Comware

Can anyone explain the true purpose of tagged vs. untagged members of a VLAN? A real world example would be very helpful. I have read the documentation, but it is not really clear.

Any help with this will be greatly appreciated.

The terminology of tagging is confusing if you don't have some understanding of how the protocol works. Have a look and see whether this clears up anything for you:

http://en.wikipedia.org/wiki/IEEE_802.1Q

But anyways, an untagged port in a VLAN is a physical member of that VLAN, ie. when you plug your host into that port it is physically connected to that VLAN (also known as an "access port" in Cisco terminology).

A tagged port will normally carry traffic for multiple VLANs from the switch to other network devices such as an upstream router or an edge switch (In Cisco terminology this is called trunking, HP have no specific term for it).

Hope this clears any confusion for you!

Hi Robert,

In the simplest form, I used to remember a 'Tagged' port as an inter-switch link and an 'Untagged' port as a host port.

Basically, its all about the VLAN information that gets 'tagged'into the Ethernet frame.

When you configure a port as 'Tagged' you are telling the switch to place an 802.1q tag in the frame that can identify the VLAN that the frame came from.


That way, the switch that receives the frame knows which VLAN to send the Frame to.

So if you have 2 switches, each with ports 1-10 in VLAN 10 and ports 11-22 in VLAN 20.

You want PC's to be in VLAN 10 and Servers to be in VLAN 20, so you would :

VLAN10 untag ports 1-10 on each switch
VLAN20 untag ports 11-22 on each switch

This sets your hosts up. You want to use interface 24 to connect the switches.

VLAN10 tag port 24
VLAN20 tag port 24

So, the Interswitch links are TAGGED and the hosts are UNTAGGED...

Real World Example :

I think of it as baggage at an airport, if you only have one destination you don't need a luggage tag, therefore untagged. If it needs to transit through then it will need a label to show the destination and therefore tagged. Switches are your airports, so every uplink or downlink transits between airports and therefore will have tagged vlans. Every switch to switch link generally has the default vlan untagged and all others tagged for transit.

Computers rarely understand vlans (not servers) and so their ports will untagged in a single vlan. IP Phones and other smart devices generally know about vlans so if you have a daisy chain of an IP phone and then a computer the port will most likely have a tagged VoiP vlan and an untagged computer vlan. I generally use the default vlan as a management vlan with it's own separate IP range, in our case 192.168.xxx.xxx and the work vlans in a class B subnet, if you use a flat IP range for all then you are wasting the power of the HP Procurve.

Thank you for taking the time to respond.

I just want to be clear.

Are you saying that a physical ethernet cable is needs to be connected from port 20 to port 10 on the same switch to enable communication between VLAN 10 and VLAN 20? If so, I am assuming a physical cable would only be needed if IP Routing was not enabled on the switch?

Thank you for your help.

Disregard the last question. I read the last response again and now I am clear.

Thanks to all who responded.

Hello,

if you want that a port only belongs to one VLAN, set the port to UNTAGGED. If you want a port in more then one VLAN, you need to set it to TAGGED. If a host should belong to more than one VLAN, the port must be TAGGED (for example an VMware ESX Server with guests that belongs to different VLANs). If you want to uplink a switch to another, you need to set the uplink port to TAGGED, for each VLAN which should be acccessable over the uplink.

Kind regards,
Patrick

Please I have a problem of inter-vlan routing, I have a core and two switches in each room floor.  
I created a vlan 11 and I give him an IP address and i enabled the ip routing in the core and in the switches in each room floor and I can not have the router with another VLAN and most all other vlan are not router, please how do ???  
Below config core and a switch to floor,
Please, I'am blocked, plz i need help  
I can not have access to the other sub networks  with the ip 11.11.1.25  
========================================
show running-config
Running configuration:
; J4819A Configuration Editor; Created on release #E.11.38
hostname "HP ProCurve Switch 5308xl"  
snmp-server contact "test"  
mirror-port D11  
module 6 type J4907A  
module 5 type J4907A  
module 4 type J4907A  
module 1 type J4878B  
module 2 type J4878B  
module 3 type J4878B  
ip routing  
snmp-server community "public" Unrestricted  
vlan 1  
name "DEFAULT_VLAN"  
untagged A1-A4,B1-B4,C1-C4,D15-D16,E1-E16,F3-F4,F6-F9,F11-F16  
ip address 172.16.X.1 255.255.0.0  
ip address 10.10.X.250 255.255.255.0  
no untagged D1-D14,F1-F2,F5,F10  
exit  
vlan 2  
name "WIFI"  
untagged F1-F2,F5,F10  
tagged A4,B4  
exit  
vlan 100  
name "DMZ"  
untagged D6-D7,D13-D14  
ip address 192.168.X.254 255.255.255.0  
exit  
vlan 200  
name "INTERNET"  
untagged D1-D5,D8-D12  
ip address 192.168.X.254 255.255.255.0  
monitor  
exit  
vlan 3  
name "MANAGEMENT"  
ip address 172.17.X.1 255.255.0.0  
exit
 
