
VLANs: Tagged, Untagged and PVIDs

September 10, 2021 By JeffTechs

Coming from a Cisco background, VLANs were pretty straightforward–especially from a switching perspective. Once you get your Router on a Stick set up, you decide which ports are access and which are trunks. It looks a little something like this:


Interface FastEthernet 0/1

switchport mode access

switchport access vlan 20

Now, port 0/1 is configured for access mode VLAN 20. This would be an endpoint like a PC, printer, etc. If we wanted to configure a trunk, it would look something like this:

Interface gigabitethernet 0/1

switchport mode trunk

If you’re using this as a trunk uplink to a router/firewall, that’s basically it. If this is a trunk link to another switch, you would configure the correct port on the other device as trunk, and that’s it. Trunk mode will carry all VLANs configured on that switch automatically between networking devices. If you want to restrict VLAN traffic you can even do:

switchport trunk allowed vlan 10-20

Now, once you get out into the field you realize not everyone likes Cisco, and most vendors don’t treat their equipment the way Cisco does. On an HP switch, Trunking does not mean Trunking. Trunking means port aggregation–which is equivalent to Etherchannel in Cisco. A lot of switches don’t even have Trunking options. Even worse, Allworx switches have a Hybrid mode. So, when you have to configure a device, and you are stuck with something unfamiliar, what’s the best option? Get down to basics and get down to the packet level. Enter, Tagged and Untagged VLANs.

Tagged VLAN = Packets keep VLAN ID over that port

Untagged VLAN = Packets are directed to their VLAN port membership, but the VLAN ID is removed

Why keep the VLAN ID, or why remove the VLAN ID? Let’s start with the easier one, untagged VLAN.

Endpoint devices don’t care about VLANs. They don’t know they’re in one, and if you try to tell them differently, they don’t like it. So in the Cisco world, when you tell a port that it’s an Access Port, then assign the VLAN, you’re telling the switch to send that VLAN’s traffic out of that port, but to remove the VLAN ID first. We don’t want to upset our users; ahem, I mean devices.

Can we assign an access port to more than one VLAN? Nope. Why? Broadcast domains. Enter Tagged VLANs.

A Tagged VLAN is equivalent to a Trunked VLAN. Why tag a VLAN or put it into Trunk mode? We are sending our VLAN IDs to the next (network) device. If all that traffic goes to the next device untagged, it won’t know where to send it next.

For example: Switch 1 sends VLANs 1, 10, 20, 30, 40 to Switch 2 all untagged on the same port/link. How does Switch 2 know which ports to forward the traffic to? It doesn’t because none of the packets came in with an identifier/VLAN ID. A lot of devices won’t even let you try this configuration, but it’s good to know why.

Now, let’s say you have a ten port switch, and you are configuring an access port. There’s no access port mode. But you can tag or untag a VLAN on each port. You untag (let’s say) VLAN 10 on port 8. Is that everything? Depends on the vendor. Enter PVID.

Depending on the vendor–especially if they don’t have Trunk or Access mode–PVID (Port VLAN ID) will tell you what VLAN your port belongs to. This only works with untagged traffic–remember access ports can only be a part of one VLAN. So, if you set up port 8 with untagged VLAN 10, remember to check and/or change its PVID to the same VLAN. There’s a chance the port’s PVID could still be in the default VLAN, which is VLAN 1. Some vendors do not adjust this automatically.
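To see the effect at the frame level, here is a small model of a port with tagged/untagged membership and a PVID. It is an added example, not code from this article or from any vendor. The Port class, the function names and the sample frame are hypothetical and constructed for illustration, and the model assumes the switch drops tagged frames for VLANs the port is not a tagged member of.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

class Port:
    """Hypothetical vendor-neutral port: tagged/untagged membership plus a PVID."""
    def __init__(self, pvid=1, untagged=(1,), tagged=()):
        self.pvid, self.untagged, self.tagged = pvid, set(untagged), set(tagged)

def vlan_of(frame):
    """Return the VLAN ID in the frame's 802.1Q tag, or None if it is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def ingress(port, frame):
    """Classify an arriving frame into a VLAN; None means the port drops it."""
    vid = vlan_of(frame)
    if vid is None:
        return port.pvid  # untagged traffic is assigned the port's PVID
    return vid if vid in port.tagged else None  # assumed ingress filtering

def egress(port, vlan, frame):
    """Return the bytes sent out of the port for a frame in `vlan`, or None."""
    inner = frame if vlan_of(frame) is None else frame[:12] + frame[16:]
    if vlan in port.untagged:
        return inner  # untagged member: VLAN ID removed
    if vlan in port.tagged:
        return inner[:12] + struct.pack("!HH", TPID, vlan) + inner[12:]
    return None  # port is not a member of this VLAN

def audit(ports):
    """Names of ports whose PVID is not one of their untagged VLANs."""
    return sorted(n for n, p in ports.items() if p.pvid not in p.untagged)

# Constructed sample: port 8 untagged in VLAN 10, once with the PVID left at 1.
PORTS = {
    "port8_stale_pvid": Port(pvid=1, untagged=(10,)),
    "port8_fixed": Port(pvid=10, untagged=(10,)),
    "uplink": Port(pvid=1, untagged=(1,), tagged=(10, 20)),
}
# Constructed untagged frame: dst MAC, src MAC, EtherType 0x0800, dummy payload.
PC_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
```

With the stale PVID, the PC on port 8 receives VLAN 10 traffic but everything it sends is classified into VLAN 1, so the link looks up while traffic lands in the wrong broadcast domain.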

Now, networks can be large and very complex. This does not cover all situations, vendors and devices. It’s not meant to. IP Phones are an example of end devices that can expect VLAN tagged traffic. I did not cover ingress and egress VLAN tagging and removal, Private VLANs or Spanning Tree. Some of these features are vendor specific. For example, Hybrid mode in Allworx switches is unique and allows manual VLAN tagging based on egress and ingress traffic (the documentation states it’s a semi-trunk style configuration). A lot of other devices don’t support this. At the end of the day, check your vendor’s documentation. It will tell you the modes, configuration methods and how it handles traffic. This is the definitive way of knowing your network.

Lastly, I try not to point to other articles and websites here. My job is to translate what I’ve learned into my own words. However, networking can be very complicated and visuals can help. I wanted this article to be as basic and dumbed down as possible. Here is another author who goes into more details with some visuals. I also like their writing style.

Thanks for reading and happy Networking.