Help with setting up VLANS
I am having trouble setting up Vlans.
I Have 3 Vlans that I want to set up. 1) System VLAN 2) Computer VLAN 3) Other VLAN. I want to able to access the system vlan from any port, I also have an access point plugged in to port 8 that I want to be able to access all 3 vlans from, along with fiber connections in ports 9 and 10 that should access all 3 vlans as well. Maybe 9 and 10 need to be trunk ports? They would be connecting to other switches.
Should look something like this:
VLAN 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
VLAN 2 | 1 | 2 | 3 | 4 | 8 | 9 | 10 | |||
VLAN 3 | 5 | 6 | 7 | 8 | 9 | 10 |
I think I am missing something somewhere. I can create the Vlans and assign the ports, but I cannot get access from each port I need.
Any help would be appreciated.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
rjgivens wrote
I can create the Vlans and assign the ports, but I cannot get access from each port I need.
An access port is any port which is an untagged member of just one VLAN.
A trunk port is any port which is a tagged member of one or more VLANs.
You can assign a port as an untagged member of more than one VLAN, but then the switch will direct ingress traffic to only one VLAN, the one which is defined by the Port VLAN ID (PVID). Such ports are neither access nor trunk ports. There is no way to direct untagged ingress traffic to more than one VLAN, but on egress it is possible to send untagged traffic from different VANs to the connected device.
So you might ask why a port can be an untagged member of more than one VLAN. The answer is: it's used for asymmetric VLANs as used in Multi Tenant Unit (MTU) VLANs, which is kind of a »poor man's VLAN« for deployments where a single network is shared by several VLANs (e.g. five tenants isolated against each other with a shared uplink to the Internet).
As for an AP/EAP, you can assign its switch port to more than one VLAN, but it needs to be a trunk (tagged port) then to be able to send traffic to the AP and to serveral VLAN-mapped SSIDs. Just imagine that the physical Ethernet port of the AP is a trunk port and the AP itself as well as the SSIDs are on virtual access »ports« (in fact, virtual interfaces are used to split up the traffic).
The same holds true for the Fiber ports, they need to be trunks.
- Copy Link
- Report Inappropriate Content
rjgivens wrote
I am having trouble setting up Vlans.
I Have 3 Vlans that I want to set up. 1) System VLAN 2) Computer VLAN 3) Other VLAN. I want to able to access the system vlan from any port, I also have an access point plugged in to port 8 that I want to be able to access all 3 vlans from, along with fiber connections in ports 9 and 10 that should access all 3 vlans as well. Maybe 9 and 10 need to be trunk ports? They would be connecting to other switches.
Should look something like this:
VLAN 1 1 2 3 4 5 6 7 8 9 10 VLAN 2 1 2 3 4 8 9 10 VLAN 3 5 6 7 8 9 10
I think I am missing something somewhere. I can create the Vlans and assign the ports, but I cannot get access from each port I need.
Any help would be appreciated.
@rjgivens vlans are essentially separate LANS. It sounds like that isn't really what you want.
I don't own a T1500 switch, I have the less capable TL-SG108E. But I am looking at the T1500G-8T, but haven't pulled the trigger yet. I am a bit surprised that it doesn't allow ingress Acceptable Frame Types filtering for Untagged Only, when it does allow you to limit to Tagged Only, or Admit All. Seems to be an odd ommission. See page 147 of the user guide linked below. I am not aware of any other vendor's switch that allows frame type filtering, but doesn't allow limiting to untagged only.
If you are expecting the switch to limit what ports can talk to what ports, while all still being on the same LAN and ip subnet, then see Chapter 3 starting on page 97 of the T1500 User Guide This essentially lets you create an 8x8 matix of what port can transmit to what port. It is much more general than Multi-Tenant Unit (MTU) VLANS, but like MTU VLANS, doesn't scale across switches, if I understand what it does.
IEEE 802.1Q vlans can extend across multiple switches, and if that is what you want, then the other way is to use separate vlans and limit what can go between the vlans with a vlan-aware router connected to a trunk port on the switch. Then you would have to use the statefull firewall features in the router to limit who can initiate a conversation. With the TL-SG108E that's the only choice unless you want 7 isolated ports and one "internet" port, in which case you can use MTU VLAN mode.
