Here's what I have already figured out by reading Cisco's literature...

-If I create a VLAN on a few ports, using the following commands:

    switchport mode access
    switchport access vlan 42

-The switch allows untagged packets to ingress the port. And, any packets ingressing the port are associated with VLAN 42.

So, my question is how do I configure a port to tag packets as they egress the port AND ... require ingress packets to already be tagged with VLAN 42.

Could it be such a simple solution? Anyway, any help would be appreciated.


Reply to

It's called a trunk :-))

Reply to

You can configure the port as a trunk port, then allow only VLAN 42 on it.

    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 42
    switchport trunk allowed vlan 42


Reply to

Ooooooooooooooooh! OK! Thank you!

I see now; I am just starting to fit the pieces together.

So, may I ask; what is a "multi"?

I believe that the Cisco switch (2900/3500) supports these three switchport modes: access, multi, and trunk...

Thanks again!

Reply to


Well that's not completely correct. The "switchport trunk native vlan 42" actually untags traffic for vlan 42. Remove this statement and you'll be fine.

The multi mode is an old thing, not supported on newer switches, and should be avoided if possible. The multi mode allowed you to make the access port a member of more than one VLAN. For example, if you've got multiple VLANs and want one host to be a member of more than one of these VLANs, you could have set up a port in multi mode and assigned multiple IPs to the host's NIC. A side effect of this is that traffic generated from this host is sent to all VLANs, thus causing a leak of traffic for one VLAN to the other VLANs. Don't use it. If a host has to be accessible to multiple VLANs, use a router and route to the host.


Reply to
Erik Tamminga
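
A config check for the settings discussed in this thread, as an added example that is not part of any post: it flags ports that take untagged frames into a VLAN (access ports, and trunks whose native VLAN is also allowed) and ports in multi mode. The function names and sample config are constructed; it assumes the usual defaults (access mode, native VLAN 1, all VLANs allowed on a trunk) and ignores the add/remove forms of the allowed-VLAN command.

```python
import re

# Constructed sample config; interface names are illustrative.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 42
 switchport trunk allowed vlan 42
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 42
interface FastEthernet0/3
 switchport mode multi
interface FastEthernet0/4
 switchport access vlan 42
"""
KEYS = {"mode": "mode", "access vlan": "access",
        "trunk native vlan": "native", "trunk allowed vlan": "allowed"}

def parse_vlans(spec):
    """Expand 'all', '42' or '1,10-12' into a set of VLAN ids."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (interface, finding) pairs for untagged-ingress and multi-mode ports."""
    ports, cur = {}, None
    for line in config.splitlines():
        m = re.fullmatch(r"interface (\S+)", line.strip())
        if m:  # new stanza, seeded with the assumed defaults
            cur = ports[m.group(1)] = {"mode": "access", "access": "1", "native": "1", "allowed": "all"}
            continue
        m = re.fullmatch(r"switchport (" + "|".join(KEYS) + r") (\S+)", line.strip())
        if m and cur is not None:
            cur[KEYS[m.group(1)]] = m.group(2)
    findings = []
    for name, p in ports.items():
        if p["mode"] == "multi":
            findings.append((name, "multi mode: traffic can leak between VLANs"))
        elif p["mode"] == "trunk" and int(p["native"]) in parse_vlans(p["allowed"]):
            findings.append((name, f"trunk carries VLAN {p['native']} untagged (native VLAN)"))
        elif p["mode"] == "access":
            findings.append((name, f"access port: untagged frames join VLAN {p['access']}"))
    return findings
```

In the sample, only FastEthernet0/2 (a trunk that allows VLAN 42 and leaves the native VLAN alone) produces no finding.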

Unless you need the multi option, don't use it, as one specific NIC will be allowed membership in more than one VLAN, and it's a security breach.

Reply to

Or have the port trunk, permit only the VLANs to which the host should have access, and have the host use 802.1q.

This requires that the host have a different IP on each VLAN, but that's probably more of a Good Thing than Bad Thing in that you get only the "leakage" you want.

I don't know how to do this with other environments, but Linux has been able to speak 802.1q for a few years at least.

- Andrew

Reply to
Andrew Gideon
