Forum Discussion

Dec 06, 2017

VLAN ID and tag

Hi, can anyone make clear the concept of, and the relation between, the VLAN ID and its tag in F5? In a Cisco switch, the VLAN ID is the VLAN number, such as vlan 10, vlan 20, vlan 30 etc., and the tag is used when two switches are connected with a trunk. Once a VLAN message passes through the trunk port and goes into the switch, the tag no longer exists. So in F5, the VLAN ID is like the VLAN number such as vlan 10, vlan 20 etc.; can we say it like that? Thank you


27 Replies

  • In F5, Trunk means EtherChannel in a switch. When you are setting up a new F5, add all existing interfaces into a trunk, then go to the VLAN section and add the switch VLAN number as the 'tag' in F5. For example: if interface 2.1 is in switch VLAN 20, add '20' as the tag in F5.

    Then add the 'Trunk' as an interface in the VLAN section as untagged.

    Thanks,

    Harsha Potharaju.


  • Thank you for your reply. In F5, the VLAN ID is the VLAN number such as vlan 10, vlan 20 etc.; can we say it like that?


  • VLAN ID and VLAN tag are the same thing - not only in F5 but across all vendors. This is a networking concept not bound to a specific vendor.

    On the F5, when you configure a VLAN, there is a field where you specify the Tag - that's an integer and it's exactly the same as the VLAN ID.

    I hope this answers your question.


  • So, when we configure a VLAN, we have two choices: a tagged or an untagged interface. For example, if the tag is 10 and we put it under untagged interface 1.1, the tag 10 means vlan10 will be created, but why do we have the choice to put it under an untagged interface? Would that remove tag 10? And if so, what does it mean after removing tag 10? Thank you


    • Gonzalex_330537

      Basically, strictly within the networking concept itself, you can have trunk interfaces (tagged ports) and access ports (untagged ports).

      When you specify a tag of X, vlan X is created. What further dictates the choice of tagged vs untagged is the device and configuration at the other end of the link.

      So you could then have two cases:

      a) The port is tagged - meaning, it is a trunk port. Furthermore, it accepts incoming tagged frames and tags frames before sending them out. You set up a trunk port if your F5 connects to another trunk port - normally on another switch. In this configuration you are basically aggregating traffic from all vlans on a single port.

      b) The port is untagged - in this case, you are configuring an access port in vlan X - simple as that. You could have more than one port in the same VLAN - think of it as a switch with more than one port in the same vlan ... so hosts connected to those two ports can communicate directly, as they will be in the same broadcast domain. Unlike with trunk ports, here you are segregating the traffic into multiple vlans.


    • eesun_276598

      I agree with this comment. But in your first comment, you mentioned "VLAN ID and VLAN tag are the same thing - not only in F5 but across all vendors. This is a networking concept not bound to a specific vendor". "Tag" should be a concept regarding the trunk port. Only when a frame enters a trunk port will the tag be added to the frame, while the VLAN ID is the VLAN mark, which identifies different VLANs. How can you say the two are the same thing? Can you explain? Thank you


  • It is due to 802.1Q tagging, also called Dot1q tagging. It is required to tag the VLANs in hardware F5 but not in VE. Try searching for 802.1q.


    • eesun_276598

      You are right. In VE, when the VLAN is configured as untagged, the VLAN interface works well, but if it is configured as tagged, it cannot work (no connection). Can you tell me why? Thanks


    • PK_Bhatia_13533

      Because you are already assigning a VLAN to the network interface you assign to the VE F5. I think VMware Workstation supports it if you assign the interface with VLAN 4096 (Cisco); not sure about other virtualization vendors.


    • eesun_276598

      Right, but if it is configured as tagged in F5, why can it not have a connection? Can I say it is because the VMware Workstation interface is not a trunk? Thank you



  • I see others already did a pretty good job at explaining this (upvotes given as credit). I'll just summarize bits and pieces into one answer and elaborate.

    As you seem familiar with Catalyst NS, I'll use this as the point of reference. In Catalyst switches, your default VLAN is VLAN 1, which is also the default Native VLAN. In a dot1q Ethernet link, just one VLAN can be untagged; otherwise the switch that receives a frame wouldn't be able to tell which VLAN the received frame belongs to. So in the case of Cisco Catalyst switches, all VLAN 1 traffic is untagged by default for any dot1q links you create. It's also a common security practice to change the native VLAN to something other than VLAN 1.

    In a Catalyst NS, you can change your native (aka untagged) VLAN with the "switchport trunk native vlan" command (if-config). So if you type in "switchport trunk native vlan 10", your VLAN 10 traffic on that dot1q link would become untagged, and VLAN 1 traffic would become tagged as a result. In the case of BigIP LTM, moving VLAN 10 to untagged is the exact same thing. Untagged VLAN is Native VLAN.

    As you are familiarizing yourself with BigIP L2 terminology, keep in mind that F5 has a tendency to vandalize commonly accepted networking terminology. I.e., the "Trunk" term here means something completely different. It is used to describe Link Aggregation (known as EtherChannel in the Cisco world).
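To make the two points above concrete (the 802.1Q tag carries the VLAN ID in its 12-bit VID field, and the one untagged VLAN on a dot1q link is the native VLAN), here is an added Python example that is not from this thread, from F5 or from Cisco: it builds constructed tagged and untagged frames, parses the VID out of the tag, and classifies a received frame against a port's untagged/tagged VLAN assignment the way the replies describe. All function names, sample MAC addresses and the drop rule for unknown tags are my own assumptions.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
MAX_VID = 4095        # the VID field is 12 bits wide: 0 .. 4095


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Constructed sample builder: untagged frame, or 802.1Q-tagged when vid is given."""
    if vid is not None and not 0 <= vid <= MAX_VID:
        raise ValueError("VLAN ID must fit in the 12-bit VID field")
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | vid          # TCI = PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]   # low 12 bits = VLAN ID


def classify_ingress(frame, untagged_vlan, tagged_vlans):
    """VLAN a received frame lands in on a port with one untagged (native) VLAN and a
    set of tagged VLANs, as in the replies above. None means the frame is dropped."""
    vid = parse_frame(frame)[2]
    if vid is None or vid == 0:     # untagged or priority-tagged (VID 0): native VLAN
        return untagged_vlan
    return vid if vid in tagged_vlans else None   # assumption: unknown tags are dropped


# Constructed sample MACs and payload (not taken from the thread).
SAMPLE_DST, SAMPLE_SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
SAMPLE_PAYLOAD = b"\x00" * 46

if __name__ == "__main__":
    port = dict(untagged_vlan=10, tagged_vlans={20, 30})   # F5: 10 untagged, 20/30 tagged
    for vid in (None, 20, 40):
        frame = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, SAMPLE_PAYLOAD, vid=vid)
        print(f"sent vid={vid}: parsed={parse_frame(frame)[2]}, lands in {classify_ingress(frame, **port)}")
```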

    • Stanislas_Piro2

      "As you are familiarizing yourself with BigIP L2 terminology, keep in mind that F5 has a tendency to vandalize commonly accepted networking terminology."

      I should replace "commonly accepted" with "Cisco".

      When searching the Internet for the definition of Trunk in networking terminology, I found several articles with this kind of explanation (this one is from Wikipedia):

      "In computer networking, port trunking is the use of multiple concurrent network connections to aggregate the link speed of each participating port and cable, also called link aggregation. Such high-bandwidth link groups may be used to interconnect switches or to connect high-performance servers to a network."

      Cisco made some weird choices that all other vendors can disallow...

      How many times have I heard some network engineers talking about Source NAT and calling it PAT!!!

      Why did Cisco name source NAT with the name of the workaround?


    • Hannes_Rapp

      Hahah

      The way I see it, F5 would ideally use "Port Aggregation" or "Link Aggregation" for absolute clarity. Or at minimum, "Port Trunk" over "Trunk". The word "Trunk" alone is vandalized so much in networking that it's stripped of any meaning. Another word must at all times stand next to it. Cisco is so big that if they are first to vandalize a term, the vandalized variant almost always becomes the new norm. Possibly that's why, when talking about "Trunk", the first thing that comes to a network guy's mind is Cisco's VTP protocol and VLAN trunking. As you pointed out, "Port trunking" is also a real deal. Not a completely made-up thing, but also no longer the winning candidate for its shorter abbreviation "trunk".

      If we add another vendor to the mix, CheckPoint, things get really exciting! They use the term "bond", which stands for an aggregated link, and "bonding", which stands for link aggregation. Complete mess! Maybe the network tech guys will one day come to their senses and stop inventing new terms for link aggregation. As the saying goes, a good kid has many names, but this is being taken too far!



  • The concept is the same. F5 uses the same 802.1q tag in the Ethernet frame. What is different is the nomenclature. A trunk in Cisco is a connection allowing many VLANs. A Trunk in F5 is an EtherChannel. So to configure multiple VLANs on an interface on F5, you have by default configured a Cisco trunk.