Description: Tag-based VLAN is required when multiple networks have to communicate through a single physical interface, such as a switch port. Each network is assigned its own individual VLAN ID. The VLAN IDs are used to uniquely identify the communication.
Tagging modes are used to control the communication of inbound and outbound packets. There are three different VLAN tagging modes:
- Access,
- Trunk and
- Hybrid.
This article describes how the various VLAN tagging modes work.
Access (never): This tagging mode is used when connecting a network device that cannot process VLAN IDs itself (such as a notebook).
Info: For the sake of simplicity, the fact that an increasing number of network cards and even Windows offer partial support of VLAN is not considered in this document.
The access port must have been given the appropriate port VLAN ID (PVID). This controls which network a device may communicate with.
Trunk (always): This tagging mode is used to interconnect routers, access points or switches. Network devices such as notebooks cannot be connected.
Hybrid (mixed): This tagging mode is used to interconnect routers, access points or switches. Since the PVID is assigned to untagged packets, network devices like notebooks are also able to communicate in the network tagged with the PVID.
Info: Typically, the PVID used for the Hybrid tagging mode corresponds to the VLAN ID of the management network.
Example scenario 1:
- A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
- A managed switch is connected to the router. The two VLANs were created on the switch.
- The router and the switch each have a port that is set to the Hybrid tagging mode.
- On the switch, a further port was set to the Access tagging mode and a notebook was connected to this port.
- The router and the switch use the PVID 1 on the ports tagged as Hybrid.
- The switch port operating the tagging mode Access was assigned the PVID 1, so that the notebook in the INTRANET is able to communicate.
The router sends a packet from the INTRANET to the notebook connected to the switch in the same network. The VLAN tag 1 is removed at the router port because VLAN ID 1 is the PVID, so the packet arrives at the switch untagged. The switch attaches the PVID 1 and forwards the packet to the port tagged as Access, which is connected to the notebook. The VLAN tag is removed when outbound to the notebook.
In the other direction, a packet is sent without a VLAN tag from the notebook to the router (INTRANET). The switch attaches the PVID 1 to the incoming packet and forwards it to the next switch port that is tagged as Hybrid. This removes the VLAN tag 1 for outbound packets as this corresponds to the PVID. The packet arrives untagged at the router, which then attaches the PVID 1 to inbound packets on the port tagged as Hybrid.
Example scenario 2:
- A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
- A managed switch is connected to the router. The two VLANs were created on the switch.
- The router and the switch each have a port that is set to the Hybrid tagging mode.
- On the switch, a further port was set to the tagging mode Access and a notebook was connected to this port.
- The router and the switch use the PVID 1 on the ports tagged as Hybrid.
- The switch port with the tagging mode Access was assigned the PVID 2, so that the notebook is able to communicate on the Guest network.
The router sends a packet from the Guest network to a notebook connected to the switch in the same network. The packet is passed through the router port, as VLAN ID 2 does not match the PVID and it arrives at the switch with VLAN tag 2. The packet is forwarded to the port tagged as Access, which is connected to the notebook. The port tagged as Access then removes the VLAN tag for packets that are outbound to the notebook.
In the other direction, a packet is sent from the notebook to the router without a VLAN tag (Guest network). The switch attaches the PVID 2 to the incoming packet and forwards it to the next switch port that is tagged as Hybrid. The switch forwards the packet with the VLAN tag 2 to the router. The packet with VLAN tag 2 arrives at the router (Guest network).
Example scenario 3:
- A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
- A managed switch is connected to the router. The two VLANs were created on the switch.
- The router and the switch each have a port set to the tagging mode Trunk.
- On the switch, a further port was set to the tagging mode Access and a notebook was connected to this port.
- The switch port with the tagging mode Access was assigned the PVID 2, so that the notebook is able to communicate on the Guest network.
The router sends a packet from the Guest network to a notebook connected to the switch in the same network. The packet passes through the router port with the VLAN tag 2 outbound and arrives at the switch with the same VLAN tag. The packet is forwarded to the port tagged as Access, which is connected to the notebook. The port tagged as Access then removes the VLAN tag for packets that are outbound to the notebook.
In the other direction, a packet is sent from the notebook to the router without a VLAN tag (Guest network). The switch attaches the PVID 2 to incoming packets and forwards them to the next switch port that is tagged as Trunk. The switch forwards the packet with the VLAN tag 2 to the router. The packet with VLAN tag 2 arrives at the router (Guest network).
Example scenario 4:
- A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
- On the router, a port has been set to the tagging mode Hybrid.
- The port tagged as Hybrid on the router was assigned PVID 1.
- A notebook is connected to the port tagged as Hybrid on the router.
The router sends a packet from the INTRANET to the notebook connected to the router in the same network. The VLAN tag 1 is removed on the router port because VLAN ID 1 is the PVID, so the packet arrives at the notebook untagged.
In the other direction, a packet is sent without a VLAN tag from the notebook to the router (INTRANET). The packet arrives untagged at the router, which then attaches the PVID 1 to inbound packets on the port tagged as Hybrid.
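The inbound and outbound tagging rules walked through in the four scenarios can be checked with a small model. This is an added example, not part of the original article or any vendor's code. The names `Port`, `ingress`, `egress` and `send` are hypothetical, and the two drop rules (tagged frames arriving on an Access port, untagged frames arriving on a Trunk port) are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    mode: str                   # "access", "trunk" or "hybrid"
    pvid: Optional[int] = None  # Trunk ports carry no PVID in this model

def ingress(port, tag):
    """VLAN ID given to a frame received on `port` (tag None = untagged); None = dropped."""
    if port.mode == "access":
        # Assumption: an Access port accepts only untagged frames.
        return port.pvid if tag is None else None
    if port.mode == "trunk":
        # Assumption: untagged frames have no VLAN on a Trunk port and are dropped.
        return tag
    return port.pvid if tag is None else tag  # Hybrid: PVID goes to untagged frames

def egress(port, vlan):
    """(sent, tag_on_wire) for a frame of VLAN `vlan` leaving through `port`."""
    if port.mode == "access":
        return (vlan == port.pvid, None)  # only the port's own VLAN, always untagged
    if port.mode == "trunk":
        return (True, vlan)               # always tagged
    return (True, None if vlan == port.pvid else vlan)  # Hybrid strips only the PVID

def send(vlan, *ports):
    """Walk a frame through egress, ingress, egress, ... ports.
    Returns the tag seen on each link, or None if a port drops the frame."""
    wire, tag = [], None
    for i, port in enumerate(ports):
        if i % 2 == 0:
            sent, tag = egress(port, vlan)
            if not sent:
                return None
            wire.append(tag)
        else:
            vlan = ingress(port, tag)
            if vlan is None:
                return None
    return wire

# Constructed ports matching the scenarios: INTRANET = VLAN 1, Guest = VLAN 2.
HYBRID_1, TRUNK = Port("hybrid", 1), Port("trunk")
ACCESS_1, ACCESS_2 = Port("access", 1), Port("access", 2)

if __name__ == "__main__":
    print(send(1, HYBRID_1, HYBRID_1, ACCESS_1))  # scenario 1, router to notebook
    print(send(2, HYBRID_1, HYBRID_1, ACCESS_2))  # scenario 2
    print(send(2, TRUNK, TRUNK, ACCESS_2))        # scenario 3
    print(send(2, HYBRID_1, HYBRID_1, ACCESS_1))  # Guest frame at an INTRANET port
```

The last call returns `None`: a Guest frame (VLAN 2) is not delivered through an Access port whose PVID is 1, which is how the PVID controls which network a device may communicate with.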