VLAN usage question


timmy2

(NOTE: I have read the SNB article, "VLAN How To: Segmenting a small LAN", which introduced me to the fundamentals of using the VLAN feature of a managed switch.)


Let's assume I have a router and a low-end, web-managed switch that both offer VLAN capabilities.

On the switch I have some ports assigned to VLAN 2 and some to VLAN 3.

Only one PC is connected to the router and it is assigned to VLAN 3 (let's refer to this PC as "Fred's PC"). The only other device connected to the router is the aforementioned switch.

Will "Fred's PC" have complete access to the PCs connected to VLAN 3 ports on the switch, and vice versa? Conversely, will the VLAN 2 users on the switch be isolated from and unable to access Fred's PC?

Note that I have only one network cable available to connect the router to the switch, and rewiring is next to impossible.

Are there any exceptions I should know about, like must the switch and router be of the same brand?

Thank you.
It's not the brand so much as the type of tagging, like 802.1q. When I create a VLAN I always turn it into a network level VLAN, so you need routing between my VLANs. It is the only way I set up VLANs. Whether VLANs can communicate with each other depends on how I wish to set up security. Sometimes I only want a printer to be used off a different VLAN and not allow the PCs to talk to different VLANs. It is the way I structure security.

In my world if you want multiple LANs to communicate across 1 wire you can either use a trunk port or a routed port. I don't mess with layer 2 VLANs without assigning a network to the VLAN.
 
Thank you for replying, @coxhaus, but your reply is over my head. My only exposure to VLANs was long ago with a Linksys RV082 (no external switch involved), where I simply isolated two groups of PCs by assigning them to different VLANs. They all continued to have access to the Internet but could not see each other, share files/folders, etc.

From the Small Net Builder article, "VLAN How To: Segmenting a small LAN", I learned that there's more to it than simply assigning ports to different VLANs. While I think I can extrapolate from that article and configure a managed switch like the NETGEAR ProSAFE GSS116E to segregate two groups of PCs (solely for security purposes in my case, e.g., "office" vs "guests"), I don't know how to configure the router -- with its single PC user -- so his PC can be part of one of the switch's VLAN "groups".
 
With VLAN's - Some vendors do 802.1q, some do port based - and some do a mix...

Keeps network admins employed - with a lot of grey hair sometimes ;)

The big challenge is mixed vendors - as one might do 802.1q, and others try to do something else...

Pen/Paper - and drawing out things sometimes is the best approach, and careful study of the user manuals - otherwise, one can get into a very odd place, it might work, but it can lead to traffic going where one doesn't want it to go.
 
Note to readers: I'm looking for a simple recipe here. Maybe this is the wrong forum for that, so please let me know if that's the case.

The current application seems one step removed from rudimentary, to my simple mind. Back when the application involved a single Linksys RV082 all I did was assign guests to one VLAN and office workers to another VLAN. I was not confronted with options like tagging and port types, and yet it worked.

The difference here is that a switch AND a router are involved.

Office workers connected to the switch will be on one VLAN.

Guest PCs connected to the switch will be assigned to a different VLAN.

Maybe there's a third VLAN that everyone is assigned to so they can access the Internet. The SNB article, "VLAN How To: Segmenting a small LAN" gives me that impression.


The hurdle to me is that the business owner's PC is connected to the downstream router. I wish it was as simple as assigning him to the same VLAN number used on the switch for the office workers, but there are these darned options like tagging and port types, and now "802.1q", all of which I know nothing about (and articles I've found about them get awfully involved).

Can someone just tell me the VLAN settings needed for this application?
 
This is the way I do VLANs. I posted this before.

Back when VLANs first came out from Cisco they seemed complicated. Then over the years I came up with a few rules to make things simple which works with small and large networks.
1. When creating VLANs always assign a network to each VLAN.
2. VLANs are routed just like regular networks so you need a layer 3 device.
3. VLANs are always tagged so they work with one or more switches.
4. When connecting VLANs devices together use a trunk port.
5. If you are connecting to a non-aware VLAN device use an access port.

I think with these very simple rules you can build any size network using VLANs. These simple rules allow for easy maintenance and troubleshooting.
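As an added illustration of rules 3 to 5 above and of the original question (Fred's PC on the router, one cable to the switch), here is a small model of 802.1Q port-based forwarding. It is example code, not from this thread or any vendor: the device and port names are constructed, and it assumes a trunk port drops untagged frames and that the topology has no loops.

```python
import struct
TPID_8021Q = 0x8100

def make_tag(vid, pcp=0, dei=0):
    """Encode the 4-byte 802.1Q tag: TPID, then PCP(3) | DEI(1) | VID(12)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | (vid & 0xFFF))

def read_vid(tag):
    """Decode the VID from a 4-byte tag; None if it is not an 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", tag[:4])
    return tci & 0xFFF if tpid == TPID_8021Q else None

class Port:
    def __init__(self, dev, mode, vids):
        self.dev, self.mode, self.vids, self.link = dev, mode, set(vids), None
    def ingress_vid(self, tag):
        """Classify an arriving frame. Access port: its PVID, tagged frames dropped.
        Trunk port: VID comes from the tag and must be allowed (untagged dropped: assumption)."""
        if self.mode == "access":
            return next(iter(self.vids)) if tag is None else None
        vid = read_vid(tag) if tag else None
        return vid if vid in self.vids else None
    def egress(self, vid):
        """Tag bytes on a trunk, b"" (untagged) on an access port, None if not a member."""
        if vid not in self.vids:
            return None
        return make_tag(vid) if self.mode == "trunk" else b""

def cable(a, b):
    a.link, b.link = b, a

def reachable(ports, src, dst):
    """True if an untagged frame from the host on src is flooded to the host on dst."""
    vid, todo = src.ingress_vid(None), [src]
    while vid is not None and todo:
        came_in = todo.pop()
        for p in (p for p in ports if p.dev == came_in.dev and p is not came_in):
            out = p.egress(vid)
            if out is None: continue          # port is not in this VLAN
            if p is dst:
                return True
            if p.link and p.link.ingress_vid(out or None) == vid:
                todo.append(p.link)           # crossed the cable, flood the next device
    return False

# Constructed topology: router access port for Fred (VLAN 3), one trunk cable to the switch.
fred, office, guest = Port("router", "access", [3]), Port("switch", "access", [3]), Port("switch", "access", [2])
r_trunk, s_trunk = Port("router", "trunk", [2, 3]), Port("switch", "trunk", [2, 3])
cable(r_trunk, s_trunk)
PORTS = [fred, r_trunk, s_trunk, office, guest]
```

With this wiring, `reachable(PORTS, fred, office)` is True while `reachable(PORTS, fred, guest)` and `reachable(PORTS, guest, office)` are False; changing the router's trunk port to an access port for VLAN 3 would instead strip the tag and break the VLAN 2/3 separation across the single cable.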
 
The main thing with VLANs in the home environment - one doesn't have enough seats to justify the configuration complexity that VLANs add in a general context.

In a small/medium business - perhaps - but even then, it's better to just subnet things out perhaps.

There are edge cases where VLANs can help - e.g. VOIP/IPTV/VPN perhaps to provide for traffic separation on an access class perspective, but even then, it doesn't solve many things.
 
The problem with just a subnet without a VLAN is security, or the lack of it, so I disagree. I use VLANs with subnets and superscopes. I use a 248 mask on a VLAN to share printers and stuff. It is much easier to use a network instead of individual IP addresses. I just overlay a 248 mask on a larger network so I am only using a subset of the network which I can reference with 1 statement.
 
VLANs have their advantages, even in small networks. Other than segmentation, security and being organised, you can use it to reduce the number of layer 2 broadcasts and multicasts too. So it has a use actually, just not for the basic home user.
 