Comware


VLan Tagging

  • 1.  VLan Tagging

    Posted Jan 09, 2020 05:17 PM

    Hi,

    Can someone clarify this for me please... below is the output from "sh int status":

     

    Port A2  -  Status UP    config-mode AUTO     tagged 1000   untagged No

    Port B5  -  Status UP    config-mode AUTO     tagged NO       untagged 1000

     

    My understanding is that A2 belongs to VLAN 1000 and can only receive data from VLAN 1000 (correct me if I'm wrong), but I'm not sure about B5: does it belong to VLAN 1000 or not? If it does not, to which VLAN does it belong?

    Thank you,



  • 2.  RE: VLan Tagging

    Posted Jan 10, 2020 11:36 AM

    Hello

    Both ports belong to VLAN 1000 but they handle incoming and outgoing frames differently. Typically it also depends on what type of device is connected on the port.

    Port A2 is a tagged member of VLAN 1000. That means that it will only accept frames containing an 802.1q VLAN tag with the number 1000. Any other frames, without a tag or with a tag containing a different number, will be ignored. The port will also only send out frames belonging to VLAN 1000 and include a VLAN tag with the number 1000 in all the frames. This configuration can only work if the device on the other side of the link also supports 802.1q VLAN tagging. Typically these are switches; IP phones also support it, and maybe some other devices. The advantage of this configuration is that there is strict control and configuration errors are less likely. The switch accepts only frames which were tagged by the device on the other side with the correct VLAN ID and it is not possible to forward a frame to the wrong VLAN. Another important advantage is that VLAN tagging allows packets for multiple VLANs to be carried via the same port because the tag allows the frames to be mapped correctly on the receiver side.

    The drawback is that this configuration cannot be used to connect devices which don't support VLAN tags.

    Port B5 is an untagged member of VLAN 1000. The port will accept all frames without a VLAN tag received on this port and map them internally to VLAN 1000. Some models may also accept frames tagged with VLAN 1000, but frames tagged with other VLANs will be ignored.

    In the outbound direction the port will also send out only frames of VLAN 1000 but will not include a VLAN tag in the Ethernet frame. The advantage is that this type of configuration can be used to connect devices which are not aware of VLANs and don't include VLAN tags in the frame; these are typically most of the end devices.

    The drawback is that there is less control and in some situations traffic can leak between VLANs. For example, if someone makes a mistake and connects a switch port untagged in VLAN 1000 to another switch's port untagged in VLAN 2000, the users in VLAN 1000 will be able to see the users in VLAN 2000. The switches will not have any means to recognize that there is a VLAN mismatch because the Ethernet frames are not tagged with a VLAN ID, and no way to correct it. Untagged ports can be members of a single VLAN only.

    A physical interface or a link aggregation can be an untagged member of one VLAN only and a tagged member of multiple VLANs.

    Hope I didn't forget something important.
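The ingress and egress rules described in this reply, as an added example that is not part of the thread: a small model of a port that is a tagged or an untagged member of a VLAN, working on real 802.1Q frame bytes. The `Port` class and the strict rule that an untagged member ignores frames tagged with its own VLAN are assumptions of this model, not vendor behaviour.

```python
# Added example (not from the thread): how a tagged or untagged VLAN member port
# handles 802.1Q frames on ingress and egress. Strict model: an untagged member
# ignores frames that carry any tag, including a tag with its own VLAN ID.
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload). The tag, if present,
    sits right after the two MAC addresses: TPID 0x8100 followed by the TCI."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, inner, frame[18:]     # low 12 bits of TCI = VLAN ID
    return None, ethertype, frame[14:]

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame, inserting an 802.1Q tag (PCP 0) when vlan is given."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

class Port:
    """A port is untagged in at most one VLAN and tagged in any number of VLANs."""
    def __init__(self, name, untagged=None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)

    def ingress(self, frame):
        """VLAN a received frame is mapped to, or None if the port ignores it."""
        vid = parse_frame(frame)[0]
        if vid is None:               # untagged frame: only an untagged member accepts it
            return self.untagged
        if vid in self.tagged:        # tagged frame: tag must match a tagged membership
            return vid
        return None                   # wrong or unexpected tag: ignored

    def egress(self, vlan, frame):
        """Frame as it leaves the port for this VLAN, or None if not a member."""
        _, ethertype, payload = parse_frame(frame)
        dst, src = frame[0:6], frame[6:12]
        if vlan == self.untagged:     # untagged member: send without a tag
            return build_frame(dst, src, ethertype, payload)
        if vlan in self.tagged:       # tagged member: send with the VLAN tag
            return build_frame(dst, src, ethertype, payload, vlan)
        return None
```

Feeding the untagged output of a port untagged in VLAN 1000 into a port untagged in VLAN 2000 shows the leak the reply warns about: the receiving port simply maps the frame to VLAN 2000, with nothing in the frame to reveal the mismatch.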



  • 3.  RE: VLan Tagging

    Posted Jan 10, 2020 02:33 PM

    Emil_Gogushev, 

    Thank you very much for this detailed walk-through. In the Cisco world where I come from, I always used to set different groups in separate VLANs and use trunk links between switches to send data from one VLAN to the same VLAN on another switch, and then configure inter-VLAN (IP routing in the HP world) if needed. Do you recommend doing this over using tagging to make ports members of multiple VLANs, and why?

    Thank you in advance.




  • 4.  RE: VLan Tagging

    Posted Jan 10, 2020 05:57 PM

    Never mind, I was just reading that a trunk for HP switches does not carry multiple VLANs' traffic; it basically means linking multiple physical links into one logical link. I guess the question now is... does it matter if I have the ports tagged or untagged if I have IP ROUTING on?




  • 5.  RE: VLan Tagging

    Posted Jan 13, 2020 02:12 AM

    Hello, 

    Sorry for the delayed answer! I was away during the weekend.

    Exactly, trunk means different things for HPE and Cisco switches. But the logic for carrying multiple VLANs over one interface is the same. Let me see if I can describe the analogy with Cisco.

    On a Cisco switch you can configure an access port in a single VLAN. This is the same as making the port an untagged member of a VLAN on the HPE switch. The port can have only a single VLAN. This is the typical configuration for end devices.

    On a Cisco switch you can configure a port as a trunk port. A trunk port carries multiple or all VLANs configured on the switch. The native VLAN is carried without an 802.1q VLAN tag and the rest of the allowed VLANs with a VLAN tag. On the HPE switch you don't call it a trunk but the logic is the same. You can configure only one VLAN as untagged on a port and all other VLANs as tagged. This is the typical configuration for switch-to-switch links because only this configuration allows multiple VLANs to be carried via the same link. And yes, this configuration is required if one of the switches or a router has to be configured for inter-VLAN routing.




  • 6.  RE: VLan Tagging

    Posted Jan 13, 2020 09:35 AM

    So, if I have a server that I want multiple VLANs to access, I should tag the switch port connected to that server in these VLANs; any VLAN that is not tagged on that port won't be able to access the server even if IP routing (inter-VLAN) is configured. Correct?



  • 7.  RE: VLan Tagging

    Posted Jan 13, 2020 10:06 AM

    Hello, 

    Every VLAN usually corresponds to an IP subnet. Typically a server has only one IP address in only one subnet. In this case the port of the server has to be only untagged in the VLAN corresponding to its IP subnet. The access from multiple VLANs happens via the switch acting as default gateway and not directly between the hosts. The default gateway switch has IP interfaces in all VLANs and is able to route traffic received on one interface out of another interface. The end devices that need to access the server and the server itself remain in their own VLANs (based on their IP subnet) and don't need to be connected to ports tagged in all the VLANs.

    The port of the server should only be tagged if the server NIC or software supports 802.1q VLANs. For example, if it hosts virtualization software which has its own virtual switch placing different virtual machines with different IP addresses in different VLANs.



  • 8.  RE: VLan Tagging

    Posted Jan 13, 2020 10:54 AM

    Hi,

    That is exactly my case, all my servers are virtual servers. Let me explain the situation here.... I have a server named VM5 that has several instances on it... There are 3 ports connected to this server from my core switch... port1 is untagged 2... port2 is tagged 1000... port3 is tagged 2, 1100.

    That tells me... (correct me if I'm wrong)

    only untagged and 2-tagged frames through port1 will be routed to VLAN 2 and be able to access the server

    only 1000-tagged frames through port2 will be routed for VLAN 1000 and be able to access the server

    only 2-tagged and 1100-tagged frames through port3 will be routed to VLAN 2 and be able to access the server

    If an end host port is 5-untagged then it has no way to access the server, right?




  • 9.  RE: VLan Tagging

    Posted Jan 14, 2020 10:25 AM

    Hello, 

    I am afraid I was not able to explain the purpose of the VLANs well to you. The configuration of the VLANs on the switch depends on the VLAN configuration on the server. If the server has a virtual switch which is sending traffic out of the physical interfaces in different VLANs, then the VLAN configuration on the switch has to match in order to assure proper forwarding in the LAN. Basically you need different VLANs for the server only if you have VMs that should be separated in different VLANs.

    The fact that VLAN 5 is missing from the ports connecting the server doesn't mean that users in VLAN 5 don't have access to the server. If you have enabled inter-VLAN routing between VLAN 5 and the VLANs of the server, access will still be possible because the routing switch will be routing between all the connected VLANs by default. The routing switch will receive the packet in VLAN 5, perform a lookup of the destination IP address and determine that it should be sent out to VLAN 2, for example. The routing switch will rewrite the Ethernet frame and send it out of interface VLAN 2 to the server. So access to the server will be possible although VLAN 5 is not configured on the ports connecting to the server.

    The usual way to restrict access from one VLAN, resp. subnet, to another is to configure ACLs (Access Control Lists) on the routing switch.



  • 10.  RE: VLan Tagging

    Posted Jan 20, 2020 02:26 PM

    Hi, 

    Sorry, I just got back to work since last week, and thank you very much for your answers. The best thing I heard so far is that I need to use ACLs to restrict access between VLANs; there is no ACL in place now and everyone can access everything. But going back to my scenario about the VM server, I understand hosts sitting in VLAN 5 can still access the server because of the IP routing, but VLAN 5 did not get assigned an IP address, so it should not be routable and therefore hosts there will not be able to reach the server with this config, correct?



  • 11.  RE: VLan Tagging

    Posted Jan 21, 2020 02:05 AM

    Hello, Yes, it could be correct. If this switch doesn't have an IP address in VLAN 5 which is configured as default gateway for the hosts in VLAN 5, it will not be able to route for VLAN 5 and the hosts won't be able to reach the server. But it is good to know whether the hosts in VLAN 5 don't have any default gateway at all, or the default gateway is another switch or router in the network. If their default gateway is another device, it should be checked if this device has a route pointing to the IP subnet of the router. If this is true, routing will still be possible. If the hosts in VLAN 5 don't have a default gateway because they need to communicate only among each other and not to any remote subnets, they won't be able to reach the server.
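The routing behaviour discussed in replies 9 and 11 (access from VLAN 5 to a server in VLAN 2 works only when the routing switch has an IP interface in VLAN 5, and ACLs on that switch are what restricts it), as an added example that is not part of the thread. The `RoutingSwitch` class, the addresses and the VLAN-to-subnet mapping are constructed; the model assumes the VLAN 5 hosts use this switch as their default gateway and that an ACL with no matching rule permits traffic.

```python
# Added example (not from the thread): reachability model of a routing switch
# with IP interfaces in some VLANs. Addresses and VLAN numbers are constructed;
# the hosts are assumed to use this switch as their default gateway.
import ipaddress as ipa

class RoutingSwitch:
    def __init__(self):
        self.svi = {}     # VLAN id -> ip_interface of the switch in that VLAN
        self.acl = []     # (action, src_net, dst_net) rules, first match wins

    def add_svi(self, vlan, cidr):
        self.svi[vlan] = ipa.ip_interface(cidr)

    def add_acl(self, action, src_cidr, dst_cidr):
        self.acl.append((action, ipa.ip_network(src_cidr), ipa.ip_network(dst_cidr)))

    def _acl_permits(self, src, dst):
        for action, s, d in self.acl:
            if src in s and dst in d:
                return action == "permit"
        return True       # no matching rule: everything reachable (assumption)

    def route(self, in_vlan, src_ip, dst_ip):
        """Egress VLAN for a packet received in in_vlan, or the reason it is dropped."""
        src, dst = ipa.ip_address(src_ip), ipa.ip_address(dst_ip)
        if in_vlan not in self.svi:   # no IP interface: the switch cannot be the gateway
            return "no IP interface in VLAN %d: switch does not route for it" % in_vlan
        if not self._acl_permits(src, dst):
            return "denied by ACL"
        for vlan, iface in self.svi.items():
            if dst in iface.network:  # connected subnet: forward out of that VLAN
                return vlan
        return "no route to destination"

def vlan5_reaches_server(vlan5_has_ip: bool, acl_deny: bool = False):
    """The thread's scenario: host 10.0.5.20 in VLAN 5 -> server 10.0.2.10 in VLAN 2.
    VLAN 2 and VLAN 1000 are on the server ports; VLAN 5 is not."""
    sw = RoutingSwitch()
    sw.add_svi(2, "10.0.2.1/24")
    sw.add_svi(1000, "10.0.100.1/24")
    if vlan5_has_ip:
        sw.add_svi(5, "10.0.5.1/24")
    if acl_deny:
        sw.add_acl("deny", "10.0.5.0/24", "10.0.2.0/24")
    return sw.route(5, "10.0.5.20", "10.0.2.10")
```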


  • 12.  RE: VLan Tagging

    Posted Jan 29, 2020 05:52 PM

    Hey, 

    Thank you for clearing that up, I believe now I'm clear about the whole tagged & untagged VLAN thing.