Topic: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification (Read 16336 times)

AndreaB · « **on:** August 21, 2017, 10:12:29 AM »

[Newbie here]

Well, they are currently unexplained for me, but hopefully things will change with this thread

Ok, here's my current understanding (I am talking about a DGS-1210-52):

TAGGED TRAFFIC enters port which is NOT MEMBER = Stopped
TAGGED TRAFFIC enters port which is TAGGED = Passed if VID matches (with preserved VID), Stopped otherwise (actually same case as line above)
TAGGED TRAFFIC enters port which is UNTAGGED = Passed if VID matches (with preserved VID), Stopped otherwise (again, same as before)
UNTAGGED TRAFFIC enters port which is NOT MEMBER = Passed (?)
UNTAGGED TRAFFIC enters port which is TAGGED = Passed as PVID-TAGGED TRAFFIC
UNTAGGED TRAFFIC enters port which is UNTAGGED = Passed as PVID-TAGGED TRAFFIC

I am quite sure there are mistakes there. Can anyone please help?
Thank you very much...

PacketTracer · « **Reply #1 on:** August 21, 2017, 01:03:44 PM »

TAGGED TRAFFIC enters port which is NOT MEMBER = Stopped
--> correct
TAGGED TRAFFIC enters port which is TAGGED = Passed if VID matches (with preserved VID), Stopped otherwise (actually same case as line above)
--> correct. Tagged ingress traffic can only pass, if the port is a tagged member of the VID, that is coded in the traffic's frame header.
TAGGED TRAFFIC enters port which is UNTAGGED = Passed if VID matches (with preserved VID), Stopped otherwise (again, same as before)
--> wrong: only untagged traffic can enter an untagged port. Any tagged traffic will be discarded. Ingress untagged traffic will be assigned to the port's PVID.
UNTAGGED TRAFFIC enters port which is NOT MEMBER = Passed (?)
--> It will pass and internally be assigned to the port's PVID
UNTAGGED TRAFFIC enters port which is TAGGED = Passed as PVID-TAGGED TRAFFIC
--> correct
UNTAGGED TRAFFIC enters port which is UNTAGGED = Passed as PVID-TAGGED TRAFFIC
--> correct

Note1: A port can be simultaneously member of several VLANs ("VLAN trunk port") in which case it can only be an untagged member of at most one VLAN while all other memberships for additional VLANs must be tagged! So in principle, you can only say a port is a tagged or an untagged member of a VLAN, but not that the port itself is tagged or untagged. This is only true, if the port is a member of only a single (tagged or untagged) VLAN.

Note2: Any untagged traffic can always enter any port, it will be internally assigned to the port's PVID.

Note3: A port's untagged membership of a VID is only relevant for egress traffic: Only traffic that is internally assigned to the VID, the port is an untagged member of, may exit the switch via that port - it will be sent as untagged traffic. In practice the PVID of a port should match the VID, the port is an untagged member of.

May be these explanations may also be helpful to you, if you are used to configure Cisco switches.

EDIT:

See also here. It explains these things quite well but doesn't handle the case of several VLAN memberships of a port.

FurryNutz · « **Reply #2 on:** August 21, 2017, 02:12:04 PM »

Thank you Sir.

AndreaB · « **Reply #3 on:** August 24, 2017, 10:57:44 AM »

Guys,

thank you. Both what you wrote and the links you provided were really clarifying.
To sum things up, and to eventually check my understanding:

IF THE DEVICE ATTACHED TO THE PORT IS NOT VLAN-AWARE
a) the switch port must be set as UNTAGGED so that the VLAN info of traffic exiting the switch is removed.
b) In case we want the device to participate in more than one VLAN, further VLANs will be set as TAGGED. In this way, traffic for these VLANs will be accepted as well (because of the TAGGED setting), but VLAN info will still be removed (because of the UNTAGGED setting) so that the device can handle it.
c) the PVID defines which VID must be set for traffic originating from the device. Tipically, this is the VLAN matching the IP of the device.

IF THE DEVICE ATTACHED TO THE PORT IS VLAN-AWARE
d) the port should not be set as UNTAGGED (at least, I cannot think of a case where it could be).
e) the port should be set to TAGGED for any VLAN the device participates in.
f) I'm not so sure what the PVID rules in this case, since traffic originating from the device already is VLAN-tagged and PVID shoul only rule untagged traffic. However, as I understand it usually is set to the native VLAN of the device (the VLAN matching the IP of the device), or any other VID of a VLAN the device participates in.
g) the PVID can also be set to a "dummy" VLAN (in case of the DGS 1210 this means a VLAN defined but with no port set to it) in order for the port to act as a "trunk" (a pass-through port).

