VLAN tagging considerations
Since the purpose of VLAN tagging is to allow multiple VLANs on the same port, any port that has only one VLAN assigned to it can be configured as "Untagged" (the default) if the authorized inbound traffic for that port arrives untagged.
- Any port with two or more VLANs of the same type can have one such VLAN assigned as "Untagged." All other VLANs of the same type must be configured as "Tagged," that is:
Port-Based VLANs
Protocol VLANs
A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged.
A port can be an untagged member of one protocol-based VLAN of each protocol type. When assigning a port to multiple, protocol-based VLANs sharing the same type, the port can be an untagged member of only one such VLAN.
A port can be a tagged member of any port-based VLAN.
A port can be a tagged member of any protocol-based VLAN.
A given VLAN must have the same VID on all 802.1Q-compliant devices in which the VLAN occurs. Also, the ports connecting two 802.1Q devices should have identical VLAN configurations.
If all end nodes on a port comply with the 802.1Q standard and are configured to use the correct VID, you can configure all VLAN assignments on a port as "Tagged" if doing so either makes it easier to manage your VLAN assignments, or if the authorized, inbound traffic for all VLANs on the port will be tagged.
For example, in a network, switches X and Y and servers S1, S2, and the AppleTalk server are 802.1Q-compliant. (Server S3 could also be 802.1Q-compliant.)This network includes both protocol-based (AppleTalk) VLANs and port-based VLANs.
The VLANs assigned to ports X4 - X6 and Y2 - Y5 can all be untagged because there is only one VLAN assigned per port.
Port X1 has two AppleTalk VLANs assigned, which means that one VLAN assigned to this port can be untagged and the other must be tagged.
Ports X2 and Y1 have two port-based VLANs assigned, so one can be untagged and the other must be tagged on both ports.
Ports X3 and Y6 have two port-based VLANs and one protocol-based VLAN assigned. Thus, one port-based VLAN assigned to this port can be untagged and the other must be tagged. Also, since these two ports share the same link, their VLAN configurations must match.
Switch X |
Switch Y |
||||||||
---|---|---|---|---|---|---|---|---|---|
Port |
AT-1 VLAN |
AT-2 VLAN |
Red VLAN |
Green VLAN |
Port |
AT-1 VLAN |
AT-2 VLAN |
Red VLAN |
Green VLAN |
X1 |
Untagged |
Tagged |
No1 |
No1 |
Y1 |
No1 |
No1 |
Untagged |
Tagged |
X2 |
No1 |
No1 |
Untagged |
Tagged |
Y2 |
No1 |
No1 |
No1 |
Untagged |
X3 |
No1 |
Untagged |
Untagged |
Tagged |
Y3 |
No1 |
Untagged |
No1 |
No1 |
X4 |
No1 |
No1 |
No1 |
Untagged |
Y4 |
No1 |
No1 |
No1 |
Untagged |
X5 |
No1 |
No1 |
Untagged |
No1 |
Y5 |
No1 |
No1 |
Untagged |
No1 |
X6 |
Untagged |
No1 |
No1 |
No1 |
Y6 |
No |
Untagged |
Untagged |
Tagged |
No means that the port is not a member of that VLAN. For example, port X3 is not a member of the Red VLAN and does not carry Red VLAN traffic. Also, if GVRP were enabled (port-based only), Auto would appear instead of No.
VLAN configurations on ports connected by the same link must match. Because ports X2 and Y5 are opposite ends of the same point-to-point connection, both ports must have the same VLAN configuration, configuring the Red VLAN as "Untagged" and the Green VLAN as "Tagged.”