VLAN tagging and non-trunked ports for dummies

zacc04
Level 1

Good afternoon all,

I have been working in a 100% Cisco space since 2010 and never once heard or saw the term VLAN tagging in the real world; I saw it once or twice in a CBT Nuggets video years ago and that was the extent of my exposure to the concept. Now, in a new gig with non-Cisco switches, as well as lower-end non-Catalyst switches that don't use the full "normal" Cisco IOS, I'm stuck trying to fully figure out the concept of VLAN tagging while doing configuration cleanup on about a hundred remote locations and planning a design for their lifecycle replacements. I understand the concept when talking about trunks (or LAG in non-Cisco, apparently) but I'm fairly confused when porting it over to access and 'general' ports.

1) What are tagged and untagged and what do they actually mean?

2) What is the difference between a general port and an access port? I see that a general port can pass traffic from multiple vlans but how does this differ from a trunk?

3) How does #2 apply to #1?

I have a small lab at my desk that includes a Cisco CL220 switch I am tapping away at that uses some kind of non-standard IOS. I have figured out how to add tagged vlans but after blocking VLAN 1 it says that the ingress untagged VLAN is now 4095. I know 4095 isn't a normal VLAN number, so I'm stuck trying to deduce what this actually "means." Should there be an 'untagged' vlan if multiple vlans are configured on a non-trunk port?

Any help is appreciated. I attached the output of the show switchport command, showing the VLAN 4095 thing.

Martin L
VIP

Not sure what a general port is; maybe it means a port that is not configured yet. A port could be an access or a trunk port. You could use the general rule that by default almost all L2 switches have their ports configured as access ports, while most L3 switches have them as trunk ports. However, today the same Cisco switch can have either access or trunk ports. There were some specific models of switches pre-configured with either access or trunk ports in the past. Today, Cisco switch ports are likely to negotiate their state; this means it depends on the other side: if you connect a PC, the port operates as an access port and is put in the default VLAN 1. The idea here is a "plug-and-play" approach. All ports are in VLAN 1 and are access ports, or will become trunks if the other side asks for it. Normally, traffic that belongs to VLAN X cannot communicate with traffic that belongs to VLAN Y; you will need some help like an L3 SVI or ROAS, aka router-on-a-stick. This is known as VLAN domain, broadcast domain and separation.

Tagging traffic is significant and much needed on trunk ports in order to be able to identify which VLAN the traffic belongs to, i.e. not to lose the VLAN ID when packets/frames move to another switch. Internally, a switch keeps VLAN ID "pathways" so that traffic moves freely within the same VLAN ID. Some call that internal tagging, but the terms "tag or no tag" most often refer to the process of adding an external tag to frames as they move over the trunk links.

Switches will use their MAC tables to figure out which ports belong to which VLANs and to forward frames within and out of switch ports. You can see the details with the show mac-address-table command. So, PC A sends untagged traffic to the switch via an access port that belongs to VLAN X. The switch will tag this traffic internally as VLAN X. Once the switch figures out that the traffic needs to cross over to another switch via a trunk, it will keep (or add) a tag X, meaning VLAN X. On the other end, the switch will take the VLAN X traffic and send it to the port(s) that belong to VLAN X. Similarly, traffic that comes in on port Y is tagged as Y and moves to port Y on the other switch. This also depends on the type of traffic; i.e. broadcast frames will reach all ports in VLAN X and move as tagged VLAN X over the trunk to reach the ports in VLAN X on the other switch.

Untagged frames are either access ones or belong to the special native VLAN (VLAN 1 in Cisco), which is the untagged VLAN and allows frames to move over trunks without any tags. This native VLAN concept and VLAN trunking are described in the 802.1Q VLAN specification, which became the standard tagging for Cisco and the non-Cisco industry (as opposed to the Cisco-proprietary ISL VLAN trunking specification, which becomes more obsolete every day). This default VLAN 1 and native VLAN help move traffic via switches when they are not configured at all (using default configurations; aka the "plug-and-play" concept).

So, what is the difference between a general port and an access port? I guess your general port is actually a trunk port, in order to differentiate the port from an access port. A trunking port will add a tag in order to ID the frames; such a VLAN tag is needed in order to be able to recognize the VLAN on the other end. In the case of the special native VLAN ID, frames are not tagged when they come across the trunk lines.

Regards, ML
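The following is an added illustration for this thread (not code from the thread, from Cisco, or from the CL220's firmware) that walks through the three questions in the original post and the forwarding description in the reply. It is a toy Python model of an 802.1Q switch: frames are built and parsed at the byte level so you can see exactly what "tagged" means (a 4-byte TPID 0x8100 + TCI field after the source MAC), and each port is an access, trunk or general port with one optional untagged VLAN (the PVID) plus a set of tagged VLANs. The port names gi1..gi5, the VLAN numbers, the MAC addresses and the sample frames are constructed; two behaviours are model policy rather than a statement about any vendor: an access port drops tagged frames, and a general port configured with no untagged VLAN drops untagged frames. That last state is the one the question's switch reports as "ingress untagged VLAN 4095"; 802.1Q reserves VID 4095 (and VID 0), so it cannot be a real VLAN, and the model rejects it on ingress.

```python
"""Toy model of 802.1Q tagging on access, trunk and general ports.

Added illustration for this thread, not the behaviour of any real switch.
Port names, VLAN numbers and the sample frames below are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETYPE_IPV4 = 0x0800
RESERVED_VIDS = {0, 4095}   # 802.1Q reserves VID 0 (priority tag only) and 4095


def build_frame(dst, src, payload, vid=None, etype=ETYPE_IPV4, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag (TPID + TCI) is inserted when vid is set."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", etype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, etype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, etype, frame[18:]


class Port:
    """access : one VLAN, always untagged on the wire.
    trunk  : every VLAN tagged except the native VLAN, which travels untagged.
    general: any mix, at most one VLAN untagged; untagged=None means no untagged
             VLAN at all (the state the question's switch displays as 4095)."""
    def __init__(self, name, mode, untagged=None, tagged=()):
        self.name, self.mode, self.untagged = name, mode, untagged
        self.tagged = set(tagged)

    def classify_ingress(self, frame):
        """VLAN a received frame is assigned to, or None if the port drops it."""
        vid = parse_frame(frame)[2]
        if vid is None or vid == 0:
            return self.untagged          # untagged frame -> the port's untagged VLAN (PVID)
        if self.mode == "access" or vid in RESERVED_VIDS:
            return None                   # model policy: access ports refuse tagged frames
        return vid if vid in self.tagged or vid == self.untagged else None

    def rewrite_egress(self, vlan, frame):
        """Frame as it leaves this port for `vlan`, or None if the port is not a member."""
        dst, src, _, etype, payload = parse_frame(frame)
        if vlan == self.untagged:
            return build_frame(dst, src, payload, etype=etype)             # tag stripped
        if self.mode != "access" and vlan in self.tagged:
            return build_frame(dst, src, payload, vid=vlan, etype=etype)   # tag kept/added
        return None


class Switch:
    """Learning switch whose MAC table is keyed by (vlan, mac), so VLANs never mix."""
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}

    def forward(self, in_port, frame):
        """Return {out_port: frame_on_the_wire} for a frame arriving on in_port."""
        vlan = self.ports[in_port].classify_ingress(frame)
        if vlan is None:
            return {}
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if known is None:                               # unknown/broadcast: flood the VLAN
            targets = [n for n in self.ports if n != in_port]
        else:
            targets = [] if known == in_port else [known]
        out = {}
        for name in targets:
            wire = self.ports[name].rewrite_egress(vlan, frame)
            if wire is not None:
                out[name] = wire
        return out


def demo():
    """Run the thread's scenarios; returns {scenario: {out_port: vid_on_wire}}."""
    sw = Switch([
        Port("gi1", "access", untagged=10),
        Port("gi2", "access", untagged=20),
        Port("gi3", "trunk", untagged=1, tagged={10, 20}),          # native VLAN 1
        Port("gi4", "general", untagged=20, tagged={1, 10}),
        Port("gi5", "general", untagged=None, tagged={10, 20}),     # no untagged VLAN
    ])
    bcast = b"\xff" * 6
    mac = lambda n: bytes([0x0A, 0, 0, 0, 0, n])                   # constructed PC MACs
    vids = lambda out: {n: parse_frame(f)[2] for n, f in out.items()}
    return {
        "vlan10_from_access": vids(sw.forward("gi1", build_frame(bcast, mac(1), b"a"))),
        "vlan20_from_access": vids(sw.forward("gi2", build_frame(bcast, mac(2), b"b"))),
        "tagged_on_access": vids(sw.forward("gi1", build_frame(bcast, mac(1), b"c", vid=10))),
        "untagged_on_no_pvid_port": vids(sw.forward("gi5", build_frame(bcast, mac(3), b"d"))),
        "native_untagged_on_trunk": vids(sw.forward("gi3", build_frame(bcast, mac(4), b"e"))),
        "reserved_vid_on_trunk": vids(sw.forward("gi3", build_frame(bcast, mac(5), b"f", vid=4095))),
    }
```

Calling demo() shows the points in one place: a broadcast from the VLAN 10 access port leaves the trunk and both general ports carrying tag 10; a VLAN 20 broadcast leaves gi4 untagged because 20 is that port's untagged VLAN; the port with no untagged VLAN (gi5) drops untagged frames, which is why an untagged PC on such a port goes silent; and an untagged frame arriving on the trunk is classified into the native VLAN, so it can reach gi4 only because gi4 carries VLAN 1 tagged. The difference between a trunk and a general port in this model is only which VLAN, if any, is untagged: a trunk has exactly one (the native VLAN), a general port may have one or none.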