I am trying to configure a port so that all traffic must be 802.1Q tagged and any untagged traffic is dropped (to replicate the setup of my ancient switch that this one is replacing).
Under VLAN Management | Port Settings, if I select Mode = General and Acceptable Frame Type = Tagged, I still have to enter a PVID!
According to the on-line Help:
PVID: Assigns a VLAN ID to untagged packets. The possible values are 2 to 4094. VLAN 4095 is defined as per standard and industry practice as the discard VLAN. Packets classified to the Discard VLAN are dropped.
However, the input only allows a PVID of 1 - 4094.
Under VLAN Management | VLAN to Ports, selecting 'Join VLAN' against the port in question, pops up a window but it is impossible to remove the untagged VLAN!
How is it possible to configure the port to only allow tagged traffic and drop any untagged traffic?
Many thanks in advance,
Set acceptable frame type to tagged only and you are done. Don't bother the other settings. With tagged only the port won't accept untagged frames.
If you are worried because you can still set the PVID in the web interface, just test whether you can still send untagged ports to the PVID VLAN. That's easier and shows you what your switch really does....
Thanks for your suggestion. The odd thing is that if I set the port to 'Tagged', a PVID is still requested (which I guess is ignored). However, when I go to VLAN Management | VLAN to Ports and then click the 'Join VLAN' button against the port, a window pops up where additional VLANs can be added to the port but the VLAN that has been selected as the PVID is listed as 'Untagged', can't be removed and therefore can't be changed to 'Tagged'.
Does the switch automatically make this VLAN tagged, even though it displays as 'Untagged' or do I have to create a dummy VLAN and assign that as the PVID so I can add all of the necessary VLANs as 'Tagged'? If this is the case, why can't I select 4095 as the PVID which should be possible according to the on-line help?
I had great hopes for this switch and I'm sure that once I've managed to configure it then it'll be fine. It just seems like Linksys haven't really thought through these things and it's a shame that I don't seem to be able to access the lcli on this one :(.
An exceptionally interesting question. This, in a way, crosses paths with another case I am assisting someone with. I like the idea of 4095. I would suggest that you add it before you try and set it as a PVID. I am going to be labbing this soon. Hopefully I can document this solution for us.
Setting allow tagged frames only does in fact prevent untagged frames from entering the switch as Gerald stated. I found that I cannot set PVID 4095 as you stated. When assigning a PVID, you will want to be certain that it is a number other than one that will enter the unit tagged.
One of the problems I am fighting with on this is that I cannot tag the management VLAN. If I cannot tag, I cannot use CoS to mark frames. If I cannot pass CoS values, the next switch in line will not know the priority. Since I cannot CoS tag on egress anyway, I would have to DiffServ a value on the ingress. This being the case, I would be better off setting DSCP values to prioritize untagged frames. This is not the eloquent solution I wanted. If Small Business switches could at least DSCP tag themselves, this would be better. If they could tag the management VLAN and CoS tag themselves, this would be preferred.
Hope this helps,
On my SRW2008 I am able to set PVID 4095 on a General mode port. I can set Admin Tagged as well. The only thing I cannot add is the management VLAN 1. I can add any VLAN tagged but not the VLAN1. (I have not tested how VLAN1 traffic is handled on that port, yet.)
It seems the firmware in the SRW2008 handles the case a little bit better, accepting 4095 as PVID. But it still has the problem with the management VLAN...
Many thanks for the comments - I was starting to think I was either being a bit thick or just plain going mad!
A couple of days ago I reset the switch back to factory defaults so I could start from fresh so I currently have VLANs defined for 1, 2 and 4094. I created a 'dummy' on 4094 to see if I could use that as the PVID. However, the switch seems to complain if I try to set anything except 1 as the PVID!
When the port is in Trunk mode, the untagged VLAN 1 is not removable, with a terse 'Data is invalid' message being returned! Extra tagged VLANs can be added successfully.
When the port is in General mode, additional Tagged and Untagged VLANs can be added but as stated, VLAN 1 can't be removed!
I haven't tried it but does that mean that VLAN 1 has to become the dummy VLAN that is assigned to untagged frames (packets will never actually hit the VLAN as they'll be filtered out if the port is set to only accept tagged frames)? I haven't tried it yet, though. Although I would like to actually use VLAN 1 as I'm trying to mimic the configuration of my ancient switch (made by a third-party, not sure if I'm allowed to mention their name here)!
I'd like management to be on a different VLAN (7) eventually...
I can't believe that no one tested this as part of the QA process! For information, the online help has this to say about the port configuration:
Enables you to configure VLAN behavior for specific interfaces, including the mode, accepted frame type, VLAN identifier (PVID), and ingress filtering.
Aside from the obvious mistake under 'Acceptable Frame Type', this all sounds reasonable; however, it's not how the switch works! What can be done so that the switch does operate as described?
Also, is there a hidden CLI on this model? I've read others referring to it but never been able to access it :(
Perhaps you are referring to this? This is not a supported feature by the way ;)
As far as 4095, when the frames are dropped, I feel it is likely that this is where they do go. As long as they are dropped (I did lab this, they are dropped) I'm good.
In General mode, VLAN 1 can be removed once the PVID is changed.
Add a VLAN that you know you will never use. Set that as the PVID of your general port.
You can certainly change the management/native VLAN under setup ==> network settings.
Thanks for the pointer to that site - I found the instructions on a different site and tried to follow them but this switch just doesn't want to show the chevron prompt! I wasn't sure if it had been disabled in this model :(. I'm running firmware 1.3.1.
I've tried changing the PVID and it just doesn't want to know! I've attached screenshots of how I'm trying to change things and the error message I get when I try! Am I missing something (there's a damn good chance I am!)?
"General" mode is telling the switch that you (the admin) will separately configure each and every possible VLAN-related setting of the port, as defined by the IEEE VLAN standard.
In particular, you can (and must) set
- VLAN membership (for each VLAN), and whether or not to add a VLAN TAG at egress
- Acceptable Frame type (usually Tagged-only and ALL, but some switches allow to set also Untagged-only)
- Ingress Filtering (do you want to check that frame and port belong to a common VLAN or no check?)
- Egress Filtering (check/no check for common VLAN at egress?)
- (I think there are some others here ...)
The standard does not have any internal logic to link these settings to each other and see if they make sense, and you are free to configure conflicting or superfluous things. Apparently, the SRW does not add these internal cross-feature logic links either.
Specifically, a port ALWAYS has a PVID. *IF* Untagged frames are allowed to ingress, the FRAMES will go to the PVID's VLAN (note that the PORT may or may not belong to it - no check is implied!), but if you set "tagged only" Untagged frames will be dropped before the PVID can be used, so whatever value it has is immaterial.
As for VLAN 4095 - it is defined by the standard as "discard VLAN", and the SRW should have allowed us to configure it as the PVID - but in this case, this would not have any effect anyway.
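As an added illustration of the ingress rules described in this post (not code from the thread, the switch, or its vendor), here is a small Python model of 802.1Q ingress classification: a port always has a PVID, "tagged only" drops untagged and priority-tagged frames before the PVID is consulted, PVID 4095 sends untagged frames to the discard VLAN, and ingress filtering checks port membership. The port settings, MAC addresses and frames are constructed sample values.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100   # EtherType that announces an 802.1Q tag
DISCARD_VLAN = 4095   # reserved by 802.1Q: frames classified here are dropped

@dataclass
class PortConfig:
    """Per-port settings that 'General' mode exposes (constructed example)."""
    pvid: int
    acceptable_frame_type: str = "all"     # "all" or "tagged"
    ingress_filtering: bool = True
    member_vlans: set = field(default_factory=set)

def parse_frame(frame: bytes):
    """Return (vlan_id or None, inner EtherType) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3) DEI(1) VID(12)
        return tci & 0x0FFF, struct.unpack("!H", frame[16:18])[0]
    return None, ethertype

def classify_ingress(port: PortConfig, frame: bytes):
    """Apply the 802.1Q ingress rules: ('accept', vid) or ('drop', reason)."""
    vid, _ = parse_frame(frame)
    if vid is None or vid == 0:
        # Untagged or priority-tagged (VID 0): the PVID decides the VLAN,
        # but only if the acceptable frame type lets the frame in at all.
        if port.acceptable_frame_type == "tagged":
            return "drop", "untagged frame on tagged-only port"
        vid = port.pvid
    if vid == DISCARD_VLAN:
        return "drop", "classified to discard VLAN 4095"
    if port.ingress_filtering and vid not in port.member_vlans:
        return "drop", f"port is not a member of VLAN {vid}"
    return "accept", vid

def build_frame(vid=None, prio=0):
    """Constructed sample frame: dummy MACs, optional 802.1Q tag, IPv4 payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (prio << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46
```

Running `classify_ingress` with a tagged-only port shows that the PVID value never influences the outcome, which is the point the post makes about the GUI still demanding one.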