VLAN How To: Segmenting a small LAN

I would first of all like to thank the author for these 2 great articles. There are tons of general guides and manuals about VLANs these days, but those two are probably the only ones that actually describe in detail the actual implementation on most known consumer/SOHO switches.

I did manage to get the tagged VLANs (802.1Q) working with DHCP, multiple switches AND a VLAN-aware router - the whole shebang. However, I tried to poke around the simple setup with a non-VLAN-aware router and no tagging and....it just didn't work :O

I basically followed this guide:
https://www.smallnetbuilder.com/lan...how-to-segment-a-small-lan-using-tagged-vlans
and my setup is the following:
router<--port1-->switch<---port4-->PC
vlan1 contains all 8 ports untagged
vlan 2 contains port 1+4 untagged
port 4 PVID = vlan2


In other words, exactly, as in the guide.

1. DHCP isn't leasing me any IPs - I get APIPA
2. Even with static IP (incl. router as gateway), I cannot ping either the router itself or anything else....

All the devices are on the same subnet.

Switch is a Netgear108Tv2 with the latest firmware (5.4.2.27)


What am I doing wrong ??:(
If you have figured this out, please post here...
dreid also said in Example 2 that the Netgear GS108Tv2 will also work with 802.1Q...
 
There are cheap routers that can do what you need. The problem is, usually the cheaper you go, the more you need to know. In other words the cheaper ones usually assume you know more about networking and thus they save money on their user interfaces. Some of them make you use command line to set the router up. Mikrotik and Ubiquiti are two vendors that come to mind that have good, cheap routers. I am not very familiar with Mikrotik but here is a cheap, decent, Ubiquiti router. It does have a wizard to help you with initial setup but you will need to put some time into the config as the learning curve is fairly steep. The Ubiquiti router would hook to the internet in your case and you could put the Asus router in AP mode for your wireless.
It appears this Ubiquiti router can handle multiple VLANs. If I only need 2 Vlans, do I even need a L2 switch?
Thanks
 
It appears this Ubiquiti router can handle multiple VLANs. If I only need 2 Vlans, do I even need a L2 switch?
Thanks
All switches are at least L2 network devices. I believe you mean an L3 switch, the only kind that handles IP routing?
In this case, no, not necessarily - Ubnt EdgeRouters have 3+ ethernet ports, and any of those can be freely configured to whatever you want them to be. E.g. eth0 can be configured as a WAN port, eth1 as VLAN1 and eth2 as VLAN2, effectively separating your LAN in two.
 
Yes, the author mentions, that it's a GS108Tv1 switch. I just don't get it, that then means, that Netgear has just removed the portVLAN functionality in the V2 release, which just doesn't make sense, or it's just a bug they don't care to fix.
I have now read both V1 & V2 manuals. They both state that to do inter-VLAN routing, you need a VLAN-aware router.
 
I have now read both V1 & V2 manuals. They both state that to do inter-VLAN routing, you need a VLAN-aware router.
Yes, but I'm not doing inter-VLAN routing, I'm just trying to have a few port-based VLANs and connect the clients to the internet.
As I also mentioned, the V1 guide clearly shows that it easily can be done.
 
Yes, but it is not working for us, right.
The way I'm looking at this (and the way Netgear explained it to me) we are trying to do inter VLAN routing. If you have your router /WAN connected to port 1 VLAN1, and your PCs to VLAN 2, VLAN 2 packets need to be routed to VLAN1.
Maybe dreid can shed some light on this...
 
Just talked with Netgear support again. They say the GS108Tv2 can definitely do this. Since this is not a L3 switch, you must configure the switch for "asymmetric" VLAN. That is, you have to create another VLAN (say 10) and configure it as an UPLINK on one of the ports. Then go back and change the VLID of the other VLANs. If you call Netgear support, they will walk you thru setting up an "asymmetric" VLAN config.
 
Just talked with Netgear support again. They say the GS108Tv2 can definitely do this. Since this is not a L3 switch, you must configure the switch for "asymmetric" VLAN. That is, you have to create another VLAN (say 10) and configure it as an UPLINK on one of the ports. Then go back and change the VLID of the other VLANs. If you call Netgear support, they will walk you thru setting up an "asymmetric" VLAN config.
I'm already talking to Netgear in their forum. So far, they managed to show me this document and ask to test a few simple steps:
https://drive.google.com/file/d/0B4PuVEYxkQ5oa0lHdzNZUW94MDQ/view
However, it didn't have any effect at all - it's actually the same setup I did from the beginning where all the ports were untagged and several VLANs were attached to the same port.

I want to see a guide with pictures of the actual setup incl. model no. and firmware version so I can believe it's possible....
 
flipflOp,

I spent 2 hours+ with Netgear tech support, and we got it working! VLAN100 (port 8) to the router, and added VLAN 50 (port 5 & 6) & VLAN 70 (port 7). Even DHCP works.
You have to find someone who knows how to set up asymmetric VLANs.
Make sure you have the latest version of the firmware, version 5.4.2.27. Suggest you also install the Smart Control Center Manager. This was needed to find out the switch's DHCP address when you

I will try to document what we did and post it here tomorrow. It is somewhat involved...
 
I spent 2 hours+ with Netgear tech support, and we got it working! VLAN100 (port 8) to the router, and added VLAN 50 (port 5 & 6) & VLAN 70 (port 7). Even DHCP works.
You have to find someone who knows how to set up asymmetric VLANs.

Mentioned earlier that the GS108T would do the job - does what it does, and it's a bit obtuse on how it does it as it does tend to be netgear specific...

That being said - the 108T is a bit of a hidden gem at the price point...
 
flipflOp,

I spent 2 hours+ with Netgear tech support, and we got it working! VLAN100 (port 8) to the router, and added VLAN 50 (port 5 & 6) & VLAN 70 (port 7). Even DHCP works.
You have to find someone who knows how to set up asymmetric VLANs.
Make sure you have the latest version of the firmware, version 5.4.2.27. Suggest you also install the Smart Control Center Manager. This was needed to find out the switch's DHCP address when you

I will try to document what we did and post it here tomorrow. It is somewhat involved...

I hope I did not forget any steps... I was not able to upload VLAN70 membership.jpg (too many files), but it is similar to VLAN50.

0. Install latest firmware to 5.4.2.27. If you do a factory reset after installation, it will change the IP of the switch to 192.168.0.x. You must change your PC IP to 192.168.0.x to be able to change the switch to a static IP on 192.168.1.x. To see the switch's IP and FW version, run the SCCM utility.

1. Set switch to static IP (on 192.168.1.x)
2. Set PC to static IP (for starters, after things work, change to DHCP)
3. Connect router to port 8
4. Connect laptop to port 2
5. Check that PC can get to Internet
6. Do VLAN configuration
7. Do VLAN memberships for all ports (all Untagged)
8. Change PVID for VLANs

- Test getting from port 5, 6, and 7 to the internet
- Test pinging between VLANs
- Test DHCP
Note: something is goofy with ping from my pc. From VLAN1, ping reaches device on VLAN50 & 70 & 100, but NOT between VLANs. The Netgear tech will call me back with a possible.

If you still can't get it to work, call Netgear and they will walk you thru set up. Like I said, get someone who knows about asymmetric VLANs.
 

Attachments

  • VLAN Configuration.jpg
  • VLAN Membership VLAN1.jpg
  • VLAN Membership VLAN50.jpg
  • VLAN Membership VLAN100.jpg
  • VLAN PVID Config.jpg

Hi dieter, and thanx for the effort.
Well, the thing is, it's never a problem to get any devices on default VLAN1 to reach internet and DHCP even if the uplink/trunk port is on different VLAN (in your example, VLAN100 on port 8). In my case, the problem still remains if I assign a port a PVID of smth. else than VLAN1 and the PVID of the trunk port. E.g. in this case, ports 5,6,7 are cut off from everything, but themselves, as their PVID is 50+70 and the trunk port has PVID 100. PC on port 2 would work just fine as it resides on the default VLAN1, so as your non-VLAN-configured router by default.

With the setup you showed me, did you manage to access the rest of the network (Internet) from ports 5,6,7 ?

According to that description of Asymmetric VLANs (link in my previous post) that Netgear support provided to me, the whole idea is rather simple and should work. I mean, you basically do following:
  • create VLAN X+Y for client machines
  • create VLAN Z for the "uplink"/trunk port

  • assign client1 machine's untagged port to VLAN X and VLAN Y and VLAN Z
  • assign client2 machine's untagged port to VLAN Y and VLAN X and VLAN Z
  • assign the uplink port to VLAN Z

  • assign client1 machine's port to PVID X
  • assign client2 machine's port to PVID Y
  • assign uplink port PVID Z
Then connect the router to the uplink port.

So, in short terms: make sure all VLANs contain untagged ports, assign them to each other and make sure, the uplink/trunk port is a member of all VLANs needed to go through that port. And the key is to have everything to be on the same subnet.

However, the reality with these Netgear switches seems different. If e.g. switch port5 has PVID of VLAN5 and the trunk port8 has PVID of 10, no matter how many other VLANs those ports are members of, port5 won't send traffic through that trunk port :-((((
 
Well, after hours of poking around, looks like I got it working...somehow

Actually, I tried all kinds of combinations and...ended up with exactly the same setup I began with...and this time it was working! With DHCP and everything!
So the approach to the Asymmetric VLAN is very simple:

E.g.
  • define VLAN 10 + 20
  • define the trunk/gateway - VLAN50 (or keep the default VLAN1)
  • make ports 4+5 only members of VLAN10 and VLAN 20 respectively
  • make all ports needing access to the outside network (extra switch or router) members of VLAN50
  • set port 1 to PVID50
  • set port 4+5 to PVID10 and PVID20 respectively
And the setup works as intended - port 4+5 are getting IPs from DHCP-server and are online, but cannot talk to each other as they are on different VLANs.

Now, the biggest question still remains - Why the #¤%# didn't it work before ?!

A few reboots were made, yes, but otherwise, nothing else!

Additional question:

- What exactly are tagged VLANs needed for, then, compared to untagged ones, if the asymmetric VLANs support the network segmentation and DHCP?
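
An added example (not part of the original post or of Netgear's documentation): a small Python model of how an 802.1Q switch forwards untagged frames, applied to the port numbers and VLAN IDs in the post above. It assumes the uplink port 1 is also an untagged member of VLAN 10 and VLAN 20, and it models only the switch, not any device attached to it.

```python
# Added example: untagged ("asymmetric") VLAN forwarding on an 802.1Q switch.
# Ports and VLAN IDs follow the post; the uplink's membership in VLAN 10 and
# VLAN 20 is an assumption of this example.
UPLINK = 1
PVID = {1: 50, 4: 10, 5: 20}      # port -> VLAN given to untagged ingress frames
MEMBERS = {                        # VLAN -> ports that may send it out untagged
    10: {1, 4},
    20: {1, 5},
    50: {1, 4, 5},
}


def can_deliver(src, dst, pvid=PVID, members=MEMBERS):
    """An untagged frame entering on src is classified into pvid[src] and may
    leave only on ports that are members of that VLAN."""
    return src != dst and dst in members.get(pvid[src], set())


def two_way(a, b, pvid=PVID, members=MEMBERS):
    """True when frames can cross the switch in both directions."""
    return can_deliver(a, b, pvid, members) and can_deliver(b, a, pvid, members)


def audit(pvid=PVID, members=MEMBERS, uplink=UPLINK):
    """Report which client ports reach the uplink and which client pairs the
    switch itself keeps apart."""
    clients = sorted(p for p in pvid if p != uplink)
    report = {"uplink_ok": [], "isolated": [], "leaks": []}
    for p in clients:
        if two_way(p, uplink, pvid, members):
            report["uplink_ok"].append(p)
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            direct = can_deliver(a, b, pvid, members) or can_deliver(b, a, pvid, members)
            report["leaks" if direct else "isolated"].append((a, b))
    return report


if __name__ == "__main__":
    print(audit())
    # Same PVIDs, but the uplink left out of the client VLANs: replies still
    # arrive from port 1, yet nothing sent from ports 4 or 5 can leave on it.
    broken = {10: {4}, 20: {5}, 50: {1, 4, 5}}
    print(audit(members=broken))
```

The report covers the switch alone; whether hosts stay separated end to end also depends on what the device on the uplink relays, which is what the router-unplugged ping test later in the thread checks.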
 
Note: something is goofy with ping from my pc. From VLAN1, ping reaches device on VLAN50 & 70 & 100, but NOT between VLANs. The Netgear tech will call me back with a possible.
Ping from where? Devices residing on different VLANs are by default not supposed to talk to each other - that's the whole point of VLANning.
 
Everything is working now!
Netgear support proved that the problem with ping is the ASUS RT-AC1900P. When "removing" the connection (from Port 8) to the Asus router, NO pings between VLANs.
With the Asus router connected to port 8, pings reach all the devices on the VLANs.

Replacing the Asus router with a DLINK DIR655, pings work as they are supposed to. No pings between VLANs.

All devices on the VLANs can access the internet via Port 8 (to the DIR655).
DHCP is also working.


Netgear (nor I) can not explain why pings reach across VLANs with the Asus router.

Maybe RMERLIN can explain this, and maybe there is a setting in the Asus router to make this work.

Any comments would be appreciated.

flipflOp, I suggest you remove your router and test pings...
 
Everything is working now!
flipflOp, I suggest you remove your router and test pings...
Why would I do that? As I said, NOT being able to ping between VLANs is what network segmenting with VLANs is all about. It IS a problem if you can without inter-VLAN routing....
 
If you remove the router and the pings fail, you have set up the switch correctly.
If after reconnecting the router the pings are successful, the router is causing the problem, as was the case with my Asus router.
 
If you remove the router and the pings fail, you have set up the switch correctly.
If after reconnecting the router the pings are successful, the router is causing the problem, as was the case with my Asus router.

Only in this use case - but it's risky to suggest that failure is a misconfig - depends on the switch and the network topology here...
 
