
Tagged and untagged traffic in same VLAN on same port


Userlevel 2
Hey,

Is it possible to have tagged and untagged egress on a single port and in the same VLAN?
Apparently not. (The switch sets either tagged or untagged egress.)
Is there a workaround? (like assigning the VLAN once untagged and once tagged to a fixed MAC address or so maybe)

The use case is this:
Usually we have VoIP-phones with PCs behind them connected. Phones and PCs are in different VLANs. Standard stuff.
Now there is an exception where there is a PC running some VoIP-admin thingy which (theoretically at least) belongs nicely into the same VLAN as the phones. But in this scenario it seems we will not be able to cascade phone and PC.....

Any thoughts?

Thanks,
Marki

(EOS B5 v6.81)

15 replies

Userlevel 3
You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.
Userlevel 4
Hagemann, Olaf wrote:

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

In this case, the PC will have one MAC on a single port of a switch, so there will be only one VLAN.
Userlevel 3
Hagemann, Olaf wrote:

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

But then you can assign that VLAN untagged to that port. Am I missing something here?
Userlevel 4
Hagemann, Olaf wrote:

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

switch side:
vlan10 voip
vlan20 ethernet
one port on a switch
different subnets on each vlan

How should he get connectivity on both networks/VLANs at the same time?
Userlevel 3
Hagemann, Olaf wrote:

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

What about dynamic VLAN assignment?
Userlevel 4
Hagemann, Olaf wrote:

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

That will not allow connectivity to both VLANs from a single PC at the same time either.
Userlevel 3
Hagemann, Olaf wrote:

You could use MAC based VLANs and have all the traffic on the port untagged. According to the MAC address the switch will assign the packet to the appropriate VLAN. Having tagged and untagged traffic from the same VLAN on one port is not possible.

So you want the PC to be in both VLANs at the same time? This is not possible as long as the PC does not support VLAN tagging. You should consider using a dedicated management PC or upgrading it to a model which supports VLAN tagging.
Hi Marki. Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?
Userlevel 2
Brad wrote:

Hi Marki. Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

As I explained, yes but in a special scenario: same VLAN, once tagged, once untagged. Can't configure that on port egress. Either tagged or untagged, not the same VLAN both tagged and untagged.
Userlevel 4
Brad wrote:

Hi Marki. Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

I have configured it once on Cisco devices; it is called 'native'.
On other devices it may be called 'PVID'.
Userlevel 2
Brad wrote:

Hi Marki. Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

PVID is the implicit VLAN for untagged ingress packets. I am talking about the egress of the port.
Userlevel 4
Brad wrote:

Hi Marki. Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

As I wrote 14 hrs ago:
think about getting the tagged VoIP VLAN on a different LAN port of the PC, or get the VoIP VLAN tagged (see if your NIC drivers support 802.1Q tagged VLANs).
Userlevel 2
Brad wrote:

Hi Marki. Typically customers will have the same port added as untagged to the PC VLAN and tagged to the voice VLAN. This will allow both types of traffic to traverse the same port. Is this what you're trying to do?

Yeah, I have seen that 🙂 Thanks. I guess the matter will be resolved when you do e.g. a MAC authentication via NAC, which is probably what Olaf meant by "MAC-based VLANs".
Userlevel 4
Think about getting the tagged VoIP VLAN on a different LAN port of the PC, or get the VoIP VLAN tagged (see if your NIC drivers support 802.1Q tagged VLANs).
Userlevel 7
Hi Marki,

You can try to classify the VoIP-admin thingy frames using a policy, and use that policy to assign them to the voice VLAN. The PC port would be untagged, and you could still use a tagged voice VLAN on the port for all frames (phone, PC data, PC voice-admin thingy).

set policy rule profile-index {ether | icmp6type | ip6dest | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}

vlan vlan Specifies the action of the rule is to classify to a VLAN ID.

I have not tested this, but it might be worth investigating.

Edit: The above is for frames entering the switch port. For frames exiting the switch port you would need both VLANs configured for untagged egress. Thus you would need to use a policy (e.g. applied dynamically via dot1X) to classify voice frames from the telephone into the voice VLAN and prevent the phone from expecting tagged frames. (I had a customer once who used dot1X, multiuser-auth, and policies to implement a voice VLAN without using tagged frames between phone and switch.)

Edit2: Using a classification rule for VLAN assignment might allow using two VLANs for frames from/to one "user", i.e. MAC address, as opposed to using user authentication to assign the MAC to one VLAN.

Erik
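
The ingress classification and the single per-VLAN egress state discussed in this thread, as an added Python model (not part of any post and not EOS code). Assumptions: the classification order tag, then rule, then PVID; UDP port 5060 as a stand-in marker for the PC's voice-admin traffic; constructed MAC addresses; VLAN IDs 10 and 20 taken from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

VOICE, DATA = 10, 20          # VLAN IDs as in the thread (vlan10 voip, vlan20 ethernet)
ADMIN_UDP_PORT = 5060         # constructed marker for the PC's voice-admin traffic

@dataclass
class Frame:
    src_mac: str
    tag: Optional[int] = None         # 802.1Q VLAN ID; None means untagged
    udp_dport: Optional[int] = None

@dataclass
class Port:
    pvid: int
    # vid -> "tagged" | "untagged": one egress state per VLAN, so "same VLAN
    # both tagged and untagged" cannot be expressed, as on the switch.
    egress: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)   # (frame attribute, value, vid)

def classify_ingress(port: Port, frame: Frame) -> int:
    """VLAN for a frame entering the port (assumed order: tag, rule, PVID)."""
    if frame.tag is not None:
        return frame.tag
    for attr, value, vid in port.rules:
        if getattr(frame, attr) == value:
            return vid
    return port.pvid

def egress(port: Port, vid: int, frame: Frame) -> Optional[Frame]:
    """Frame as it leaves the port; None if the port is not in the VLAN's egress list."""
    state = port.egress.get(vid)
    if state is None:
        return None
    return Frame(frame.src_mac, vid if state == "tagged" else None, frame.udp_dport)

def demo():
    port = Port(DATA, {DATA: "untagged", VOICE: "tagged"},
                [("udp_dport", ADMIN_UDP_PORT, VOICE)])
    phone = Frame("00:00:5e:00:53:01", tag=VOICE)        # phone tags its own frames
    pc_data = Frame("00:00:5e:00:53:02")                 # PC, ordinary untagged traffic
    pc_admin = Frame("00:00:5e:00:53:02", udp_dport=ADMIN_UDP_PORT)
    vlans_in = [classify_ingress(port, f) for f in (phone, pc_data, pc_admin)]
    reply = Frame("00:00:5e:00:53:03")                   # constructed host in the voice VLAN
    tagged_out = egress(port, VOICE, reply).tag          # tagged: unusable for a PC without 802.1Q
    port.egress[VOICE] = "untagged"                      # flip the VLAN's single egress state
    untagged_out = egress(port, VOICE, reply).tag        # untagged: the phone no longer sees a tag
    return vlans_in, tagged_out, untagged_out

if __name__ == "__main__":
    print(demo())
```

The rule gets the PC's untagged admin frames into the voice VLAN on ingress, but return traffic in that VLAN leaves the port in only one form, which is the egress limitation the thread keeps coming back to.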