For a good discussion of what vlans are, see this youtube video "What are VLANs? -- the simplest explanation" then go to the Practical Networking site and look for the CCNA-Index for more information. This forum doesn't allow external links, so you will have to do some searching yourself.
I am not sure if you can mix IEEE 802.1Q vlans and use the port isolation together, it isn't clear from the user guide, and I don't have a switch to test.
- Copy Link
- Report Inappropriate Content
Bongo wrote
But I am looking at the T1500G-8T, but haven't pulled the trigger yet. I am a bit surprised that it doesn't allow ingress Acceptable Frame Types filtering for Untagged Only, when it does allow you to limit to Tagged Only, or Admit All.
Inside a VLAN network there is no such thing as an »untagged frame«. Untagged frames will always be tagged, otherwise the switch (or the VLAN-aware router, AP, server, whatever) couldn't handle it. Untagged frames exist only outside the VLAN network, e.g. on a laptop or a network printer or any other non-VLAN-aware device you connect to a VLAN-aware switch.
Thus, to limit acceptable frame types to »untagged only« on T1500G switches you just assign the desired port an untagged membership of one VLAN only and leave the setting Ingress Checking enabled for this port. The PVID assigns the VLAN ID to the untagged frame on ingress. Now, if tagged frames arrive on this port they will be dropped. Only frames with the same VLAN ID as the port's PVID could pass, but that makes perfect sense if the device sends untagged and tagged frames on the same port.
With the TL-SG108E that's the only choice unless you want 7 isolated ports and one "internet" port, in which case you can use MTU VLAN mode.
The MTU VLAN setting in TL-SG108E is just a convenient and easy way to define an asymmetric VLAN. It can be easily defined in 802.1Q VLAN mode, too. In fact, MTU VLANs use 802.1Q and they can indeed span mutiple switches if you set them up expicitly rather than selecting this kind of a »one-click« mode on a TL-SG108E. Of course, you need an additional trunk port to connect the switches together.
- Copy Link
- Report Inappropriate Content
R1D2 wrote
The MTU VLAN setting in TL-SG108E is just a convenient and easy way to define an asymmetric VLAN. It can be easily defined in 802.1Q VLAN mode, too. In fact, MTU VLANs use 802.1Q and they can indeed span mutiple switches if you set them up expicitly rather than selecting this kind of a »one-click« mode on a TL-SG108E. Of course, you need an additional trunk port to connect the switches together.
Thank you! Your post prompted me to do some google research on asymmetric VLAN. And I was able to reproduce MTU VLAN emulation with port 1 as the Uplink port with ports 2-7 as isolated ports. I never understood why the TL-SG108E allowed you to configure more than one untagged vlan on a single switch-port, because I was in the symmetric vlan mindset. This is my first dabbling with asymmetric vlans. I had assumed that the TL-SG108E MTU VLANS were implemented by some type of switch feature that just prevented "isolated" ports from being able to transmit to another isolated port.
Here is the config I have that seems to behave identically to MTU VLAN with port 1 as Uplink port. I have not tried sending tagged vlans through, and I don't see how that could work if the separation is being done via vlan membership and always stripping the vlan-tag on transmit (essentially sending untagged frames from multiple vlans out the same port). I still have to do some more playing to get my head wrapped around this new paradigm.
- Copy Link
- Report Inappropriate Content
Bongo wrote
I had assumed that the TL-SG108E MTU VLANS were implemented by some type of switch feature that just prevented "isolated" ports from being able to transmit to another isolated port.
Port isolation is one of the features not found in Easy Smart switches. It's available in Smart and Managed switches only, e.g. in T-series switches (T1500G, T1600G, etc.).
I have not tried sending tagged vlans through, and I don't see how that could work if the separation is being done via vlan membership and always stripping the vlan-tag on transmit (essentially sending untagged frames from multiple vlans out the same port).
