Tagged/Untagged vs Include/Exclude

From the Ubiquiti website

This VLAN ID tag may be added or removed by a host, a router, or a switch. Within the network, physical ports are configured as untagged or tagged for a specific VLAN—determining whether to accept and forward traffic belonging to each VLAN ID. Let’s take a closer look at each one.

Untagged: a VLAN that is untagged is also sometimes referred to as the “Native VLAN”. Any traffic that is sent from a host to a switch port that doesn’t have a VLAN ID specified, will be assigned to the untagged VLAN.

This option is typically used when connecting hosts such as workstations or devices like IP cameras that don’t tag their own traffic, and only need to communicate on one specific VLAN. A port can only have one Untagged VLAN configured at a time.

Tagged: Assigning a tagged VLAN to a port adds that port to the VLAN, but all ingress and egress traffic must be tagged with the VLAN ID in order to be forwarded. The host connected to the switch port must be capable of tagging its own traffic, and be configured to do so with the same VLAN ID.

Tagged VLANs (as opposed to Untagged) on a port are typically used when connecting to a host that needs access to several networks at once using the same interface, such as a server providing services to more than one department in an office. It can also be used when connecting two switches, in order to restrict access to a VLAN to hosts connected to a downlink switch for security purposes.

Trunk: A trunk port is typically considered a member of all VLANs—it will accept and forward traffic on any VLAN ID and is typically configured for the uplink and downlink ports between switches and routers.

All well and good, but say you wanted to use tagging for privatizing certain traffic, what is the difference between that and using the include and exclude CLI functions? Say I had an AP connected to a switchport and only wanted it to allow traffic from VLAN192. What is the difference between tagging that port with 192 and excluding participation in other VLANs? Seems to me like it does basically the same job.

You don’t tag ports; a port tags or untags traffic, or drops/allows traffic.

Or rather, for any given vlan id, a properly configured port can either emit traffic belonging to that vlan with a tag, without a tag, or not emit it.

Traffic coming in can be accepted or dropped based on incoming vlan id, or if no vlan id tag is present, a port can classify that incoming traffic into a vlan (and then accept or drop).

Usually, ports configured to carry tagged traffic exclusively are called trunk ports. Ports configured to carry exclusively untagged traffic are called access ports, and ports configured to carry one vlan untagged and one or more tagged vlans are called hybrid ports.

For example, when traffic comes in already tagged with vlan 192 on a port not participating in 192, it’s dropped.

If traffic comes in untagged on a port that is configured with 192 untagged, and the port is participating in 192, it’s accepted and forwarded appropriately to one/all of the other ports participating in 192 and depending on port it might come out either tagged or untagged there. (that port might have pvid 192 configured)

Worth mentioning is the fact that in hardware, typically all switch chips being made these days support vlans, nested vlans (aka q-in-q), and the majority of high-port-count chips can do IP forwarding, and they can encapsulate/decapsulate traffic not just into/out of vlans, but also into/out of gre and vxlan. They’re pretty flexible. Manufacturers of chips that are put into 16-port dumb switches will only licence a particular feature set, and from it they’ll only use a subset. As a side effect it’s entirely possible to misconfigure things using whatever messed up Web UI/CLI/cfg the manufacturer provided you with, and end up getting strange results… Trust but verify. Look at tcpdump and Wireshark, stick to trunk / access / hybrid with 1 vlan untagged when planning and you’ll be fine.

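As an added illustration (not from the post above or from Ubiquiti's documentation), the following Python models the per-port, per-VLAN rules the reply describes: on ingress a frame is accepted, dropped, or classified into the port's PVID; on egress each port emits a VLAN tagged, untagged, or not at all. The port names, VLAN numbers and frame bytes are constructed for the VLAN 192 access-port scenario from the question.

```python
import struct

DOT1Q = 0x8100  # EtherType that announces an 802.1Q tag

class Port:
    """VLANs this port carries tagged, plus at most one untagged VLAN (its PVID)."""
    def __init__(self, tagged=(), untagged=None):
        self.tagged, self.untagged = set(tagged), untagged
    def members(self):
        return self.tagged | ({self.untagged} - {None})

def parse(frame):
    """Return (VID, frame with tag removed), or (None, frame) when untagged."""
    if frame[12:14] == struct.pack("!H", DOT1Q):
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def tag(frame, vid):
    """Insert an 802.1Q tag (PCP 0, DEI 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", DOT1Q, vid & 0x0FFF) + frame[12:]

def ingress(port, frame):
    """Classify an incoming frame: (vid, bare frame), or None if the port drops it."""
    vid, bare = parse(frame)
    if vid in (None, 0):        # untagged or priority-tagged (VID 0): classify by PVID
        vid = port.untagged
    if vid is None or vid not in port.members():
        return None             # no PVID, or a VLAN this port does not participate in
    return vid, bare

def egress(port, vid, bare):
    """Emit on this port untagged, tagged, or not at all."""
    if vid == port.untagged:
        return bare
    return tag(bare, vid) if vid in port.tagged else None

def forward(ports, in_name, frame):
    """Flood to every other port participating in the classified VLAN (no MAC learning)."""
    hit = ingress(ports[in_name], frame)
    if hit is None:
        return {}
    vid, bare = hit
    out = {n: egress(p, vid, bare) for n, p in ports.items() if n != in_name}
    return {n: f for n, f in out.items() if f is not None}

# Constructed topology: an AP on an access port in VLAN 192, a trunk uplink, a PC in VLAN 10.
PORTS = {"ap": Port(untagged=192), "uplink": Port(tagged=[10, 192]), "pc": Port(untagged=10)}
# Constructed untagged broadcast frame: dst MAC, src MAC, EtherType 0x0806, padding.
FRAME = bytes.fromhex("ffffffffffff0a0b0c0d0e0f0806") + b"\x00" * 28
```

Feeding `FRAME` in on `ap` reproduces the reply's example: it is classified into 192, leaves the uplink tagged, and never reaches the VLAN 10 port; the same frame arriving already tagged 192 on the `pc` port is dropped because that port does not participate in 192.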