16 September 2010

Cisco VLANs

I had a customer who was confused on what constituted tagged and untagged on a Cisco switch. I tried to explain it to him, but I could see that he was not quite grasping it. After doing some research, I found this great description and thought I would re-post Cisco Home Community user gv's post for anyone else that is fuzzy on Cisco nomenclature.

Generally, do not use General mode. In most cases it is not necessary. Use access mode and trunk mode and nothing else. If you think you must use General mode you probably have an issue with your network design. For instance, you can configure a port to be untagged member of multiple VLANs although this is in most cases not what you want and will create very confusing situations.

Access mode is for client devices, like normal desktops, printers, etc, An access mode port only sends and accepts untagged frames. The association of the traffic on this port to a VLAN happens through configuration on the switch. An access mode port in VLAN 5 belongs to VLAN 5 and no other VLAN. It will only send and receive traffic on VLAN 5.

Trunk mode uses tagged and untagged frames. The fact that it uses 802.1q tagged frames implies that it is connected to a device which is capable of dealing with 802.1q frames. Managed VLAN switches are one example. But very often Ethernet cards in server machines can be configured for 802.1q as well, i.e. you can run a trunk mode port to a server connecting it directly into multiple VLANs.

You can specify which VLANs are carried on a trunk mode port and which not. Thus you are also able to exclude some VLANs from a trunk port. Using tagging the switch sends 802.1q tagged frames for all VLANs on which it is tagged member. The "tag" contains the number of the VLAN to which this particular frame belongs to. Due to that, the receiving side is able to correctly assign each received frame to the correct VLAN. If the switch send a VLAN 5 tagged frame through a trunk port the receiving side knows that this frame belongs to VLAN 5 and thus can forward it correctly to the next hop maintaining separation of VLANs etc.

The untagged VLAN on a trunk port is the "default" native VLAN for all frames on a trunk port which are send or received untagged. All untagged frames only belong to this native VLAN. If you configured both ends of the trunk connection identically that both ends use the same VLAN for each frame received and send, tagged or untagged. It is highly recommended that the configuration on both ends of a trunk connection is identical, i.e. the native VLAN is the same and both ends use the same set of tagged VLANs or accept any possible tagged VLAN.

As mentioned before, General mode is more flexible in that you can choose any native VLAN you want or even multiple untagged VLANs. However, this is usually not what you want. For instance, if you configure a general mode port to be untagged member of VLANs 2 and 3 the switch will send any frame from VLAN 2 or VLAN 3 untagged through the general mode port. The receiver on the other side is not able to distinguish which VLAN the frame belongs to: it could be VLAN 2 or VLAN 3.

Some people think they could use general mode to connect a "shared" device to multiple VLANs. This again, is not true. The problem is the reverse direction, i.e. untagged frames received on the general mode port. You have to configure a single VLAN on the general port for all untagged frames. Otherwise the switch would not know exactly to which VLAN it should assign an untagged frame received. Thus, although you can send the frames for multiple VLANs untagged through a general mode port you can only receive untagged frames for a single VLAN on that same port.

Just another reason why I like Extreme Networks gear better.

Good luck to everyone out there.