Learn BGP for $6.99 for My Patreons

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon
Already a qualifying Patreon member? Refresh to access this content.

Switch VLAN configuration de-mystified

There seems to be a great deal of confusion when it comes to VLAN configuration across different platforms. In this article, I am going to clarify some often misunderstood terms and bad configurations I see.

Let’s start with some terms

Tagged Frame – A tagged frame includes a VLAN ID in the header.

Untagged Frame – A frame that does not include and VLAN ID in the header.

If you are unfamiliar with ethernet frame here is a good definition https://www.ionos.com/digitalguide/server/know-how/ethernet-frame/ or https://en.wikipedia.org/wiki/Ethernet_frame

These are often misunderstood and intermixed with ports which can be referred to as tagged or untagged. This is a term that is not entirely accurate. using the term “tagged port” is one of those misleading terms.

Switch ports are identified in the following ways. These definitions have to do with how the port handles frames. To understand how frames get handled, we must explain the two camps. The first is the cisco-like way and how almost everyone else does it. We will go over both philosophies.

Cisco Terms

Cisco has two port definitions.
Access Port
The first is an access port. If the port is in access mode, any frames coming into it will get marked with whatever VLAN the port is a member of. This configuration is reflected in the following configuration

switchport mode access
switchport access vlan 10

Another way to put this is the switch dumps all traffic coming into this port into the VLAN. In our example above, this would be VLAN 10.

Trunk Port
A trunk port is a port that only accepts tagged frames. If you forgot above, these frames have a VLAN id in the header. A trunk port can allow specific VLANs, which are referred to as pruning or allowing all VLANs. The following configuration puts the port in trunking mode and allows all tagged frames with a VLAN id to pass.

switchport mode trunk
switchport trunk allowed vlan all

So what does a Cisco port do when it gets an untagged frame? By default, it drops it. A cisco port will not pass untagged traffic by default. Learn this. Remember this! So what do you do if you need to pass untagged traffic across a trunk port? Cisco has what is called a native VLAN. Any untagged frame get dumped into this native VLAN.

switchport mode trunk
switchport trunk allowed vlan all
switchport trunk native vlan 10

The above code puts any untagged traffic into VLAN10. This configuration is a trunk with a native VLAN. There are a few things to remember about this.

  1. All untagged frame are turned into tagged frame on VLAN 10
  2. Only one VLAN can be the native VLAN.

Just about everyone else

The majority of the switch manufacturers are where folks start to get fuzzy. Many switch manufacturers have “hybrid” ports that can pass untagged and tagged traffic without a native VLAN. There are several caveats to this\ which we will discuss throughout this article.

A port that is a member of just one VLAN (aka access port)
This is normally done with the following command

switchport 0/1
pvid 10

This command can vary based upon the switch manufacturer, but most are similar. When you think of configuring these types of switches, consider whether the VLAN is tagged or untagged on the particular port. This port configuration is where the misnomer of a tagged or untagged port can confuse people. It’s not the port; it’s how the VLAN is addressed. the following is the same result but from a different switch platform requiring the PVID command.

switchport 0/1
switchport add vlan add 10 untagged
pvid 10

PVID Notes.
On some switches, if you set a port as untagged on VLAN 10 and excluded from all others, the switch will automatically tag the untagged incoming frames with the same VLAN id without requiring you to set the PVID. Other platforms require you to set the PVID. Some of the switches that don’t need you to set the PVID will allow you to set the PVID even if you don’t have to. This loose use of the pVID is where confusion in example configs can be an issue. It highly depends on the switch platform.

Port that passes multiple tagge VLANS (aka Trunk)

interface 0/15
switchport allowed vlan add 101, 102, 310 tagged

The example above allows the port to pass multiple tagged VLANs. This method is similar to a Cisco Trunk port. Only the VLANs defined are allowed to pass as tagged over the port.

Next example

interface 0/15
switchport allowed vlan add 101,102,310 tagged

In the above example, two things are going on. The first is that VLANS 101,102,and310 are allowed to pass through the port as tagged. Second, All other tagged traffic gets dropped. This dropping of non-specified VLANS is referred to as VLAN pruning.

An important thing to step and discuss is the VLAN database. In order for a switch to pass a tagged VLAN that VLAN must be understood by the switch. This can be referred to as adding it to the VLAN database or creating the VLAN. Even if the VLAN is not used on any ports on the switch, for the switch to pass it through the VLAN must be added. Creating the VLAN varies from switch to switch.

Tagged and Untagged commands on the same port

Up to now, this is all been pretty simple. We have done trunk ports, allowed VLANs on those trunk ports, done access ports, and done a single VLAN per port (access port/pvid). Let us get onto where I see people go wrong. Let’s take an example configuration and pick it apart

interface 0/15
switchport allowed vlan 101,102,310 tagged
switchport allowed vlan 10 untagged

So what is going on here? Are we allowing VLAN10 as untagged and VLANs 101,102, and 310 as tagged? No. There is no way to know what frames are VLAN 10 because those frames do not have a VLAN id in them. Otherwise, they would be tagged frames. With me? The confusing part is in the “allowed” command. You cannot allow multiple VLANs as untagged because there are no such things. Remember, an untagged frames does not carry a VLAN header. So you can’t pass VLAN 10,20, and 30 untagged because they do not exist as untagged VLANs. If they did, they would have a VLAN tag. We can pass untagged traffic on some platforms, but again, that has no vlan ID. This is the number one misconception I see.

