Tagged & Untagged traffic on a LAGG interface


  • Hello,

    There is advice around suggesting that Netgate do not recommend having tagged and untagged traffic mixed on the same LAGG interface.
    Does anyone know if this is still valid?

    BRgds/Alan


  • @alan-t

    Why is there a problem? The only significant difference between tagged and untagged frames is the contents of the Ethertype/Length field.

  • LAYER 8 Global Moderator

    There is no such recommendation.. Now some people are of the mindset that hey if you're going to do vlans on an interface, don't do native on it.

    But from a tech point of view there is nothing wrong with having "1" untagged vlan on an interface and any other vlans tagged.

    Whatever you feel most comfortable with.. I personally always run native on the interface, and then if I need to add vlans to that interface they are tagged. If I was only going to use 1 network on an interface - why would I bother tagging it?

    But then again if you're then going to run vlans on an interface, sure if you want to tag them all - so you know hey this is a vlan interface.. That is fine too, and I can see sure why not. So whatever way you want to do it.. The nice thing about running a native vlan on an interface is hey you know you can always just plug anything into that interface and talk to that untagged IP.

    If the only networks on that port are tagged.. You can not just plug a laptop into it and, say, get a dhcp IP and talk to it. You have to know what tag to use.. So do whatever you want - just ya can't run more than 1 untagged network on an interface.. That's not good! ;)


  • Thanks for the input everyone.

  • Netgate Administrator

    Yeah, there's certainly nothing that's LAGG specific about that advice.

    It is generally said to be better to avoid tagged and untagged traffic on the same interface because it's much easier to end up with a bad config that sends traffic where it shouldn't go by doing that. Usually by untagging something in a switch that shouldn't be.
    If your switches are configured correctly (and don't have broken firmware 😉 ) it's not a problem.

    https://docs.netgate.com/pfsense/en/latest/book/vlan/vlans-and-security.html

    Steve


  • @stephenw10 said in Tagged & Untagged traffic on a LAGG interface:

    It is generally said to be better to avoid tagged and untagged traffic on the same interface

    Actually, it's very common with VoIP phones sharing the same connection with a computer. Same with access points with multiple SSIDs.

  • LAYER 8 Global Moderator

    ^ agreed.. It all depends on the environment and what the admin likes to do, etc.. But agree with JKnott - it's not uncommon to see lots of setups where native and tagged are on the same interface.

    I sure wouldn't go out of my way to make sure there is only tagged on an interface, etc. Unless that is how you want to setup your network.. But again, from a tech point of view it's fine.

    The point about it being easier to make mistakes - well that is an admin problem, not a tech problem.. Just as easy to F up your config with vlans only or native and vlans on it if you ask me ;)

  • Netgate Administrator

    Indeed, it's not uncommon. But if you can avoid it simply by using all tagged VLANs on a link it's better to do so IMO. It's usually trivial to configure and might save you a heap of time later.

    Steve


  • @stephenw10 said in Tagged & Untagged traffic on a LAGG interface:

    It's usually trivial to configure and might save you a heap of time later.

    How? If you don't have native, you have to configure the interface for none and then create an additional VLAN to make up for it. In the case of VoIP phones or multiple SSIDs, you'd normally have the main LAN on the native connection and use a VLAN for the phone or 2nd SSID. Other than perhaps changing the MAC, is there any difference between configuring for native or VLAN?

  • LAYER 8 Global Moderator

    I can say for sure I have seen many a tech lock himself out trying to get rid of a native vlan ;)

    And then have to go console in ;)

  • Netgate Administrator

    I hate the term 'native VLAN', it's used to mean at least two conflicting things. I assume here you mean untagged traffic.

    In pfSense it's trivial to simply not assign the parent interface. You have to create an additional VLAN for that traffic sure.

    The difference between using untagged traffic and a tagged VLAN is that it's far more likely traffic will leak from a VLAN to untagged than between tagged VLANs.
    There is a whole thread on here about a switch that does just that. I have one.

    It's entirely up to the user. Just something to be aware of.

    Steve
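A small frame parser and link audit for the two technical points above: JKnott's note that the only on-wire difference between tagged and untagged frames is the Ethertype field, and Steve's point that the failure mode to watch for is traffic leaking from a VLAN onto the untagged side. This is an added example, not code from the thread or from pfSense; the MAC addresses and the sample frames are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # the only on-wire difference between tagged and untagged frames

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional 802.1Q tag, and inner Ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, inner = struct.unpack("!HH", frame[14:18])  # TCI = PCP(3) | DEI(1) | VID(12)
        return {"dst": dst, "src": src, "tagged": True, "vid": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False, "vid": None,
            "pcp": None, "ethertype": etype, "payload": frame[14:]}

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a frame; vid=None gives an untagged frame, otherwise an 802.1Q tag is inserted."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def audit_trunk(frames, allowed_vids, allow_untagged=False):
    """Flag frames that should not be on a link: untagged frames on a tagged-only
    trunk (the leak symptom) and VLAN IDs the link is not meant to carry."""
    findings = []
    for i, f in enumerate(frames):
        p = parse_frame(f)
        if not p["tagged"] and not allow_untagged:
            findings.append((i, "untagged frame on tagged-only link"))
        elif p["tagged"] and p["vid"] not in allowed_vids:
            findings.append((i, f"unexpected VLAN {p['vid']}"))
    return findings

# Constructed sample capture from a link meant to carry only VLANs 10 and 20.
PC = bytes.fromhex("0200000000a1")  # constructed, locally administered MACs
GW = bytes.fromhex("0200000000b2")
SAMPLE = [
    build_frame(GW, PC, 0x0800, b"ip", vid=10),
    build_frame(GW, PC, 0x0800, b"ip", vid=20, pcp=5),
    build_frame(GW, PC, 0x0800, b"ip"),           # leaked onto the untagged side
    build_frame(GW, PC, 0x0806, b"arp", vid=99),  # VLAN the link should not carry
]

if __name__ == "__main__":
    for idx, reason in audit_trunk(SAMPLE, {10, 20}):
        print(f"frame {idx}: {reason}")
```

Pointing the same audit at a pcap of a trunk port (frames as raw bytes) is the check a practitioner would run before trusting a switch's firmware with a mixed tagged/untagged design.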

  • LAYER 8 Global Moderator

    @stephenw10 said in Tagged & Untagged traffic on a LAGG interface:

    leak from a VLAN to untagged

    If you have such a switch.. replacement would be the correct solution to that problem ;)

  • Netgate Administrator

    Yup. Fortunately I paid almost nothing for it so relegating it to 'unmanaged' status is not really a problem for me. 😉

    Steve


  • @stephenw10 said in Tagged & Untagged traffic on a LAGG interface:

    There is a while thread on here about a switch that does just that. I have one.

    That is a well known defective switch. TP-Link had the same problem with an access point as well. I haven't heard of that happening with any other brand. Again though, if you're running VLANs on a LAN, you're still going to need untagged to talk to many devices that do not work with VLANs.

    BTW, you can do what I did with my TP-Link switch. I configured it as a data tap, where that tagged VLAN problem is not an issue.