 
Vlan 11
name "test"
11.11.1.254 255.255.255.0
exit
 
banner motd "This is a private system maintained by the Allied Widget Corporatio
n.
Unauthorized use of this system can result in civil and criminal penalities !"
spanning-tree
spanning-tree priority 2
router rip
exit
vlan 1
ip rip
ip rip receive V1-only
ip rip send V1-only
exit
vlan 100
ip rip
ip rip receive V1-only
ip rip send V1-only
exit
 
 
 
============================================
floor switch:
 
 
ProCurve 2910al-48G-1E-2#  
ProCurve 2910al-48G-1E-2#  
ProCurve 2910al-48G-1E-2#  
ProCurve 2910al-48G-1E-2# sh running-config
Running configuration:
; J9147A Configuration Editor; Created on release #W.14.70
hostname "ProCurve 2910al-48G-1E-2"  
module 1 type J9147A  
ip routing  
vlan 1  
name "DEFAULT_VLAN"  
untagged 1-48  
ip address 172.16.X.5 255.255.0.0  
exit  
gvrp  
banner motd "This is a private system maintained by the Allied Widget Corporation.\nUnauthorized use of this system can result in ci
vil and criminal penalities !"
snmp-server community "public" unrestricted
spanning-tree force-version rstp-operation
password manager
password operator
ProCurve 2910al-48G-1E-2

plz help me

Hi all

I have some more questions about this.

Here is the configuration I have :

 

vlan 1

 name "DATA"

 untagged 1-28

vlan 2

 name "TEL"

 tagged 1-28

vlan 3

 name "GUEST"

 tagged 25-28

vlan 4

 name "INTERCO"

 tagged 25-28

vlan 5

 name "INTERNET"

 tagged 25-28

 

Which port is in Cisco access mode ?

Which port is is Cisco trunk mode ?

 

Thanks for your answers

In your case, they are all trunk ports with a native VLAN 1.

 

An access port is a port that only carries untagged traffic. It could be untagged traffic in any VLAN.

 

A trunk port is a port that carries more than one VLAN. All VLANs can be tagged on the port or you can have a up to one untagged VLAN, called the native VLAN in Cisco.

So, a followup clarification, Eric:

Any given physical switchport can have

• Zero to many tagged VLANs

*and*

• Zero or one untagged VLANs

at the same time; that is correct?

Well this no secret :9

 

Its just like this:

 

tagged - means that packets that have a valid vlan tag for this vlan id will be accepted on this port. packets without vlan tag will not be accepted. The Switch will not change anything on the vlan tagging of the packet.

This means that the client is responsible for the tagging.

 

untagged - means that if there is packets on this port that have no vlan id set will have their vlan id tag set to this vlan by the switch. Packets that do have a vlan tag with this vlan id will bei ignored.

This means that the client must not tag packets for this vlan.

 

no/forbid means that any packets tagged for this vlan will be ignored. Packets without tag will be handled by the untagged vlan on this port like said above.

 

Due to this any Port must be untagged in one vlan!

Thus any port can be tagged in various vlans!

 

hth

Sebastian

In your reply you say "untagged - means that if there is packets on this port that have no vlan id set will have their vlan id tag set to this vlan by the switch. Packets that do have a vlan tag with this vlan id will bei ignored." Do you mean dropped when you say ignored or passed on as received with the VLAN tagging intact?

Hi. Ignored packets will be DROP without communication. 

Can some one please explain this. 

int range fa0/1-22

Switchprot mode access 

switchport access vlan 10

switchport voice vlan 20

int fa0/23

switchmode mode turnk

switchport trunk allowed vlan 10, 20

 

Can some one please help me it's equivlant in HP switches.

 

 

1- int fa 0/23........ means you have entered into port configuration(port 23 on switch ) of switch.

2- switchport model access.......means you have activited access mode on port.

3-switchport access vlan 10....... means you have configured vlan 10 on port 0/23.

4-switchport voice vlan 20.......means now you have configured vlan 20 for VOIP(Voice Over IP) phones on same port(0/23).

1- int fa 0/23 means you have entered into port configuration of switch.

2- switchport mode trunk...means now u are using trunk port and u are configuring trunk mode on port 23(trunk mode allow more than 1 vlan to pass through 1 port of swtich to pc(computer))..

3 switchport trunk allowed vlan 10 ,20.......means now u are configuring vlan 10 and vlan 20 on port 23 of switch...and allow the port to send two vlans(10,20) to another switch.....

 

->>>  must go through the trunk and access mode on google....make your concepts clear before start of this

 

Moreover.....

int fa0/23 stands for.....interface fastethernet 0/23..

 

explaination.....infaceface means which bport on switch......fastethernet means you are using port of fastethernet which gives u speed of 100mpbs means normal speed not more than GigabitEthernet port.........0/23 means 0 means nothing here but 23 means swtich port number ....like now u have switch of cisco that having 24 lan ports...and u are using 23 port no for configuration.....

 

Glad to help u ,If further help needed

contact here,

I will delight to help u.