The critical thing to remember is each port can only have ONE untagged VLAN. Untagging is almost the same as setting a native VLAN (more on this shortly). Any good switch manufacturer will only let you attach ONE VLAN as untagged to a port. If you have a Netonix, Dell, FS, Netgear, or any other switch which is configured the non-Cisco way, it will not let you assign more than one untagged VLAN to a port. This is the second thing I see in thinking. In practical use, the switch manufacturers, will not let you configure more than one untagged VLAN per port. Some will allow you to pass untagged traffic, but this is not the same. Why? No VLAN info in the frames header to distinguish VLANS.

Configurations can go wrong when an untagged vlan is defined as well as a PVID. This gets worse if these are separate IDs.

On some platforms this is configured as

interface 0/15
vlan particpation include 101,102,310
vlan tagging 101,102,310

Look familiar? “VLAN participation” means you allow VLANs 101,102, and 310 to pass through the port. VLAN tagging means it understands frames with tags of 101,102, 310, and no others. There is a subtle difference here that can confuse some. The port does not generate the tag; it understands it (tagging) and allows it to pass (include). I mention this because it is a subtle difference in how platforms change the syntax to do the same thing.

Even confusing more is how some switch platforms treat the following. This was explained under the PIVID Notes above

interface 0/15
switchport allowed vlan 101,102,310 tagged
switchport allowed vlan 10 untagged
pvid 10

PVID vs Native VLAN vs untagged
A native VLAN is not the same as a PVID, but it’s close. A PVID is the assigned VLAN of an access port. A native VLAN is configured in a trunk, if needed. In theory, when you would connect a trunk port from one switch to an access port with a defined PVID of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN-ID doesn’t have to match the PVID. Native VLAN is mainly a cisco thing and not always compatible with other platforms. Native VLANs are also not mentioned in the 802.1q standard from what I read, only tagged vs. untagged.

To further complicate things, on some platforms, PVID has to do with ingress to a port while the untagged command has to do with egress. If an untagged frame comes in, on these platforms, the PVID puts it into the appropriate VLAN. If the frame leaves the interface the untagged command puts it into that VLAN. On other platforms, ingress and egress are not an issue.

Where configurations go wrong.

Here is a scenario I see a lot. The customer has a network of tagged and untagged traffic. Say they have a management VLAN of 10 like in our previous examples. they may have a port configured as the following

interface 0/15
switchport allowed vlan 101,102,310 tagged
switchport allowed vlan 10 untagged
pvid 10

In the above example, on most platforms, the PVID 101 command will cancel out the switch port allowed VLAN 10 and cancel out the 101 tag. This configuration will result in undesired behavior. All untagged traffic will be dumped into VLAN 101. On other switch platforms, the behavior will be different. The key takeaway here is don’t do your configurations like this.

The problem is compounded when the exit port on the switch looks like

interface 0/1
switchport allowed vlan 310 tagged
switchport allowed vlan 10 untagged
pvid 10

So what happens to our traffic tagged with VLAN 101 on interface 0/15? On some switches, it gets dropped by 0/1 because there is no allowed statement referencing 101. However, on other switches, the tag is not understood, but the software sees there is a PVID. it then strips the 101 VLAN tag and replaces it with 10. By doing this we are rewriting the VLAN IDs on the frames. This rewriting can cause looping and other weird things within the switch. Suddenly, we switched up which ports have which VLANs due to misconfiguration. Traffic may enter ports it is not supposed to.

Configuration Examples

Scenario 1
We have customers on a wireless access point. I want to pass a management VLAN of 10 to the customer CPE/SM, but I want to put customers into an untagged VLAN of 11. The router to the internet is in port 1. The AP, the customer is connected to is in port 2 of my switch. The following is my config.


interface ethernet 0/1
switchport mode trunk
switchport trunk allowed vlan 10
switchport trunk native vlan 11

interfacce ethernet 0/2
switchport mode trunk
switchport trunk allowed vlan 10
switchport trunk native vlan 11

Non Cisco

interface 0/1
switchport allowed vlan 10 tagged
switchport allowed vlan 11 untagged
pvid 11

#(note pvid 11 could or could not be required due to your platform

interface 0/2
switchport allowed vlan 10 tagged
switchport allowed vlan 11 untagged
pvid 11

#(note pvid 11 could or could not be required due to your platform

Closing notes

Most WISPs will want any switch ports facing the customers to be a truck with tagged VLAN(s) and an untagged/native VLAN. This is so you can have a management VLAN that is tagged for your CPE/SMs/ONTS and an untagged for the customer router. The untagged VLAN means the customer can plug in a router without any special configuration.

