2019, 02:56 PM   #5
Retro-Hipster
Re: Questions about VLANs and Cisco Hardware

So, when you mark an interface as untagged as a member of a vlan, it means that the vlan tags themselves (headers that say, "this data is for vlan 25!") won't be passed by that interface but that the port will just act like any normal switch port. It would just be a switch port on that vlan. So say you have management on vlan 30 and you set interface 0/0/1 as untagged on vlan 30, then it would make port 0/0/1 only pass data for vlan 10 and would strip all the vlan tags from being passed. The vlan tag encapsulates the data, so when it is stripped you are left with the 'normal' network data observed by computers most of the time. This is not the same thing as a port having no membership to a vlan.

Take this example below.

Company X has two switches for two floors in their building. They want the phones to be on a separate vlan from the data. They do not want the devices that are getting plugged into the network to have to read vlan tags and place themselves on a specific vlan. Instead, they just want it to look like two completely separate networks. (There should be no vlan tags presented to the devices, just the data.)

vlan 10 = Data Network.
vlan 20 = Phone Network.
vlan 30 = management

Both switches will be configured like this.
Ports -- vlan -- tagged/untagged/neither -- Notes
0 -- 10,20 -- tagged -- This is a trunk port. It is tagged because it needs to pass the vlan data AND the tags to the next switch so the switches can keep things separate.
1 -- 10 -- untagged -- This port is a part of vlan 10 but doesn't pass any tags, just the data on vlan 10.
2 -- 10 -- untagged -- This is like port 1. Devices on this port and port 1 can talk fine, like the other vlans don't exist. It can also talk to things on the other switch that are on vlan 10.
3 -- 20 -- untagged -- This port is like port 2, except that it only sees the data on vlan 20 instead of 10. It doesn't see any tags.
4 -- 20 -- untagged -- This port is just like port 3.
5 -- 30 -- untagged -- This port is the only port on the switch that is a member of vlan 30. The management interface has been assigned to this vlan and, as such, no other interfaces have access to this management interface. Since the Trunk Port doesn't have vlan 30 tagged, it won't pass this vlan over to the other switch. Each switch would need to be plugged into individually to access the management network.

This can be useful in more high-security installations or in small installations where there are only a few switches. There is no reason why you can't have "vlan 30" tagged at the trunk ports so that you can manage all your switches from a single switch port. The important thing is just keeping management interfaces away from the normal user network.

I hope that explains the difference between tagged and untagged. A note is that a machine on a port that has been tagged on a vlan may look pretty much like one with an untagged port. That is only because the vlan tag is getting discarded though. The tag is actually getting sent to the machine, but the machine isn't doing anything with it unless it is told to use it. It is generally cleaner to mark things like workstations as untagged on their designated network so that they don't have to deal with tags for no reason. Some devices don't like dealing with tags. If a machine is getting a tag, it kind of should have a reason for it, such as with ESXi hosts where you want to tag multiple vlans for use on that host. Ports tagged on multiple vlans should have that machine's NIC configured to handle the vlans/act as two distinct networks.
Last edited by Retro-Hipster; 05-10-2019 at 03:03 PM..
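The port table in the post, modelled as an added example (not from the post or any switch vendor): it builds real 802.1Q frames, shows the 4-byte tag being inserted on the tagged trunk port and stripped on untagged ports, and shows that vlan 30 never leaves the switch because the trunk does not carry it. The port numbers and VLAN memberships are the post's; the rule that an untagged port drops frames that arrive already tagged is an assumption of this model.

```python
import struct

TPID = 0x8100  # IEEE 802.1Q Tag Protocol Identifier

# Port table from the post: port -> (member VLANs, tagged/untagged)
PORTS = {
    0: ({10, 20}, "tagged"),    # trunk: carries 10 and 20 with tags, not 30
    1: ({10}, "untagged"), 2: ({10}, "untagged"),
    3: ({20}, "untagged"), 4: ({20}, "untagged"),
    5: ({30}, "untagged"),      # management VLAN, only member on this switch
}

def add_tag(frame, vid):
    """Insert a 4-byte 802.1Q tag after the two MAC addresses (PCP/DEI left at 0)."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def build_frame(dst, src, payload, vid=None):
    """Ethernet II frame (EtherType IPv4); tagged only when vid is given."""
    frame = dst + src + struct.pack("!H", 0x0800) + payload
    return add_tag(frame, vid) if vid is not None else frame

def parse_vid(frame):
    """VLAN id carried in the tag, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def strip_tag(frame):
    """What an untagged port does on egress: remove the tag, leave 'normal' data."""
    return frame[:12] + frame[16:] if parse_vid(frame) is not None else frame

def ingress(port, frame):
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    vlans, mode = PORTS[port]
    vid = parse_vid(frame)
    if mode == "untagged":  # untagged traffic belongs to the port's one VLAN
        return next(iter(vlans)) if vid is None else None  # assumed: tagged ingress dropped
    return vid if vid in vlans else None  # trunk: tag required and VLAN must be allowed

def egress(port, vid, frame):
    """Frame as it leaves a port for this VLAN, or None if the port is not a member."""
    vlans, mode = PORTS[port]
    if vid not in vlans:
        return None
    bare = strip_tag(frame)
    return bare if mode == "untagged" else add_tag(bare, vid)

def forward(in_port, frame):
    """Flood a frame to every other member port; returns {port: frame_as_sent}."""
    vid = ingress(in_port, frame)
    if vid is None:
        return {}
    out = {p: egress(p, vid, frame) for p in PORTS if p != in_port}
    return {p: f for p, f in out.items() if f is not None}
```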