Wired Intelligent Edge (Campus Switching and Routing)

Reply
Highlighted
Occasional Contributor II

Difference b/w tagged, untagged, no tagged

Hi All,

 

Can someone please explain a clear difference between these below in Hpe terms, I know in cisco but as people told me terminology is bit different than other vendors.

 

  1. Tagged
  2. Untagged
  3. No tagged

 

Also I have to assign a port to wifi, Printers and User machine. So they all will be going in as untagged or no tag.

 

I have 3 vlans, 101- Wifi, 102-Printers and 103 for user machine.

 

How would the configuration look like.

 

Thanks,

Rish


Accepted Solutions
Highlighted
MVP Guru

Re: Difference b/w tagged, untagged, no tagged

Hi!

 

Cisco and HPE (HP, HPE and Aruba) VLAN related terminology differs with regards to port aggregation (Cisco (IOS): EtherChannel, HPE (ProVision/ArubaOS-Switch): Trunk) and tagging (Cisco (IOS): Trunk(ing) an interface with VLAN ids, HPE(ProVision/ArubaOS-Switch): tagging/untagging a port with VLAN ids). The main source of confusion is a Cisco used network administrator creates Trunks (aggregated port) on HPE thinking he/she would create a tagged interface...which is not.

 

With regards to untagged/tagged terminology a source could be this one.

 

Generally Access ports/interfaces need to be configured as untagged members of a specific (only one is admitted) VLAN id. Say you have VLAN 1000 "Data" and you want to assign port 15 to it, the ArubaOS-Switch command will be:

 

vlan 1000 (enter the VLAN 1000 context)

untagged 15 (assign the port 15 the untagged membership for the VLAN context you're in).

 

Viceversa to configure a port that will carry more VLAN Ids (Cisco: Trunk) supposing its purposes will be to act as an uplink/downlink port to other switch peer or to a VLAN aware server you have basically two ways:

 

  1. set that port (a physical port or a logical one, doesn't matter) to be concurrently an:
    1. untagged member of a VLAN id (the PVID Port VLAN ID, AKA the native VLAN id)
    2. tagged member of various other VLAN ids (as needed)
  2. set that port (a physical port or a logical one, doesn't matter) to be concurrently a tagged member of various other VLAN ids (as needed) making it "orphaned" of its untagged membership (so traffic admitted will be ONLY the one it carries VLAN tags, traffic without VLAN tag will be dropped).

To do that (both cases) the port need to simply be untagged/tagged as needed, example:

 

vlan 2000

untagged port 15

exit

vlan 1000

tagged port 15

 

that way port 15 will be untagged member of VLAN 2000 and tagged member of VLAN 1000, in Cisco terms PVID = 2000 and trunk permit VLAN Ids 2000 and 1000.

 

The no untagged chimes in to specify that a port can be removed from being member of VLAN 1 (Default), so when you see:

 

vlan 1

no untagged 15

 

it means that port 15 is "orphaned" of VLAN id 1...but to work it needs to be at least tagged or untagged member of another VLAN Id otherwise it will not be accepted (a port can't be orphaned of any VLAN, it needs to be member of a VLAN Id - tagged or untagged - at worst).

 

In the end the first source of confusion (Cisco: EtherChannel --> HPE: Port Trunking = Link Aggregation) chimes in too because, often, is needed to tag/untag an aggregated interface (Trk<x> where x is the port trunking Id)...suppose to have port 1 and 15 aggregated together by using LACP...that is:

 

trunk ethernet 1,5 trk1 lacp

 

so the (logical) interface you will need to manage now on is the trk1 (forget about ports 1 and 15), at this point to apply tagging/untagging the configuration is identical to those seen above:

 

vlan 2000

untagged trk1

exit

vlan 1000

tagged trk1

exit

 

There is a nice Aruba presentation that explains the Aruba ArubaOS-Switch (ProVision of HP ProCurve) versus Cisco IOS here.

 

More or less it's enough to start your journey with HP ProCurve / HPE Aruba switches.

 

Please note that some HPE Switch series (Comware 5/7 OS driven) use Cisco terminology for VLAN related configurations (so access/trunk) but EtherChannels are called LAGs (Link Aggregation Groups).

View solution in original post

Highlighted
Aruba Employee

Re: Difference b/w tagged, untagged, no tagged

Hi,

 

To make it simple, Cisco usually uses Access Ports to connect to end-user devices and trunk ports to connect a switch to another switch and support multiple vlans.

 

Access Ports are assigned a specific vlan from the switch side but from the end user side the device is not configured to specify a vlan. This is equivalent to specifying untagged vlan.

