Hello everyone, can I ask a simple question? Can an interface be both tagged and untagged?
I can configure it, but I don't know if it will take effect.
Well, the general rule around untagged vs. tagged interfaces is this:
Untagged = 1 VLAN per interface
Tagged = 802.1q tagging (multiple VLANs on an interface), or a TRUNKED interface in Cisco terms.
However, it is possible to configure an interface as both Tagged and Untagged. This is actually something that is not that uncommon. The VLAN tag is just a header that the network device will match on. If it matches, then it will continue the processing of the packet up the OSI layers. To give you some examples:
The interface has the following configuration:
1. When traffic arrives on the intermediary device (for instance a switch) with either VLAN10 or VLAN20, the traffic will leave the switch with the VLAN tag of VLAN10 or VLAN20. Since the traffic has the VLAN header assigned, the BIG-IP will try and match the VLAN tag with the ones configured on the Tagged Interface. If it does not match, it will drop the traffic. If it matches, it will continue the processing up the OSI layers.
2. When traffic arrives on the intermediary device with VLAN30 which is untagged on the switch, the traffic will leave the switch with no VLAN tag assigned. Since the traffic does not have any VLAN tag assigned, it will be automatically accepted by the BIG-IP since it does not expect a VLAN tag. The traffic will continue the processing up the OSI layers.
I hope this helps. Let me know if you have any further questions.
This article describes it well:
Port-based access to VLANs
With port-based access to VLANs, the BIG-IP system accepts frames for a VLAN simply because they are received on an interface that is a member of that VLAN. With this method, an interface is an untagged member of the VLAN. Frames sent out through untagged interfaces contain no tag in their header.
Port-based access to VLANs occurs when you add an interface to a VLAN as an untagged interface. In this case, the VLAN is the only VLAN that you can associate with that interface. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. If you want to give an interface the ability to accept and receive traffic for multiple VLANs, you add the same interface to each VLAN as a tagged interface. The following section describes tagged interfaces.
Tag-based access to VLANs
With tag-based access to VLANs, the BIG-IP system accepts frames for a VLAN because the frames have tags in their headers and the tag matches the VLAN identification number for the VLAN. An interface that accepts frames containing VLAN tags is a tagged member of the VLAN. Frames sent out through tagged interfaces contain a tag in their header.
Tag-based access to VLANs occurs when you add an interface to a VLAN as a tagged interface. You can add the same tagged interface to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN with which the interface is associated.
When you add an interface to a VLAN as a tagged interface, the BIG-IP system associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a frame.
I did some more research on this and I updated the answer. It is possible to configure it like that :)
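The accept/drop decision discussed in this thread, as an added example that is not part of the original posts and is not BIG-IP code: a small Python model of one interface that is a tagged member of VLAN10 and VLAN20 and an untagged member of VLAN30, run over constructed Ethernet frames. The `Interface` class, `build_frame` helper, MAC addresses and the handling of priority-tagged (VID 0) frames are assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


class Interface:
    """Hypothetical model of one port: many tagged VLANs, at most one untagged."""

    def __init__(self, tagged=(), untagged=None):
        self.tagged = set(tagged)
        self.untagged = untagged

    def classify(self, frame: bytes):
        """Return the VLAN ID the frame is accepted into, or None if dropped."""
        if len(frame) < 14:            # too short for dst MAC + src MAC + EtherType
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != TPID_8021Q:    # no tag: port-based access
            return self.untagged       # None when the port has no untagged VLAN
        if len(frame) < 18:            # tag announced, TCI or inner EtherType missing
            return None
        (tci,) = struct.unpack_from("!H", frame, 14)
        vid = tci & 0x0FFF             # low 12 bits of the TCI are the VLAN ID
        if vid == 0:                   # priority tag; treated as untagged (assumption)
            return self.untagged
        return vid if vid in self.tagged else None   # tag-based access


def build_frame(vid=None, payload=b"constructed-payload"):
    """Constructed sample frame (made-up MACs, IPv4 EtherType), optionally tagged."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return macs + tag + struct.pack("!H", 0x0800) + payload


def demo():
    port = Interface(tagged={10, 20}, untagged=30)   # the thread's example VLANs
    return {
        "tag 10": port.classify(build_frame(10)),
        "tag 20": port.classify(build_frame(20)),
        "tag 40": port.classify(build_frame(40)),
        "no tag": port.classify(build_frame(None)),
        "truncated": port.classify(build_frame(10)[:15]),
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:10s} -> {'drop' if vlan is None else 'VLAN ' + str(vlan)}")
```

A port built with no untagged VLAN drops untagged frames in this model, which is the behaviour to check for when an interface is meant to carry only tagged traffic.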