Testing my Understanding of the Tagged Port to Router

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-03-03 15:14:48 - last edited 2024-03-17 18:54:52
Model: SG2008P  
Hardware Version: V3
Firmware Version: Original

Good day!

 

I used a TP-Link guide in setting up my VLANs. The setup uses a router, a switch, and an access point connected to the switch to give Wi-Fi for the VLANs.

https://www.tp-link.com/ae/support/faq/418/

 

According to the guide, port 1 on the switch is connected to the access point and is "tagged" on each of the vlans set up (excluding the default vlan). As for port 2 on the switch, it is connected to the router/gateway and is "untagged" for each of the vlans created on the gui.

 

1- After changing the VLAN pvids for each port associated with a vlan to reflect the id of that particular vlan, I realized that the ports connected to the access point as well as the router/gateway were left unchanged. They have pvid 1.

Can I not change that to 666? The guide only mentions that "The PVID of Port 1 and Port 2 should be "1" and PVID of the other ports should be consistent with the corresponding VLAN ID."

I ask because the whole point of the setup is to isolate traffic and not use vlan1 in any way. Yes, I know vlan 10 traffic has to be forwarded to port 2 to reach the switch, but why does the port 2 need to have a pvid 1?

 

2- I'm confused over the following:

The uplink port in this setup is the port going to the router/gateway, and thus is Port 2, right? My understanding is that it is also a "trunk" port. However, almost every forum thread I go through labels the switch port connected to the router as a "tagged" port. But our above-mentioned guide clearly states the opposite: that Port 2 is "Untagged" while Port 1 (connected to the AP) is Tagged.

 

I really appreciate your help! Note that I'm a beginner but have been reading for months actually, so I know some basic stuff.

1 Accepted Solution
Re:Testing my Understanding of the Tagged Port to Router-Solution
2024-03-04 09:06:06 - last edited 2024-03-17 18:54:52

Hi @Matt677 

Thanks for posting in our business forum.

A1: Only when you connect a computer to that port; in that case, you should set this port with the VLAN ID and PVID.

If it is a trunk, you don't have to set the PVID.

AP, no need to change the PVID.

 

A2: It can be untagged; however, you should note that if it is untagged, it can only carry one VLAN.

If you want it to be a "trunk", then you should set multiple VLANs to it. It must be a tagged port in which you can carry multiple VLAN IDs.

When it is untagged, PVID determines what VLAN it belongs to.

Best Regards!
Re:Testing my Understanding of the Tagged Port to Router
2024-03-06 15:57:33

  @Clive_A 

 

Super helpful!! I took the time to research your answers thoroughly and it makes sense now.

 

1- I have a follow up question: So let's say I wanted to create a vlan 666 and make it untagged on the port connected to my router. And I give that port a PVID of 666. This way, untagged traffic goes to that Vlan 666 rather than vlan 1. Is my intuition flawed? Yes/No

 

2- If correct so far, then the question is whether this untagged traffic will be dropped inside Vlan 666 or will it then be forwarded out to a trunk or other? I ask since Vlan 666 is not tagged nor untagged on any other ports. What do you think?

 

 

Bunch of thanks, have a good one!

Re:Testing my Understanding of the Tagged Port to Router
2024-03-07 03:46:32

Hi @Matt677 

Thanks for posting in our business forum.

Matt677 wrote

  @Clive_A 

 

Super helpful!! I took the time to research your answers thoroughly and it makes sense now.

 

1- I have a follow up question: So let's say I wanted to create a vlan 666 and make it untagged on the port connected to my router. And I give that port a PVID of 666. This way, untagged traffic goes to that Vlan 666 rather than vlan 1. Is my intuition flawed? Yes/No

 

2- If correct so far, then the question is whether this untagged traffic will be dropped inside Vlan 666 or will it then be forwarded out to a trunk or other? I ask since Vlan 666 is not tagged nor untagged on any other ports. What do you think?

 

 

Bunch of thanks, have a good one!

A1: Correct. No.

A2: Forward at the port. Because you configure the VLAN 666 on the router, it will forward.

If there is no other port in VLAN 666, and you have the interface, it will be forwarded to the router.

It should stay in VLAN 666 and find its DST based on the table on the router. If there is no DST, it will be dropped.

Best Regards!
Re:Testing my Understanding of the Tagged Port to Router
2024-03-07 10:30:39

  @Clive_A 

 

Thanks for your kind follow up!

 

My final follow up question on the topic. I need to know whether there is a way to disallow that untagged traffic that ended up in Vlan 666 from ever leaving that vlan. Sorta like a black hole vlan in case of untagged traffic on the trunk port (of course, for tagged traffic the trunk port will forward the traffic of any particular vlan to the router, no problem there). But how can we not get untagged traffic in Vlan 666 forwarded to the router?


My guesses below. I appreciate a comment on each so I solidify my understanding whether it may break something or achieve the goal.

1- Creating the Vlan 666 as a Vlan with no associated Interface (no IP range etc- just a Vlan defined as untagged on that single port).

2- Use ACLs on Vlan 666 to stop the untagged traffic on that port from reaching the router. But for that we need an interface with an IP range for Vlan 666 and after that a Deny All ACL.

3- Last option is to remove the layer 3 Static Routing default route entry which is the router's IP (from 0.0.0.0 hop to router's IP). This way IP packets whose destination is undefined do not get forwarded to the router.

 

 

Thanks, have a good day!

 

Re:Testing my Understanding of the Tagged Port to Router
2024-03-08 01:35:16

Hi @Matt677 

Thanks for posting in our business forum.

Matt677 wrote

  @Clive_A 

 

Thanks for your kind follow up!

 

My final follow up question on the topic. I need to know whether there is a way to disallow that untagged traffic that ended up in Vlan 666 from ever leaving that vlan. Sorta like a black hole vlan in case of untagged traffic on the trunk port (of course, for tagged traffic the trunk port will forward the traffic of any particular vlan to the router, no problem there). But how can we not get untagged traffic in Vlan 666 forwarded to the router?


My guesses below. I appreciate a comment on each so I solidify my understanding whether it may break something or achieve the goal.

1- Creating the Vlan 666 as a Vlan with no associated Interface (no IP range etc- just a Vlan defined as untagged on that single port).

2- Use ACLs on Vlan 666 to stop the untagged traffic on that port from reaching the router. But for that we need an interface with an IP range for Vlan 666 and after that a Deny All ACL.

3- Last option is to remove the layer 3 Static Routing default route entry which is the router's IP (from 0.0.0.0 hop to router's IP). This way IP packets whose destination is undefined do not get forwarded to the router.

 

 

Thanks, have a good day!

 

You probably find this helpful. So, stop this from the switch. Not on the router. Router is supposed to look them up in the tables if they arrive at the router. That's what a router is supposed to do.

ACL does not work on VLAN.

Last question does not make sense if you read the above lines.

 


 

 

 

Best Regards!
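The tagging rules discussed in the replies above, as an added example that is not part of the thread or TP-Link's own material: a minimal Python model of 802.1Q ingress classification (PVID) and egress tagging on a four-port switch. Ports 3 and 4, VLAN 20 and the VLAN 1 membership are constructed for illustration, and the model assumes pure layer-2 flooding with no switch L3 interface on VLAN 666.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    pvid: dict                                   # port -> PVID for untagged ingress
    members: dict = field(default_factory=dict)  # vlan -> {port: "T" or "U"}

    def forward(self, in_port, tag=None):
        """Return {egress_port: VID on the wire, or None if sent untagged}."""
        # Ingress: a tagged frame keeps its VID; an untagged one gets the port PVID.
        vid = tag if tag is not None else self.pvid[in_port]
        ports = self.members.get(vid, {})
        # Ingress filtering: drop if the receiving port is not in that VLAN.
        if in_port not in ports:
            return {}
        # Egress: flood to the other member ports; "T" keeps the tag, "U" strips it.
        return {p: (vid if mode == "T" else None)
                for p, mode in ports.items() if p != in_port}

def guide_layout():
    # Constructed from the guide as quoted: port 1 (AP) tagged, port 2 (router)
    # untagged in every VLAN, PVID 1 on both. Ports 3/4 are assumed access ports.
    return Switch(pvid={1: 1, 2: 1, 3: 10, 4: 20},
                  members={1: {1: "U", 2: "U"},
                           10: {1: "T", 2: "U", 3: "U"},
                           20: {1: "T", 2: "U", 4: "U"}})

def blackhole_layout():
    # Port 2 becomes a tagged trunk; untagged ingress lands in VLAN 666,
    # which has no other member port, so the switch has nowhere to send it.
    return Switch(pvid={1: 1, 2: 666, 3: 10, 4: 20},
                  members={1: {1: "U"},
                           10: {1: "T", 2: "T", 3: "U"},
                           20: {1: "T", 2: "T", 4: "U"},
                           666: {2: "U"}})

if __name__ == "__main__":
    g, b = guide_layout(), blackhole_layout()
    print("guide: VLAN 10 host ->", g.forward(3))   # leaves port 2 untagged
    print("guide: VLAN 20 host ->", g.forward(4))   # also untagged on port 2
    print("guide: untagged on port 2 ->", g.forward(2))
    print("blackhole: untagged on port 2 ->", b.forward(2))
    print("blackhole: VLAN 10 tagged on port 2 ->", b.forward(2, tag=10))
```

In the guide layout, frames from VLAN 10 and VLAN 20 both leave port 2 without a tag, so the router cannot tell them apart; in the blackhole layout they leave tagged and untagged ingress on port 2 is dropped at the switch.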
Re:Testing my Understanding of the Tagged Port to Router
2024-03-17 18:56:25

  @Clive_A 

 

Excuse me for the delay, I get it now, thanks a lot!!
