07-11-2025 06:08 AM
I am trying to get a better understanding of why something is working. SW1 is another vendor's switch which connects their devices, SW2 is my switch which connects devices on my network. SW1 and SW2 are connected via a trunk link that allows VLAN 30 and has a native of 44. On SW2 I have a server on port 1 that is configured as an access port and assigned to VLAN 30. The other vendor is passing data from their network to my server. Everything has been working fine. However, I recently learned that they have no VLANs configured in their system. So that would imply that frames are entering SW1 as untagged frames. They are being passed over the SW1/SW2 trunk untagged over the native VLAN. So when they enter SW2 they are untagged. Where I get confused is that these untagged frames are making it to the server via port 1, which is a tagged port. Shouldn't untagged frames be dropped before they egress port 1?
07-11-2025 06:13 AM
When the vendor's switch (SW1) sends untagged traffic over the trunk, your switch (SW2) receives these frames and, by default, assigns them to the native VLAN (VLAN 44 in your case). Normally, frames in VLAN 44 shouldn't exit an access port assigned to VLAN 30; they should be isolated. However, in practice some switches handle this differently.
One possibility is that your switch is implicitly translating the native VLAN (44) to VLAN 30 when forwarding traffic over the trunk. This isn't standard 802.1Q behavior, but some vendors implement relaxed rules, especially when interoperating with non-Cisco devices. Another explanation is that the native VLAN setting isn't being strictly enforced, meaning untagged traffic is being treated as part of VLAN 30 instead of 44.
To troubleshoot, check the actual running configuration on SW2 and verify whether untagged traffic is being classified as VLAN 30 or 44. A quick test would be to temporarily change the server port to an access port in VLAN 44; if traffic still passes, it confirms the native VLAN is effectively acting as VLAN 30. Alternatively, a packet capture on the server port would show whether frames arrive tagged or untagged. While this setup works now, it's technically inconsistent with strict VLAN segregation. If strict separation is needed, the vendor should properly tag their traffic as VLAN 30, or you should adjust your trunk configuration to match their untagged traffic handling.
Also, if you can share the relevant configs from SW2 (particularly the trunk port and server port configurations), that would help pinpoint the exact behavior. Hope it helps.
-Enes
07-11-2025 06:19 AM
I believe your topology looks something like this, in general or so.... (check the screenshot)
07-11-2025 06:29 AM
A VLAN has two jobs:
Tag frames when they pass through a trunk
Limit broadcasts to only the ports assigned to that VLAN
The SW receives an untagged frame on a port assigned to a specific VLAN
Then, when it passes over the trunk, the SW will tag this frame with that VLAN
MHM
07-11-2025 12:56 PM
OK
There is a mismatch in the native VLAN.
The trunk forwards untagged frames of VLAN 44 from SW1 via the trunk to SW2.
SW2's native VLAN is 30, so it accepts them and forwards them to the server connected to the VLAN 30 port.
It works, but it is risky.
MHM
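The classification rule the replies above describe (an untagged frame arriving on a trunk is placed in that port's native VLAN, then only reaches ports in the same VLAN), as an added example that is not part of the thread. The `sw2` model, its port names, the assumption that the native VLAN is in the trunk's allowed list, and the sample frames are all constructed for illustration; it models strict 802.1Q flooding with no MAC learning and is not any vendor's actual implementation.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return the VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def classify_ingress(frame: bytes, port: dict):
    """VLAN assigned on ingress, or None if the port drops the frame."""
    vid = parse_vlan_tag(frame)
    if port["mode"] == "access":
        # Simplification: an access port takes untagged frames only.
        return port["vlan"] if vid is None else None
    if vid is None:
        vid = port["native"]  # untagged on a trunk -> native VLAN
    return vid if vid in port["allowed"] else None

def egress_ports(frame: bytes, in_port: str, ports: dict):
    """Ports a strict 802.1Q switch floods the frame to (no MAC learning)."""
    vid = classify_ingress(frame, ports[in_port])
    if vid is None:
        return []
    out = []
    for name, p in ports.items():
        if name == in_port:
            continue
        member = p["vlan"] == vid if p["mode"] == "access" else vid in p["allowed"]
        if member:
            out.append(name)
    return out

def sw2(native: int) -> dict:
    """Hypothetical SW2 model; assumes the native VLAN is carried on the trunk."""
    return {"trunk": {"mode": "trunk", "native": native, "allowed": {30, native}},
            "port1": {"mode": "access", "vlan": 30}}

# Constructed sample frames (broadcast destination, locally administered source).
HDR = bytes.fromhex("ffffffffffff" "020000000001")
UNTAGGED = HDR + struct.pack("!H", 0x0800) + bytes(46)
TAGGED_30 = HDR + struct.pack("!HHH", TPID_8021Q, 30, 0x0800) + bytes(46)
```

In this model `egress_ports(UNTAGGED, "trunk", sw2(44))` returns no ports, while the same frame with `sw2(30)` reaches `port1`, which is the difference a packet capture or the running trunk configuration on SW2 would reveal.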
07-11-2025 07:06 AM
Shouldn't untagged frames be dropped before they egress port 1?
Necessarily dropped (no V44 ports, at all, your side?), no, but, at L2, V44 frames shouldn't be sent to a V30 port.
From what you described, you're correct to wonder how all appears to be working fine.
Most likely reason all appears to be working fine is you've missed something in how this data flow works, there's a misconfiguration (e.g. two VLANs have been physically interconnected) or there's a bug.
For example, you note there are two VLANs, 30 and 44. Are they in different subnets? Is there any L3 in place to allow intercommunication between these two VLANs/subnets? (BTW, if the two VLANs are in different subnets, that raises its own host intercommunication considerations.)
07-11-2025 08:16 AM
44 is the native VLAN on the trunk, so no 44 ports on my switch.
There are no physical interconnects.
Everything is on the same subnet, so no interconnect issues there.
07-11-2025 08:41 AM
44 is the native VLAN on the trunk, so no 44 ports on my switch.
Except on this, one and only, trunk port?
If so, why have V44 then?
What's the actual configuration of this trunk port? Reason I ask, port can be configured with overlapping access port and trunk port statements, but which it uses is an "it depends" answer. (Actual running mode can be determined by various show commands, but off the top of my head, I don't recall what they are. [If you're wondering why not, I've been retired now for about 8 years, so I don't easily recall all the show commands I once used.])