Will Switch pass VLAN tag assigned to traffic by the AP on to Router

ThatITGuy

As mentioned in title, I am looking for more information on if a switch will pass VLAN tag/header that was assigned by the Access Point, on to the router. I was recently able to snag a Netgear ProSafe GS728TP for $50, and want to understand potential impacts to my home network.
My setup has been Mikrotik hEX rb750gr3 for my router and an Access Point connected directly to one of its ports for wireless connectivity (as well as numerous wired pathways connected to the other ports). I have 5 SSIDs on the access point, each assigned its own VLAN ID. I then have each of those VLAN IDs set up on the router as their own interface (under that port), with their own network, address pool, and DHCP server (and cross network communication dropped).
With the "new toy", i.e. the ProSafe GS728TP, I would like to plug the Access Point into the switch to leverage the POE capability of the switch to power the access point (currently I just have an extension cord run up to it for powering it), as well as likely running some of the wired branches into it instead of directly into the router. I am still somewhat new to VLANs, so I am trying to understand where the VLAN tagging/untagging on the switch comes into the picture. Does tagging a port / making it a member of a VLAN mean that all communications on that switch port get assigned that VLAN ID by the switch? Does tagging a port / making it a member of a VLAN just let the switch know that there will be VLAN header information coming in on that port (assigned elsewhere), and I need to set up each of the VLANs on the switch and tag them to that port in order for the VLAN header data to make it to the router? If I just leave everything alone on that port, would the switch pass the VLAN header data assigned at the Access Point, or would it strip it and give it the default VLAN ID "1"? How do I configure the switch for that port, so that any VLAN header data assigned by the Access Point makes it to the router intact, so that it can be segmented correctly?
 
Sounds like you need a trunk port connection to your wireless AP. The trunk will need to flow all the way to the router.
 
As long as the tag on the AP matches a tag assigned to the trunk interface to the AP, it should work fine. I do it today with my UniFi gear. A single trunk interface to the AP, different SSIDs on different VLANs, and then I have a trunk interface back to my firewall with the same VLANs.
 
Thanks,
I was missing that I also needed to tag the port that connected the switch to the router with each VLAN id. Did that and it is now working.
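
Added example, not part of the original thread or any poster's code: a small Python model of how a VLAN-aware switch treats a frame the AP has already tagged, showing why the uplink to the router must be a tagged member of the same VLANs. The `Port` class, the VLAN IDs 10/20/30 and the ingress-filtering behaviour are assumptions made for illustration; real switches differ in defaults.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan(frame: bytes):
    """Return (vid, ethertype); vid is None when the frame is untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner  # low 12 bits of the TCI are the VLAN ID

def add_tag(frame: bytes, vid: int) -> bytes:
    # The 4-byte tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

class Port:
    """Hypothetical port config: PVID plus tagged/untagged VLAN membership."""
    def __init__(self, pvid=1, tagged=(), untagged=(1,)):
        self.pvid, self.tagged, self.untagged = pvid, set(tagged), set(untagged)

def forward(frame: bytes, in_port: Port, out_port: Port):
    """Return the frame as it leaves out_port, or None if it is dropped."""
    vid, _ = parse_vlan(frame)
    if vid is None:
        vid = in_port.pvid                 # untagged ingress is classified by PVID
    else:
        frame = frame[:12] + frame[16:]    # keep the VID, work on the bare frame
    if vid not in in_port.tagged | in_port.untagged:
        return None                        # assumed ingress filtering
    if vid in out_port.tagged:
        return add_tag(frame, vid)         # trunk-style egress keeps the tag
    if vid in out_port.untagged:
        return frame                       # access-style egress strips it
    return None                            # out_port is not a member of this VLAN

# Constructed sample: broadcast IPv4 frame that the AP tagged with VLAN 20.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46
FROM_AP = add_tag(UNTAGGED, 20)

ap_port = Port(tagged={10, 20, 30})        # switch port facing the AP
uplink_default = Port()                    # factory state: VLAN 1 untagged only
uplink_trunk = Port(tagged={10, 20, 30})   # uplink tagged in the same VLANs
access_20 = Port(pvid=20, untagged={20})   # access port, e.g. feeding a dumb switch

if __name__ == "__main__":
    print(forward(FROM_AP, ap_port, uplink_default))               # None
    print(parse_vlan(forward(FROM_AP, ap_port, uplink_trunk)))     # (20, 2048)
    print(parse_vlan(forward(UNTAGGED, access_20, uplink_trunk)))  # (20, 2048)
```

The third case models untagged traffic arriving on an access port: the frame carries no tag until the VLAN-aware switch classifies it by PVID.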
 
Once you start using VLANs then use trunk ports on all your uplinks unless you have a VLAN you don't want to pass around. Using trunk port uplinks makes all VLANs available over your whole network.
 
Most current switches will support 802.1q VLAN tagging - even unmanaged ones if the tagging is done upstream at the router...
 
The tagging is done when it enters the VLAN switch. IF you pass a tag through a non-VLAN switch then it is stripped and the info is lost. Then the untagged data is passed to the default VLAN.

If you use a non-VLAN switch then you need to plug it into a VLAN switch where all the data from the non-VLAN switch is tagged when entering the VLAN switch. This allows both to work together.
 
> The tagging is done when it enters the VLAN switch. IF you pass a tag through a non-VLAN switch then it is stripped and the info is lost. Then the untagged data is passed to the default VLAN.
>
> If you use a non-VLAN switch then you need to plug it into a VLAN switch where all the data from the non-VLAN switch is tagged when entering the VLAN switch. This allows both to work together.

I'm not sure that is accurate in all cases.

In my network setup I have multiple switches. The first switch in my network is a TP-Link SG108E which is a smart switch. The LAN ports are divided between three 802.1Q VLANs (100, 101 & 102). One of the ports (VLAN 100) is connected to another TP-Link 108 (not smart).

All the devices connected to the second switch TP-Link 108 are members of VLAN 100 and can communicate with other devices connected to this switch as well as devices connected to VLAN 100 ports on the primary router.

Devices connected to the second non smart switch can not communicate or ping devices that are members of VLAN 101 or 102.

I don't think that is just something peculiar to TP-Link switches as I have repurposed a Linksys 54G router that is used as a switch only. It is connected directly by cable to the TP-Link SG108E on a VLAN 100 LAN port and all devices connected to the 54G are isolated on VLAN 100.

IMHO the VLAN information may be ignored by the non smart switches but it isn't necessarily stripped off the data packets.

I haven't tested what happens if you set up a switch chain smart switch 1--------->switch----------->smart switch 2 and if the 802.1Q VLAN information would flow from smart switch 1 to smart switch 2 so you may be correct in what happens in this case.

I currently am set up so that VLANs 100, 101 & 102 appear on both my smart switches but there isn't an intermediate switch in between them to possibly interfere with the transmission of VLAN tags.

P.S. I just tested what happens if you put a dumb switch between two smart switches and it had no effect on the functioning of the VLANs at least when using TP-Link switches.
 
This is the way it was designed by Cisco in the old days so old switches could be used with the new VLAN switches.

So are you saying you can put a dumb switch in and all the VLANs flow thru the dumb switch? What I am saying is, if you plug a dumb switch into a VLAN port then that dumb switch becomes a member of the VLAN it is plugged into.
 
> This is the way it was designed by Cisco in the old days so old switches could be used with the new VLAN switches.
>
> So are you saying you can put a dumb switch in and all the VLANs flow thru the dumb switch? What I am saying if you plug a dumb switch into a VLAN port then that dumb switch becomes a member of the VLAN it is plugged into.

I don't disagree. What I'm saying is that a dumb switch regardless of where it is in the string of a network doesn't seem to strip off the VLAN data.
 
> What I'm saying is that a dumb switch regardless of where it is in the string of a network doesn't seem to strip off the VLAN data.

From what I've read the behaviour of the switch would be "undefined". I think nowadays even "dumb" switches are 802.1Q aware and just ignore the tag. If you have a really old switch that wasn't "aware" it would look at the EtherType field, see 0x8100 and not understand what the packet was. I read on the Netgear forums that their old switches would drop these packets whereas their newer ones would just ignore the tag. I've not seen anything that says the tags would be stripped (although that's possible). YMMV as they say.
 
> All the devices connected to the second switch TP-Link 108 are members of VLAN 100 and can communicate with other devices connected to this switch as well as devices connected to VLAN 100 ports on the primary router.
>
> Devices connected to the second non smart switch can not communicate or ping devices that are members of VLAN 101 or 102.

So a little bit at a time. The first sentence supports what I said I think. If you plug a dumb switch into a VLAN switch then they are members of that VLAN based on the port definition. I am assuming it is plugged into an access port not a trunk port. A trunk port has no definition. So all untagged packets in a trunk port go to the default VLAN.

The second I am not sure about. What is the second switch plugged into? Is this a routing issue?

PS
Maybe we should include what DHCP is doing? What networks are being assigned in the dumb switches?
 
> I read on the Netgear forums that their old switches would drop these packets whereas their newer ones would just ignore the tag. I've not seen anything that says the tags would be stripped (although that's possible). YMMV as they say.

What does ignore mean? Is the tag passed? If not it is the same as stripping.
 
I don't have any issues mixing smart switches and dumb switches in my network. The point I was trying to illustrate was that at least with either TP-Link switches and even an old Linksys 54G being used as a switch the 802.1Q info including PVID tags are passed through the network and once they have been set on a smart switch passing through/being switched by a dumb switch doesn't remove the information. Perhaps in older switching gear it does get stripped but those were the days when you had to use cross over cables etc.

1. Any devices connected to a dumb switch will be assigned to the VLAN of the port on the upstream smart switch.

2. If the trunking port (member of all VLANs on the first smart switch) between two smart switches passes through a dumb switch the VLAN information is not stripped off but the VLANs existing on both smart switches still function as intended on the second smart switch and members of any VLAN on either smart switch can communicate to other devices in the same VLAN.

I don't have my LAN set up to have dumb switches at intermediate locations in my network. I only temporarily set it up this way to test if the 802.1Q info passed through intact. My dumb switches are located in media cabinets where I need multiple Ethernet connections and only have a single cable.

DHCP on my LAN is set on the router which is upstream of the first smart switch. All devices are assigned IPs in the same subnet. Policy routing is applied and some devices on any of the VLANs are routed through the VPN tunnel.

Again my network functions exactly as I want it to. My posts were to show that at least with my hardware VLAN information passes through dumb switches.
 
> The tagging is done when it enters the VLAN switch. IF you pass a tag through a non-VLAN switch then it is stripped and the info is lost. Then the untagged data is passed to the default VLAN.
>
> If you use a non-VLAN switch then you need to plug it into a VLAN switch where all the data from the non-VLAN switch is tagged when entering the VLAN switch. This allows both to work together.

The current class of desktop unmanaged switches will pass thru the VLAN tags - at least they do with Netgear, DLink, and Linksys (which makes sense, as they're all pretty similar).

Cisco is a bit different with their unmanaged - and I think this is a deliberate design decision.

Keep in mind that there is firmware running, even on so-called dumb switches, and most of the consumer grade stuff is running stock from the chip vendor - Cisco does their own firmware...
 
OK, that makes sense. In the old days I guess chips of dumb switches were designed for 1500 bit packet sizes. Nowadays maybe all the chips are built for the larger VLAN 1518 bit packet size so dumb switches can pass the larger packets without stripping them.

I am not sure Cisco makes a dumb switch any more.
 
So before we completely drop this I would like to know about DHCP. So if the dumb switch is passing tags then it should be able to pass multiple networks. My original statement says all ports on a dumb switch will all be in 1 network. That network will be assigned based on VLAN port IP port assignment. The VLAN tag is assigned for all ports of the dumb switch when they pass thru the VLAN port switch.

I think a dumb switch will not be able to stand up to DHCP working correctly in a VLAN network. The only way a dumb switch will function is being on the outside network where all tags are assigned upon entering a VLAN switch. It makes no sense to me that a dumb switch can pass tags. If it does then it should be able to support multiple DHCP networks. I always assign an IP network to every VLAN. If a dumb switch does not assign a tag how does DHCP know what network to assign to the device?

So tell me, am I still wrong?
 
> So before we completely drop this I would like to know about DHCP. So if the dumb switch is passing tags then it should be able to pass multiple networks. My original statement says all ports on a dumb switch will all be in 1 network. That network will be assigned based on VLAN port IP port assignment. The VLAN tag is assigned for all ports of the dumb switch when they pass thru the VLAN port switch.
>
> I think a dumb switch will not be able to stand up to DHCP working correctly in a VLAN network. The only way a dumb switch will function is being on the outside network where all tags are assigned upon entering a VLAN switch. It makes no sense to me that a dumb switch can pass tags. If it does then it should be able to support multiple DHCP networks. I always assign an IP network to every VLAN.

I may be off here, but I would understand it to work as required if a dumb switch was used for each VLAN network. Then; no issues. ;)
 
OK, that is what I originally posted. Cisco designed old switches to be used in VLANs. The VLAN is assigned to dumb switch traffic when entering the VLAN switch where it is assigned a tag. This limits the dumb switch. There are no tags being passed. The traffic only picks up tags when entering the VLAN switch. DHCP is assigned based on the VLAN port IP address to all dumb switch ports. There are no tags in the dumb switch. They are picked up in the VLAN switch on the way back to the DHCP server.
 