Wednesday, November 20, 2013

VLANs: tagged, untagged -- what's the difference?

I know this topic has probably been beaten to death elsewhere. . . What can I say? I can't help myself.

When there is an untagged VLAN on a switch or port, it means the VLAN information is private to the switch. No VLAN information is added to packets leaving the switch. This has a lot of important implications. A machine connecting to an untagged VLAN port does not need to know (and will not know) what VLAN it is in. If I'm connecting two switches together using a cable connected to untagged VLAN ports, each end of the cable could be in a different VLAN and the switches will not care. So, for example, I could send untagged VLAN 1 from one switch and bring it into another switch as untagged VLAN 20.

Tagged VLAN means that the switch does insert the VLAN information into the header of each packet. In fact, this information is called a "tag", hence the term "tagged VLAN", which means "VLAN where packets contain VLAN tags". Assuming I'm sending tagged VLAN packets (and no untagged ones) on a port, if I connect the eth0 interface of a vanilla-installed PC to that port, and give the interface an address in the tagged VLAN's range, the network will not work over that interface. Of course, I will be able to 'see' the packets using wireshark or tcpdump, but I won't be able to make TCP, UDP, ICMP, etc. connections.

No comments:

Post a Comment