
VLAN How To: Segmenting a small LAN

Back when VLANs first came out from Cisco they seemed complicated. Then over the years I came up with a few rules to make things simple that work with small and large networks.
1. When creating VLANs, always assign a network to each VLAN.
2. VLANs are routed just like regular networks, so you need a layer 3 device.
3. VLANs are always tagged so they work with one or more switches.
4. When connecting VLAN devices together, use a trunk port.
5. If you are connecting to a non-VLAN-aware device, use an access port.

I think with these very simple rules you can build any size network using VLANs. These simple rules allow for easy maintenance and troubleshooting.
 

Nice post - the one thing I would add...

-- in the planning phase - draw it out on paper, and number things there

The other item - when considering VLAN IDs - start from 100, but that's just me (and experience talking there).
 
hi Dreid,

I am trying to set up a network using VLANs to segregate staff and guest access on wired and wireless devices, following your earlier example 4. After creating the 3 VLANs (vlan10 (staff), vlan20 (internet access) and vlan30 (guest)) and setting the ports to VLANs as required, I am not seeing the segregation between vlan10 and vlan30. Any particular setting I should review?

Also, what is your recommendation on configuring the Ruckus AP to have the 2 SSIDs?

High level network diagram attached

thanks.
 

Noob question......

When using a WAP with separate SSIDs and VLANs, is this a trunk port?

In what circumstance would you use a hybrid port?

Thanks

 
I use a trunk port with SSIDs on different VLANs. I am not sure about a hybrid port. I have never used one.

I guess you know you can only pass untagged traffic on the default VLAN, so use tagged VLANs.
 

Please do point to a good tutorial that I can use to learn VLANs, for implementing a VLAN on a Tomato/DD-WRT router.
 
I don't know of any, as I learned my info 20 years ago before the internet. I have my way of doing VLANs. It works for me. I use the rules above.
 
I have an IT background but novice networking knowledge. The question is about my home network setup:

Right now I have set up 2 Wi-Fi routers/DHCP servers (Home 10.20.30.1 and Guest 10.20.50.1) connected physically to my ISP modem/router (192.168.10.x). The Home router is then physically connected to the L2 switch (HP ProCurve 1810G) and the Home LAN (10.20.30.x). The Guest router is only for Wi-Fi use. This setup is described in the "How To: One Internet connection - Two Private LANs" article. See below for my setup:
Home LAN v1.JPG

My question is whether I can physically connect to the switch (a) the ISP modem/router, (b) the Home router/DHCP server, (c) the Home LAN and (d) the Guest router/DHCP server without any hiccups, while ensuring the isolation between the Home and Guest LANs, as below:
Home LAN v2.JPG

My switch supports VLANs. Is this the way? Reading online, I understand that I need to (1) set up 2 VLANs, one for each of the Home and Guest LANs, and then (2) assign the switch ports the corresponding devices are connected to, to the proper VLAN. Please confirm.

Can someone shed some light on the Tag/Untag/Exclude All setting, please?

Any guidance is highly appreciated.

Thanks,
Panos.
 
I think you are going to have a problem with an L2 switch. With an L2 switch you can physically divide the switch and use it as if there were 2 different switches, but it won't fit your drawing. Some people around here do double NAT, but I don't consider it good networking design.

If you had a layer 3 switch you could make it work, providing your ISP modem is doing NAT. Something simple like a Cisco SG300 switch, which can be had used for little money off eBay. I would use DHCP off the switch for the LAN side. For the guest wireless, if you don't share resources then DHCP off the wireless is fine; otherwise use DHCP off the switch with shared resources.

L3 switches don't do NAT unless you spend lots of dollars, maybe $50,000 plus.
 
Hi dieter, and thanks for the effort.
Well, the thing is, it's never a problem to get any devices on the default VLAN1 to reach the internet and DHCP, even if the uplink/trunk port is on a different VLAN (in your example, VLAN100 on port 8). In my case, the problem still remains if I assign a port a PVID of something other than VLAN1 and the PVID of the trunk port. E.g. in this case, ports 5, 6, 7 are cut off from everything but themselves, as their PVID is 50+70 and the trunk port has PVID 100. A PC on port 2 would work just fine as it resides on the default VLAN1, as does your non-VLAN-configured router by default.

With the setup you showed me, did you manage to access the rest of the network (Internet) from ports 5, 6, 7?

According to the description of Asymmetric VLANs (link in my previous post) that Netgear support provided to me, the whole idea is rather simple and should work. I mean, you basically do the following:
  • create VLANs X and Y for client machines
  • create VLAN Z for the "uplink"/trunk port

  • assign client1 machine's untagged port to VLAN X and VLAN Y and VLAN Z
  • assign client2 machine's untagged port to VLAN Y and VLAN X and VLAN Z
  • assign the uplink port to VLAN Z

  • assign client1 machine's port to PVID X
  • assign client2 machine's port to PVID Y
  • assign the uplink port PVID Z
Then connect the router to the uplink port.

So, in short: make sure all VLANs contain untagged ports, assign them to each other, and make sure the uplink/trunk port is a member of all VLANs needed to go through that port. And the key is to have everything on the same subnet.

However, the reality with these Netgear switches seems different. If e.g. switch port 5 has a PVID of VLAN5 and the trunk port 8 has a PVID of 10, no matter how many other VLANs those ports are members of, port 5 won't send traffic through that trunk port :-((((
 
Hello Flip Flop, I will give your configuration a try. I am trying to accomplish a very simple task, but it is turning out to be a lot harder than I thought. I also have a GS108Tv2. I am trying to set up a separate home lab on a segmented network using this switch. The key thing is I am trying to isolate the home lab from picking up DHCP from my home router, as this will be handled by one of my virtual servers. However, I still need to be able to access the internet from my lab network so that I can download updates, etc. So far it's been either all or nothing; maybe I just need to get a level 3 switch and be done with it? I spoke with Netgear support and the individual just didn't have the knowledge; as a matter of fact he screwed up the switch so much I had to do a factory reset and start over. Anyway, I don't know if the asymmetrical configuration will work for me, but I will give it a try.
 
I'm not sure if I'm following what you'll be setting up... but yes, Linksys does make it quite simple on their managed switches.

Example: your 8-port switch. Say you want to have 2 separated networks, Network A and Network B.
Uplink your router into port 1.
Plug computers from Network A into ports 2, 3, and 4. Assign ports 2, 3, and 4 to VLAN 1, and make port 1 (the router) a member of VLAN 1 also.
Plug computers from Network B into ports 5, 6, 7, and 8. Assign ports 5, 6, 7, and 8 to VLAN 2, and add port 1 (the router) as a member of VLAN 2 also.

This way, computers from Network A cannot see/browse/do anything with computers from Network B, and vice versa. Yet they can still share the router for internet access.
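The tagged-trunk and access-port rules at the top of the thread, the Tag/Untag question, and the shared-router-port layout just described all follow from the same 802.1Q ingress and egress rules. The Python below is an added model (mine, not any poster's switch configuration) that applies those rules to a constructed port layout and reports which ports a flooded frame reaches, including what happens to a port made an untagged member of two VLANs; it assumes ingress filtering is enabled, which not every switch does by default.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """802.1Q port: PVID for untagged ingress, VLANs carried tagged/untagged."""
    pvid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged

def ingress_vid(port, tag):
    """Untagged frames land in the PVID; tagged frames keep their VID only if
    the port is a member of it (ingress filtering on), else they are dropped."""
    if tag is None:
        return port.pvid
    return tag if port.member_of(tag) else None

def forward(switch, in_port, tag=None):
    """Flood one frame (unknown destination MAC) and return {port: egress tag}
    for each port that emits it; None means it leaves untagged."""
    vid = ingress_vid(switch[in_port], tag)
    out = {}
    if vid is None:
        return out
    for name, p in switch.items():
        if name == in_port:
            continue
        if vid in p.tagged:
            out[name] = vid
        elif vid in p.untagged:
            out[name] = None
    return out

def isolated(switch, a, b):
    """True when untagged frames from either port can never reach the other."""
    return b not in forward(switch, a) and a not in forward(switch, b)

# Constructed layout (not any poster's real config): port 1 is the tagged
# trunk to the layer-3 device, port 2 a staff access port, port 5 a guest
# access port, port 8 the "untagged in two VLANs" shortcut tried instead of a trunk.
STAFF, GUEST = 10, 20
SWITCH = {
    1: Port(pvid=1, tagged={STAFF, GUEST}),
    2: Port(pvid=STAFF, untagged={STAFF}),
    5: Port(pvid=GUEST, untagged={GUEST}),
    8: Port(pvid=STAFF, untagged={STAFF, GUEST}),
}
```

`isolated(SWITCH, 2, 5)` is True while `isolated(SWITCH, 8, 5)` is False: port 8 hears guest frames but only ever sends into its PVID, which is why a shared untagged port is not a substitute for a tagged trunk.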

Thanks for this explanation. Now I understand what a VLAN does. Two days ago I didn't even know VLANs existed. Unfortunately, I bought two unmanaged switches during Black Friday, and now I wish I had bought the GS1200-5 instead.

https://www.zyxel.com/products_serv...gabit-Switch-GS1200-5-GS1200-8/specifications

I’ll have to buy this one too, now that I know I can separate my banking computer from my other computers. Reading this forum for the past two days has been really informative.
 
If you know Cisco switching then buy a Cisco small business switch like the old SG350 L3 switches. They have new models now just google them. The nice thing is they work like the Cisco enterprise switches in theory so the same rules will apply. The small business switches are limited compared to enterprise switches but work the same way.
 

I’m sure the Cisco switch is good, but I know almost nothing about networking so I want to keep it as simple as possible. A port-based VLAN would be good enough for me.

But I must say I’m surprised to see that a simple, managed switch such as the mentioned Zyxel needs firmware updates. Perhaps Zyxel builds with security as an afterthought? Maybe ad hoc patching is good enough for them? How difficult can it be to design and build a primitive device such as the GS1200-5 with security in mind? Makes me think I should perhaps continue to use dumb switches. The more advanced hardware, the more time to manage it.

What ordinary home user remembers to update the firmware of a switch which is clearly meant for the consumer market? If things continue in this trajectory, we’ll soon have to update the firmware of our toasters and egg boilers. I mean, what if somebody hacks the egg boiler’s java-based web interface and boils the egg to crisp? Should I preemptively put the egg boiler in a VLAN and hide its physical location behind a VPN?
 

Zyxel seems to cook bugs into their products often. I avoid them at all cost.

A lot of the VLAN setups I see online are actually unnecessary; they would not be needed if the network were either wired correctly for the use or proper zone network management were applied.

I purposely avoid VLANs because there are disadvantages to them.
 
Eggs are a backdoor path into the other devices on your network ;)
Of course we can discuss the zero-day in VLAN if you want.

But normally VLANs should be deployed on managed switches in a network instead of on the router, in case the router goes out. Otherwise you have to spend time setting everything up again. That's no fun. Granted, it's not like networking a few hundred servers, but it's going to be a task depending on how complicated you made it for yourself.
 
If the router supports a VLAN for each LAN Ethernet port, then should it be possible to connect one switch to 1 Ethernet port and have 2 devices on 2 subnets connected to that switch, where each device uses its own VLAN? Is it the kind of setup where tagging/trunking is required?
 
If you are using a hardware port for each VLAN then there is no reason to use VLANs. You only use VLANs when you have more networks than physical ports across a large multi-switch environment. I never use VLANs without assigning a network to each VLAN. VLANs were designed to cut down broadcast domains but with small networks it does not really matter.

Just assign a network to each port if you have 2 ports. I would not build a network this way. I want 1 port in and 1 port out on my firewall. The only exception would be 2 WANs or a LAGG on the LAN side. And yes, I would use VLANs.

I tend to use layer 3 switches so my firewall does not even know about VLANs and does not deal with routing them. My layer 3 switch feeds my router. My router does not see local VLAN traffic only internet bound traffic.
 
It all depends on how you want to lay out the network or networks, because things don't have to run over the same media (Ethernet or fiber). But most of the time VLANs are patches after an install, because otherwise you would just pull the additional wire as it is being installed.
But when using VLANs on a network, it's better that they are created by a managed switch on the network, so on the chance that the router needs to be replaced it can be temporarily patched or replaced with any router and you don't have to spend a lot of time setting up the network again. Certain instances of PPPoE use a VLAN on the WAN and only certain routers have that capability, but with a managed switch that would handle the VLAN, you can place any router there. There is an advantage to this in this situation, as the VLAN encapsulation is not occupying processor and memory resources on the router.
 