So.... keep this in mind..... A trunk port (carrying Tagged vlan) will also have untagged traffic (native vlan) by default. An Access port cannot carry tagged vlan traffic (an access port is where tagged vlan traffic is untagged on egress and tagged on ingress).

Now assuming that the ES1 is a normal L3 switch, if you have a port carrying tagged vlan 104, I am going to assume it is set up as a Trunk Port, thus by default you have untagged native vlan (most switches will allow you to change the native/untagged vlan from 1 to any other vlan).

I am going to assume that the lingo you are using, "Exclude vlan", is from the switch's documentation or some other documentation you have read.

Some places use the "Exclude" term for tagged vlans / trunk ports, because by default on those switches, when you define a trunk port, you do not need to specify the specific tagged vlans that are going to be carried on that trunk port.

e.g. if you are using two cisco switches, and you have 10 vlans on each, when you connect the two switches together using a trunk port, you do not need to specify all 10 vlans as 'allowed' on the trunk port... they by default will be 'allowed' .. thus the terminology of 'Exclude' if you don't want an existing vlan to go across a trunk port.

Regards.

Faisal Imtiaz
Snappy Internet & Telecom
http://www.snappytelecom.net

Tel: 305 663 5518 x 232

Help-desk: (305)663-5518 Option 2 or Email: [email protected]

----- Original Message -----
> From: "Nate Burke" <[email protected]>
> To: "AnimalFarm Microwave Users Group" <[email protected]>
> Sent: Wednesday, September 5, 2018 6:09:31 PM
> Subject: Re: [AFMUG] Edgeswitch Vlan Leaking

> Thanks for the explanation. Am I understanding that on the ES1, if the
> port is only set up as a Tagged Vlan104, and excluded from everything
> else, it will still show non-tagged traffic as well as tagged traffic as
> Vlan104? My thought was that if the physical port on ES1 is not set as
> untagged for any vlan (it is excluded from all other Vlans, including
> Vlan1), that only tagged Vlan104 traffic should be present at the Mikrotik.
>
> Nate
>
> On 9/5/2018 4:51 PM, Faisal Imtiaz wrote:
>> Let me help you out...think of a port as a Tube, a tagged vlan is another
>> tube running inside the bigger outer tube.
>> The outer tube is Untagged Vlan traffic or native vlan traffic ...
>>
>> A trunk port is one that can see both the outer tube (untagged vlans) as
>> well as the inner tubes (tagged vlans).
>> An access port is one where the inner tube (tagged vlan) is connected to act
>> as the Outer Tube (i.e. tagged traffic is received and it flows thru as
>> untagged).
>>
>> In your example, you have a tagged vlan 104 going thru the MT1, ES1, EPMP SM,
>> and the EPMP AP (let's just stop here in the chain, for a moment).
>> Which is all good, however, by virtue of the physical connection, you also
>> have the Untagged traffic connected..
>> in other words, you have native/untagged traffic flowing all the way thru,
>> along with Tagged Vlan 104 traffic.
>>
>> Now if you look at the rest of the chain, you are taking Untagged vlan 1000
>> (native) + Tagged vlan 104 into ES2, and then handing them off as two tagged
>> vlans to MT2.
>> Which means that between ES2 and MT2 native/untagged traffic is not going
>> anywhere other than staying between these two devices.
>>
>> and this would explain why MT1 is able to see everything via native + vlan
>> 104, and MT2 is able to see everything via Vlan 1000 and Vlan 104, and only
>> the ES2 via native vlan.
>>
>> Hope it makes sense.
>>
>> Regards.
>>
>> Faisal Imtiaz
>> Snappy Internet & Telecom
>> http://www.snappytelecom.net
>>
>> Tel: 305 663 5518 x 232
>>
>> Help-desk: (305)663-5518 Option 2 or Email: [email protected]
>>
>> ----- Original Message -----
>>> From: "Nate Burke" <[email protected]>
>>> To: "Animal Farm" <[email protected]>
>>> Sent: Wednesday, September 5, 2018 1:30:45 PM
>>> Subject: [AFMUG] Edgeswitch Vlan Leaking
>>>
>>> I'm sure I have something missing in my configuration, but I haven't
>>> been able to figure it out yet. Edgeswitches on Version 1.7.4 and 1.8.0
>>>
>>> Mikrotik1 <-Tagged Vlan104-> Edgeswitch1 <-Tagged Vlan104-> EPMP SM
>>> <---> EPMP AP <-Untagged Vlan1000, Tagged Vlan104-> Edgeswitch2
>>> <-Tagged Vlan1000,Tagged Vlan104-> Mikrotik2
>>>
>>> Mikrotik1, in its neighbor list, is able to see on Vlan104 all devices
>>> that exist on Vlan1000 at Edgeswitch2. Since the Port on Edgeswitch1 is
>>> set for Tagged vlan104 and excluded from all other vlans, shouldn't this
>>> isolate all traffic to only Vlan104, which means that Mikrotik1 should
>>> only see Mikrotik2 in a neighbor list? Vlan1000 does not exist in the
>>> Vlan Table of edgeswitch1 at all. Everything is working the way I expect
>>> it to, I'm just trying to figure out why I'm seeing the layer2 neighbor
>>> traffic when I don't think I should.
>>>
>>> Nate
>>>
>>>
>>> --
>>> AF mailing list
>>> [email protected]
>>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
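
Added example (not part of the original thread, and not code from any vendor named in it): one way to confirm what a link really carries is to classify captured frames by their 802.1Q tag and flag anything outside the VLAN set the port is meant to pass. The function names and the sample frames below are constructed for illustration; in practice the frames would come from a capture taken on the port in question.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100    # standard 802.1Q VLAN tag
TPID_8021AD = 0x88A8   # 802.1ad outer (service) tag

def classify_frame(frame: bytes):
    """Return (vlan_id, ethertype); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in (TPID_8021Q, TPID_8021AD):
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN ID
    # VID 0 is a priority tag only: the receiving port treats the frame as
    # untagged and places it in its native VLAN.
    return (vid or None), inner_type

def audit_link(frames, expected_vlans):
    """Count frames per VLAN and list those outside expected_vlans."""
    seen, unexpected = Counter(), []
    for index, frame in enumerate(frames):
        vid, ethertype = classify_frame(frame)
        seen[vid] += 1
        if vid not in expected_vlans:
            unexpected.append((index, vid, hex(ethertype)))
    return seen, unexpected

def build_frame(dst, src, ethertype, vlan=None, payload=b"\x00" * 46):
    """Construct a sample frame (test data only, not a real capture)."""
    header = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan)
    return header + struct.pack("!H", ethertype) + payload

# Constructed sample: what a link expected to carry only VLAN 104 might show.
SAMPLE = [
    build_frame("ffffffffffff", "020000000001", 0x0806, vlan=104),   # ARP in 104
    build_frame("0180c200000e", "020000000002", 0x88CC),             # untagged LLDP
    build_frame("ffffffffffff", "020000000003", 0x0806, vlan=1000),  # tagged 1000
    build_frame("ffffffffffff", "020000000004", 0x0800, vlan=0),     # priority tag
]

if __name__ == "__main__":
    counts, leaks = audit_link(SAMPLE, expected_vlans={104})
    print(dict(counts))
    for index, vid, ethertype in leaks:
        print(f"frame {index}: vlan={vid or 'untagged'} ethertype={ethertype}")
```

Untagged and priority-tagged frames are reported together because a receiving switch port handles both as native-VLAN traffic.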
