mixed: don't tag the main vlan + do tag additional vlans
full: tag both the main vlan + additional vlans
Does a mixed setup have certain pros or cons? I.e.:
Is the mixed setup good for fallback in case a managed switch dies and you want to swap in a spare unmanaged switch (keeping at least the main VLAN functioning)?
Is the mixed setup causing issues for some switch brands/models?
What you call full is named trunk.
That is a port where all incoming and outgoing data have VLANs and all VLANs are tagged.
A port with no VLAN tag is often called an access port.
There is no main VLAN or fallback VLAN. A port can handle at most one untagged VLAN.
But a trunk port doesn't have any untagged VLAN.
The whole idea is that you can control L2 data flow on ports in a switch, so a trunk port can move a lot of different networks' data flows (normally 255 or 4092) over a single Ethernet line between two trunk ports.
In comparison, an access port can only handle one single network.
This isn't quite true... a trunk can have (per the 802.1Q spec) 2 or more networks consisting of:
zero or one untagged VLAN
one or many tagged VLANs
There are strong opinions about if the untagged VLANs should ever be used on a trunk vs keeping all VLANs tagged. Much of this comes down to personal/professional opinion or experience, and sometimes context of the network itself. On a human level, there is a greater chance of mistakes and confusion with the untagged network since it does not carry an explicit tag to identify which VLAN it is.
There are some situations where the untagged VLAN is either useful or necessary. And it can certainly get you out of a bind if a managed switch is configured incorrectly.
But there are some hardware devices that indeed do freak out when there is an untagged VLAN on a trunk port. For that reason, the pragmatic approach is to never include an untagged VLAN.
Usually this question about an untagged VLAN on a trunk is all about data control.
Do you want uncontrolled data in a controlled data environment?
The switch could in theory become uncontrollable through a misconfig if you do it remotely.
But the normal and sane way of controlling network equipment with a multi-VLAN setup over the network is to use the admin VLAN,
so any untagged VLAN on the incoming trunk port won't save you anyway if you make a misconfig at the L2 level.
If you make a mistake at L2 there are two solutions: reset by pushbutton, or a serial/other connection to reconfigure.
I'm not arguing that using an untagged network is always a good thing, but there are specific circumstances where it can be helpful, especially in small home networks.
I wouldn't call untagged "uncontrolled", but I would agree that it is not explicit and may be prone to certain types of mistakes or misconfigurations that are more rare (or non-existent) in an all-tagged environment.
This is often a hotly debated topic, and I don't personally want to get into any debates -- I honestly see arguments on both sides as valid. Like I said upthread, it is often a matter of personal/professional opinion and/or the context of the network itself that dictates if/when an untagged VLAN exists on a trunk.
On top of the simple basics with 'Q' (802.1Q is often called 'Q') and simple L2 data handling, we also have double-Q or Q-in-Q.
That is really a double-edged sword in VLANs. But the idea is to have data with two VLAN tags that are used sequentially every time a port is passed.
With normal Q, when a port receives tagged data it reads the tag, strips the tag and moves the data to where it is supposed to go. With Q-in-Q the data has another, secondary tag left when the first tag has been stripped, so the secondary tag becomes the primary tag and the outgoing VLAN on the next port passage. This makes it possible to make lateral data jumps between networks in a switch.
This can be an idea sometimes in some networks, but this has also become a big security breach in L2 data handling.
Q-in-Q is pretty much the biggest isolation security risk with VLANs: an attacker can guess your other VLAN ID and put that number in the secondary tag when injecting packets, and then they are inside.
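The replies above describe three behaviours in words: an access port owns one untagged VLAN, a trunk carries tagged VLANs plus at most one untagged (native) VLAN, and with Q-in-Q the outer tag is popped at one port so the inner tag is what the next port classifies on. The following is an added example, not code from the thread or from any switch vendor: a small Python model of those port rules that builds constructed 802.1Q/802.1ad frames and walks them through a chain of ports. The port dicts (`mode`, `allowed`, `native`, `qinq`) are an assumed configuration shape, and the "drop a frame that still carries a tag after classification unless the port is explicitly Q-in-Q" policy in `ingress` is an assumed defensive choice, not something every switch does.

```python
"""Toy model of how a switch port classifies 802.1Q-tagged frames.

Added example: not from the thread and not any vendor's code. It models the
behaviour the posts describe (access port = one untagged VLAN, trunk = tagged
VLANs plus at most one untagged "native" VLAN, QinQ = outer tag popped and the
inner tag used at the next hop). Frames are constructed byte strings, and the
port dicts are an assumed configuration format, not a real switch's."""
import struct

TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (QinQ outer tag)
ETH_IPV4 = 0x0800


def build_frame(dst, src, vids, payload=b"", outer_tpid=TPID_8021Q):
    """Ethernet frame with zero, one or two VLAN tags; vids is outermost first."""
    frame = bytes.fromhex(dst) + bytes.fromhex(src)
    for i, vid in enumerate(vids):
        tpid = outer_tpid if (i == 0 and len(vids) > 1) else TPID_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI left at 0
    return frame + struct.pack("!H", ETH_IPV4) + payload


def parse_vids(frame):
    """Return the VLAN IDs of all stacked tags, outermost first ([] if untagged)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] in (TPID_8021Q, TPID_8021AD):
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_outer_tag(frame):
    """Strip the outermost tag (what a switch does once it has classified the frame)."""
    return frame[:12] + frame[16:] if parse_vids(frame) else frame


def ingress(port, frame):
    """Classify a frame arriving on a port: (vlan_id, frame_after_classification).
    vlan_id is None when the port would drop the frame."""
    vids = parse_vids(frame)
    if port["mode"] == "access":
        # an access port owns exactly one untagged VLAN; tagged frames are refused
        return (None, frame) if vids else (port["vlan"], frame)
    if not vids:
        # untagged frame on a trunk: only meaningful if a native VLAN is configured
        return port.get("native"), frame
    if vids[0] not in port["allowed"]:
        return None, frame
    inner = pop_outer_tag(frame)
    if parse_vids(inner) and not port.get("qinq", False):
        # A tag is still present after popping the outer one: the Q-in-Q case from
        # the thread. Assumed policy: drop unless the port is explicitly Q-in-Q, so a
        # guessed inner VID cannot ride into another VLAN at the next hop.
        return None, frame
    return vids[0], inner


def egress(port, vlan_id, frame):
    """Re-tag (or not) a classified frame on the way out of a port."""
    if port["mode"] == "access" or port.get("native") == vlan_id:
        return frame                       # leaves the port untagged
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]


def forward(path, frame):
    """Walk a frame through (ingress_port, egress_port) pairs, one switch per pair.
    Returns the VLAN each switch placed it in (None = dropped) and the final frame."""
    placed = []
    for in_port, out_port in path:
        vlan_id, frame = ingress(in_port, frame)
        placed.append(vlan_id)
        if vlan_id is None:
            break
        frame = egress(out_port, vlan_id, frame)
    return placed, frame


# assumed port configurations used in the walk-throughs
ACCESS_10 = {"mode": "access", "vlan": 10}
ACCESS_20 = {"mode": "access", "vlan": 20}
ACCESS_100 = {"mode": "access", "vlan": 100}
TRUNK_ALL_TAGGED = {"mode": "trunk", "allowed": {10, 20, 30}}
TRUNK_NATIVE_1 = {"mode": "trunk", "allowed": {10, 20, 30}, "native": 1}
TRUNK_QINQ = {"mode": "trunk", "allowed": {100}, "qinq": True}

if __name__ == "__main__":
    dst, src = "ffffffffffff", "001122334455"   # constructed addresses
    # untagged frame: dropped on an all-tagged trunk, VLAN 1 on a trunk with a native VLAN
    print(forward([(TRUNK_ALL_TAGGED, ACCESS_10)], build_frame(dst, src, []))[0])
    print(forward([(TRUNK_NATIVE_1, ACCESS_10)], build_frame(dst, src, []))[0])
    # double-tagged [10, 20] on a plain trunk: outer tag popped, leftover tag refused
    print(forward([(TRUNK_ALL_TAGGED, ACCESS_10)], build_frame(dst, src, [10, 20]))[0])
    # the same frame where the first hop is a Q-in-Q port: the inner tag 20 becomes the
    # primary tag and the second switch places the frame in VLAN 20
    qinq = build_frame(dst, src, [100, 20], outer_tpid=TPID_8021AD)
    print(forward([(TRUNK_QINQ, ACCESS_100), (TRUNK_ALL_TAGGED, ACCESS_20)], qinq)[0])
```

Running it stand-alone prints `[None]`, `[1]`, `[None]` and `[100, 20]`: the first two are the OP's "mixed vs full" question in miniature (an untagged frame only survives where a native VLAN exists), and the last two are the Q-in-Q lateral jump the post above describes, once refused on a plain trunk and once carried through when the first hop is deliberately Q-in-Q.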
QinQ would come in handy with roaming and overcoming possible DHCP snooping issues. Then you would only need to allow one VLAN to the AP and that's it.
I miss something like the RouterOS CAPsMAN "registration table" so I could see ALL stations on ALL APs in one table.
And one should not use QinQ for extranet access.
I am talking strictly intranet (in-house L2).
Thanks all for the input; I tried out both a mixed and a fully tagged setup on a Netgear SG308PE switch.
It looks like the trunk port on this switch in an 802.1Q config does not process untagged frames, so I will stick with fully tagged for now.
I need to correct my previous post, as it turns out that a mixed setup is actually possible - only not within Basic 802.1Q VLAN.
When you select Advanced 802.1Q VLAN you can configure a mixed setup as follows
It kinda depends as well on your topology and also on how the software is written in, for example, a switch.
So, if you would question whether the managed VLAN/default VLAN should be untagged or not:
Well, I have tried running both situations from a router to a managed switch (one 30 meter cable) and found out that with a tagged VLAN I would create a greater chance of making a single point of failure than with untagged VLAN 1.
So what I realized, and even more so if you use more than one switch, is that it's a lot better to treat the managed/default VLAN 1 as untagged only on the ports acting as WAN from the switch's perspective, given that each switch gets part of your management subnet or LAN. For the other ports on those switches you use either bogus untagged VLANs or different VLANs to prevent VLAN hopping. Again, one thing you cannot change is that switches can fail over to other ports and still become sort of rogue, though one switch handles this better than others. Sometimes switches can also react to the default gateway setting when failing over, so for me it's only enabled on the managed LAN interface 1 and not on other interfaces.
And for untagging traffic you may only choose one direction, downstream or upstream; I noticed quite a lot of issues on some switches if the ports were untagged from both sides. It can do weird things like becoming rogue or sending double source MAC address packets; some switches can be really unstable too!
But maybe this helps answer some of the questions you have?