
How To Segment A Small LAN Using Tagged VLANs - Part 2

Discussion in 'LAN & WAN Article Discussions' started by Sebastienbo, Jul 26, 2015.

  1. Sebastienbo

    Sebastienbo Occasional Visitor

    Joined:
    Jul 26, 2015
    Messages:
    20
    http://www.smallnetbuilder.com/lanw...ll-lan-using-tagged-vlans-part-2?limitstart=0

    Concerning the article above, I have a question.
    I've been buying the same switches as above, but my config has become a complete mess. I don't understand what I'm doing wrong and I have tried so many combinations (tagged/untagged/etc.), but I'm not able to achieve a trunk :-(

    Therefore I've decided to swallow my pride and ask for help on this forum :)

    The purpose of my setup is as follows:
    I have a wall with just one cable from my living room (where the provider modem is + some internal network devices) to my office room (where I have the firewall/router/WLAN AP + internal devices such as PCs/NAS/etc.)
    Both sides have the device described in the article: ZyXEL GS1900-8HP with the latest firmware 2.0

    What I want to achieve:
    My modem (in the living room should connect to port 2 so I set PVID to vlan 2 and vlan 2 is part of port 1 and 2 untagged), so port 2 becomes my DMZ or external network (whatever you wanna call it)
    Remaining Ports 1,3,5,6,7,8 are vlan 1 (internal lan for pc's)

    Port 1 should handle traffic from vlan 1 and vlan 2 and send it over that one cable to the office, so I configured port 1 as a trunk on both switches accepting tagged and untagged traffic.

    So how should my traffic flow?
    1) I have my provider modem sending data to port 2
    2) port 2 should tag it and send it to its other member ports (port 1)
    3) Port 1 sends it over to the other switch's port 1, where it should be detected as being part of vlan 2 and therefore sent to port 2
    4) Port 2 sends that traffic to my WAN side of my router
    5) The lan side of my router sends that traffic to port 3 of the switch, which is vlan 1
    6) And if something happens in the office on vlan 1, it should be sent over that one cable again to the other 7) vlan 1 members in the living room (my TV, home entertainment, etc.)

    Important: At no point may the traffic of my provider and my internal traffic see each other: it must go through the router first

    As you see, this should not be a complicated configuration at all... I feel so stupid not being able to solve it myself :-(

    Can someone help me understand what I'm doing wrong?
     
  2. BDH

    BDH New Around Here

    Joined:
    Jul 24, 2015
    Messages:
    7

    It sounds like you are trying to use 802.1Q VLANs since you are having to define tagged, untagged & PVIDs for all ports. Your switch can build port based VLANs instead. This frees you from all of the work defining which ports should be tagged, untagged & PVIDs, etc. My D-Link switches have a separate spot for defining port based VLANs, but from the manual of yours it appears to use the same area for both types of VLANs. The way you make certain settings defines the VLAN as port based instead of 802.1Q. "The GS1900-8HP supports port-based and 802.1q VLANs. You can make a port an untagged member of multiple VLANs, which essentially provides the ability to do port-based VLANs." Read through the section on port based VLANs on your switch. I have tried to convert how D-Link does these to how your ZyXel does them in what I write below, but without the ZyXel device I may miss something.

    1) I have my provider modem sending data to port 2.

    Port 2 should be in a VLAN called VLAN 2 for your Internet traffic. Port 1 should be set as a trunk port & also be a member of both VLAN 1 & 2. Port 2 should be untagged. The beauty of port based VLANs is that the trunk port will tag frames prior to sending them using the VLAN ID of the VLAN it received those frames on. If a frame comes to the trunk port from an untagged port that is a member of VLAN 1 it will be tagged as VLAN 1 traffic before it is sent. Same for VLAN 2.

    2) Port 2 should tag it and send it to its other member ports (port 1)

    Not exactly. Port 2 should be an untagged port in a port based VLAN. The untagged frames from port 2, your modem, will be sent to all other ports on that switch that are members of VLAN 2. In your case only port 1; the trunk. The trunk will know to tag it as VLAN 2 traffic since this frame came from port 2 which is a member of VLAN 2. On this switch, port 1 & 3 - 8 should all be defined as members of VLAN 1. 3 - 8 should all be untagged ports. Port 1 is already set as trunk so it will handle tagging VLAN 1 packets before sending them out the trunk just as it does for VLAN 2, since the trunk is a member of both VLANs (that is what makes it a trunk).

    3) Port 1 sends it over to the other switch's port 1 where it should be detected as being part of vlan 2 ) therefore send it to port 2

    The office switch in your setup should match your other switch. Port 1 & 2 in VLAN 2 with port 1 set as a trunk. VLAN 1 should contain ports 1 & 3-8. 3-8 should be untagged ports.

    4) Port 2 sends that traffic to my WAN side of my router

    Right, plug your router's WAN port into port 2 on the office switch.

    5) The lan side of my router sends that traffic to port 3 of the switch, which is vlan 1

    Right, plug the router's LAN port into port 3 on the office switch.

    6) And if something happens in the office on vlan 1, it should be sent over that one cable again to the other 7) vlan 1 members in the living room (my TV, home entertainment, etc.)

    Correct, but your switches are 8 port switches and 3 - 8 are VLAN 1, so it will be 6 other members, not 7. There are 7 members of VLAN 1, but one of those members is the trunk port which is not an untagged VLAN 1 member, it is a special member since it is a trunk and also belongs to VLAN 2. It is also true that activity on the other switch in VLAN 1 will traverse the trunk and be seen by the VLAN 1 ports in the office.

    I hope this helps. If I need to clarify anything let me know.
     
  3. Sebastienbo

    Sebastienbo Occasional Visitor

    Joined:
    Jul 26, 2015
    Messages:
    20
    Thanks very much for your help

    It was exactly how I configured it. I actually configured this the same way on my current Netgear GS108E, and there it just works fine.

    I don't completely understand the difference between port-based VLANs and 802.1Q (port-based I understand, but 802.1Q not, especially not the difference)

    OK, back to the problem: I'm sending you some screenshots of my current config (both switches are configured the same way, like a mirror)
    Currently I'm only testing with port 1 and port 2, that means that the only test that I'm trying to achieve is to get the modem from port 2 to send traffic to trunk port 1, which then should send the traffic over to the other switch on port 1 and there go to port 2 (my router) <- Here it stops already, my router doesn't have internet...

    I send you my config (4 screenshots); you'll see it's configured the same way you told me and it's an easy setup, so I don't know what could still be wrong here, but maybe you see something in my screenshots that I'm doing wrong. (Let's hope so)
     

    Attached Files:

  4. Sebastienbo

    Sebastienbo Occasional Visitor

    Joined:
    Jul 26, 2015
    Messages:
    20
    Here are the other two images
     

    Attached Files:

  5. BDH

    BDH New Around Here

    Joined:
    Jul 24, 2015
    Messages:
    7
    Working from the specific configuration documentation for the ZyXel GS1900-8 switch, here is how to do this:

    Tagged versus untagged applies to how traffic leaving a port for a device should be sent. In other words should it be tagged as belonging to a VLAN or untagged.

    Any port used to connect a device that is not aware of VLANs (computers, TVs, DVRs, DVD players, etc.) needs to be untagged. This tells the port to remove the tagging before sending it to the device. For both of your switches ports 2-8 need to be untagged. Port 1 on both switches needs to be tagged. That is because it is a trunk port to another switch that is aware of vlans & tagging.

    This is different from how you currently have your port 1 set on each switch and needs to be changed. Currently you have them set to untagged. That means before a packet leaves port 1 to go to port 1 on the other switch, all VLAN tagging is removed. Thus when the other switch gets the packet it is not identified as being for VLAN 1 versus VLAN 2. The switch does not know which of its VLANs the packet is for and discards the packet.

    PVID applies to how traffic entering a port from a device should be tagged:

    Port 2 on both switches (your internet modem and your wifi router WAN port) needs a PVID of 2.
    Ports 3-8 need a PVID of 1.
    Port 1 (the trunk port on each switch) can have a PVID of 1 or 2 but both should be the same. 1 is probably best. It should never be needed because all of your other ports have PVIDs. The PVID of the trunk would only come into play if the port sees a packet that does not already have a VLAN tag. Since all of your other switch ports will be applying either VLAN 1 or 2 prior to forwarding the packet to port 1, it will never use its PVID. I think you have the PVIDs correct based on your screen shots.

    Let me know how it goes when you mark your trunk ports as tagged.
     
  6. Sebastienbo

    Sebastienbo Occasional Visitor

    Joined:
    Jul 26, 2015
    Messages:
    20
    It's working!

    Thanks very much, I'm still re-reading your explanation, it makes so much sense

    So in my config my packets were thrown away by the second router, because I actually instructed switch port 1 to remove the VLAN tag by setting the untagged bullet... so simple now that I think of it

    Thanks for unblocking me
     
  7. BDH

    BDH New Around Here

    Joined:
    Jul 24, 2015
    Messages:
    7
    I'm glad that worked. Each of these vendors handle VLANs a little differently and I thought I understood how yours would work but was not positive.
     
  8. Sebastienbo

    Sebastienbo Occasional Visitor

    Joined:
    Jul 26, 2015
    Messages:
    20
    One last question

    I'm experimenting with the VLANs and have bought a third switch.
    The purpose of the third switch is to extend my other two switches (so it comes in between).
    Therefore I have configured the three switches the same way, as follows:

    Config: VLAN 1 (WAN) and VLAN 2 (LAN)
    PVID 1: ports 1, 2, 3
    PVID 2: ports 4, 5, 6, 7, 8
    VLAN 1:
    tagged: ports 1, 2
    untagged: port 3
    VLAN 2:
    tagged: port 1
    untagged: ports 4, 5, 6, 7, 8

    Switch 1:
    Port 1 has the connection to port 1 of switch 2
    Port 3 has the connection of the modem (WAN)
    Ports 4-8: internal LAN devices
    Switch 2 (this switch creates the extension):
    Port 1 receives the cable from switch 1
    Port 2: cable that goes to port 1 of switch 3
    Switch 3:
    Port 1 receives the cable from port 2 of switch 2
    Port 3 is connected to the router
    Port 5 is receiving the LAN side of the router (so that the internet arrives in VLAN 2 (internal LAN))

    Results:
    The internet is correctly sent over from switch 1 to switch 2 to switch 3 to the router.
    And the router is correctly delivering its internet to the vlan1 segment of switch 3, because all those devices have access to the internet.
    On switch 2, when I connect to VLAN 2 on port 5, it also has internet.
    But on switch 3, VLAN 2 has no internet.

    So I'm wondering if I configured this all correctly in order to have switch 2 extend my LAN/WAN (I think I did something wrong on switch 2). Ports 1 and 2 are both tagged in VLAN 1 but not in VLAN 2.

    So should I tag port 2 of switch 2 in VLAN 2 also?
     
  9. BDH

    BDH New Around Here

    Joined:
    Jul 24, 2015
    Messages:
    7

    This is my exact configuration except that I call VLAN 1 my LAN and VLAN 2 my WAN, but that does not matter, either will work.

    On switch 1 only port 1 should be tagged for both VLAN 1 & 2. Port 2 should be untagged for VLAN 1 and should be where your modem plugs in.
    On switch 2 ports 1 & 2 BOTH need to be tagged for both VLAN 1 & 2. (The middle switch needs 2 trunked ports in order to get traffic from end to end on your network.)
    On switch 3 only port 1 should be tagged for both VLAN 1 & 2. Port 2 should be untagged for VLAN 1 and should be where your router WAN port plugs in.
    I would put port 3 into VLAN 2 on all three switches. Otherwise you are reserving 3 ports on each switch for VLAN 1 when only 2 are needed. Moving port 3 gives you 6 LAN (VLAN2) ports available on switches 1 & 2 and 5 available on switch 3.
    On switch 3 I would use port 3 for the LAN side of the router.

    I hope that helps!
     
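The two configurations discussed in posts 1-5 (one cable between the rooms) and posts 8-9 (a third switch in the middle) can be replayed in a small forwarding model. The code below is an added example written for this thread, not code from the forum, from ZyXEL or from SmallNetBuilder; the port and VLAN numbers follow the posts, while the class and function names and the simplified behaviour (egress tagging per VLAN membership, PVID classification of untagged ingress frames, flooding to all member ports) are assumptions of this model and not a description of any specific switch's firmware. It makes the security point behind the first post's "must go through the router first" requirement visible: with the trunk port untagged, the modem's frames are not just lost, they are reclassified by the receiving switch's PVID and flooded into the internal LAN VLAN, so the segmentation is silently gone. It also reproduces why the middle switch needs both of its uplinks tagged in both VLANs.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """One 802.1Q-capable switch, modelled only as far as this thread needs (assumed model)."""
    name: str
    pvid: dict                                  # port -> VLAN given to untagged ingress frames
    tagged: dict                                # vlan -> ports that transmit it with the tag kept
    untagged: dict                              # vlan -> ports that transmit it with the tag stripped
    links: dict = field(default_factory=dict)   # port -> (peer Switch, peer port) for uplinks

    def members(self, vlan):
        return self.tagged.get(vlan, set()) | self.untagged.get(vlan, set())

    def forward(self, in_port, tag, out):
        """Flood one frame entering in_port (tag=None means it arrived untagged).
        Every edge port the frame reaches is recorded as (switch, port, vlan, egress)."""
        vlan = tag if tag is not None else self.pvid[in_port]   # ingress classification
        if in_port not in self.members(vlan):
            out.append((self.name, in_port, vlan, "dropped on ingress"))
            return
        for port in sorted(self.members(vlan) - {in_port}):
            egress_tag = vlan if port in self.tagged.get(vlan, set()) else None
            if port in self.links:                               # uplink: hand to the peer switch
                peer, peer_port = self.links[port]
                peer.forward(peer_port, egress_tag, out)
            else:                                                # edge port: a device receives it
                out.append((self.name, port, vlan, "tagged" if egress_tag else "untagged"))

def link(a, port_a, b, port_b):
    a.links[port_a] = (b, port_b)
    b.links[port_b] = (a, port_a)

def two_switch(trunk_tagged):
    """Posts 1-5: VLAN 2 = modem/WAN on port 2, VLAN 1 = LAN on ports 3-8, port 1 is the
    cable between the rooms. trunk_tagged=False is the configuration as first posted
    (port 1 untagged in both VLANs, PVID 1); True is the fix from post 5."""
    def make(name):
        tagged = {1: set(), 2: set()}
        untagged = {1: {3, 4, 5, 6, 7, 8}, 2: {2}}
        for v in (1, 2):
            (tagged if trunk_tagged else untagged)[v].add(1)
        return Switch(name, pvid={1: 1, 2: 2, **{p: 1 for p in range(3, 9)}},
                      tagged=tagged, untagged=untagged)
    living, office = make("living"), make("office")
    link(living, 1, office, 1)
    out = []
    living.forward(2, None, out)      # an untagged frame from the provider modem
    return out

def three_switch(middle_fixed):
    """Posts 8-9: VLAN 1 = WAN (untagged on port 3), VLAN 2 = LAN (untagged on 4-8),
    switch 2 sits between switches 1 and 3. As posted, switch 2's port 2 was tagged in
    VLAN 1 only; middle_fixed=True tags ports 1 and 2 in both VLANs as post 9 advises."""
    def make(name, lan_trunks):
        return Switch(name,
                      pvid={1: 1, 2: 1, 3: 1, **{p: 2 for p in range(4, 9)}},
                      tagged={1: {1, 2}, 2: set(lan_trunks)},
                      untagged={1: {3}, 2: {4, 5, 6, 7, 8}})
    sw1 = make("sw1", {1})
    sw2 = make("sw2", {1, 2} if middle_fixed else {1})
    sw3 = make("sw3", {1})
    link(sw1, 1, sw2, 1)
    link(sw2, 2, sw3, 1)
    out = []
    sw3.forward(5, None, out)         # a frame from the router's LAN side, entering VLAN 2
    return sorted({name for name, _, vlan, _ in out if vlan == 2})

if __name__ == "__main__":
    print("untagged trunk, modem frame reaches:", two_switch(False))
    print("tagged trunk,   modem frame reaches:", two_switch(True))
    print("middle switch as posted, LAN frame reaches:", three_switch(False))
    print("middle switch fixed,     LAN frame reaches:", three_switch(True))
```

With the untagged trunk, the modem frame comes out of the office switch on ports 3-8 (the LAN), never on port 2 (the router's WAN side); with the tagged trunk it comes out only on port 2. In the three-switch case the LAN frame stops at the middle switch until its second uplink is made a tagged member of VLAN 2. Real switches differ in the details (post 5 describes the frame being discarded; this model reclassifies it), but the test to run on any of them is the same: send something from the WAN side and confirm it cannot be seen on a LAN-only port.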
  10. intelligo

    intelligo New Around Here

    Joined:
    Dec 4, 2016
    Messages:
    3
    Location:
    Southeast USA
    Basic 802.1Q VLAN configuration for TP-Link SG-105Ev2 switch with Asus RT-AC68U router (Merlin firmware RT-AC68U_380.63_2):

    I must be missing something basic in this configuration I am attempting (see image). I'd like to define several tagged 802.1Q VLANs for a small network, but the hosts for different VLANs are scattered across different physical locations throughout the network. In the network diagram, hosts for VLAN101 hang off different switches MOCA1 and MOCA2, and both switches connect to different ports on the SG-105Ev2 switch. I'd also like all VLANs to have internet access, but also have some VLANs communicate with other VLANs within the same network. This TP-Link guide somewhat resembles what I'd like to achieve, but although the VLANs can access the internet, neither VLAN can communicate with the other.

    I see that the article shows in Example 1 how to assign IP subnets to VLANs for the Linksys LRT224 router, but in reviewing the documentation for the SG-105Ev2 (and RT-AC68U), I cannot find guidance for how to do this. Without being able to assign subnets to VLANs either in the SG-105Ev2 switch or RT-AC68U router, I don't see how I can set up VLANs on my network.

    Question: is there some way to assign IP subnets to VLANs with this hardware?

    Thanks as always for your expert guidance!
     
  11. BDH

    BDH New Around Here

    Joined:
    Jul 24, 2015
    Messages:
    7
     
  12. BDH

    BDH New Around Here

    Joined:
    Jul 24, 2015
    Messages:
    7
    From a quick look at the hardware, specifically the 3 switches where the VLANs are defined, none appears to have layer 3 capability. They only have the layer 2 capabilities needed to implement VLANs. Without layer 3, you cannot assign unique subnets to each VLAN in order to route them to each other or to the Internet. At the time of this writing, consumer grade wifi routers are not able to handle this subnetting either. Wifi routers are usually limited to 2 subnets, one for the WAN and one for the LAN. The default for most factory wifi router firmware is that all of the LAN ports are in the same VLAN. Aftermarket firmware like DD-WRT allows the LAN ports to be independently assigned to unique VLANs, but that is as far as it goes. It is left to another device to supply capabilities like defining multiple layer 3 subnets, linking those to a unique VLAN and providing a DHCP server that can handle multiple scopes for the various subnets.

    When I reached the point where just a WAN & LAN subnet did not suffice, I replaced one of my layer 2 switches with a Cisco SG300, which does all the same layer 2 VLAN functionality, but adds the needed level of layer 3 capability to handle routing and a DHCP server that can handle multiple scopes. This enabled me to create several subnets, tie each to its own VLAN, then make any of those VLANs available on any of the other layer 2 switches via 802.1q trunking. This enabled me to route any subnets that I wanted to have Internet access to my DD-WRT based wifi router. Other subnets that I wanted to remain local were not given routing to the Internet. It is also possible to create ACLs to allow or deny access from the various subnets to each other.

    I hope this helps-
     
  13. t84a

    t84a New Around Here

    Joined:
    Mar 25, 2013
    Messages:
    9
    Location:
    Maryland
    I read the article and I would like to use the LRT224 but I really don't want to have to buy a managed switch. Is this not possible to accomplish with just the LRT224? I have WANs from Comcast and Verizon and then I want PRIVATE and PUBLIC segments. This is easily accomplished using Untangle but at a far greater cost.

    It would be nice if the LAN ports could be configured to provide the segmentation. All PRIVATE traffic would go through one LAN port and the PUBLIC traffic would go through another one.

    Help me understand why this can't be done using just the LRT224. Thanks
     
  14. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,652
    Location:
    texas
    My one thought about your setup is to remember only the default VLAN can pass untagged traffic from VLAN switch to VLAN switch on a trunk. If you want to connect a dumb switch to your router use a tagged access port. The data from the switch will be processed in the router as tagged but passed back to the switch as untagged data.
     
  15. AsceticWonder

    AsceticWonder New Around Here

    Joined:
    Nov 3, 2017
    Messages:
    1
    Hello everyone...

    I don't have any experience in VLANs and am in the process of setting up a small office that I think will benefit from segregating the network. Doug's article is great and I will have a router and switch that support 802.1Q.

    If someone can confirm that I'm understanding this right. If I want to keep my surveillance cameras completely segregated, I would put them on ports that are untagged members of VLAN 20 (let's say). Now if I want to access the NVR from the LAN/WAN, I would have to put that machine on a port that is an untagged member of the default VLAN and a tagged member of VLAN 20, correct?

    I plan on getting a Pepwave SOHO router. If I assign DHCP servers to each VLAN, then the above configuration will give all my IP cameras an IP address like 192.168.20.x? And my NVR will be in the default subnet 192.168.1.x?

    To keep the IP cameras walled off from the WAN, is it a matter of just making sure the IP cameras' ports are not members of the default VLAN? Or do I need to disable inter-VLAN routing? This is the confusing part... I don't know how the NVR can communicate with the IP cameras on a separate subnet without allowing the IP camera subnet access to the WAN. (Similarly, I don't understand how on a guest wifi network you can disable inter-VLAN routing to keep guests off your LAN, but still provide internet access from the default VLAN.)

    Any help appreciated!!!!
     
  16. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,652
    Location:
    texas
    In small networks that this site supports your default VLAN is going to be your untagged VLAN which is VLAN1. I would run my cameras in a separate tagged VLAN with limited access.
     
  17. abailey

    abailey Very Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    576
    Location:
    Tennessee, USA
    This is not correct. Most things you put on your network are not VLAN aware (like PCs, cameras, smart TVs, game systems, etc.). This means they do not recognize tagged packets. Things like routers, some WAPs, etc. can recognize tagged packets and can work with multiple VLANs at once. So when you are sending more than one VLAN through a port then that port needs to be tagged in the VLANs you want to send through it. For example, if you want to send two VLANs to your router through one port, then that port would be a tagged member of both VLANs. Things get a little more complicated when you start talking about default VLANs. Thus I usually tell people to not use the default VLAN and make new VLANs for all their ports. So in your example the NVR would be an untagged member of whichever VLAN you want it in (but a member of only 1 VLAN).


    Yes you decide what IP range you want the router to hand out. The two examples you gave are fine.


    For subnets (and in your case VLANs) to talk to each other you must have a router. Most routers that can route subnets have rules you can apply as to what VLANs can talk to each other, or the internet. They can also usually let even just one device on a subnet talk to another subnet if you want.
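Post 12 explains that a layer 2 switch only keeps the VLANs apart and that a layer 3 device (router or L3 switch) is what routes between their subnets and applies ACLs; the question in post 15 is how the NVR can then reach the cameras without the camera VLAN gaining a path to the WAN. The following is an added example written for this thread, not code from the forum or from any router vendor. It models that layer 3 hop with a stateful connection table: the VLAN numbers and 192.168.x.0/24 subnets follow post 15, while VLAN 30 (a guest network for the analogy in the same post), the `Router` class, the `RULES` format and the sample flows are constructed here. The answer it demonstrates is that the camera VLAN needs no "allow" rule at all: sessions opened from the NVR side are recorded, replies are admitted because they match an established flow, and anything the cameras initiate towards the WAN or another VLAN falls through to the default deny.

```python
import ipaddress

# Constructed sample addressing, following AsceticWonder's post: VLAN 1 holds the NVR
# (192.168.1.x), VLAN 20 the cameras (192.168.20.x). VLAN 30 is a guest network added
# here to mirror the guest-wifi analogy in the same post.
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
}
WAN = "wan"   # pseudo-zone for everything reached through the default route

# Ordered first-match policy: (source zone, destination zone, verdict); None = any zone.
# Replies to admitted sessions are matched by the connection table before the rules run,
# so the cameras can answer the NVR without any rule letting them initiate traffic.
RULES = [
    (1, 20, "allow"),       # NVR (and the rest of VLAN 1) may open sessions to the cameras
    (1, WAN, "allow"),      # the LAN gets internet access
    (30, WAN, "allow"),     # guests get internet access only
    (None, None, "deny"),   # default deny: cameras -> WAN, guests -> LAN, cameras -> guests
]

class Router:
    """The layer 3 hop between VLANs, with a minimal stateful connection table (assumed model)."""
    def __init__(self, vlans, rules):
        self.vlans, self.rules = vlans, rules
        self.flows = set()    # (src, sport, dst, dport) of sessions already admitted

    def zone(self, addr):
        ip = ipaddress.ip_address(addr)
        for vid, net in self.vlans.items():
            if ip in net:
                return vid
        return WAN

    def forward(self, src, sport, dst, dport):
        src_zone, dst_zone = self.zone(src), self.zone(dst)
        if src_zone == dst_zone:
            return "switched"              # same VLAN: the switch delivers it, the router never sees it
        if (dst, dport, src, sport) in self.flows:
            return "allow (established)"   # reverse direction of a session admitted earlier
        for rule_src, rule_dst, verdict in self.rules:
            if rule_src in (None, src_zone) and rule_dst in (None, dst_zone):
                if verdict == "allow":
                    self.flows.add((src, sport, dst, dport))
                return verdict
        return "deny"

def demo():
    """Replays the flows discussed in the thread and returns the router's verdict for each."""
    r = Router(VLANS, RULES)
    nvr, cam, guest, internet = "192.168.1.10", "192.168.20.5", "192.168.30.7", "203.0.113.9"
    return {
        "nvr -> camera rtsp": r.forward(nvr, 40000, cam, 554),
        "camera -> nvr reply": r.forward(cam, 554, nvr, 40000),
        "camera -> internet": r.forward(cam, 40001, internet, 443),
        "camera -> camera": r.forward(cam, 40002, "192.168.20.6", 80),
        "guest -> internet": r.forward(guest, 40003, internet, 443),
        "guest -> nvr": r.forward(guest, 40004, nvr, 443),
        "nvr -> internet": r.forward(nvr, 40005, internet, 443),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22s} {verdict}")
```

The same ordering (same-VLAN traffic never reaches the router, established replies first, then first-match rules, then default deny) is how stateful firewalls on routers and L3 switches behave in general, so the check to perform on a real device is the one the sample flows encode: a session opened from a camera towards the internet or towards another VLAN must be denied even while the NVR's own sessions to the cameras are working.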
     
  18. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,652
    Location:
    texas
    Cameras and devices do not need to be VLAN aware to run in a tagged VLAN. The switch handles the VLAN tags, not the cameras. The statement above makes me believe you do not really understand how to set up tagged VLANs. I don't understand multiple tags, as trunks pass multiple VLANs. Devices do not need to be tagged in multiple VLANs.

    PS
    Setting up tagged VLANs the simple view
    1. Default VLAN will be the only untagged VLAN usually VLAN1. AND it is the only untagged traffic allowed to pass on a trunk port.
    2. Tagged VLANs are created on the switch and router if you are not using a layer 3 switch. If using layer3 switch the stand alone router is not VLAN aware as the layer3 switch does the VLAN routing.
    3. The camera devices and such are plugged into a switch port which is assigned to a VLAN. The switch will tag that device's packets. The device does not even know about VLAN tags. Devices do not need to be in multiple VLANs.
    4. Trunk ports allow multiple switches to connect with multiple VLANs. Trunk ports are used to connect VLAN aware devices.
    5. To talk across VLANs you will need a router or layer3 switch.

    Follow these simple rules and you can build big networks with lots of switches.
     
    Last edited: Jan 4, 2018
  19. abailey

    abailey Very Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    576
    Location:
    Tennessee, USA
    After looking back at my post I did not write it clearly and maybe a little over your head. I apologize. What I meant was that end devices cannot be connected to a tagged port if they are not VLAN aware. They need to be connected to an untagged port. Once again I apologize if my explanation was overly complex.
     
  20. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,652
    Location:
    texas
    This is what I think you don't understand. The end devices need to be connected to a tagged port to be in that VLAN. I think you have it wrong. I have built VLAN networks for 20 years. I think I understand that you don't understand.

    PS
    Check my simple VLAN network description above. This is the way you build big VLAN networks.
     
    Last edited: Jan 4, 2018