A bridge is not the same as a switch. I see these used in the same context. A bridge does not understand mac addresses, VLANs, or Ip addresses. A switch understands all of this. bridging ports together is different than adding VLANs to a switch.

One of the reasons I am a Cisco fan is the port is either access or a trunk. You can’t add a configuration that will make it ambitious. This can happen on other platforms where you add a tagged command, an untagged command, and a PVID. Now you have conflicting configurations producing undesired results.






Arin 2Factor Authentication statistics

Recently, Arin sent out an email with the following statement.

In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation of Two-Factor Authentication (2FA). Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA with their accounts.

AVG has a great article on what 2Factor authentication is and why you should be using it.


Foundations weekly e-mail

Christian Koch has a great weekly e-mail about Data Centers, Interconnection, and other topics. If you are in these spaces it’s worth the subscription.

The primary weekly briefing newsletter is delivered by email every Monday at 7:30 AM (ET/New York), keeping readers up-to-date with top news and developments, analysis, and expert commentary on the technology and business of digital infrastructure, including Cloud, Connectivity, and Data Centers.

Patreon Edition of ISP news

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon
Already a qualifying Patreon member? Refresh to access this content.

Free Microsoft exam credit

Microsoft.com offers a Microsoft Certification Exam for Free when you Complete One Challenge within the Microsoft Build Cloud Skills Challenge May 2022.

Thanks to Community Member CleverCheetah1749 for finding this deal.


  1. Go to Microsoft Build Cloud Skills Challenge May 2022
  2. Complete one challenge of your choice by June 21
    • To complete a challenge, finish all of the modules in the selected challenges Microsoft Learn collection.
  3. By June 30, a free exam credit will be applied to your Microsoft Learn account
  4. Redeem your exam credit to take a Microsoft Certification Exam by December 31, 2022.

Eligible Exams:

  • AI-102: Designing and Implementing a Microsoft Azure AI Solution
  • AZ-204: Developing Solutions for Microsoft Azure
  • AZ-220: Microsoft Azure IoT Developer
  • AZ-400: Designing and Implementing Microsoft DevOps Solutions
  • DP-420: Designing and Implementing Cloud – Native Applications Using Microsoft Azure Cosmos DB
  • MS-600: Building Applications and Solutions
  • PL-100: Microsoft Power Platform App Maker
  • PL-200: Microsoft Power Platform Functional Consultant
  • PL-300: Microsoft Power BI Data Analyst
  • SC-200: Microsoft Security Operations Analyst
  • SC-300: Microsoft Identity and Access Administrator

ISP News for the week ending April29th, 2022

Cloudflare blocks a 15rps DDOs Attack.

Good news regarding the chip shortage.
“America’s ambitions to rebuild its semiconductor manufacturing industry took a step forward on Monday with the opening of a specialty chip fabrication plant in central New York.”

The United States joins 55 nations to set Internet rules

Will a re-brand of Frontier help its image?

New on Californias Net Neutrality Law
California’s net neutrality law is similar to the federal rules repealed under former FCC Chairman Ajit Pai. California prohibits ISPs from blocking or throttling lawful traffic. It also prohibits requiring fees from websites or online services to deliver or prioritize their traffic to consumers, bans paid data cap exemptions (so-called “zero-rating”), and says that ISPs may not attempt to evade net neutrality protections by slowing down traffic at network interconnection points.

Mikrotik releases 7.3Beta37
*) bonding – fixed LACP flapping for RB5009 and CCR2004-16G-2S+ devices;
*) bridge – fixed packet marking for IP/IPv6 firewall;
*) dot1x – improved server stability when using re-authentication;
*) fetch – improved full disk detection;
*) gps – fixed minor value unit typo;
*) l3hw – improved offloading for directly connected hosts on CRS305, CRS326-24G-2S+, CRS328, CRS318, CRS310;
*) led – fixed QSFP+, QSFP28 activity LEDs when using 40Gbps modules (introduced in v7.3beta33);
*) lte – disabled wait for LTE auto attach;
*) mpls – fixed MPLS MTU and path MTU selection;
*) ovpn – fixed hardware offloading support on CHR;
*) ovpn – improved Windows client disconnect procedure in UDP mode;
*) ovpn – moved authentication failure messages to “info” logging level;
*) ppp – added warning when using prefix length other than /64 for router advertisement;
*) ppp – fixed “remote-ipv6-prefix” parameter unsetting;
*) ppp – fixed issue with multiple active sessions when “only-one” is enabled;
*) routerboot – properly reset system configuration when protected bootloader is enabled and reset button used;
*) rsvp-te – improved stability when “Resv” received for non-existing session;
*) sfp – improved QSFP/SFP interface initialization for 98DXxxxx switches;
*) switch – fixed missing stats from traffic-monitor for 98DXxxxx and 98PX1012 switches;
*) system – fixed RouterOS bootup when wifiwave2 package is installed (introduced in v7.3beta34);
*) system – fixed rare partial loss of RouterOS configuration after package upgrade/downgrade/install/uninstall;
*) user-manager – improved stability when received EAP attribute with non-existing state attribute;
*) vpls – fixed “pw-l2mtu” parameter usage;