 

So for example, you want to connect a PC to ports 1 to 2 and be part of VLAN 103, ports 3-4 will be connected to printers (VLAN 102), you can use the below

 

Spoiler

VLAN 103

  untagged 1-2

vlan 102
 untagged 3-4

or you can go to each port and specify that they are untagged

 

Spoiler

interface 1

  untagged vlan 103

 

interface 2

  untagged vlan 103

interface 3
 untagged vlan 102

interface 4
 untagged vlan 102

Cisco's Trunk ports are used to pass multiple vlans between switches (This is like 802.1Q trunk). In HPE's terminology, these are tagged vlans.  All the vlans over this link must be tagged. You can only have 1 untagged vlan (like a native vlan in Cisco terminology). So as an example, you want connect the uplink (port 24) to another switch and pass vlans 101-103 as tagged vlans and you want to use vlan 40 as native vlan (untagged)

 

Spoiler
interface 24
  untagged 40
  tagged 101-103

Finally, no tagged simply removes the tag vlan from that specific port.

 

 

 

View solution in original post


All Replies
Highlighted
MVP Guru

Re: Difference b/w tagged, untagged, no tagged

Hi!

 

Cisco and HPE (HP, HPE and Aruba) VLAN related terminology differs with regards to port aggregation (Cisco (IOS): EtherChannel, HPE (ProVision/ArubaOS-Switch): Trunk) and tagging (Cisco (IOS): Trunk(ing) an interface with VLAN ids, HPE(ProVision/ArubaOS-Switch): tagging/untagging a port with VLAN ids). The main source of confusion is a Cisco used network administrator creates Trunks (aggregated port) on HPE thinking he/she would create a tagged interface...which is not.

 

With regards to untagged/tagged terminology a source could be this one.

 

Generally Access ports/interfaces need to be configured as untagged members of a specific (only one is admitted) VLAN id. Say you have VLAN 1000 "Data" and you want to assign port 15 to it, the ArubaOS-Switch command will be:

 

vlan 1000 (enter the VLAN 1000 context)

untagged 15 (assign the port 15 the untagged membership for the VLAN context you're in).

 

Viceversa to configure a port that will carry more VLAN Ids (Cisco: Trunk) supposing its purposes will be to act as an uplink/downlink port to other switch peer or to a VLAN aware server you have basically two ways:

 

  1. set that port (a physical port or a logical one, doesn't matter) to be concurrently an:
    1. untagged member of a VLAN id (the PVID Port VLAN ID, AKA the native VLAN id)
    2. tagged member of various other VLAN ids (as needed)
  2. set that port (a physical port or a logical one, doesn't matter) to be concurrently a tagged member of various other VLAN ids (as needed) making it "orphaned" of its untagged membership (so traffic admitted will be ONLY the one it carries VLAN tags, traffic without VLAN tag will be dropped).

To do that (both cases) the port need to simply be untagged/tagged as needed, example:

 

vlan 2000

untagged port 15

exit

vlan 1000

tagged port 15

 

that way port 15 will be untagged member of VLAN 2000 and tagged member of VLAN 1000, in Cisco terms PVID = 2000 and trunk permit VLAN Ids 2000 and 1000.

 

The no untagged chimes in to specify that a port can be removed from being member of VLAN 1 (Default), so when you see:

 

vlan 1

no untagged 15

 

it means that port 15 is "orphaned" of VLAN id 1...but to work it needs to be at least tagged or untagged member of another VLAN Id otherwise it will not be accepted (a port can't be orphaned of any VLAN, it needs to be member of a VLAN Id - tagged or untagged - at worst).

 

In the end the first source of confusion (Cisco: EtherChannel --> HPE: Port Trunking = Link Aggregation) chimes in too because, often, is needed to tag/untag an aggregated interface (Trk<x> where x is the port trunking Id)...suppose to have port 1 and 15 aggregated together by using LACP...that is:

 

trunk ethernet 1,5 trk1 lacp

 

so the (logical) interface you will need to manage now on is the trk1 (forget about ports 1 and 15), at this point to apply tagging/untagging the configuration is identical to those seen above:

 

vlan 2000

untagged trk1

exit

vlan 1000

tagged trk1

exit

 

There is a nice Aruba presentation that explains the Aruba ArubaOS-Switch (ProVision of HP ProCurve) versus Cisco IOS here.

 

More or less it's enough to start your journey with HP ProCurve / HPE Aruba switches.

 

Please note that some HPE Switch series (Comware 5/7 OS driven) use Cisco terminology for VLAN related configurations (so access/trunk) but EtherChannels are called LAGs (Link Aggregation Groups).

View solution in original post

Highlighted
Aruba Employee

Re: Difference b/w tagged, untagged, no tagged

Hi,

 

To make it simple, Cisco usually uses Access Ports to connect to end-user devices and trunk ports to connect a switch to another switch and support multiple vlans.

