EdgeSwitch - VLANs and Tagged / Untagged Ports

 Overview


This article describes the steps needed to create VLANs and define ports to be either untagged (access) or tagged (trunk) for specific VLANs. There are currently two methods to assign Port VLANs on EdgeSwitches (ES):

General Method

  • Configured using the GUI or CLI
  • Uses vlan participation and vlan tagging / pvid statements 

Switchport Method

  • Configured using the CLI only
  • Uses switchport mode access / trunk and switchport access / trunk statements 

The switchport method is identical to Cisco IOS. When you use this method, all configuration related to the general method is ignored. Keep your port VLAN configuration consistent across the device and do NOT configure both of these methods on the same port!

Notes & Requirements:

Applicable to EdgeSwitch 1.7.1+ firmware on all EdgeSwitch models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configurations used in this article.

 

Equipment used in this article:

- EdgeSwitch-8-150W (ES-8-150W)

- EdgeRouter-X (ER-X)

- UniFi AC-Lite (UAP-AC-Lite)

- Test clients (Host, Phone and Server)


Table of Contents


  1. Network Diagram
  2. Steps - VLAN Configuration using the General Method
  3. Steps - VLAN Configuration using the Switchport Method
  4. Steps - Testing & Verification
  5. Related Articles

Network Diagram


The network topology is shown below. The following interfaces are in use on the EdgeSwitches (ES) and the EdgeRouter (ER).

ER-X

  • eth0 (WAN)
  • eth1.10 (VIF 10) - 10.0.10.1/24
  • eth1.20 (VIF 20) - 10.0.20.1/24
  • eth1.99 (VIF 99) - 10.0.99.1/24

ES-Left

  • 0/1 (tagged) - VLAN10
  • 0/1 (untagged) - VLAN99
  • 0/2 (untagged) - VLAN20
  • 0/7 (tagged) - VLAN10 / VLAN20 / VLAN99
  • 0/8 (tagged) - VLAN10 / VLAN20 / VLAN99

ES-Right

  • 0/1 (untagged) - VLAN10
  • 0/2 (untagged) - VLAN20
  • 0/7 (tagged) - VLAN10 / VLAN20 / VLAN99

The UAP will tag the wireless network with VLAN10. The management traffic of the UAP itself will arrive untagged on the 0/1 port and will be placed in VLAN99 (native VLAN). The hosts and the server will be placed in VLAN10 and VLAN20. Each client will receive a DHCP address from the ER and will route all traffic through the switch to the ER. For more information on how to configure the EdgeRouter as a 'router-on-a-stick' please see the EdgeRouter - Router-on-a-Stick with Inter-VLAN Firewall Limiting article.


Steps - VLAN Configuration using the General Method


In this example the ES is running in the default configuration with the addition of SSH management access. The first step is to create the VLANs and associate them to specific ports (tagged or untagged). The configuration will mostly focus on ES-Left, as the two switches are almost identical with the exception of the port VLANs and management IP addresses.

CLI STEPS: Access the command line interface (CLI). You can do this by using a program such as PuTTY to connect via SSH, Telnet or the console.

1. Enter privileged mode.

enable

2. Define the network protocol, parameters and VLAN-id for the management VLAN.

network protocol none
network parms 10.0.99.2 255.255.255.0 10.0.99.1
network mgmt_vlan 99

3. Create the VLANs.

vlan database
vlan 10,20,99
exit

4. Enter configuration mode.

configure

5. Assign the ports to the VLANs created above.

The configuration below untags port 0/2 for VLAN20 (pvid). Port 0/1 will be tagged for VLAN10 (tagging) with VLAN99 as the native VLAN (pvid). Afterwards, unneeded VLANs are excluded from participating on the ports.

interface 0/1
description UAP
vlan tagging 10
vlan pvid 99
vlan participation exclude 1,20
vlan participation include 10,99
exit

interface 0/2
description Server
vlan pvid 20
vlan participation exclude 1,10,99
vlan participation include 20
exit

interface 0/7
description ES-Right
vlan tagging 10,20,99
vlan participation exclude 1
vlan participation include 10,20,99
exit

interface 0/8
description ER-X
vlan participation exclude 1
vlan participation include 10,20,99
vlan tagging 10,20,99
exit

(ALTERNATIVE) GUI STEPS: Access the switch Web-Management Portal (GUI).

1. Define the network protocol, parameters and VLAN-id for the management VLAN.

System > Connectivity > IPv4

Network Configuration Protocol: None
IP Address: 10.0.99.2
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.99.1
Management VLAN ID: 99

2. Create the VLANs.

Basic > VLAN > VLAN Wizard > Add VLAN  

Enter 10,20,99 and select 'Add' 

3. Assign the ports to the VLANs created above using the wizard.

Port 0/1: Excluded (E) for VLAN1 / VLAN20
Port 0/1: Untagged (U) for VLAN99
Port 0/1: Tagged (T) for VLAN10

Port 0/2: Excluded (E) for VLAN1 / VLAN10 / VLAN99
Port 0/2: Untagged (U) for VLAN20

Port 0/7: Excluded (E) for VLAN1
Port 0/7: Tagged (T) for VLAN10 / VLAN20 / VLAN99

Port 0/8: Excluded (E) for VLAN1
Port 0/8: Tagged (T) for VLAN10 / VLAN20 / VLAN99

Steps - VLAN Configuration using the Switchport Method


Reminder: Do not configure both the general and the switchport method on the same port!

CLI STEPS: Access the command line interface (CLI). You can do this by using a program such as PuTTY to connect via SSH, Telnet or the console.

1. Enter privileged mode.

enable

2. Define the network protocol, parameters and VLAN-id for the management VLAN.

network protocol none
network parms 10.0.99.2 255.255.255.0 10.0.99.1
network mgmt_vlan 99

3. Create the VLANs.

vlan database
vlan 10,20,99
exit

4. Enter configuration mode.

configure

5. (Optional) If you have previously configured the general method, first remove the existing configuration.

interface 0/1,0/2,0/7,0/8
no vlan pvid
no vlan tagging 1-4093
vlan participation auto 1-4093
vlan participation include 1
exit

6. Assign the ports to the VLANs created above.

The configuration below untags port 0/2 for VLAN20 (access). Port 0/1 will be tagged for VLAN10 (trunk) with VLAN99 as the native VLAN (native). Unneeded VLANs can be excluded from being allowed on the trunk ports (but not from the access ports).

interface 0/1
description UAP
switchport mode trunk
switchport trunk allowed vlan 10,99
switchport trunk native vlan 99
exit

interface 0/2
description Server
switchport mode access
switchport access vlan 20
exit

interface 0/7
description ES-Right
switchport mode trunk
switchport trunk allowed vlan 10,20,99
exit

interface 0/8
description ER-X
switchport mode trunk
switchport trunk allowed vlan 10,20,99
exit
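
The warning against mixing both methods on one port can be checked offline against a saved configuration. The following is an added example, not part of the original article or of EdgeSwitch tooling; the sample stanzas are constructed in the style used above, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of this article's interface stanzas.
# Port 0/2 deliberately carries statements from both methods.
SAMPLE_CONFIG = """\
interface 0/1
switchport mode trunk
switchport trunk allowed vlan 10,99
switchport trunk native vlan 99
exit
interface 0/2
vlan pvid 20
vlan participation include 20
switchport mode access
switchport access vlan 20
exit
interface 0/7
vlan tagging 10,20,99
vlan participation exclude 1
vlan participation include 10,20,99
exit
"""

# "no vlan ..." cleanup lines do not match: re.match anchors at line start.
GENERAL = re.compile(r"vlan\s+(pvid|tagging|participation)\b")
SWITCHPORT = re.compile(r"switchport\s+(mode|access|trunk)\b")

def port_methods(config_text):
    """Map each port to the set of VLAN methods its stanza uses."""
    methods, current = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # "interface 0/1,0/2" applies the stanza to several ports.
            current = line.split(None, 1)[1].split(",")
            for port in current:
                methods.setdefault(port, set())
        elif line == "exit":
            current = []
        elif GENERAL.match(line) or SWITCHPORT.match(line):
            kind = "general" if GENERAL.match(line) else "switchport"
            for port in current:
                methods[port].add(kind)
    return methods

def mixed_ports(config_text):
    """Ports configured with both methods, which the article says to avoid."""
    return sorted(p for p, m in port_methods(config_text).items() if len(m) > 1)
```
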

Steps - Testing & Verification


After configuring the ports and VLANs, verify the connections/state using the following commands:

1. The VLAN port state of the switchport interfaces (general method):

show interfaces switchport general
Intf      PVID  Ingress    Acceptable Untagged  Tagged    Forbidden Dynamic
                Filtering  Frame Type Vlans     Vlans     Vlans     Vlans
--------- ----- ---------- ---------- --------- --------- --------- ---------
0/1       99    Disabled   Admit all  99        10        1,20
0/2       20    Disabled   Admit all  20                  1,10,99
0/7       1     Disabled   Admit all            10,20,99  1
0/8       1     Disabled   Admit all            10,20,99  1

show interfaces switchport 0/1

VLAN Membership Mode: General
General Mode PVID: 99
General Mode Untagged VLANs: 99
General Mode Tagged VLANs: 10
General Mode Forbidden VLANs: 1,20

show interfaces switchport 0/2
VLAN Membership Mode: General
General Mode PVID: 20
General Mode Untagged VLANs: 20
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1,10,99

show interfaces switchport 0/7
Port: 0/7
VLAN Membership Mode: General
General Mode PVID: 1 (default)
General Mode Untagged VLANs:
General Mode Tagged VLANs: 10,20,99
General Mode Forbidden VLANs: 1

show interfaces switchport 0/8
Port: 0/8
VLAN Membership Mode: General
General Mode PVID: 1 (default)
General Mode Untagged VLANs:
General Mode Tagged VLANs: 10,20,99
General Mode Forbidden VLANs: 1

2. The VLAN port state of the switchport interfaces (switchport method):

show interfaces switchport trunk 
Intf PVID Allowed Vlans List
--------- ----- -------------------
0/1 99 10,99
0/7 1 10,20,99
0/8 1 10,20,99

show interfaces switchport access
Intf PVID
--------- ----
0/2 20

show interfaces switchport 0/1
Port: 0/1
VLAN Membership Mode: Trunk
Trunking Mode Native VLAN: 99
Trunking Mode VLANs Enabled: 10,99

show interfaces switchport 0/2
Port: 0/2
VLAN Membership Mode: Access
Access Mode VLAN: 20

show interfaces switchport 0/7
Port: 0/7
VLAN Membership Mode: Trunk
Trunking Mode Native VLAN: 1 (default)
Trunking Mode VLANs Enabled: 10,20,99

show interfaces switchport 0/8
Port: 0/8
VLAN Membership Mode: Trunk
Trunking Mode Native VLAN: 1 (default)
Trunking Mode VLANs Enabled: 10,20,99
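
To catch a trunk that carries a VLAN it should not, the per-port output above can be compared against the intended design from the Network Diagram section. This is an added example, not part of the original article; it handles only switchport-method output with comma-separated VLAN IDs, and the function names are hypothetical.

```python
# Output copied from this article's switchport-method verification step.
SHOW_OUTPUT = """\
Port: 0/1
VLAN Membership Mode: Trunk
Trunking Mode Native VLAN: 99
Trunking Mode VLANs Enabled: 10,99

Port: 0/2
VLAN Membership Mode: Access
Access Mode VLAN: 20

Port: 0/7
VLAN Membership Mode: Trunk
Trunking Mode Native VLAN: 1 (default)
Trunking Mode VLANs Enabled: 10,20,99
"""

# Intended ES-Left design from the Network Diagram section:
# port -> (untagged VLAN or None, set of tagged VLANs)
EXPECTED = {"0/1": (99, {10}), "0/2": (20, set()), "0/7": (None, {10, 20, 99})}

def effective(fields):
    """Turn one port's fields into (untagged VLAN, tagged VLANs)."""
    if fields["VLAN Membership Mode"] == "Access":
        return int(fields["Access Mode VLAN"]), set()
    allowed = {int(v) for v in fields["Trunking Mode VLANs Enabled"].split(",")}
    native = int(fields["Trunking Mode Native VLAN"])
    # Assumption: a native VLAN outside the allowed list carries no traffic.
    return (native if native in allowed else None), allowed - {native}

def parse_ports(text):
    """Parse 'Key: value' lines grouped under 'Port:' headers."""
    raw, port = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Port":
            port = value.strip()
            raw[port] = {}
        elif port is not None:
            # Keep the first token so "1 (default)" becomes "1".
            raw[port][key.strip()] = value.split()[0] if value.split() else ""
    return {p: effective(f) for p, f in raw.items()}

def mismatches(text, expected):
    """Return {port: (expected, actual)} for ports that differ from the plan."""
    actual = parse_ports(text)
    return {p: (expected.get(p), a) for p, a in actual.items() if expected.get(p) != a}
```
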

 


Related Articles


EdgeSwitch - VLANs and Limiting Inter-VLAN Routing (Access-Lists)

EdgeRouter - Router-on-a-Stick with Inter-VLAN Firewall Limiting

EdgeSwitch - VLANs and Inter-VLAN Routing (Layer 3 Switching)

EdgeSwitch - VLANs and VLAN-Aware DHCP Server

EdgeSwitch - Management Access using HTTPS and SSH

EdgeSwitch - Command Line Interface (CLI) and Admin Guides