Any comment is appreciated

PacketTracer · « **Reply #4 on:** August 24, 2017, 12:45:32 PM »

IF THE DEVICE ATTACHED TO THE PORT IS NOT VLAN-AWARE
a) the switch port must be set as UNTAGGED so that the VLAN info of traffic exiting the switch is removed.
--> correct
b) In case we want the device to participate in more than one VLAN, further VLANs will be set as TAGGED. In this way, traffic for these VLANs will be accepted as well (because of the TAGGED setting), but VLAN info will still be removed (because of the UNTAGGED setting) so that the device can handle it.
---> No, this is wrong. If a device isn't VLAN-aware, it can't participate in more than one VLAN! Those devices can only be attached to ports that are untagged members of exactly one VID, where the port's PVID should also be set to that VID. While it isn't forbidden to define additional tagged VLAN memberships for that port, it is useless, because it will never receive tagged frames from the device and tagged frames sent by the switch will be discarded by the device.
c) the PVID defines which VID must be set for traffic originating from the device.
----> yes, within the switch an ingress untagged frame is tagged according to the ingress port's PVID. The frame then can leave the switch via ports that are either untagged or tagged members of the ingress port's PVID, where it is sent untagged in the first case and tagged in the second case.
Tipically, this is the VLAN matching the IP of the device.
----> ? A VLAN and a device's IP address have nothing to do with each other. But in general, any defined VLAN corresponds to an IP network and the device has an IP address belonging to that IP network. VLAN-unaware devices send and receive untagged frames, hence the VLAN corresponding to the device's IP network is the port's PVID (ingress) and the VID (egress) the port is an untagged member of, where usually VID = PVID.

IF THE DEVICE ATTACHED TO THE PORT IS VLAN-AWARE
d) the port should not be set as UNTAGGED (at least, I cannot think of a case where it could be).
---> not in general. If a device is VLAN-aware, it can handle one ore more VLANs sent and received with a corresponding tag. In addition (or even instead of) it should be able to handle untagged frames (which the switch internally assigns the PVID (ingress) and the VID the port is an untagged member of (egress); usually VID=PVID and it is called the "native" VLAN). In practice the device will assign the untagged frames and the tagged frames to different IP subnetworks. For example you can operate a router with a single physical ethernet interface, by assigning the first IP network to the main interface (valid for frames sent and received untagged) and then defining subinterfaces (one per different VLAN, traffic sent and received tagged), where each subinterface belongs to another IP network. With Linux you can configure a network interface this way. With Windows you would need a VLAN configurable network driver from the NIC's vendor (e.g. Broadcom or Intel)
e) the port should be set to TAGGED for any VLAN the device participates in.
---> yes, eventually except for the native VLAN, see d). From the device's point of view frames sent and received untagged can be regarded like belonging to an "unnumbered" VLAN. The concept of the native VLAN (which is a concrete VLAN ID) is unknown to the device. It is the switch that is responsible to add (ingress: PVID) and remove (egress: VID (=PVID) the port is an untagged member of) the defined native VLAN VID internally.
f) I'm not so sure what the PVID rules in this case, since traffic originating from the device already is VLAN-tagged and PVID shoul only rule untagged traffic. However, as I understand it usually is set to the native VLAN of the device (the VLAN matching the IP of the device), or any other VID of a VLAN the device participates in.
---> Yes, if a VLAN-aware device only sends tagged traffic, the PVID of the port, the device is attached to, is useless. In those cases you should assign the port's PVID a dummy value, that isn't used elsewhere. Hence, if ever an untagged frame enters such a port it is sent to nowhere ...
g) the PVID can also be set to a "dummy" VLAN (in case of the DGS 1210 this means a VLAN defined but with no port set to it) in order for the port to act as a "trunk" (a pass-through port).
---> correct

istvan · « **Reply #5 on:** January 30, 2022, 02:14:09 AM »

Hi all,

I'd like to understand one thing, I think I'm missing something.
I have one port on my Dlink and that port is an untagged member of VLAN 10.
Device connected to this port is a VLAN unaware computer.
Why do I need to set the port also to PVID 10 in order for the communication to work?
Why isn't any untagged port automatically assigned PVID of the VLAN it is a part of?

I see how old this thread is but maybe someone will answer, thanks

PacketTracer · « **Reply #6 on:** January 30, 2022, 01:10:31 PM »

Hi istvan,

it's quite obvious to ask your question, because in both usual cases (access ports and native VLAN of trunk ports) you would always have to set the port's PVID to the VLAN ID the port is an untagged member of.

It is just a question of implementation, and other vendors (e.g. Cisco) or even D-Link (for some switch models) handle it the way you suggest for their products. A port feature called "PVID" isn't even known for those products, because ingress and egress isn't seen different - it is handled symmetrically by design.

On the other hand, when it comes to "asymmetric" VLANs (a name used by D-Link for something that resembles a technique called "private" VLANs by other switch vendors) the asymmetry of configuring a port's ingress (via PVID) different from its egress (via untagged membership) becomes essential: With asymmetric VLANs (if enabled for the switch), a port is an untagged member of at least two VLANs. Hence, there is no 1:1 relationship any more between a port's untagged VLAN-ID and its PVID. Instead you have to set a port's PVID to a VLAN-ID that is selected from the set of (two or more) untagged memberships that are configured for the port.

PT

D-Link Forums

News:

Author Topic: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification (Read 16336 times)

AndreaB

Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification

PacketTracer

Re: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification

FurryNutz

Re: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification

AndreaB

Re: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification

PacketTracer

Re: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification

istvan

Re: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification

PacketTracer

Re: Unexplained: Tagged, Untagged and PVID with DLINK 1210 - seeking clarification