Tagged and untagged traffic in same VLAN on same port

jeronimo
Contributor III
Hey,

Is it possible to have tagged and untagged egress on a single port and in the same VLAN?
Apparently not. (The switch sets either tagged or untagged egress.)
Is there a workaround? (like assigning the VLAN once untagged and once tagged to a fixed MAC address or so maybe)

The use case is this:
Usually we have VoIP-phones with PCs behind them connected. Phones and PCs are in different VLANs. Standard stuff.
Now there is an exception where there is a PC running some VoIP-admin thingy which (theoretically at least) belongs nicely into the same VLAN as the phones. But in this scenario it seems we will not be able to cascade phone and PC.....

Any thoughts?

Thanks,
Marki

(EOS B5 v6.81)

15 REPLIES

Erik_Auerswald
Contributor II
Hi Marki,

you can try to classify the VoIP-admin thingy frames using a policy, and use that policy to assign them to the voice VLAN. The PC port would be untagged, and you could still use a tagged voice VLAN on the port for all frames (phone, pc data, pc voice-admin thingy).
set policy rule profile-index {ether | icmp6type | ip6dest | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}
vlan vlan Specifies the action of the rule is to classify to a VLAN ID.
I have not tested this, but it might be worth investigating.

Edit: The above is for frames entering the switch port. For frames exiting the switch port you would need both VLANs configured for untagged egress. Thus you would need to use a policy (e.g. applied dynamically via dot1X) to classify voice frames from the telephone into the voice VLAN and prevent the phone from expecting tagged frames. (I had a customer once who used dot1X, multiuser-auth, and policies to implement a voice VLAN without using tagged frames between phone and switch.)

Edit2: Using a classification rule for VLAN assignment might allow using two VLANs for frames from/to one "user", i.e. MAC address, as opposed to using user authentication to assign the MAC to one VLAN.

Erik
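
The ingress/egress asymmetry described in the reply above, as a small Python model added here (not part of the original thread and not EOS code). The MAC addresses, VLAN IDs 10 and 20, and the `Port` class are constructed for illustration; the source-MAC rule stands in for a `macsource` policy rule.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier
PC, PHONE, SERVER = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))  # constructed MACs
DATA_VLAN, VOICE_VLAN = 10, 20  # constructed VLAN IDs

def frame(dst, src, payload, vid=None, ethertype=0x0800):
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    tag = struct.pack("!HH", TPID, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def vlan_of(raw):
    """Return the VID carried in the frame, or None if it is untagged."""
    if struct.unpack("!H", raw[12:14])[0] == TPID:
        return struct.unpack("!H", raw[14:16])[0] & 0x0FFF
    return None

class Port:
    def __init__(self, pvid, egress, rules=()):
        self.pvid = pvid      # VLAN for untagged ingress frames with no rule match
        self.egress = egress  # {vid: "tagged" | "untagged"}: exactly one mode per VLAN
        self.rules = rules    # hypothetical (source MAC, vid) classification rules

    def ingress(self, raw):
        """Classify a received frame: 802.1Q tag first, then rule, then PVID."""
        vid = vlan_of(raw)
        if vid is not None:
            return vid
        for src_mac, rule_vid in self.rules:
            if raw[6:12] == src_mac:
                return rule_vid
        return self.pvid

    def transmit(self, raw, vid):
        """Return the frame as sent on the wire, or None if vid is not on the port."""
        mode = self.egress.get(vid)
        if mode is None:
            return None
        inner = raw[:12] + raw[16:] if vlan_of(raw) is not None else raw
        if mode == "tagged":
            return inner[:12] + struct.pack("!HH", TPID, vid) + inner[12:]
        return inner

def demo():
    port = Port(DATA_VLAN, {DATA_VLAN: "untagged", VOICE_VLAN: "tagged"}, [(PC, VOICE_VLAN)])
    up = port.ingress(frame(SERVER, PC, b"admin"))  # untagged PC frame hits the rule
    down = port.transmit(frame(PC, SERVER, b"reply"), VOICE_VLAN)
    return up, vlan_of(down)
```

`demo()` returns `(20, 20)`: the PC's untagged frame is classified into the voice VLAN on ingress, but the reply still leaves the port carrying an 802.1Q tag, because the port has only one egress mode for that VLAN.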

Nick_Yakimenko
New Contributor II
Think about getting the tagged VOIP VLAN on a different LAN port of the PC, or get the VOIP VLAN tagged (see if your NIC drivers support 802.1q tagged VLANs).

BradP
Extreme Employee
Hi Marki,

Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

jeronimo
Contributor III
Yeah, I have seen that. Thanks. I guess the matter will be resolved when you do e.g. a MAC authentication via NAC, which is probably what Olaf meant with "MAC-based VLANs".