Tagged and untagged traffic in same VLAN on same port

  • Question
  • Updated 1 year ago
  • Answered
Hey,

Is it possible to have tagged and untagged egress on a single port and in the same VLAN?
Apparently not. (The switch sets either tagged or untagged egress.)
Is there a workaround? (like assigning the VLAN once untagged and once tagged to a fixed MAC address or so maybe)

The use case is this:
Usually we have VoIP-phones with PCs behind them connected. Phones and PCs are in different VLANs. Standard stuff.
Now there is an exception where there is a PC running some VoIP-admin thingy which (theoretically at least) belongs nicely into the same VLAN as the phones. But in this scenario it seems we will not be able to cascade phone and PC.....

Any thoughts?

Thanks,
Marki

(EOS B5 v6.81)
jeronimo

Posted 1 year ago


Hagemann, Olaf, Employee

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

Hagemann, Olaf, Employee

But then you can assign that VLAN untagged to that port. Am I missing something here?

Nick Yakimenko

switch side:
vlan10 voip
vlan20 ethernet
one port on a switch
different subnets on each vlan

how should he get connectivity on both networks/vlans at the same time?

Hagemann, Olaf, Employee

What about dynamic VLAN assignment?

Nick Yakimenko

that will not allow getting connectivity to both vlans from a single pc at the same time either

Hagemann, Olaf, Employee

So you want the PC to be in both VLANs at the same time? This is not possible as long as the PC does not support VLAN tagging. You should consider using a dedicated management PC or upgrading it to a model which supports VLAN tagging.

Brad Parker, Technical Support Engineer

Hi Marki

Typically customers will have the same port added as untagged to the PC vlan and tagged to the voice vlan. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

jeronimo

As I explained, yes but in a special scenario: same VLAN, once tagged, once untagged. Can't configure that on port egress. Either tagged or untagged, not the same VLAN both tagged and untagged.

Nick Yakimenko

I have configured it once on Cisco devices, it is called 'native'
On other devices it may be called 'PVID'

jeronimo

PVID is the implicit VLAN for untagged ingress packets. I am talking about the egress of the port.

Nick Yakimenko

as I wrote 14 hrs ago,
think about getting the tagged VOIP vlan on a different LAN port of pc, or get the VOIP vlan tagged (see if your NIC drivers support 802.1q tagged vlans)

jeronimo

Yeah I have seen that :) Thanks. I guess the matter will be resolved when you do e.g. a MAC authentication via NAC, which is probably what Olaf meant with "MAC-based VLANs".

Nick Yakimenko

think about getting the tagged VOIP vlan on a different LAN port of pc, or get the VOIP vlan tagged (see if your NIC drivers support 802.1q tagged vlans)
(Edited)

Erik Auerswald, Embassador

Hi Marki,

you can try to classify the VoIP-admin thingy frames using a policy, and use that policy to assign them to the voice VLAN. The PC port would be untagged, and you could still use a tagged voice VLAN on the port for all frames (phone, pc data, pc voice-admin thingy).
set policy rule profile-index {ether | icmp6type | ip6dest | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport |  udpdestport | udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}
vlan vlan       Specifies the action of the rule is to classify to a VLAN ID.
I have not tested this, but it might be worth investigating.

Edit: The above is for frames entering the switch port. For frames exiting the switch port you would need both VLANs configured for untagged egress. Thus you would need to use a policy (e.g. applied dynamically via dot1X) to classify voice frames from the telephone into the voice VLAN and prevent the phone from expecting tagged frames. (I had a customer once who used dot1X, multiuser-auth, and policies to implement a voice VLAN without using tagged frames between phone and switch.)

Edit2: Using a classification rule for VLAN assignment might allow using two VLANs for frames from/to one "user", i.e. MAC address, as opposed to using user authentication to assign the MAC to one VLAN.

Erik
(Edited)
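
The ingress/egress split discussed in the replies above (PVID versus a MAC or policy rule on ingress, one tagged-or-untagged state per VLAN on egress), as an added example that is not part of the thread and not EOS code. It is a simplified model: the `Port` class, the MAC addresses and the frames are constructed for illustration, and the source-MAC rule stands in for a `macsource` policy rule.

```python
import struct

TPID = 0x8100                      # 802.1Q tag protocol identifier
VOICE, DATA = 10, 20               # VLAN IDs as in the thread (vlan10 voip, vlan20 ethernet)
PC_MAC = bytes.fromhex("020000000002")       # constructed, locally administered
SWITCH_SIDE = bytes.fromhex("0200000000ff")  # constructed peer MAC

def vid_of(frame):
    """VLAN ID carried in the frame's 802.1Q tag, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def tag(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]

class Port:
    """Hypothetical model of one switch port, not a vendor API."""
    def __init__(self, pvid):
        self.pvid = pvid
        self.egress = {}      # vid -> "tagged" | "untagged": one state per VLAN
        self.mac_vlan = {}    # source MAC -> vid (simplified macsource rule)

    def classify(self, frame):
        """Ingress: a tag wins, then a source-MAC rule, then the PVID."""
        vid = vid_of(frame)
        return vid if vid is not None else self.mac_vlan.get(frame[6:12], self.pvid)

    def send(self, frame, vid):
        """Egress of an untagged internal frame that belongs to VLAN vid."""
        mode = self.egress.get(vid)
        if mode is None:
            return None                      # VLAN not on this port: not sent
        return tag(frame, vid) if mode == "tagged" else frame

def demo():
    from_pc = SWITCH_SIDE + PC_MAC + b"\x08\x00" + b"voip-admin"  # untagged, constructed
    to_pc = PC_MAC + SWITCH_SIDE + b"\x08\x00" + b"reply"         # constructed
    port = Port(pvid=DATA)
    port.egress = {VOICE: "tagged", DATA: "untagged"}   # usual phone + PC port
    before = port.classify(from_pc)                     # PVID decides: data VLAN
    port.mac_vlan[PC_MAC] = VOICE
    after = port.classify(from_pc)                      # rule decides: voice VLAN
    reply_tagged = vid_of(port.send(to_pc, VOICE))      # PC without 802.1Q cannot use this
    port.egress[VOICE] = "untagged"                     # replaces "tagged", cannot coexist
    reply_untagged = vid_of(port.send(to_pc, VOICE))    # PC is fine, phone loses its tag
    return before, after, reply_tagged, reply_untagged

if __name__ == "__main__":
    print(demo())
```

The ingress rule alone moves the PC's untagged frames into the voice VLAN, but the return path still follows the single egress state of that VLAN on the port, which is the limitation the original question describes.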