VLAN tagging considerations

  • Since the purpose of VLAN tagging is to allow multiple VLANs on the same port, any port that has only one VLAN assigned to it can be configured as "Untagged" (the default) if the authorized inbound traffic for that port arrives untagged.

  • Any port with two or more VLANs of the same type can have one such VLAN assigned as "Untagged." All other VLANs of the same type must be configured as "Tagged," that is:

    Port-Based VLANs:

      • A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged.

      • A port can be a tagged member of any port-based VLAN.

    Protocol VLANs:

      • A port can be an untagged member of one protocol-based VLAN of each protocol type. When assigning a port to multiple, protocol-based VLANs sharing the same type, the port can be an untagged member of only one such VLAN.

      • A port can be a tagged member of any protocol-based VLAN.

    A given VLAN must have the same VID on all 802.1Q-compliant devices in which the VLAN occurs. Also, the ports connecting two 802.1Q devices should have identical VLAN configurations.

  • If all end nodes on a port comply with the 802.1Q standard and are configured to use the correct VID, you can configure all VLAN assignments on a port as "Tagged" if doing so makes it easier to manage your VLAN assignments, or if the authorized inbound traffic for all VLANs on the port will be tagged.

For example, in a network, switches X and Y and servers S1, S2, and the AppleTalk server are 802.1Q-compliant. (Server S3 could also be 802.1Q-compliant.) This network includes both protocol-based (AppleTalk) VLANs and port-based VLANs.

  • The VLANs assigned to ports X4 - X6 and Y2 - Y5 can all be untagged because there is only one VLAN assigned per port.

  • Port X1 has two AppleTalk VLANs assigned, which means that one VLAN assigned to this port can be untagged and the other must be tagged.

  • Ports X2 and Y1 have two port-based VLANs assigned, so one can be untagged and the other must be tagged on both ports.

  • Ports X3 and Y6 have two port-based VLANs and one protocol-based VLAN assigned. Thus, one port-based VLAN assigned to this port can be untagged and the other must be tagged. Also, since these two ports share the same link, their VLAN configurations must match.

| Switch X port | AT-1 VLAN | AT-2 VLAN | Red VLAN | Green VLAN | Switch Y port | AT-1 VLAN | AT-2 VLAN | Red VLAN | Green VLAN |
|---------------|-----------|-----------|----------|------------|---------------|-----------|-----------|----------|------------|
| X1            | Untagged  | Tagged    | No       | No¹        | Y1            | No¹       | No¹       | Untagged | Tagged     |
| X2            | No¹       | No¹       | Untagged | Tagged     | Y2            | No¹       | No¹       | No¹      | Untagged   |
| X3            | No¹       | Untagged  | Untagged | Tagged     | Y3            | No¹       | Untagged  | No¹      | No¹        |
| X4            | No¹       | No¹       | No¹      | Untagged   | Y4            | No¹       | No¹       | No¹      | Untagged   |
| X5            | No¹       | No¹       | Untagged | No¹        | Y5            | No¹       | No¹       | Untagged | No¹        |
| X6            | Untagged  | No¹       | No¹      | No¹        | Y6            | No        | Untagged  | Untagged | Tagged     |

¹ No means that the port is not a member of that VLAN. For example, port X3 is not a member of the Red VLAN and does not carry Red VLAN traffic. Also, if GVRP were enabled (port-based only), Auto would appear instead of No.

NOTE: VLAN configurations on ports connected by the same link must match. Because ports X2 and Y5 are opposite ends of the same point-to-point connection, both ports must have the same VLAN configuration, configuring the Red VLAN as "Untagged" and the Green VLAN as "Tagged."
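The untagged-membership rules and the matching-link requirement can be checked mechanically before a configuration is deployed; a mismatch matters because untagged frames are placed into whichever VLAN the receiving port treats as untagged. The following is an added example, not part of the original document: it transcribes the table's memberships, treats AT-1 and AT-2 as AppleTalk protocol VLANs and Red and Green as port-based VLANs, and assumes only the X3-Y6 link that the text names explicitly. The function names and the BAD configuration are constructed for illustration.

```python
# VLAN types in the example network (AppleTalk protocol VLANs vs. port-based).
VLAN_TYPE = {"AT-1": "appletalk", "AT-2": "appletalk", "Red": "port", "Green": "port"}
U, T = "untagged", "tagged"
# Memberships transcribed from the table above; "No" entries are omitted.
PORTS = {
    "X1": {"AT-1": U, "AT-2": T},
    "X2": {"Red": U, "Green": T}, "Y1": {"Red": U, "Green": T},
    "X3": {"AT-2": U, "Red": U, "Green": T},
    "Y6": {"AT-2": U, "Red": U, "Green": T},
    "X4": {"Green": U}, "X5": {"Red": U}, "X6": {"AT-1": U},
    "Y2": {"Green": U}, "Y3": {"AT-2": U}, "Y4": {"Green": U}, "Y5": {"Red": U},
}
LINKS = [("X3", "Y6")]  # assumption: only the link the page states explicitly

def untagged_conflicts(members):
    """Return VLAN types that have more than one untagged VLAN on one port."""
    seen = {}
    for vlan, mode in members.items():
        if mode == U:
            seen.setdefault(VLAN_TYPE[vlan], []).append(vlan)
    return {t: sorted(v) for t, v in seen.items() if len(v) > 1}

def link_mismatches(ports, links):
    """Return, per link, the VLANs whose membership differs between the ends."""
    out = {}
    for a, b in links:
        diff = {v: (ports[a].get(v, "no"), ports[b].get(v, "no"))
                for v in set(ports[a]) | set(ports[b])
                if ports[a].get(v) != ports[b].get(v)}
        if diff:
            out[(a, b)] = diff
    return out

def audit(ports, links):
    """Collect human-readable findings for both rule families."""
    findings = []
    for name, members in sorted(ports.items()):
        for vtype, vlans in untagged_conflicts(members).items():
            findings.append(f"{name}: multiple untagged {vtype} VLANs {vlans}")
    for (a, b), diff in sorted(link_mismatches(ports, links).items()):
        for vlan, (ma, mb) in sorted(diff.items()):
            findings.append(f"{a}-{b}: {vlan} is {ma} on {a} but {mb} on {b}")
    return findings

# Constructed misconfiguration: Green left untagged on Y6 alongside Red.
BAD = {**PORTS, "Y6": {"AT-2": U, "Red": U, "Green": U}}

if __name__ == "__main__":
    print(audit(PORTS, LINKS) or "table is consistent")
    print("\n".join(audit(BAD, LINKS)))
```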