Understanding VLAN Retagging

The VLAN identifier in packets arriving on a Layer 2 trunk port can be rewritten or “retagged” with a different internal VLAN identifier. VLAN retagging is a symmetric operation; upon exiting the same trunk port, the retagged VLAN identifier is replaced with the original VLAN identifier. VLAN retagging provides a way to selectively screen incoming packets and redirect them to a firewall or other security device without affecting other VLAN traffic.

VLAN retagging can be applied only to interfaces configured as Layer 2 trunk interfaces. These interfaces can include redundant Ethernet interfaces in a Layer 2 transparent mode chassis cluster configuration.

Note: If a trunk port is configured for VLAN retagging, untagged packets received on the port cannot be assigned a VLAN identifier with the VLAN retagging configuration. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id statement.

To configure VLAN retagging for a Layer 2 trunk interface, specify a one-to-one mapping of the following:

• Incoming VLAN identifier—VLAN identifier of the incoming packet that is to be retagged. This VLAN identifier must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
• Internal VLAN identifier—VLAN identifier for the retagged packet. This VLAN identifier must be in the VLAN identifier list for the trunk port and must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.

Related Topics

• Configuring VLAN Retagging