VLAN How To: Segmenting a small LAN

Why can't all users access the management interface on the router unless blocked by ACL? I can be on any of my different networks and access my router interface including VLAN1 the default VLAN.

Your diagram doesn't show VLAN1 on the router. I only see VLAN99 and VLAN102. Using a trunk port can transfer routing from the layer 3 switch to the router.

PS
I guess I can add that all my network equipment has an IP address in VLAN1 except my internet router. I don't want the internet router looking at any traffic except internet traffic. If I add VLAN1 traffic to my internet router then it will be slowed down by chatty talk from devices, Windows chatty talk and everything else on the LAN including broadcast traffic, as the router needs to look at all packets crossing its interface. I want my internet router talking to the internet in parallel while all this broadcast traffic is trapped in a different VLAN. This is where you gain throughput with an isolated router, as the internet router is not waiting on local LAN traffic in different VLANs.
 
> Why can't all users access the management interface on the router unless blocked by ACL? I can be on any of my different networks and access my router interface including VLAN1 the default VLAN.

I don't know why VLAN 20 clients can't access the management interface on the LRT224, see the image of the SG300 routing table below.
[image: SG300 IPv4 Routing Table.png]
VLAN 40 (Internet of Things) and VLAN 50 (Guest) clients are blocked by ACL. As I said, VLAN 1 is solely used for management, so no problem for me. Before this change I had to either use a 192.168.99/29 transit and access the management from a VLAN 99 client on the switch or take the router offline and connect a PC directly with IP address 192.168.99.2/30.

> I only see VLAN99 and VLAN102. Using a trunk port can transfer routing from the layer 3 switch to the router.

Since the work networks are only defined on the switch and not on the router, the switch does the inter-VLAN routing.

> Your diagram doesn't show VLAN1 on the router.

Good catch, I forgot to update the diagram after the configuration change.
[image: Oles Home Network.png]
 
Can we have a Tomato & DD-WRT driven update/alternative to this article/guide? That would be nice and quick to implement and a more likely/inexpensive entry point for SNB users :)
 
> I don't know why VLAN 20 clients can't access the management interface on the LRT224, see the image of the SG300 routing table below.
> VLAN 40 (Internet of Things) and VLAN 50 (Guest) clients are blocked by ACL. As I said, VLAN 1 is solely used for management, so no problem for me. Before this change I had to either use a 192.168.99/29 transit and access the management from a VLAN 99 client on the switch or take the router offline and connect a PC directly with IP address 192.168.99.2/30.
>
> Since the work networks are only defined on the switch and not on the router, the switch does the inter-VLAN routing.
>
> Good catch, I forgot to update the diagram after the configuration change.

I assume you have a routing statement on the LRT224 for VLAN20? The other gotcha is routers now limit access to their only defined LAN network. You need to add an ACL on the LRT224 to allow the networks on the layer 3 switch access.

Your layer 3 switch picture looks right. If the above does not fix it we can take another look.
 
> Can we have a Tomato & DD-WRT driven update/alternative to this article/guide? That would be nice and quick to implement and a more likely/inexpensive entry point for SNB users :)

Sounds like a good idea. Can you start it? I can help with the networking part.
 
> I assume you have a routing statement on the LRT224 for VLAN20? The other gotcha is routers now limit access to their only defined LAN network. You need to add an ACL on the LRT224 to allow the networks on the layer 3 switch access.
>
> Your layer 3 switch picture looks right. If the above does not fix it we can take another look.

Sure, I have routing statements on the LRT224 for VLAN 20, VLAN 40 and VLAN 50 pointing to 192.168.99.2.

I actually like that only VLAN 1 (Management VLAN) clients can access the management interface on the router, but I'll check if adding a permit rule to the firewall will allow access.
 
> I actually like that only VLAN 1 (Management VLAN) clients can access the management interface on the router, but I'll check if adding a permit rule to the firewall will allow access.

I would limit VLAN1 to only LAN devices and a management console. No general workstations since the router will be responding to all traffic on the management VLAN1.
 
> I would limit VLAN1 to only LAN devices and a management console. No general workstations since the router will be responding to all traffic on the management VLAN1.

Sure, I use VLAN 1 solely for management of the network devices (router, switches, APs) and only 1 client (me) is using VLAN 1 for this purpose. Since management tasks are only occasional, there will be practically no traffic on VLAN 1. VLAN 99, which trunks all traffic to and from the local networks, is a /30 transit network with only two available IP addresses, 192.168.99.1 (LRT224) and 192.168.99.2 (SG300), and is therefore totally isolated.
 
Yes, the reason to run a router in a separate VLAN is to isolate all local traffic from the router. The router is a single task device and if it is processing local traffic it is not doing internet traffic, so local traffic is taking time away from the internet traffic. Of course this is assuming a constant internet stream.

PS
I just thought of something. I guess you moved the default VLAN to a different VLAN other than VLAN1 otherwise all untagged traffic is going to be processed by VLAN1 which means it will have access to all your network devices.
 
> PS
> I just thought of something. I guess you moved the default VLAN to a different VLAN other than VLAN1 otherwise all untagged traffic is going to be processed by VLAN1 which means it will have access to all your network devices.

Not yet, but perhaps I should do that. Generally, do you see any problems with untagged traffic on my SG300 switch ports (see image)?
[image: SG300 Port VLAN Membership.png]
 
No I don't see any problems with untagged traffic on your switch. I wonder how well consumer gear will live with moving the default VLAN to other than 1. Maybe you can live with it and just remember how untagged traffic will be processed. I don't know what is best.
 
> Sounds like a good idea. Can you start it? I can help with the networking part.

?? I am not familiar with VLANs as yet and am looking at tutorials. How would you suggest I start it?
I thought someone with VLAN knowledge/experience could take the existing tutorial, copy it, and replace pieces within.
 
I have thought about this and I really think you will need some kind of tutorial like a book. I don't think a few forum posts are going to be able to teach you networking. Probably the best way to learn networking is classes. The cheapest classes are at your local community college. Cisco teaches good classes but they are pricey.
As far as books go, the only ones I have are advanced. I learned networking many years ago, over 20 years ago, from Cisco classes and books, so I don't know what a good starting book is. Buy one; if you don't like it, buy another. If you stick to it you will learn networking.

The VLAN stuff we are talking about here is universal. It will apply to all switches and routers. The device management and how you configure it may be different but the networking is the same.
 
I understand networking/subnets/OSI layers/SYN/ACKs/IP with UDP/TCP etc. and a lot more. PS: I have a graduate degree in the space. Same here, I have been at networking/computing for 15/20 yrs, but since I was not in a dedicated networking role, I didn't need to configure VLANs.

I was just hoping for my first VLAN configuration experience with DD-WRT/Tomato to be a clearer, simpler go-through. Anyway, I figured it would be a great addition to a Small Network site, where most people will use DD-WRT/Tomato etc.
 
I have read the How To articles and this thread, but still have questions regarding the application of VLANs. I have just purchased an LGS308 and have an Asus RT-AC1900P WiFi router. As for devices, I have hardwired computers, WiFi computers, a VoIP box, a Roku and a couple of Chromecasts. Currently all devices are hooked up to the Asus router via an unmanaged switch. I intend to also connect the LGS308 to an old DIR655 router for Internet access purposes.

My questions are:
1. If I hook up the RT-AC1900P to the LGS308 and make that VLAN-2 (say port 2), and make VLAN-3 (say port 3) with a hardwired Chromecast on it, can a WiFi computer on VLAN-2 cast videos to the Chromecast on VLAN-3?

2. If the Asus router (on VLAN-2) has DHCP enabled, will the Chromecast (VLAN-3) be able to get its IP from the Asus router (VLAN-2)? Or will I have to disable DHCP on the Asus router and enable DHCP on my old router connected to the WAN?

Thanks much.
 
Hello,
I'm Italian and I do not speak English well. I am asking for help with a configuration of an Asus DSL-AC68U router + Cisco SG300 10 switch + Zyxel 1900 HP switch.
I followed the steps of the guide "How To Use A Layer 3 Switch In A Small Network."
My network is structured as follows:

Asus router PORT 4 -> SG300 PORT 10 GENERAL 1UP, 25U, 45U

SWITCH CISCO SG 300
PORT 8 TRUNK 1UP, 25T, 45T-> ZYXEL SWITCH 1 PORT 8 TRUNK 1UP, 25T, 45T
PORT 7 TRUNK 1UP, 25T, 45T-> ZYXEL SWITCH 2 PORT 8 TRUNK 1UP, 25T, 45T
PORT 6 TRUNK 1UP, 25T, 45T-> ZYXEL SWITCH 3 PORT 8 TRUNK 1UP, 25T, 45T
PORT 5 TRUNK 1UP, 25T, 45T-> ZYXEL SWITCH 4 PORT 8 TRUNK 1UP, 25T, 45T


Asus DSL-AC68U
vlan1 192.168.1.0
default gateway 192.168.1.1
dhcp 192.168.1.100 ... 254

Cisco SG300 (layer 3 mode)
vlan1 interface 192.168.1.2

vlan25 interface 192.168.25.0
default gateway 192.168.25.1
dhcp 192.168.25.100 ... 254 dns 192.168.1.1

vlan45 interface 192.168.45.0
default gateway 192.168.45.1
dhcp 192.168.45.100 ... 254 dns 192.168.1.1

Asus router static routes
vlan25 192.168.25.0/24 192.168.1.2
vlan45 192.168.45.0/24 192.168.1.2

SG300 static routes
0.0.0.0/0 192.168.1.1
192.168.1.0/24 192.168.1.2 directly connected
192.168.25.0/24 192.168.25.1 directly connected
192.168.45.0/24 192.168.45.1 directly connected


Clients on vlan25 can ping clients on vlan45 and clients on vlan45 can ping clients on vlan25, but clients on vlan1 (wi-fi and cable connected) cannot ping clients on vlan25 and vlan45, and clients on vlan25 and vlan45 cannot ping clients on vlan1.

All vlan clients are able to access the Internet.

If I configure vlan1 clients with default gateway 192.168.1.2 instead of 192.168.1.1, all clients on vlan1 (wi-fi and cable connected) can ping all clients on vlan25 and vlan45, and all clients on vlan25 and vlan45 can ping vlan1 clients.
Clients on vlan25 can ping clients on vlan45 and clients on vlan45 can ping clients on vlan25.
All clients are able to access the internet but some services of the Asus router such as parental control do not work.


For vlan1 clients I would like to use the Asus router parental control (it is MAC address based), which works fine with default gateway 192.168.1.1 but does not work with default gateway 192.168.1.2 (it does not block anything).

What am I doing wrong?

Thanks in advance
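Tracing packets through the two routing tables posted above makes the difference between the two gateway settings visible. The Python below is an added example, not code from the thread or from Asus/Cisco; it implements longest-prefix-match forwarding over those tables, and the client addresses, the /24 client mask and the "internet" pseudo-hop are constructed assumptions.

```python
import ipaddress

# Routing tables as posted (Asus DSL-AC68U, SG300 in layer 3 mode); next_hop None = directly connected.
ROUTES = {
    "asus": [("192.168.1.0/24", None),
             ("192.168.25.0/24", "192.168.1.2"),
             ("192.168.45.0/24", "192.168.1.2"),
             ("0.0.0.0/0", "internet")],          # "internet" is a pseudo-hop
    "sg300": [("192.168.1.0/24", None),
              ("192.168.25.0/24", None),
              ("192.168.45.0/24", None),
              ("0.0.0.0/0", "192.168.1.1")],
}
# Interface address -> device that owns it (from the posted interface list).
OWNER = {"192.168.1.1": "asus", "192.168.1.2": "sg300",
         "192.168.25.1": "sg300", "192.168.45.1": "sg300"}

def lookup(routes, device, dst):
    """Longest-prefix match: next hop for dst in the device's table."""
    best = None
    for prefix, next_hop in routes[device]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best[1] if best else None

def trace(src, gateway, dst, routes=ROUTES, owner=OWNER, mask=24):
    """List the layer 3 hops a packet from src takes to reach dst."""
    if ipaddress.ip_address(dst) in ipaddress.ip_interface(f"{src}/{mask}").network:
        return [src, dst]                     # same subnet: no router involved
    hops, device = [src, gateway], owner[gateway]
    for _ in range(8):                        # guard against routing loops
        next_hop = lookup(routes, device, dst)
        if next_hop is None:                  # directly connected: deliver
            return hops + [dst]
        hops.append(next_hop)
        if next_hop not in owner:             # left the LAN (e.g. "internet")
            return hops
        device = owner[next_hop]
    raise RuntimeError("routing loop: " + " -> ".join(hops))

def devices_on_path(hops, owner=OWNER):
    return {owner[h] for h in hops if h in owner}   # forwarding devices used

def symmetric(src, src_gw, dst, dst_gw, routes=ROUTES, owner=OWNER):
    """True when request and reply traverse the same forwarding devices."""
    fwd = devices_on_path(trace(src, src_gw, dst, routes, owner), owner)
    rev = devices_on_path(trace(dst, dst_gw, src, routes, owner), owner)
    return fwd == rev
```

With 192.168.1.1 as the VLAN1 gateway, a ping to VLAN25 passes through the router and then the switch while the reply comes back through the switch alone; every routed hop also rewrites the Ethernet source address, so with 192.168.1.2 as gateway the router sees VLAN1 Internet traffic arriving from the switch's interface rather than from the client.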
 
Doug or anyone, help please.

Tried to configure a Linksys LGS308 very similar to the article, except VLAN1 as NETWORK (as mentioned in the TIP).

Non-VLAN-aware router on Port 1, Ports 2-4 computers, Ports 5 and 6 = VLAN 2, Port 7 = VLAN 3. Whenever I try to change the membership of VLAN 2 to include port 1 (router), the software removes Port 1 from VLAN1. In other words, I cannot get it configured such that all VLANs can access the router.

Called Linksys, and they said that the LGS308 requires a VLAN-aware router.

Is this correct?

If so, are there any managed switches out there which will work with routers not aware of VLANs?

Thanks much.
 
Thanks Doug. I had seen Example 2. However, on the Linksys LGS308, when I try to make VLAN 1 (G1) part of VLAN2, it removes G1 from VLAN1.
The Linksys switch is slightly different in its configuration. After you create the VLANs, you set the port specifics (U, T, General, etc.) for each port. Then you add memberships to each VLAN. Whenever I added Port G1 to the membership of VLAN2, it removed G1 from VLAN1.
I tried to talk to their tech support, but they insist I must have a VLAN-aware router, since the LGS308 cannot send VLAN2 traffic to VLAN1.
I will try again to configure the switch, but I think it's hopeless...
Thanks again.
 
Doug,
Here are the LGS308 config screens and my settings. Port 1 is connected to the router / WAN. With these settings as shown in the attached JPGs, devices on the 3 VLANs can get to the WAN.

BUT I can also ping from VLAN 3 to VLAN 2. NOT GOOD.

As soon as I "CHECK" the G5 & G6 "PVID" on VLAN2, and G7 on VLAN3, things stop working. I'm locked out of the admin. The PVID of G1, G5 & G6 of VLAN1 is unchecked, and the PVID G1 and G7 is unchecked on VLAN1. That is why it stops working, I think.

Any thoughts?
 

Attachments: Interfaces.jpg, Membership-VLAN1.jpg, Membership-VLAN2.jpg, Membership-VLAN3.jpg