#readwise
# Tagged, Untagged, and Native VLANs

## Metadata
- Author: [[Network Direction]]
- Full Title: Tagged, Untagged, and Native VLANs
- URL: https://networkdirection.net/articles/network-theory/taggeduntaggedandnativevlans/

## Highlights
Basic switches, called ‘unmanaged switches’, have only simple functionality. They have no configurable VLAN support. This means that all hosts on the switch are still part of the same broadcast domain.

Managed switches allow for traffic separation by using VLANs. While managed switches are common today, unmanaged switches are still plentiful.

---
The primary function of a VLAN is to separate layer 2 traffic. Hosts in one VLAN cannot communicate with hosts in another VLAN without extra services.

---
### Untagged VLANs
A switchport may be a ‘tagged’ or ‘untagged’ port. An untagged port, or access port on a Cisco switch, connects to hosts (such as a server). The host is unaware of any VLAN configuration.

The connected host sends its traffic without any VLAN tag on the frames. When the frame reaches the switch port, the switch will add the VLAN tag. The switch port is configured with a VLAN ID that it will put into the tag. Most switch ports will use this mode by default, with VLAN ID 1.

When a frame leaves an untagged port, the switch strips the VLAN tag from the frame. The traffic is then forwarded as normal.

...

The traffic flows like this:
1. Host A sends traffic to the switch. The traffic does not have a VLAN tag
2. The frame is received on port 1 of the switch. This is an untagged port, configured with VLAN ID 10. The switch then inserts the VLAN tag into the frame
3. The switch determines that the frame needs to be forwarded out of port 2. This is also an untagged port, so the VLAN tag is stripped from the frame
4. Host B receives the untagged frame as normal

---
### Tagged VLANs
A port is a ‘tagged port’ when the interface is expecting frames containing VLAN tags. An example of this is when two switches are connected, and pass tagged traffic. Cisco switches use the term ‘trunk’ to refer to a tagged port.

The sender will send a frame with a VLAN tag. The receiving switch will see the VLAN tag, and if the VLAN is allowed, it will forward the frame as required. For example, a broadcast may be received on VLAN 10. In this case, the switch will flood the frame to all other ports configured with VLAN 10.

...

In this case, the following will happen:
1. A host will send a frame without a tag
2. The frame enters an untagged port on switch 1, configured with VLAN 10 in this case. The switch adds the VLAN tag to the frame
3. Switch 1 determines that port 2 should send this frame to switch 2. This is a tagged port, so it checks that VLAN 10 is allowed on this port. If it is, it leaves the tag intact, and sends the frame. If VLAN 10 is not allowed, it drops the frame
4. Switch 2 receives the frame on tagged port 1. This switch also determines if VLAN 10 is allowed on this port, and drops it if it is not. Switch 2 determines that port 2 should send the frame
5. Since port 2 is an untagged port, it strips the tag from the frame, and then sends it
6. Host B receives the untagged frame

---
### Native VLANs
In some cases, an untagged frame will arrive on a tagged port. To handle this, tagged ports have a special VLAN configured on them called the untagged VLAN. This is also known as the ‘native VLAN’.

The switch assigns any untagged frame that arrives on a tagged port to the native VLAN. If a frame on the native VLAN leaves a trunk (tagged) port, the switch strips the VLAN tag out.

In short, the native VLAN is a way of carrying untagged traffic across one or more switches.

Consider this example. The ports that the hosts connect to are trunk ports, with native VLAN 15 configured.
1. Host A sends a frame with no VLAN tag
2. Switch 1 receives the frame on the trunk port. It does not have a tag, so it adds the VLAN ID 15 tag to the frame
3. The switch sends the frame out of port 2. The frame has a tag for VLAN 15, which matches the native VLAN on port 2, so the switch strips the tag out
4. Host B receives the frame

---
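
The three walkthroughs above (untagged, tagged, and native VLAN handling) can be modeled as one ingress/egress decision on real 802.1Q frame bytes. This is an added example, not code from the original article: the `Port` class, the function names, and the sample frame are constructed for illustration, and dropping an already-tagged frame on an access port is an assumption, since the article does not cover that case and switch behaviour varies.

```python
import struct
from dataclasses import dataclass, field

TPID = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

@dataclass
class Port:
    mode: str                                  # "access" (untagged) or "trunk" (tagged)
    vlan: int = 1                              # access VLAN, or native VLAN on a trunk
    allowed: set = field(default_factory=set)  # VLANs a trunk will carry

def split_tag(frame):
    """Return (VLAN ID or None, frame with any 802.1Q tag removed)."""
    if len(frame) >= 18 and frame[12:14] == struct.pack("!H", TPID):
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 bits of TCI = VID
    return None, frame

def add_tag(frame, vid):
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def ingress(port, frame):
    """Classify a received frame: (vlan, untagged frame), or None if dropped."""
    vid, inner = split_tag(frame)
    if port.mode == "access":
        # Assumption: an access port drops frames that already carry a tag.
        return None if vid is not None else (port.vlan, inner)
    vlan = port.vlan if vid is None else vid   # untagged on a trunk -> native VLAN
    return (vlan, inner) if vlan in port.allowed else None

def egress(port, vlan, inner):
    """Return the bytes sent on the wire, or None if the port must not send."""
    if port.mode == "access":
        return inner if vlan == port.vlan else None   # tag always stripped
    if vlan not in port.allowed:
        return None
    # A trunk strips the tag only for its native VLAN.
    return inner if vlan == port.vlan else add_tag(inner, vlan)

def forward(in_port, out_port, frame):
    """One switch hop: classify on ingress, then apply the egress rule."""
    classified = ingress(in_port, frame)
    return None if classified is None else egress(out_port, *classified)

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800, dummy payload.
FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    access10, trunk = Port("access", 10), Port("trunk", 1, {1, 10, 20})
    print(forward(access10, trunk, FRAME).hex())  # tag 8100000a after the MACs
```
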