
VLAN How To: Segmenting a small LAN

scotty

I have a quick question regarding the setup in this article. I ask because I might have to set up this very same setup for a friend's office (shared office). I've done lots of VLAN'ing on bigger Cisco switches and routers, but not much on the Linksys-type equipment. My question is essentially about the 'general' port mode offered in the SRW-2008.

The Cisco mentality is that you have trunk ports or access ports. Trunks use .1Q (or ISL) tagging, whereas access ports don't, and can only be a member of 1 VLAN. Normally, you would only have each port (which a device plugs into) as a member of 1 VLAN, and then set up a trunk port to a .1Q aware router, or on a Cisco-type device set up with sub-interfaces and do a Router on a Stick setup.

What I don't get with the article is the "general" mode that gets used, and how it seems to get away with both. It seems as though you can assign multiple VLANs to a port without needing .1Q encapsulation aware devices on the other end. I'm just wondering how this 'general' mode works. Is this all just a function of the switch being used (SRW-2008) and it being 'smart' enough to only transmit frames on ports which it knows are a member of the VLAN?

I've asked a couple higher-end Cisco guys I know and unfortunately they only know how to do it on Cisco devices (ROAS). With this port mode, do you also need a 1Q aware router?
 
I run the SRW2024, and a Cisco 3725 router. On the switch side, I have ports set as access and trunk, but I haven't used General. I think it means that you can define on a per-port, per-vlan basis whether the vlan is tagged or untagged. I think that the .1q spec can only allow one untagged vlan, otherwise the other end will have no way of knowing which vlan a packet goes into.

On the router side, I just implemented sub-interfaces for each vlan, and everything works great.

Best of luck,
Tamarin
 
SRW2008 and VLANs

Thank you for the questions! VLANs can get confusing if you think in Cisco terms on small network devices.

Access mode works well on ports with single non-VLAN-aware devices connected.

General mode comes in handy on the SRW for a port that may have an unmanaged switch connected with devices that are a mixture of VLAN-aware and unaware. For example, you could have a Linux server that is VLAN-aware and a couple of non-VLAN-aware devices on that unmanaged switch all connected to the SRW2008's General mode port. The Linux server could be configured to recognize the tagged frames while the other devices would respond to the untagged frames.

Trunk mode on the SRW applies a VLAN tag to all frames on that port. This mode is useful when connected to a VLAN-capable switch or router, such as a Cisco device.

With port-based VLANs, you can set up simple VLANs to put devices into different groups, and then use a non-802.1Q-capable router. All devices would be in the same subnet and the router port would have to be a member of all VLANs. This solution works well to restrict certain devices on a LAN from accessing other devices.

Good luck at your friend's office!
 
Thanks for the answer Doug!

So it sounds like this quasi-general mode is more a function of the switch's own logic, rather than any particular standard? Unless I have my fundamentals wrong, non-1Q-aware devices can't read 1Q tagged frames, so the 'general' mode keeps things untagged, but the switch itself knows which ports are in which broadcast domain and forwards/floods them appropriately. The logic makes perfect sense, it's just that my brain is wired in Cisco logic.

I've also seen several HP switches I've worked on be able to assign ports to multiple VLANs, so perhaps the idea that non-tagged access ports can only belong to one VLAN is just a Cisco thing?
 
It seems as though you can assign multiple VLANs to a port without needing .1Q encapsulation aware devices on the other end. I'm just wondering how this 'general' mode works. Is this all just a function of the switch being used (SRW-2008) and it being 'smart' enough to only transmit frames on ports which it knows are a member of the VLAN?

I'm not sure if I'm following what you'll be setting up...but yes Linksys does make it quite simple on their managed switches.

Example..your 8 port switch..say you want to have 2x separated networks....Network A and Network B.
Uplink your router into port 1
Plug computers from Network A into ports 2,3, and 4. Assign ports 2, 3, and 4 to VLAN1...and make port 1 (the router) a member of VLAN 1 also.
Plug computers from Network B into ports 5, 6, 7, and 8. Assign ports 5,6,7, and 8 to VLAN 2...and add port 1 (the router) to be a member of VLAN 2 also.

This way, computers from Network A cannot see/browse/do anything with computers from Network B, and vice versa. Yet they can still share the router for internet access.
 
Need help setting up VLANS

Trying to set up two isolated VLANs that can both access printers & internet but not each other.

I tried following the instructions in the article but ended up with the VLANs not isolated or locking myself out of the management interface. The system would warn me that I would lose a connection with the management interface when switching from "tagged" to "untagged". I'm still confused about when to use tagged vs untagged.

Here is what I'm trying to do. (see attachment VLAN-PLAN.jpg)

VLAN 1 - Internet / Default
VLAN 2 - (not used)
VLAN 3 - Office
VLAN 4 - Printers (accessible by VLAN 1,3, & 5)
VLAN 5 - Home


I'm using a Linksys RV042 Router & a Cisco SG 200-08 VLAN switch (slightly different from the article). I'm attaching two 'dumb' switches inside the Office and Home VLANs to allow for expansion.

-- Can I use non-vlan switches with-in a VLAN?
-- Can the Internet VLAN and Default VLAN be the same? or do they need to be separate. (The RV042 router can only be set to VLAN1 apparently… )
-- How should the tagged / untagged settings be set?

-- How should I set up the "port to VLAN" and "port VLAN memberships" settings?
(see attached images)

Any help would be appreciated.

Cheers!
 

Attachments

  • VLAN-PLAN.jpg
  • port_to_vlan.jpg
  • port_vlan_membership.jpg
  • default-vlan.jpg

You can use regular dumb switches, yes. All ports in each dumb switch will belong to the same VLAN as the port on the managed switch they are plugged into.

Don't mess with the default VLAN or use it as your Internet link. Pick another VLAN.

Tagging shouldn't matter unless you are trying to establish VLANs between multiple switches.
 
Thanks! I guess i was thrown off by the Linksys' advertised RV042 VLAN support. ("hard-set" to VLAN1) I see in your example you used VLAN2 for your RV042 / internet.

Cheers!
 
Question on the same article.

Why would one want to configure more than one VLAN per port if it's untagged and if there's a VLAN configured by default (PVID) ?

Thank you
 
A General port is unique as it can be an untagged member of two or more VLANs, whereas an Access and Trunk port can only be an untagged member of one VLAN.

A possible application is to make a port on a switch a General port and to make it an untagged member of two VLANs. Connect this port to a router. Then, put your PCs on access ports that are members of either of your two VLANs.

The end result is the PCs should not be able to cross VLANs, but PCs in both VLANs should be able to access the Internet and router.
 
A possible application is to make a port on a switch a General port and to make it an untagged member of two VLANs. Connect this port to a router. Then, put your PCs on access ports that are members of either of your two VLANs.

The end result is the PCs should not be able to cross VLANs, but PCs in both VLANs should be able to access the Internet and router.
Thank you for your answer.
What happens then if a machine (connected to a port with two untagged vlans) makes a DHCP request ?
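The following is an added example, not code from the SmallNetBuilder article or from anyone in this thread. It models the 802.1Q forwarding rules that the port-based setup (router on port 1 as a member of both VLANs, PCs on access ports), the General-port answer, and the DHCP question above all rely on, and it goes one step beyond the thread by showing a layout that gives both groups return traffic from a VLAN-unaware router. Three rules drive it: an untagged frame is classified into the ingress port's PVID no matter how many VLANs that port is an untagged member of on egress; a frame is only forwarded out ports that are members of its VLAN, tagged or untagged per port; and MAC addresses are learned per VLAN (independent VLAN learning). The port numbers, MAC labels and both port configurations are assumptions for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    """Per-port 802.1Q state: PVID plus the VLANs this port emits untagged or tagged."""
    pvid: int
    untagged: set
    tagged: set = field(default_factory=set)

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


class Switch:
    """Minimal model of an 802.1Q bridge with independent VLAN learning (IVL)."""

    def __init__(self, ports):
        self.ports = ports      # port number -> Port
        self.fdb = {}           # (vid, mac) -> port where that MAC was last seen

    def receive(self, in_port, src, dst, vid=None):
        """Deliver one frame. vid=None means it arrived untagged.

        Returns {egress_port: tag}; tag is None for an untagged copy or the
        VLAN ID if that copy leaves the port with an 802.1Q tag.
        """
        port = self.ports[in_port]
        if vid is None:
            vid = port.pvid                     # untagged ingress -> PVID, always
        elif not port.member_of(vid):
            return {}                           # ingress filtering: not a member, drop
        self.fdb[(vid, src)] = in_port          # learn the source per VLAN
        known = self.fdb.get((vid, dst))
        if known == in_port:
            return {}                           # destination sits behind the ingress port
        if known is not None:
            targets = [known]                   # known unicast
        else:                                   # broadcast / unknown unicast: flood the VLAN
            targets = [p for p, cfg in self.ports.items()
                       if p != in_port and cfg.member_of(vid)]
        return {p: (vid if vid in self.ports[p].tagged else None) for p in targets}


def thread_layout():
    """Assumed 8-port layout as described in the thread: router on port 1, untagged
    member of both VLANs; group A on ports 2-4 (VLAN 1); group B on ports 5-8 (VLAN 2)."""
    ports = {1: Port(pvid=1, untagged={1, 2})}
    for p in (2, 3, 4):
        ports[p] = Port(pvid=1, untagged={1})
    for p in (5, 6, 7, 8):
        ports[p] = Port(pvid=2, untagged={2})
    return Switch(ports)


def asymmetric_layout():
    """Assumed layout that works with a VLAN-unaware router: VLAN 1 = every port and
    the router port's PVID; VLAN 2 = router + group A (PVID on ports 2-4); VLAN 3 =
    router + group B (PVID on ports 5-7). Port 8 is a General-style port, untagged in
    VLAN 1 and tagged in 2 and 3, for a VLAN-aware server that should see both groups."""
    ports = {1: Port(pvid=1, untagged={1, 2, 3})}
    for p in (2, 3, 4):
        ports[p] = Port(pvid=2, untagged={1, 2})
    for p in (5, 6, 7):
        ports[p] = Port(pvid=3, untagged={1, 3})
    ports[8] = Port(pvid=1, untagged={1}, tagged={2, 3})
    return Switch(ports)


def dhcp_round_trip(sw, client_port, client_mac, router_port=1):
    """Untagged DHCP DISCOVER from the client, then the router's untagged OFFER
    unicast back to the client MAC. Returns (ports that saw the DISCOVER,
    ports that saw the OFFER)."""
    discover = sw.receive(client_port, client_mac, BROADCAST)
    offer = sw.receive(router_port, "router", client_mac)
    return set(discover), set(offer)


if __name__ == "__main__":
    for name, build in (("thread layout", thread_layout), ("asymmetric layout", asymmetric_layout)):
        sw = build()
        seen_discover, seen_offer = dhcp_round_trip(sw, 5, "pcB1")
        print(f"{name}: DISCOVER from port 5 reached {sorted(seen_discover)}, "
              f"OFFER reached {sorted(seen_offer)}")
```

In the first layout the DISCOVER from port 5 reaches the router, but the router's untagged reply is classified into VLAN 1 (the router port's PVID) and is only flooded to ports 2-4, so group B never sees an OFFER. In the second layout each group's frames are confined to its own VLAN (port 5 never receives anything sent from port 2), while the router's replies travel in VLAN 1 and reach every port. The caveat worth knowing: with per-VLAN learning the switch never learns group B's MACs in VLAN 1, so the router's unicast replies to group B are flooded as unknown unicast and also arrive on group A's ports. The groups cannot talk to each other, but a host in one group running a sniffer sees the other group's traffic from the router.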
 
Taken from the posted guide
In all the examples, all end devices are in the same IP address range (subnet) and the router doesn't support VLANs.

Do you have any guides or information to do the same thing when there are multiple vlans, and the router doesn't support vlans?

I currently have an SG300-10 and a router that doesn't support vlans,
The switch is currently configured in Layer 3 mode,
and my current setup is working for me.
I am just curious as to how one would do the same thing as in the article,
but when one is running multiple subnets, I think I know how to do it,
just need some time to sit down and put in a play and see how it goes.
 
Hi dreid

At present the main purpose for the SG300 is Lab purposes,
basically for learning, experimentation, and POC's.

The article piqued my interest in how one could isolate a single ip range
by leveraging vlans on a switch connected to a non vlan aware router.

I have attached SG300 L3 Example 1.jpg
At present this is how things are configured, the SG300 in L3 mode,
for my VMware, HyperV, Xen stuff that are connected to the SG300

From what I can gather, the only way to limit inter-vlan routing and traffic
is to use various ACL's to block the inter-vlan communication
and one could further add a sub-layer within one of the ip subnets
by doing something similar to the tactic used in the article

With that said,
I'll post a generic example of what I think it should look like shortly
 

Attachments

  • SG300 L3 Example 1.jpg

Hi dreid

Here is an example of what I am thinking about implementing,
as a POC of what one could/would do to achieve one or both of the following

- segmented intra-vlan traffic and access isolation
- segmented inter-vlan traffic and access isolation

I have attached SG300 L3 Example 2.jpg
It is leveraging both of the above access isolation methods

When one turns on L3 mode,
to my knowledge, it isn't possible to isolate vlan traffic
in the way one would expect to
The only way I know of is to use ACL's

In my example,
- the subnets can't access each other, but can access vlan 10 and the internet
- The subnets are further separated into two vlans,
that can't access each other, but can access vlan 10 and the internet

I'm still looking to see if I can simplify the approach,
and am always looking for better approaches.
 

Attachments

  • SG300 L3 Example 2.jpg

Phibertron -

Here are two options:

Option 1: Disable L3 mode and follow Example 4 in my latest article. This will provide simple VLAN separation. As discussed in my article, you can create more than two VLANs. All devices will be on the same subnet, which may be an advantage, as you only have one DHCP server on the network anyway.
 
Phibertron -

Option 2: If you still want to go with L3 mode, you can do it with manual configs. (The below is a detailed method that illustrates all the paths to setup.)

Router configs:
The router is 192.168.10.1.
The router needs the following static routes =
192.168.11.0 255.255.255.0 192.168.10.2
192.168.12.0 255.255.255.0 192.168.10.2
192.168.13.0 255.255.255.0 192.168.10.2
192.168.14.0 255.255.255.0 192.168.10.2

SG300 configs:

Setup the SG300 with VLAN 10 as its default VLAN.

Remove all ACLs on the SG300.

Set VLAN 10 = 192.168.10.2, set VLAN 11-14 IP addresses = 192.168.11.1, 192.168.12.1, 192.168.13.1 and 192.168.14.1.

There should be a default static route in the SG300 = 0.0.0.0 0.0.0.0 192.168.10.1.

Give the SG300 a DNS server, such as Google's 8.8.8.8 and 8.8.4.4.

Connect the router to VLAN 10 on the SG300. Run some tests. Make sure the SG300 can ping 192.168.10.1 and can ping smallnetbuilder.com. Make sure the router can ping 192.168.10.2, 192.168.11.1, 192.168.12.1, 192.168.13.1 and 192.168.14.1. Get this working before proceeding.
 
Option 2 cont...

Statically configure one device in VLANs 11-14 with IP addresses, give them the SG300's appropriate VLAN IP as their gateway, and give them DNS IP address(es) such as 8.8.8.8 and 8.8.4.4.

For example, a device in VLAN 11 will have an IP = 192.168.11.x and a gateway IP = 192.168.11.1 and DNS = 8.8.8.8, 8.8.4.4. A device in VLAN 12 will have an IP = 192.168.12.x and a gateway IP = 192.168.12.1.

Then, test from devices. Make sure devices in each VLAN can ping their gateway on the SG300, can ping the router at 192.168.10.1, can ping a device on the Internet (such as smallnetbuilder.com) and can ping a device on another VLAN. Get this working before proceeding.

Once you have full connectivity to the Internet and between VLANs, you'll need to create ACLs on the SG300 to filter traffic. Create IP based ACLs to filter inter and intra based VLAN controls. Test each ACL after you enter it to see if it is filtering as desired.
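An added example, not from the article or from the posts above, for the last step of Option 2: the inter-VLAN ACLs on the SG300 in L3 mode. Rather than guess at the switch's own ACL syntax, it models the first-match, implicit-deny semantics such ACLs use and checks a policy against the addressing plan in the post (192.168.10.0/24 for the router and VLAN 10, 192.168.11.0/24 through 192.168.14.0/24 for the user VLANs): a user VLAN may reach its own gateway, VLAN 10 and the Internet, but not the other user VLANs. The sample hosts, the rule lists and the `misordered` variant are assumptions for illustration; the second variant shows the common mistake of placing the broad deny for 192.168.0.0/16 ahead of the specific permit for VLAN 10, which cuts the VLAN off from the router and VLAN 10 while Internet traffic still flows.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source prefix, CIDR
    dst: str      # destination prefix, CIDR


def evaluate(acl, src_ip, dst_ip):
    """First matching rule wins; an ACL that matches nothing denies (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.action
    return "deny"


# Addressing plan from the post: router and VLAN 10 on 192.168.10.0/24,
# user VLANs 11-14 on 192.168.11.0/24 .. 192.168.14.0/24.
SHARED = "192.168.10.0/24"
ALL_PRIVATE = "192.168.0.0/16"
ANY = "0.0.0.0/0"


def inbound_acl_for(vlan_subnet):
    """Policy for traffic arriving from one user VLAN: specific permits first,
    then the broad deny covering every other 192.168.x.0 subnet, then the rest."""
    return [
        Rule("permit", vlan_subnet, vlan_subnet),   # own subnet (the gateway address)
        Rule("permit", vlan_subnet, SHARED),        # router and shared servers in VLAN 10
        Rule("deny",   vlan_subnet, ALL_PRIVATE),   # every other user VLAN
        Rule("permit", vlan_subnet, ANY),           # Internet
    ]


def misordered_acl_for(vlan_subnet):
    """Assumed mistake: the /16 deny placed before the VLAN 10 permit."""
    return [
        Rule("permit", vlan_subnet, vlan_subnet),
        Rule("deny",   vlan_subnet, ALL_PRIVATE),
        Rule("permit", vlan_subnet, SHARED),        # never reached for 192.168.10.x
        Rule("permit", vlan_subnet, ANY),
    ]


CASES = {   # constructed sample flows from a host in VLAN 11
    "internet":    ("192.168.11.5", "8.8.8.8"),
    "router":      ("192.168.11.5", "192.168.10.1"),
    "vlan10_host": ("192.168.11.5", "192.168.10.50"),
    "gateway":     ("192.168.11.5", "192.168.11.1"),
    "vlan12_host": ("192.168.11.5", "192.168.12.5"),
}


def check_policy(build_acl, vlan_subnet="192.168.11.0/24"):
    """Evaluate every sample flow against the ACL built for that VLAN."""
    acl = build_acl(vlan_subnet)
    return {name: evaluate(acl, s, d) for name, (s, d) in CASES.items()}


if __name__ == "__main__":
    for name, build in (("correct order", inbound_acl_for), ("deny first", misordered_acl_for)):
        print(name, check_policy(build))
```

The same list, built from each user VLAN's own subnet, has to be applied to traffic entering from that VLAN: the filter is stateless, so the reverse direction of a VLAN 11 to VLAN 12 flow is caught by VLAN 12's copy, and if one VLAN is left without the deny it can still initiate to the others. Traffic inside one VLAN is switched, not routed, so this routed-path policy does not touch it; isolating hosts from each other within a VLAN needs port-level controls, as the earlier posts in this thread discuss.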
 
Hi dreid

Thank you for the article, your time and the suggested options.

Option 2 looks very similar to my SG300 L3 Example 2.jpg,
Which is good to see that I wasn't off the mark on implementation.

Other than the option 1 and option 2 configurations,
Are there any solutions/tactics that you can think of,
that one could use to accomplish the same thing,
without resorting to getting a router that supports multiple vlans?

PS
This is something related to the article content, I didn't see it noted,
It might be worth noting, that if the router has additional lan ports,
that they would be on the internet vlan, and accessible from both vlan 1 and 2
which could be advantageous for printer or file sharing etc.
 
