Gunshot Detection Technology could be your strongest defense against gun violence. In order to...
So you work in IT, and you’re configuring a managed production network switch, but you don’t exactly know the difference between a TAGGED VLAN and an UNTAGGED VLAN, which ones to put on a port, and why. Your manager is in the room and will probably be looking over your shoulder soon. Do you start crying and damage the switch with your tears? Do you tell your boss you don’t know what you’re doing? NO. Fake it ‘till you make it, Google it, or use this simple analogy to determine when to tag VLANs.
TAGGED = I need to know what you are
UNTAGGED = I don’t need to know what you are
If you’re wondering whether you should TAG VLAN(s) on a port, ask yourself: if something is plugged into this port, will I need to know what type of device is on the other end? In a majority of production environments, the answer is YES.
Some (not all) things you’d probably want to know if they were connected to a port:
- Phone
- Security Camera
- Wi-Fi Access Point
- Server
- Guest Device
- Uplink to another switch
If you think one or more of these devices will connect to this port, TAG the necessary VLAN(s) on the port. Otherwise, DON’T TAG. For example, you don’t need to tag a port on the security camera VLAN if you know that a security camera will not be plugged into that port. Try to configure switch ports on a need-to-know basis.
If a port is UNTAGGED on a VLAN, it means you’re telling the switch not to worry as much about what’s connected on the other end. So, if Jane in Marketing plugs in her PC, laptop, TV, gaming console, streaming player, etc., the switch doesn’t necessarily need to know in order to move that traffic through the network.
Common scenario: A port is plugged into a phone, a PC is plugged into that phone. Common sense might tell you to UNTAG the phone (voice) VLAN and TAG the data (PC) VLAN, because the port is directly plugged into a phone first, then a PC. If you go back to the idea that the port needs to know if a phone is plugged in, but doesn’t need to know that a PC is plugged in, then you know to UNTAG the data VLAN and TAG the phone (voice) VLAN. Why does the port need to know if a phone is plugged in? Phones do different things than PCs. Sending voices over your network requires extra work, and your network needs to know that. TAGGING the phone VLAN on that port will allow the voice traffic to be treated differently (QoS). The same concept and thought process applies to the other previous devices mentioned.
Can I UNTAG the phone VLAN on a port if I know only a phone will be plugged into it?
Yes, but make sure to TAG it on the Uplink port.
Can I UNTAG VLANs and TAG no VLANs if I know what’s plugged into every port?
Yes, that’s inefficient, but make sure to TAG all necessary VLANs on the Uplink port. Also, make sure no one touches that switch but you, and make sure you memorized what’s plugged into every port, and don’t show your boss that config.
Rule of thumb on Uplink ports:
Usually uplinks need to know. UNTAG your default/mgmt VLAN, and TAG the rest. If you know you tagged a VLAN on a port but it’s not behaving as expected, check the TAGs on the Uplink ports at both ends.
ACP CreativIT and CCCP are happy to help your organization navigate the world of IT. Contact us to talk to one of our experts today or visit our information technology page here.
By: Sam, Network Engineer
