While configuring a VLAN-aware bridge to not use an untagged (so-called native) VLAN on trunks to other switches, I was confused by the documentation "Configuring a VLAN-aware Bridge," "VLAN Filtering/VLAN Pruning," and "Dropping Untagged Frames."
As I understood the documentation, restricting the VIDs of a port to not include the bridge default PVID (which doubles as native VLAN for trunks) would prune it from the uplink. My assumption is based on experience with other vendors (Arista, Cisco, Enterasys, Extreme, HP, and other, more obscure ones) and the short section on VLAN Filtering/Pruning.
My understanding of the effect of bridge-allow-untagged no was that untagged frames are dropped, changing nothing else, similar to the ExtremeEOS (formerly Enterasys) command set port discard.
The actual switch behavior as observed using net show bridge vlan was different:
- bridge-allow-untagged no results in tagging the native VLAN
- pruning the native VLAN (aka bridge-pvid) from an uplink requires both pruning it using bridge-vids and tagging the native VLAN using bridge-allow-untagged no on the uplink
BTW, NCLU seems to have an issue with pruning the native VLAN by specifying a bridge-vids list without the native VLAN. The command was accepted, but net pending showed no change. Applying the pending configuration using net commit did not change the configuration file /etc/network/interfaces. Thus I manually edited /etc/network/interfaces and restarted networking.service, which achieved the desired effect (as observed with net show bridge vlan).
Have I got the above right? I did not verify the behavior with a sniffer and traffic generator, but used NCLU show commands only.
Would it be possible to improve the documentation to say that bridge-allow-untagged no changes the native VLAN to tagged, and that the native VLAN is included in a trunk unless it is both pruned and changed to tagged?
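As an added example, not part of the original post: a small script that classifies, from the text output of `bridge vlan show`, whether each port still carries the bridge PVID untagged, carries it tagged, or has it pruned, which is the check the post performs by hand with net show bridge vlan. The sample output is constructed for this example, and PVID 1 is assumed as the bridge default.

```python
"""Classify how each bridge port carries the bridge PVID (the "native" VLAN)
from the text output of `bridge vlan show` (iproute2).

The sample below is constructed for this example: port name on the first
line, one VLAN per line, flags after the VID, ranges written as lo-hi.
Real output may differ in spacing, so the parser keys on indentation only."""
import re

SAMPLE = """\
port              vlan-id
swp1              1 PVID Egress Untagged
                  10
                  20-22
swp2              1 PVID
                  10
                  20-22
swp3              10
                  20-22
"""

def parse_bridge_vlan(text):
    """Return {port: [(vid, set(flags)), ...]}; VID ranges are expanded."""
    ports, current = {}, None
    for line in text.splitlines()[1:]:          # skip the header line
        if not line.strip():
            continue
        if not line[0].isspace():               # a new port starts the line
            current, _, rest = line.partition(' ')
            ports[current] = []
        else:
            rest = line                         # continuation of current port
        m = re.match(r'\s*(\d+)(?:-(\d+))?\s*(.*)', rest)
        if not m:
            continue
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        flags = set(m.group(3).replace('Egress Untagged', 'Untagged').split())
        for vid in range(lo, hi + 1):
            ports[current].append((vid, flags))
    return ports

def native_vlan_state(entries, pvid):
    """How a port carries the bridge PVID: 'untagged', 'tagged' or 'pruned'."""
    for vid, flags in entries:
        if vid == pvid:
            return 'untagged' if 'Untagged' in flags else 'tagged'
    return 'pruned'                             # not in the port's VID list at all

def audit(text, pvid=1):
    """Map each port to its native-VLAN state (pvid=1 is the bridge default)."""
    return {p: native_vlan_state(e, pvid) for p, e in parse_bridge_vlan(text).items()}

if __name__ == '__main__':
    for port, state in audit(SAMPLE).items():
        print(f'{port}: native VLAN is {state}')
```

In the sample, swp1 is the default (native VLAN untagged), swp2 shows the effect of bridge-allow-untagged no alone (native VLAN still present, now tagged), and swp3 shows pruning via bridge-vids combined with tagging.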