 

Access Ports are assigned a specific vlan from the switch side but from the end user side the device is not configured to specify a vlan. This is equivalent to specifying untagged vlan.

 

So for example, you want to connect a PC to ports 1 to 2 and be part of VLAN 103, ports 3-4 will be connected to printers (VLAN 102), you can use the below

 

Spoiler

VLAN 103

  untagged 1-2

vlan 102
 untagged 3-4

or you can go to each port and specify that they are untagged

 

Spoiler

interface 1

  untagged vlan 103

 

interface 2

  untagged vlan 103

interface 3
 untagged vlan 102

interface 4
 untagged vlan 102

Cisco's Trunk ports are used to pass multiple vlans between switches (This is like 802.1Q trunk). In HPE's terminology, these are tagged vlans.  All the vlans over this link must be tagged. You can only have 1 untagged vlan (like a native vlan in Cisco terminology). So as an example, you want connect the uplink (port 24) to another switch and pass vlans 101-103 as tagged vlans and you want to use vlan 40 as native vlan (untagged)

 

Spoiler
interface 24
  untagged 40
  tagged 101-103

Finally, no tagged simply removes the tag vlan from that specific port.

 

 

 

View solution in original post

Highlighted
Occasional Contributor II

Re: Difference b/w tagged, untagged, no tagged

Hi Ayman,

 

Thanks for your explanation though what you all have explained is pretty clear but I have got a question here. Lets say we have 2 vlans vlan 109 for Support team and vlan 113 which is for HP-Nonstop. Now on switch, port 1/3 is assigned to user in Support team well in this case vlan 109 should go as untagged while 113 should go as tagged,correct  me If I'm wrong. Similarly we have vlan 146 and 149 for wireless and guest there is a port 1/9 which connects to 146 and 149 vlan as well how do i determine which port should go as tagged and untagged. Its an aruba wireless ap running dhcp on vlan 146.

 

Thanks,

Rish

Highlighted
Aruba Employee

Re: Difference b/w tagged, untagged, no tagged

Hi Rish,

 

Here is my reply on the below request..

 

"Lets say we have 2 vlans vlan 109 for Support team and vlan 113 which is for HP-Nonstop. Now on switch, port 1/3 is assigned to user in Support team well in this case vlan 109 should go as untagged while 113 should go as tagged"

 

This 109 part is correct. As for vlan 113, I am not sure if you need to have tagged or untagged. In your case, if whatever your are connecting, is sending a tagged vlan then you need to configure the tagged vlan on the switch port. If it is not configured to send a vlan then you don't need to tag the port.

 

As for the below request,

 

"Similarly we have vlan 146 and 149 for wireless and guest there is a port 1/9 which connects to 146 and 149 vlan as well how do i determine which port should go as tagged and untagged. Its an aruba wireless ap running dhcp on vlan 146."

 

What type of Aruba wireless setup do you have? Is it controller based on Unified/Instant? If it is instant, then you usually configure the port as a trunk with native vlan as untagged and you configure the other vlans as tagged since the instant AP will send tagged traffic if the SSIDs are mapped to different vlans. If it is controller based, then you usually configure port as untagged and traffic is tunneled all the way to the controller..

Highlighted
Occasional Contributor II

Re: Difference b/w tagged, untagged, no tagged

Hi Ayman,

 

Its Aruba IAP-315 which has guest ssid and wireless ssid(for internal) both running on different vlans. Now the confusion happens due to things on avaya has different compared to Aruba. On Avaya I can see one port is in 2 vlans now I cant say which is tagged or untagged based on their commands and output I have never seen such a crap switch in my career. I need help in setting up wireless Ap with wireless and guest ssid on different vlans do you have any approach or suggestion I should follow to achieve this. For wireless we have 146vlan and 149 for guests. 

 

Thanks,

Rish

Highlighted
Aruba Employee

Re: Difference b/w tagged, untagged, no tagged

Hi Rish,

 

Usually, we recommend one separate VLAN for management and two vlans for users (corporate and guest). Make sure all the ports where the IAPs are connected have the same configuration to avoid any issues..

 

interface X

 untagged 50 <-- This is your management vlan

 tagged 146,149 <-- These are your wireless vlans

 

In your case, it seems you are only using 2 vlans (less recommended) so it should be like this

interface X

 untagged 146 <-- This is your management vlan & corporate wireless

 tagged 149 <-- These is your guest wireless vlan

 

I recommend you check the Avaya user guide to understand how to configure vlans at their end.

 

If you have doubt regarding the untagged vlan, you can confirm which vlan is configured as untagged as follows. You can connect your laptop to that port and check from which IP subnet do you get an IP. If the native vlan (untagged) is set to 146, you should be getting from that subnet.