Layer 2 networking

By telleropnul, August 18, 2022

OSI Layer 2 traffic

MAC address level awareness only (managed switch).  Uses VLANs.  Injects / strips VLAN tag from packets as needed.

OSI Layer 3 traffic

IP address level awareness (router).  Supports routes, ACLs, etc.

VLAN

The primary function of a VLAN is to separate layer 2 traffic. Hosts in one VLAN cannot communicate with hosts in another VLAN without extra services. An example service is a router to pass packets between the VLANs (layer 3 traffic).

The general idea is that all traffic that flows through a switch is part of a VLAN at all times.

Default VLAN

Not of interest.  Do not confuse with native VLAN (!)
We cannot change or delete the default VLAN, which is [vlan 1]. All switch ports become members of the default VLAN immediately after the initial bootup of the switch. Because all ports are then in the same VLAN, they share one broadcast domain, and any device connected to any port can communicate with devices on the other switch ports.

Tagged vs Untagged

These phrases apply equally to traffic and to ports:

Untagged traffic = does not contain injected VLAN tag; tagged traffic = contains an injected VLAN tag.

VLAN-enabled ports are generally categorized in one of two ways, tagged or untagged. These may also be referred to as “trunk” or “access” respectively.

Untagged port = Access port

Connects to end user devices / hosts (computer, printer, etc.). These hosts generally do not use VLAN tags in their traffic.  The connected host sends its traffic without any VLAN tag in the frames. When the frame reaches the switch port, the switch will add the VLAN tag. The switch port is configured with a VLAN ID that it will put into the tag.  This will grant the host access to a VLAN, hence the name “access port”.

When a frame leaves an untagged port, the switch strips the VLAN tag from the frame as connected end user devices generally do not use VLAN tags.

For example:

interface Ethernet1/0/12
 stp edged-port enable
 port link-type access
 port access pvid vlan 2
 apply qos-profile default

Incoming traffic from the end user device has a [vlan 2] tag injected at all times.  Outgoing traffic has its VLAN tag stripped.

PVID

A Port VLAN ID (pvid) is a VLAN ID that is assigned to an access port to designate the virtual LAN segment to which this port is connected.  If none is specified, the default VLAN ID will be used ([vlan 1]).

Tagged port = Trunk port

A port is a ‘tagged port’ when the port is expecting frames containing VLAN tags. An example of this is when two switches are connected and pass tagged traffic.  A trunk port can pass through multiple VLAN tags, like a tree trunk carrying multiple tree branches.  ‘Trunking’ is also a common phrase indicating grouping.  Hence the name “trunk port”.

The sender will send a frame with a VLAN tag. The receiving switch will see the VLAN tag, and if the VLAN is allowed, it will forward the frame as required. For example, a broadcast may be received on [vlan 10]. In this case, the switch will flood the frame to all other ports configured with [vlan 10].

Native VLAN (only applies to Trunk port)

In some cases, an untagged frame will arrive on a tagged port. To handle this, tagged ports have a special VLAN configured on them called the untagged VLAN. This is also known as the ‘native VLAN’.

The switch assigns any untagged frame that arrives on a tagged port to the native VLAN. If a frame on the native VLAN leaves a trunk (tagged) port, the switch strips the VLAN tag out.

In short, the native VLAN is a way of carrying untagged traffic across one or more switches.

Hybrid port

Combination of both Access port and Trunk port.  When a Hybrid port and a Trunk port receive data, the processing method is the same. The only difference is when sending data: a Hybrid port allows packets of multiple VLANs to be sent without tags, while a Trunk port only sends the native VLAN untagged.

For example:

interface Ethernet1/0/12
 stp edged-port enable
 port link-type hybrid
 port hybrid vlan 3 tagged
 port hybrid vlan 2 untagged
 undo port hybrid vlan 1
 port hybrid pvid vlan 2
 apply qos-profile default

This port is part of [vlan 2] (pvid) and will therefore tag incoming untagged traffic with a [vlan 2] tag when forwarding.  Incoming [vlan 3] traffic is allowed through and will remain tagged when forwarding.  Incoming [vlan 2] traffic is allowed through but will have its tag removed when forwarding.  This port will not allow [vlan 1] traffic through.

Only for a Hybrid port (not allowed for Trunk port) could we add another ‘untagged’ rule:

port hybrid vlan 4 untagged

Incoming [vlan 4] traffic is allowed through but will have its tag removed when forwarding.


In short, a summary:

Access port
Incoming – Injects VLAN tag.  Data packet now becomes tagged traffic.
Outgoing – Strips VLAN tag.  Data packet now becomes untagged traffic.

Trunk port (outgoing)
1. Compare the PVID of the port with the VLAN information in the packet to be transmitted.
2. If they are the same, proceed to Step 3; otherwise, proceed to Step 4.
3. Strip the VLAN information from the packet and forward the packet.
4. Forward the packet directly.

Hybrid port (outgoing)
1. Check the VLAN attributes on this port by running the command [display interface Ethernet 1/0/12] to see whether the VLAN of the packet is “tagged” or “untagged” on this port.
2. If it is untagged, proceed to Step 3; if it is tagged, proceed to Step 4.
3. Strip the VLAN information from the packet and forward the packet.
4. Forward the packet directly.

VOIP scenario
https://youtu.be/2QOFNTF4nyU?t=1506
You can connect a computer to a VOIP device, and the VOIP device to a wall data outlet, so that both share the same switch network port.  Computers do not use VLAN tags in their traffic.  When configuring a VOIP device, you can specify which VLAN it should be in.  The VOIP device will then include a VLAN tag in its traffic.  As a result, the switch will see both untagged packets and tagged packets on a single switch port.

A switch hybrid port can then be used to handle the untagged traffic from the computer differently (= inject VLAN tag #1 into those packets) from the traffic of the VOIP device (= process VLAN tag #2 already present in those packets).
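As an added illustration (not part of the original post), the following Python simulation applies the access, trunk and hybrid rules above to raw 802.1Q frames: it inserts and strips the TPID/TCI tag, classifies untagged frames into the PVID, and drops VLANs a port does not carry. The Port class, the frame builder and the sample PC and phone frames are constructed for this example; the hybrid port mirrors the [vlan 2]/[vlan 3]/[vlan 4] configuration shown earlier.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier that marks a tagged frame

def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal untagged Ethernet frame (constructed sample data, no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def vlan_of(frame: bytes):
    """VLAN ID from the 802.1Q tag that follows the source MAC, or None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF   # low 12 bits of the TCI
    return None

def tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Inject TPID + TCI (PCP:3, DEI:1, VID:12) between source MAC and EtherType."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]

def untag(frame: bytes) -> bytes:
    """Strip the 4-byte tag so an end host never sees it."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame

class Port:
    """Access, trunk or hybrid port; 'tagged'/'untagged' are the VLAN sets it carries."""
    def __init__(self, kind: str, pvid: int = 1, tagged=(), untagged=()):
        self.kind, self.pvid, self.tagged = kind, pvid, set(tagged)
        # access/trunk ports send only the PVID (native VLAN) untagged; hybrid may list several
        self.untagged = set(untagged) if kind == "hybrid" else {pvid}

    def ingress(self, frame: bytes):
        """Classify a received frame: returns (vid, tagged_frame), or None when dropped."""
        vid = vlan_of(frame)
        if vid is None:                      # untagged: assign the PVID and inject the tag
            vid, frame = self.pvid, tag(frame, self.pvid)
        return (vid, frame) if vid in self.tagged | self.untagged else None

    def egress(self, vid: int, frame: bytes):
        """Forward out of this port: strip the tag for untagged VLANs, keep it otherwise."""
        if vid not in self.tagged | self.untagged:
            return None
        return untag(frame) if vid in self.untagged else frame

# Constructed sample frames: a PC (untagged) and a VoIP phone (tagged vlan 3) share one port
PC = make_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"pc-data")
PHONE = tag(make_frame(b"\xff" * 6, b"\x00\xaa\xbb\xcc\xdd\xee", 0x0800, b"rtp"), 3)
# The hybrid port from the page (pvid 2, vlan 3 tagged, vlan 2/4 untagged, vlan 1 removed)
HYBRID = Port("hybrid", pvid=2, tagged={3}, untagged={2, 4})
TRUNK = Port("trunk", pvid=1, tagged={2, 3})
```

Note that TRUNK.ingress places every untagged frame it receives into the native VLAN, which is why real deployments usually move the native VLAN off [vlan 1] to an otherwise unused VLAN ID.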