Tagged & Untagged traffic on a LAGG interface
-
Yeah, there's certainly nothing that LAGG specific about that advice.
It is generally said to be better to avoid tagged and untagged traffic on the same interface because it's much easier to end up with a bad config that sends traffic where it shouldn't go by doing that. Usually by untagging something in a switch that shouldn't be.
If your switches are configured correctly (and don't have broken firmware) it's not a problem. https://docs.netgate.com/pfsense/en/latest/book/vlan/vlans-and-security.html
Steve
-
@stephenw10 said in Tagged & Untagged traffic on a LAGG interface:
It is generally said to be better to avoid tagged and untagged traffic on the same interface
Actually, it's very common with VoIP phones sharing the same connection with a computer. Same with access points with multiple SSIDs.
-
^ agreed.. It all depends on the environment and what the admin likes to do, etc.. But agree with JKnott - it's not uncommon to see lots of setups with native and tagged on the same interface.
I sure wouldn't go out of my way to make sure there is only tagged on an interface, etc. Unless that is how you want to set up your network.. But again, from a tech point of view it's fine.
The point about it being easier to make mistakes - well that is an admin problem, not a tech problem.. Just as easy to F up your config with vlans only or native and vlans on it if you ask me ;)
-
Indeed, it's not uncommon. But if you can avoid it simply by using all tagged VLANs on a link it's better to do so IMO. It's usually trivial to configure and might save you a heap of time later.
Steve
-
@stephenw10 said in Tagged & Untagged traffic on a LAGG interface:
It's usually trivial to configure and might save you a heap of time later.
How? If you don't have native, you have to configure the interface for none and then create an additional VLAN to make up for it. In the case of VoIP phones or multiple SSIDs, you'd normally have the main LAN on the native connection and use a VLAN for the phone or 2nd SSID. Other than perhaps changing the MAC, is there any difference between configuring for native or VLAN?
-
I can say for sure I have seen many a tech lock himself out trying to get rid of a native vlan ;)
And then have to go console in ;)
-
I hate the term 'native VLAN', it's used to mean at least two conflicting things. I assume here you mean untagged traffic.
In pfSense it's trivial to simply not assign the parent interface. You have to create an additional VLAN for that traffic sure.
The difference between using untagged traffic and a tagged VLAN is that it's far more likely traffic will leak from a VLAN to untagged than between tagged VLANs.
There is a whole thread on here about a switch that does just that. I have one. It's entirely up to the user. Just something to be aware of.
Steve
-
@stephenw10 said in Tagged & Untagged traffic on a LAGG interface:
leak from a VLAN to untagged
If you have such a switch.. replacement would be the correct solution to that problem ;)
-
Yup. Fortunately I paid almost nothing for it so relegating it to 'unmanaged' status is not really a problem for me.
Steve
-
@stephenw10 said in Tagged & Untagged traffic on a LAGG interface:
There is a whole thread on here about a switch that does just that. I have one.
That is a well known defective switch. TP-Link had the same problem with an access point as well. I haven't heard of that happening with any other brand. Again though, if you're running VLANs on a LAN, you're still going to need untagged to talk to many devices that do not work with VLANs.
BTW, you can do what I did with my TP-Link switch. I configured it as a data tap, where that tagged VLAN problem is not an issue.