VLANs are not tagged or untagged, it is frames flowing through a VLAN network which are tagged (and such frames are always tagged).
There is no single untagged frame inside a VLAN network, the tags can just be removed/added on egress/ingress of a VLAN network, so untagged frames will appear only outside a VLAN. You can define where a VLAN starts and ends by defining the switch's behavior on individual ports and you can extend VLANs to other switches and devices such as routers, servers, access points etc. and even to laptops and PCs.
To better understand this, let's extend your MTU VLAN to a second TL-SG108E. For clarification, I assign the ports an additional switch number, so port 1/8 is port 8 of the first switch and 2/8 is port 8 of the second switch.
First you create more VLANs, say 21, 22, 23, etc. VLAN 21 is a convenient short-hand for »first tenant unit on second switch«, but it's just a convention, you can use any VLAN ID not in use already. You need to create those VLANs on both switches.
Then you assign both switches an uplink port, say ports 1/8 and 2/8. Both uplink ports will be tagged members (trunk ports) of all VLANs required on switch 2 (VLAN 1, 21, 22, 23 and so on). PVIDs of those trunk ports don't matter, since there will be no untagged frames on this trunk, so set PVID=1.
Assign port 1/1 as an untagged member of all VLANs, that's 1-7, 21-27.
Assign port 2/1 as an untagged member of VLANs 1 and 21, PVID=21.
Your VLAN 21 now »starts« at port 2/1, spans ports 2/8, 1/8 and is »terminated« at port 1/1, meaning that VLAN tags are added to / removed from frames depending on direction of flow on ports 2/1 and 1/1 only. Tags will be left intact when frames pass the trunk ports 2/8 and 1/8. Thus, the VLAN spans mulitple switches and inside this VLAN there are no untagged frames.
Same (no untagged frames) is true for VLAN 1 and even for VLANs 2-7, except that the latter ones exist only in switch 1. But inside this switch there are no untagged frames (except on the internal Ethernet interface of the switch itself where you can reach its web UI, but let's ignore that, it's irrelevant for now).
Notes:
- This scheme of an asymmetric VLAN for sharing a common ressource (Internet) works only for cascaded switches, not for switches connected in star topology directly to the router. For the latter you would need to either deny LAN-to-LAN forwarding in the router's firewall or extend the VLAN network to the router and tag frames there, else tenant units connected to switch 2 could reach tenant units connected to switch 1.
- TL-SG108E provides only 32 VLAN IDs out of 4096.
- Copy Link
- Report Inappropriate Content
R1D2 wrote
Bongo wrote
But I am looking at the T1500G-8T, but haven't pulled the trigger yet. I am a bit surprised that it doesn't allow ingress Acceptable Frame Types filtering for Untagged Only, when it does allow you to limit to Tagged Only, or Admit All.
Inside a VLAN network there is no such thing as an »untagged frame«. Untagged frames will always be tagged, otherwise the switch (or the VLAN-aware router, AP, server, whatever) couldn't handle it. Untagged frames exist only outside the VLAN network, e.g. on a laptop or a network printer or any other non-VLAN-aware device you connect to a VLAN-aware switch.
Thus, to limit acceptable frame types to »untagged only« on T1500G switches you just assign the desired port an untagged membership of one VLAN only and leave the setting Ingress Checking enabled for this port. The PVID assigns the VLAN ID to the untagged frame on ingress. Now, if tagged frames arrive on this port they will be dropped. Only frames with the same VLAN ID as the port's PVID could pass, but that makes perfect sense if the device sends untagged and tagged frames on the same port.
I found a file on slideshare that showed what you described, evidently for a Marvell switch chip. search At8000 s configurando vla_ns - SlideShare and see slide 32/111
where it has this
reasonably good description of vlans
- Copy Link
- Report Inappropriate Content
@Bongo, thanks, that's helpful. So it seems that PVID association is done before applying »Ingress Filter« - that's missing in the documentation for JetStream switches. You got two Kudos (counts double for reasons unknown to me, ha ha).
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1884
Replies: 7
Voters 0
No one has voted for it yet.