VLAN tag forwarding by USG firewalls

USG firewalls provide three types of ports: Access, Trunk, and Hybrid. Each type processes VLAN tags as follows:
Access interface:
When receiving a packet without a tag, the Access interface accepts the packet and adds the default VLAN ID to the packet.
When receiving a packet with a tag, the Access interface accepts the packet if the VLAN ID is the same as the default ID; the Access interface discards the packet if the VLAN ID is different from the default ID.
When sending a packet, the Access interface removes the tag from the packet.
Usage: The Access interface belongs to only one VLAN and is used to connect the switch to a PC directly.
Trunk interface:
When receiving a packet without a tag, the Trunk interface adds the default VLAN ID to the packet. If the default VLAN ID is on the permitted VLAN ID list, the Trunk interface forwards the packet; otherwise, the Trunk interface discards the packet.
When receiving a packet with a tag, the Trunk interface checks whether the VLAN ID carried by the packet is on the permitted VLAN ID list. If yes, the Trunk interface accepts the packet; if not, the Trunk interface discards the packet.
When sending a packet, the Trunk interface checks whether the VLAN ID carried in the packet is the same as the default VLAN ID. If yes and the VLAN ID is on the permitted VLAN ID list, the Trunk interface removes the tag and sends the packet; if not but the VLAN ID is on the permitted VLAN ID list, the Trunk interface retains the original tag and sends the packet.
Usage: The Trunk interface can belong to multiple VLANs and connect switches.
Hybrid interface:
When receiving a packet without a tag, the Hybrid interface adds the default VLAN ID to the packet. If the default VLAN ID is on the permitted VLAN ID list, the Hybrid interface forwards the packet; otherwise, the Hybrid interface discards the packet.
When receiving a packet with a tag, the Hybrid interface checks whether the VLAN ID carried by the packet is on the permitted VLAN ID list. If yes, the Hybrid interface accepts the packet; if not, the Hybrid interface discards the packet.
When sending a packet, the Hybrid interface checks whether the VLAN ID carried by the packet is on the permitted VLAN ID list. If yes, the Hybrid interface sends the packet. You can configure whether a packet carries a tag using the corresponding command.
Usage: The Hybrid interface can belong to multiple VLANs. It can connect switches or user devices.
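
The receive and send rules above can be checked against a planned port configuration with a small model. The following Python sketch is an added example, not Huawei code or USG CLI; the Port class, the ingress/egress function names and the "untagged" set (standing in for the Hybrid tag/untag command) are assumptions made for illustration, and the VLAN IDs are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Port:
    kind: str                                          # "access", "trunk" or "hybrid"
    pvid: int                                          # default VLAN ID
    permitted: Set[int] = field(default_factory=set)   # permitted VLAN ID list (trunk/hybrid)
    untagged: Set[int] = field(default_factory=set)    # assumption: hybrid VLANs sent without a tag

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN a received frame is accepted into, or None if discarded."""
    if port.kind == "access":
        if tag is None:
            return port.pvid                           # untagged: add the default VLAN ID
        return tag if tag == port.pvid else None       # tagged: must match the default ID
    # Trunk and hybrid share the same receive rules.
    vlan = port.pvid if tag is None else tag           # untagged frames take the default VLAN ID
    return vlan if vlan in port.permitted else None

def egress(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """Return (sent, tag on the wire); a tag of None means the frame leaves untagged."""
    if port.kind == "access":
        # Assumption: an access port only carries its single VLAN; the tag is always removed.
        return (vlan == port.pvid, None)
    if vlan not in port.permitted:
        return (False, None)
    if port.kind == "trunk":
        # Default VLAN leaves untagged, every other permitted VLAN keeps its tag.
        return (True, None if vlan == port.pvid else vlan)
    # Hybrid: tagging is decided per VLAN by configuration.
    return (True, None if vlan in port.untagged else vlan)

if __name__ == "__main__":
    # Constructed sample ports.
    trunk = Port("trunk", pvid=10, permitted={10, 20})
    stray = Port("trunk", pvid=99, permitted={10, 20})   # default VLAN not on the permitted list
    for name, p in (("trunk", trunk), ("stray", stray)):
        print(name, "untagged in ->", ingress(p, None), "| tag 30 in ->", ingress(p, 30))
    print("trunk out vlan 10:", egress(trunk, 10), "vlan 20:", egress(trunk, 20))
```

The "stray" port shows a case worth auditing for: when the default VLAN ID is left off the permitted list, untagged traffic arriving on that Trunk is discarded rather than placed in any VLAN.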
