On my Avaya ERS2550T switch each port can be set with a native/primary VLAN, and I can assign other secondary VLANs (depending on the mode) that will be associated with this port.
I can configure ports as:
- tagAll (trunk)
- untagAll (access)
- tagPvidOnly
- untagPvidOnly
I have seen similar port options on different switches. As I understand, VLANs are used to segregate collision domains into separate subnets.
The thing I do not understand is, if we had VLANs 10, 20 and 30, which are each their own IP subnet, why would we want to untag all of these on a port as this would create a collision of different subnets on the same physical port.
So in summary, why does the untagAll (access) mode exist, and in what scenarios would it be useful to assign more than one VLAN to a port that is operating in this mode?
This definition of “access” port looks unusual — in many other devices setting the port mode to “access” means that the port can be a member of just a single VLAN. Some other devices have a “hybrid” port mode which is even more general — a hybrid port can be a member of multiple VLANs, and for each VLAN you can choose whether outgoing frames from this VLAN will be tagged or untagged.
Having more than one untagged VLAN on a port could be useful in special circumstances. Suppose that you have a server and three groups of clients in the same IP subnet; however, each group of clients must be able to communicate only with the server and other clients in the same group, but must not be able to reach clients from other groups. Then you can configure VLANs on the switch as follows:
In this case frames transmitted by the server will get VLAN ID 40 and could reach all clients; however, frames transmitted by a client from group 1 will get VLAN ID 10 and could reach only the server and other clients from group 1, and similarly for the other groups.
Such configuration does not by itself provide full protection between client groups — even if a client cannot send frames which would be received by a client from another group, this VLAN configuration cannot prevent it from spoofing IPs of clients from other groups. Other switch features (e.g., ACLs or DHCP snooping) may be used to prevent such IP spoofing.
Another potential hole in this configuration is the behavior of the switch when it receives a tagged frame on such a port — e.g., if a client sends a frame tagged with VLAN ID 40, and the switch processes such a frame according to the tag, this frame could reach clients from other groups. Therefore, an option to filter all tagged frames on a port is needed to make group isolation really complete.
In a special case, where each client is in its own group, the same result could be achieved using a “port isolation” feature available on some switches, but more complex configurations with multiple clients in a group need separate VLAN IDs for groups.
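The forwarding behaviour the answer describes, as an added example that is not part of the original question or answer and is not vendor code: a small Python model of a switch whose ports have a PVID plus a set of untagged egress VLANs, with one server port and three client groups (port names, VLAN IDs 10/20/30/40 and the `filter_tagged` knob are assumptions made for the illustration). It floods each frame to every member port of its VLAN, ignoring MAC learning, which is enough to show both the intended isolation and the tagged-frame hole the answer warns about.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Port:
    pvid: int                   # VLAN ID stamped on untagged ingress frames
    egress: FrozenSet[int]      # VLANs this port transmits (untagged) frames for
    accept_tagged: bool = True  # honour a tagged ingress frame, or drop it


def build_switch(filter_tagged: bool = False) -> Dict[str, Port]:
    """Constructed topology (assumption, not from the page): VLAN 40 is the
    server's 'reach everyone' VLAN; 10/20/30 belong to client groups 1/2/3."""
    def client(group_vid: int) -> Port:
        return Port(group_vid, frozenset({group_vid, 40}), not filter_tagged)

    return {
        "server": Port(40, frozenset({10, 20, 30, 40}), not filter_tagged),
        "g1a": client(10),
        "g1b": client(10),
        "g2a": client(20),
        "g3a": client(30),
    }


def classify(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN ID assigned to an ingress frame; None means the frame is dropped."""
    if tag is None:
        return port.pvid            # untagged frame -> PVID
    return tag if port.accept_tagged else None


def reachable(ports: Dict[str, Port], src: str, tag: Optional[int] = None) -> Set[str]:
    """Ports that receive a frame entering at `src` (flooded; MAC learning ignored)."""
    vid = classify(ports[src], tag)
    if vid is None:
        return set()
    return {name for name, p in ports.items() if name != src and vid in p.egress}


if __name__ == "__main__":
    sw = build_switch()
    print("server ->", sorted(reachable(sw, "server")))          # all clients
    print("g1a    ->", sorted(reachable(sw, "g1a")))             # server + g1b only
    # The hole: a client injecting a frame tagged VID 40 reaches every group.
    print("g1a tagged 40 ->", sorted(reachable(sw, "g1a", tag=40)))
    # Closed by dropping tagged ingress frames on client ports.
    hardened = build_switch(filter_tagged=True)
    print("g1a tagged 40 (filtered) ->", sorted(reachable(hardened, "g1a", tag=40)))
```

The server port is an untagged member of every group VLAN so that client frames (stamped with the group PVID) can reach it, while each client port is a member only of its own group VLAN and VLAN 40. The last two lines of the demo reproduce the answer's caveat: without dropping tagged ingress, group isolation rests on clients not tagging their own frames.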