Dropping untagged traffic on a SRW224G4P

Unanswered Question
Nov 21st, 2009

I am trying to configure a port so that all traffic must be 802.1Q tagged and any untagged traffic is dropped (to replicate the setup of my ancient switch that this one is replacing).


Under VLAN Management | Port Settings, if I select Mode = General and Acceptable Frame Type = Tagged, I still have to enter a PVID!


According to the on-line Help:


PVID: Assigns a VLAN ID to untagged packets. The possible values are 2 to 4094. VLAN 4095 is defined as per standard and industry practice as the discard VLAN. Packets classified to the Discard VLAN are dropped.


However, the input only allows a PVID of 1 - 4094.


Under VLAN Management | VLAN to Ports, selecting 'Join VLAN' against the port in question, pops up a window but it is impossible to remove the untagged VLAN!


How is it possible to configure the port to only allow tagged traffic and drop any untagged traffic?


Many thanks in advance,



Neil.

Gerald Vogt Sat, 11/21/2009 - 06:10

Set acceptable frame type to tagged only and you are done. Don't bother the other settings. With tagged only the port won't accept untagged frames.


If you are worried because you can still set the PVID in the web interface just test it if you still can send untagged ports to the PVID VLAN. That's easier and shows you what your switch really does....

neil.hillard@ag... Sat, 11/21/2009 - 14:50

Thanks for your suggestion.  The odd thing is that if I set the port to 'Tagged', a PVID is still requested (which I guess is ignored).  However, when I go to VLAN Management | VLAN to Ports and then click the 'Join VLAN' button against the port, a window pops up where additional VLANs can be added to the port but the VLAN that has been selected as the PVID is listed as 'Untagged', can't be removed and therefore can't be changed to 'Tagged'.


Does the switch automatically make this VLAN tagged, even though it displays as 'Untagged' or do I have to create a dummy VLAN and assign that as the PVID so I can add all of the necessary VLANs as 'Tagged'?  If this is the case, why can't I select 4095 as the PVID which should be possible according to the on-line help?


I had great hopes for this switch and I'm sure that once I've managed to configure it then it'll be fine.  It just seems like Linksys haven't really thought through these things and it's a shame that I don't seem to be able to access the lcli on this one :(.


Many thanks.

chrcoope Tue, 11/24/2009 - 07:07

Neil,


An exceptionally interesting question. This, in a way, crosses paths with another case I am assisting someone with. I like the idea of 4095. I would suggest that you add it before you try and set it as a PVID. I am going to be labbing this soon. Hopefully I can document this solution for us.


Regards,

Christopher

chrcoope Tue, 11/24/2009 - 08:24

Neil,


Setting allow tagged frames only does in fact prevent untagged frames from entering the switch, as Gerald stated. I found that I cannot set PVID 4095, as you stated. When assigning a PVID, you will want to be certain that it is a number other than one you will have entering the unit tagged.


One of the problems I am fighting with on this is that I cannot tag the management VLAN. If I cannot tag, I cannot use CoS to mark frames. If I cannot pass CoS values, the next switch in line will not know the priority. Since I cannot CoS tag on egress anyway, I would have to DiffServ a value on the ingress. This being the case, I would be better off setting DSCP values to prioritize untagged frames. This is not the eloquent solution I wanted. If Small Business switches could at least DSCP tag themselves, this would be better. If they could tag the management VLAN and CoS tag themselves, this would be preferred.


Hope this helps,

Christopher

Gerald Vogt Tue, 11/24/2009 - 08:32

On my SRW2008 I am able to set PVID 4095 on a General mode port. I can set Admin Tagged as well. The only thing I cannot add is the management VLAN 1. I can add any VLAN tagged but not the VLAN1. (I have not tested how VLAN1 traffic is handled on that port, yet.)


It seems the firmware in the SRW2008 handles the case a little bit better, accepting 4095 as PVID. But it still has the problem with the management VLAN...

neil.hillard@ag... Tue, 11/24/2009 - 11:13

Many thanks for the comments - I was starting to think I was either being a bit thick or just plain going mad!


A couple of days ago I reset the switch back to factory defaults so I could start from fresh so I currently have VLANs defined for 1, 2 and 4094.  I created a 'dummy' on 4094 to see if I could use that as the PVID.  However, the switch seems to complain if I try to set anything except 1 as the PVID!


When the port is in Trunk mode, the untagged VLAN 1 is not removable, with a terse 'Data is invalid' message being returned!  Extra tagged VLANs can be added successfully.


When the port is in General mode, additional Tagged and Untagged VLANs can be added but as stated, VLAN 1 can't be removed!


I haven't tried it but does that mean that VLAN 1 has to become the dummy VLAN that is assigned to untagged frames (packets will never actually hit the VLAN as they'll be filtered out if the port is set to only accept tagged frames)?  I haven't tried it yet, though.  Although I would like to actually use VLAN 1 as I'm trying to mimic the configuration of my ancient switch (made by a third-party, not sure if I'm allowed to mention their name here)!


I'd like management to be on a different VLAN (7) eventually...


I can't believe that no one tested this as part of the QA process!  For information, the online help has this to say about the port configuration:


Port Settings: Enables you to configure VLAN behavior for specific interfaces, including the mode, accepted frame type, VLAN identifier (PVID), and ingress filtering.

  • Mode: Indicates the port mode. Possible values are:
    • Access: The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port (packet type) cannot be designated. It is also not possible to enable/disable ingress filtering on an access port.
    • General: The port belongs to one or more VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
    • Trunk: The port belongs to VLANs in which all ports are tagged (except for an optional single native VLAN).
  • Acceptable Frame Type: Packet type accepted on the port. Possible values are:
    • Tagged: Indicates that only tagged packets are accepted on the port.
    • Tagged: Indicates that both tagged and untagged packets are accepted on the port.
  • PVID: Assigns a VLAN ID to untagged packets. The possible values are 2 to 4094. VLAN 4095 is defined as per standard and industry practice as the discard VLAN. Packets classified to the Discard VLAN are dropped.
  • Ingress Filtering: Enables or disables Ingress filtering on the port. Ingress filtering discards packets which do not include an ingress port.



Aside from the obvious mistake under 'Acceptable Frame Type', this all sounds reasonable however it's not how the switch works!  What can be done so that the switch does operate as described?


Also, is there a hidden CLI on this model?  I've read others referring to it but never been able to access it :(


Many thanks.

chrcoope Tue, 11/24/2009 - 12:56

Neil,


Perhaps you are referring to this? This is not a supported feature by the way ;)


As far as 4095 goes, when the frames are dropped, I feel it is likely that this is where they go. As long as they are dropped (I did lab this, they are dropped) I'm good.


Trunk mode ports are "easy mode" and assume you will be using the native/management VLAN. A post was made by MikeLight about this here.


In general mode, VLAN one can be removed once the PVID is changed.


Add a VLAN that you know you will never use. Set that as the PVID of your general port.


You can certainly change the management/native VLAN under setup ==> network settings.

neil.hillard@ag... Tue, 11/24/2009 - 14:07

Chris,


Thanks for the pointer to that site - I found the instructions on a different site and tried to follow them but this switch just doesn't want to show the chevron prompt!  I wasn't sure if it had been disabled in this model :(.  I'm running firmware 1.3.1.


I've tried changing the PVID and it just doesn't want to know!  I've attached screenshots of how I'm trying to change things and the error message I get when I try!  Am I missing something (there's a damn good chance I am!)?


Many thanks.

neil.hillard@ag... Tue, 11/24/2009 - 14:10

I should have added that the same error appears whichever VLAN I choose that isn't VLAN 1!

MikeLight Tue, 11/24/2009 - 15:30

Guys -

"General" mode is telling the switch that you (the admin) will separately configure each and every possible VLAN-related setting of the port, as defined by the IEEE VLAN standard.

In particular, you can (and must) set

- VLAN membership (for each VLAN),  and if to add or not a VLAN TAG at egress

- Acceptable Frame type (usually Tagged-only and ALL, but some switches allow to set also Untagged-only)

- Ingress Filtering (do you want to check that frame and port belong to a common VLAN or no check?)

- PVID

- Egress Filtering (check/no check for common VLAN at egress?)

- (I think there are some others here ...)


The standard does not have any internal logic to link these settings to each other and see if they make sense, and you are free to configure conflicting or superfluous things.  Apparently, the SRW does not add these internal cross-feature logic links either.


Specifically, a port ALWAYS has a PVID. *IF* Untagged frames are allowed to ingress, the FRAMES will go to the PVID's VLAN (note that the PORT may or may not belong to it - no check is implied!), but if you set "tagged only" Untagged frames will be dropped before the PVID can be used, so whatever value it has is immaterial.


As for VLAN 4095 - it is defined by the standard as "discard VLAN", and the SRW should have allowed us to configure it as the PVID - but in this case, this would not have any effect anyway.


Mike
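The ingress ordering Mike describes (acceptable frame type first, then PVID assignment, then the discard VLAN, then ingress filtering), as an added Python model that is not from this thread or the switch firmware; the port dictionary keys, MAC addresses and frame contents are constructed for the example so it can be run offline to check which setting actually drops a frame:

```python
import struct

TPID_8021Q = 0x8100
DISCARD_VLAN = 4095  # reserved by 802.1Q: frames classified here are dropped


def parse_vid(frame: bytes):
    """Return the 12-bit VID of an 802.1Q-tagged frame, or None if untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header plus tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def classify_ingress(frame: bytes, port: dict):
    """Apply a General-mode port's ingress rules in the order the standard does.

    port keys are assumed names for this example: accept ("tagged" or "all"),
    pvid (int), member (set of VIDs the port belongs to), ingress_filtering (bool).
    Returns ("forward", vid) or ("drop", reason).
    """
    vid = parse_vid(frame)
    # A priority-tagged frame (VID 0) is treated like an untagged one.
    if vid is None or vid == 0:
        if port["accept"] == "tagged":
            # Dropped before the PVID is ever consulted, so its value is moot.
            return ("drop", "untagged frame on tagged-only port")
        vid = port["pvid"]
    if vid == DISCARD_VLAN:
        return ("drop", "classified to discard VLAN 4095")
    # Ingress filtering: the frame's VLAN must include this port.
    if port["ingress_filtering"] and vid not in port["member"]:
        return ("drop", f"ingress filtering: port is not a member of VLAN {vid}")
    return ("forward", vid)


def build_frame(vid=None, prio=0) -> bytes:
    """Construct a minimal Ethernet frame, optionally 802.1Q-tagged (sample data)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200000000aa")  # locally administered, constructed
    body = b"\x08\x06" + b"\x00" * 28  # ARP ethertype plus placeholder bytes
    if vid is None:
        return dst + src + body
    return dst + src + struct.pack("!HH", TPID_8021Q, (prio << 13) | vid) + body


# The port discussed in the thread: tagged-only, with VLAN 1 stuck as PVID.
TAGGED_ONLY_PORT = {"accept": "tagged", "pvid": 1, "member": {2, 7},
                    "ingress_filtering": True}
```

With `accept` set to "all" instead, the same untagged frame lands in the PVID's VLAN and is then dropped or forwarded purely by whether ingress filtering is on and the port is a member, which is the "no check is implied" point above.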
