A practical VLAN configuration is very simple, just like the eth-switch method of routing through VLAN.

First, let's look at a method with high hardware efficiency. Port1 ~ 4 are access ports, with the hardware in user mode; that is, the packets sent from the PCs to these ports do not carry a VLAN tag. When the SW hardware receives a packet, it consults its internal VLAN configuration: if the target is another PC in the same VLAN, the packet is forwarded directly; if it is to be sent to the CPU, the hardware automatically tags it and hands it over to the VLAN device in the Kernel. Similarly, the data packets sent by the Kernel are tagged (because they are sent by VLAN devices); the hardware finds the corresponding port based on the tag, removes the tag, and sends the packet to the PC.

Port5 (the WAN port) is used as the trunk port, with the hardware in transmission mode. The packets sent from the external PC must contain tags (there are multiple tags). The hardware checks whether the packet is destined for other ports of the same VLAN. If yes, it is forwarded directly. Otherwise, it is passed directly to the VLAN device in the CPU's Kernel. The tagged data packets sent by the Kernel are likewise sent directly to the PC. The PCs here are generally external ISPs. They have their own requirements on which applications (such as PPP and TR069) use which vids. Of course, they can also identify various VLAN tags.

One disadvantage of this method is that the vids of the WAN port (port5) cannot overlap with those of the LAN ports; that is, a vid used by a LAN port cannot be reused on the WAN port, which is inconvenient for the ISP.

Next, let's look at another method. The LAN port method remains unchanged. The WAN port (port5) is no longer used as the trunk port; like the LAN ports, it is an access port, and the hardware adopts user mode. The difference is that it uses two-layer VLAN in the Kernel.
This lets the packets the ISP sends to the SW freely carry a tag with a vid: the SW hardware still automatically adds the vid5 tag (the VLAN ID of the port in the SW) to the packet and passes it to the Kernel. eth2.5 in the Kernel first peels off the vid5 tag, and then hands the packet to the corresponding second-layer VLAN device according to the second-layer vid. The advantage of this is that the ISP's vid is no longer limited. However, the disadvantages are also obvious. First, efficiency is reduced because most of the work has to be done by the Kernel in software. Second, as an access port, the WAN port cannot switch packets directly with the LAN ports.
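
The tag handling of the second method, modelled as an added example (not code from the original page): the SW hardware pushes the port's vid5 tag onto the frame from the ISP, and stacked VLAN devices in the Kernel strip one tag each. The device name eth2.5.100, the inner vid 100, the MAC addresses and the use of tag type 0x8100 for both tags are assumptions made for the illustration.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # tag types treated as VLAN tags (assumption)

def push_tag(frame: bytes, vid: int, tpid: int = 0x8100) -> bytes:
    """Insert a tag after the two MAC addresses, as the SW hardware does
    when an access port hands a frame to the CPU."""
    if not 1 <= vid <= 4094:
        raise ValueError("vid out of range")
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]

def tag_stack(frame: bytes):
    """Return ([vid, ...] outermost first, EtherType after the last tag)."""
    vids, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return vids, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the vid
        off += 4

def kernel_device(frame: bytes, devices: set, base: str = "eth2"):
    """Walk the tag stack like stacked vlan devices: each device strips one
    tag and passes the rest to its child. None means no device takes it."""
    name = base
    for vid in tag_stack(frame)[0]:
        name = f"{name}.{vid}"
        if name not in devices:
            return None
    return name

# Constructed sample: dst MAC + src MAC, IPv4 EtherType, dummy payload,
# already tagged by the ISP with vid 100 before it reaches port5.
MACS = bytes.fromhex("02000000000a" "02000000000b")
ISP_FRAME = push_tag(MACS + struct.pack("!H", 0x0800) + b"payload", 100)
DEVICES = {"eth2.5", "eth2.5.100"}  # hypothetical configured vlan devices

if __name__ == "__main__":
    cpu_frame = push_tag(ISP_FRAME, 5)  # port5 is an access port with vid5
    print(tag_stack(cpu_frame)[0], kernel_device(cpu_frame, DEVICES))
```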