VLAN How To: Segmenting a small LAN


To: dreid - First, thanks for the article. I have been thrashing around trying to get VLANs working on my Netgear 724Ts for a long time and your article finally allowed me to understand. I haven't actually implemented it yet since I have a live network in a small hotel, but at least now I think I know what I'm doing. A couple of follow-up questions though:
1. What is the difference between the STATIC and DEFAULT VLAN 'Types' on the NetGear boxes?
2. Is there any special setting required if I have a port that is attached to a 2nd Netgear 724T switch that has the same VLANs configured? (I.e. what are the configuration issues involved with having the same VLAN span multiple 724T switches?)

Thanks
 
Answers:
1. According to the Netgear manual, the DEFAULT VLAN is VLAN 1. All other created VLANs are STATIC VLANs.
2. In your scenario, port x on switch 1 is connected to port y on switch 2. Configure port x and port y with the same VLAN settings. Both port x and port y should be a member of all VLANs that are used on both switches.
 
PVID Details

Thank you for the reply. That makes sense to me :).

Follow-up question - When I was about to implement my plan (see attachment) I noticed in the PVID screen there were additional parameters:
Acceptable Frame Types (Admit All or VLAN only)
Ingress Filtering (Enable or Disable)

Other than the PVID assignment I show in my plan, what should I set for these two parameters?

I have read the manual about these parameters but I'm still unclear as to what I should set them to (I'm leaning towards Admit All & disabled respectively but could really use some confirmation)

Again - I can't thank you enough for the help. I've read the NetGear manuals but your explanations have proved to be much clearer.
 

Attachments

  • PBH_VLAN_Configs.pdf
  • NetGear_724T_PVID_Cropped.jpg
It Worked

Your instructions worked flawlessly. I prepped everything according to your example tweaked for my network and it switched over in about 5 minutes.

Thank you so much again.

I do have another follow-up question. I now need to implement VLANs across 3 NetGear switches, 1 backbone switch (GS724TS-100NAS) and two area switches (again GS724T). Do you by any chance have an example document that tells how you set up the trunk ports between the area switches and the backbone switch so that the VLAN traffic passes from switch to switch unimpeded?
 
Make the trunk ports Untagged ="U" members of VLAN1 and make them Tagged = "T" members of all the other VLANs.

That should do it.
 
Management - Switches

Excellent. I understand that.

1. Make sure the VLAN #s and usage are consistent across all switches (including the backbone switch)
2. Trunk ports to the backbone switch Tagged members of all VLANs

3?. The port that goes from the backbone switch to the router - Same as #2? I.e. Tagged member of all VLANs.

4?. What is the PVID for the Trunk port? #1? Default VLAN?
 
1. Correct
2. Correct
3. Correct - does your router support VLANs? See below.
4. If VLAN1 is the default VLAN and you're using it, then set the trunk PVID=1.
5. If you left the management VLAN at default, the switch IP should be on the subnet assigned to VLAN1.

If your router supports VLANs, configure the router port connected to the switch with the same tagged VLAN settings you applied to the trunk. See my article on using a router with VLANs.

http://www.smallnetbuilder.com/lanw...segment-a-small-lan-using-tagged-vlans-part-2

Part 1 might be helpful too.

http://www.smallnetbuilder.com/lanw...how-to-segment-a-small-lan-using-tagged-vlans
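Added example, not code from the thread or from any of its participants: a small Python model of 802.1Q ingress classification and egress tagging, used to check the trunk rules given above (PVID=1, Untagged member of VLAN 1, Tagged member of every other VLAN) together with the Acceptable Frame Types and Ingress Filtering settings asked about earlier in the thread. The switch layout (ports p1, p4, p24 and VLANs 4-6) is constructed for the example.

```python
# Constructed model of 802.1Q port behaviour; not switch firmware or vendor code.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                        # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # "U" memberships: egress strips the tag
    tagged: set = field(default_factory=set)    # "T" memberships: egress keeps the tag
    admit: str = "all"               # Acceptable Frame Types: "all" or "vlan_only"
    ingress_filter: bool = True      # drop frames whose VID this port is not a member of

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged

def classify(port, frame_vid):
    """Ingress: VID the frame is assigned to, or None if it is dropped.
    frame_vid=None means the frame arrived without an 802.1Q tag."""
    if frame_vid is None:
        if port.admit == "vlan_only":
            return None              # untagged frames refused on this port
        vid = port.pvid
    else:
        vid = frame_vid
    if port.ingress_filter and not port.member_of(vid):
        return None
    return vid

def forward(switch, in_port, frame_vid=None):
    """Egress set for a broadcast frame: {port: VID on the wire, None = untagged}."""
    vid = classify(switch[in_port], frame_vid)
    if vid is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name == in_port:
            continue
        if vid in port.untagged:
            out[name] = None
        elif vid in port.tagged:
            out[name] = vid
    return out

# Constructed switch: access ports on VLAN 1 and 4, port 24 as the trunk (PVID 1, U in 1, T in 4-6).
SWITCH = {
    "p1": Port(pvid=1, untagged={1}),
    "p4": Port(pvid=4, untagged={4}),
    "p24": Port(pvid=1, untagged={1}, tagged={4, 5, 6}),
}
# Constructed variant: trunk as U member of every VLAN; frames leave untagged, untagged replies land in PVID 1.
FLAT_TRUNK = dict(SWITCH, p24=Port(pvid=1, untagged={1, 4, 5, 6}))
```

Running forward() for each port shows why the trunk must be a Tagged member of VLANs 4-6: with the all-Untagged variant a VLAN 4 frame leaves port 24 without a tag, and the reply is classified into VLAN 1 on the way back.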
 
I had already read your first article. Really got me started. Very helpful.

The 2nd article I didn't know about but I just finished reading it and it too was very helpful.

Your pointer about having VLAN assignment and tagging charts is absolutely spot on! Doing that before I made my first conversion saved me from disaster I am sure.

I still have a few questions if you will bear with me - I am trying to implement these changes on a live network and I would rather err on the side of too many questions before trying to implement the change.:)

At the moment, I don't really have a need for inter-VLAN traffic (although the pfsense box I use as a router can handle VLANs - I am meeting with the vendor tomorrow on that). The only 3 VLANs that need to access the Internet are 1, 4, and 5.

My question is really if the configurations the way I have them on the attached diagram are correct (assuming no Inter-VLAN required) - especially for port 24 on the Back Bone switch.

I am thinking if I am not doing Inter-VLAN routing then the TAGGED memberships are really not needed. And if I do Inter-VLAN routing later, then I would need the TAGGED memberships. Would that be correct?

Thank you
 

Attachments

  • N Floor VLAN Config.pdf
Your configs on the switches in the diagram seem fine. Port 24 on your back bone switch appears to be correct.

You'll need to set up a trunk and VLANs on the router, which enables inter-VLAN routing, for devices on VLANs 4-6 to get to the Internet. My Part 2 article goes through the steps.
 
If the router doesn't handle VLAN routing, by default will all traffic from the various VLANs have access to the Internet PROVIDED that I set the port 24 on the back bone switch to be an UNTAGGED member of all the VLANs (instead of TAGGED)?
 
A very interesting article. The confusing part is a particular port having membership in more than one VLAN. As a set VLAN#2:[8 7 6 5 [4] 3 2 1]:VLAN#1 = VLAN#2+VLAN#1:[8 7 6 5 4 3 2 1] The unique tagging of a port implies that shouldn't be possible.
 
Thanks for the question!

You mention "The confusing part is a particular port having membership in more than one VLAN... The unique tagging of a port implies that shouldn't be possible."

I agree, it can be confusing. VLAN configuration in switches can vary.

Some switches allow a port to be a member of multiple VLANs (port-based) and to optionally apply VLAN tags to one or more VLANs on that port. Some switches call these ports "general" ports.

Some switches are 802.1q switches where 802.1q access ports can only be members of one VLAN, and no tag is applied on that port. An 802.1q trunk port can be a member of multiple VLANs and applies a VLAN tag to all VLANs except the native VLAN (PVID). Other switches have port-based (no-tagging) VLAN capabilities.

Likewise, some routers support 802.1q VLANs and some support port-based VLANs. Frankly, I think port-based VLANs on a router have limited use.

Here are some examples:

I used a Linksys SRW2008 switch that supported general ports in the example in this article (http://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan).

I used GS108T (example 2) and GS1900-8HP (example 3) switches that support 802.1q with a router that doesn't support VLANs in this article (http://www.smallnetbuilder.com/lanw...how-to-segment-a-small-lan-using-tagged-vlans).

I used a GS108T that also supports port-based VLANs and a router that doesn't support VLANs in example 1 of this article (http://www.smallnetbuilder.com/lanw...how-to-segment-a-small-lan-using-tagged-vlans).

I used a Cisco SG200 switch and a Zyxel Zywall 110 router that support 802.1q in this article (http://www.smallnetbuilder.com/lanw...segment-a-small-lan-using-tagged-vlans-part-2).

I hope this helps!

Doug Reid
 
In my way of thinking you really don't want a router supporting VLANs because you want to keep the interVLAN routing on the Layer 3 switch. Once you add a trunk port from the switch to the router you transfer the interVLAN routing to the router instead of the switch.

InterVLAN routing comes in handy when you want to share resources such as printers and other devices across local networks. The small business Cisco switches have interVLAN routing on by default. The PRO Cisco switches do not. You have to turn it on.

I run a router VLAN on my Cisco SG300 layer 3 switch which I like best. This router VLAN is only a VLAN created for one member, my router. This isolates all local network traffic from this VLAN except for the traffic destined for the internet. To me this seems to work better than running the router in VLAN1, which is the default VLAN also. Too many chatty devices on VLAN1.
 
Cox,

Did you get a /30 network between the SG300 and the router working?

Ole
 
No. There is a fix in the new firmware for the Cisco SG300 switches which I hope will fix it. It runs fine with a 24 bit mask. It is now spring time for me and I don't plan to change anything until it gets hot. I have too many other things to do for a while. I do plan to upgrade to pfsense 2.3 real soon. If I run into problems and start over I may test it.
 
Cox,

I changed my configuration today using a /30 transit between the SG300 L3 switch and the LRT224 router. The SG300 is set up with a default route pointing to the router IP address (192.168.99.1) and the router has static routes to all the subnets on the SG300 pointing to the transit VLAN address (192.168.99.2).

All seems to work fine. Since the /30 network does not allow any additional hosts, I just plug my laptop into the router offline with a static address of 192.168.99.2 whenever I need to change the configuration.

Ole
Attachments

  • SG300 IPv4 Interface.png
  • SG300 IPv4 Routes.png
 
Good to know it works. You should see higher throughput since the router no longer waits for all the local VLAN 1 traffic. Did you use the latest firmware for the switch?
 
Yes, I installed the latest firmware (sx300_fw-1424.ros).
 
Cox,

I think I've found a better solution:

LRT224:
VLAN 1 192.168.1.1/24 (management interface) untagged
VLAN 99 192.168.99.1/30 (transit) tagged

SG300:
VLAN 1 192.168.1.254/24
VLAN 99 192.168.99.2/30
Trunkport VLAN 1 untagged, VLAN 99 tagged

Works flawlessly. Now VLAN 1 clients on the SG300 can access the management interface on the LRT224. All SG300 clients can ping 192.168.99.1 unless their IP address is blocked by ACL. Only VLAN 1 clients can ping 192.168.1.1 which is what I want, since VLAN 1 is solely used for management.

Ole
Attachments

  • Oles Home Network.png
 
