VLANs and SG2008P
I am brand new to VLANs and could use a little help with my SG2008P switch.
VLAN 1 (unchangeable main VLAN for the switch) is hardcoded with a static IP of 192.168.1.238 mask 255.255.255.0.
Under L2 features, VLAN, I added VLAN ID: 20, Name: IoT, Selected all ports untagged.
Under L3 interface, I added VLAN ID: 20, Selected static IP and assigned an IP 192.168.2.238 mask 255.255.255.0 (which is on a different subnet than VLAN 1).
Under L3 static routing, I added Destination: 0.0.0.0, Mask: 0.0.0.0, Next Hop: the default route for my network (192.168.1.250).
---------------
Then I configured a laptop with a manual IP of 192.168.2.25, default route 192.168.1.250, DNS server 192.168.1.9. I figured I'd try to get this working simply first before I worried about DHCP and DNS. Used a hardwired cable to connect the laptop directly to the SG2008P.
The laptop is unable to ping 192.168.2.238 (and is also unable to ping anything on 192.168.1.x/24). Why is the switch not responding on 192.168.2.238? That shouldn't depend on any routing since the two devices are on the same subnet.
Everything on VLAN1 (everything else in my network) works perfectly.
A port should be untagged in only one VLAN, that is the VLAN you want that port to belong to. Also, its PVID should be set to the VID of that untagged VLAN. In your case, the port on the switch connected to the router should be untagged in VLAN1 with PVID = 1. It looks as if that's already the case, but remove that port from VLAN20. You have set the switch to do inter-VLAN routing, which is good. However, now your switch's VLAN interfaces (SVIs) 192.168.1.238 and 192.168.2.238 are the gateways for local traffic in their respective VLANs. Therefore, your laptop's default gateway should be 192.168.2.238, not 192.168.1.250, if you connect the laptop to a VLAN20 port with PVID = 20. If you connect it to a port in VLAN1 with PVID = 1, the default gateway should be 192.168.1.238. Your router at 192.168.1.250 does not route local traffic, and never did. It routes only traffic to/from the Internet. The default route that you have already set up on the switch tells the switch that. Also, you need to add the following static route to your router so it knows that the 192.168.2.0/24 network can be reached through the 192.168.1.238 SVI.
192.168.2.0 255.255.255.0 192.168.1.238 LAN
If you add more VLANs, a static route like that will need to be added for each VLAN. You do not need a static route for VLAN1, because your router is in VLAN1.
Thank you for the reply. It was quite helpful and informative.
But there is still one thing I don't get. Your very first sentence is:
"A port should be untagged in only one VLAN, that is the VLAN you want that port to belong to."
That doesn't seem possible on my network. The SG2008P is connected to very many other devices through several of its ports, including downstream wireless access points. Here is a picture of my network (the SG2008P is the box labeled "managed switch"):
For any given port on the switch, downstream devices might belong to either VLAN1 or VLAN20. Also, the downstream devices don't understand VLANs, which is why I set the ports to untagged.
What I'm trying to accomplish is to segregate IoT devices onto a different subnet than the rest of my devices. Most of the IoT devices are connected via WiFi from an access point downstream of the SG2008P. But some of the non-IoT devices also connect via the access point.
Is what I want not possible with my setup?
I also should add that my hoped-for solution would allow the devices on VLAN1 full access to VLAN20, but that devices on VLAN20 would not have access to VLAN1 except for DNS and DHCP.
A port can be untagged or tagged in a VLAN. A single port can be untagged in one VLAN and tagged in another. Again, it should be untagged in only one VLAN, but it can be tagged in many VLANs. Having a port untagged in many VLANs does nothing, since you can set only one PVID on a single port.
If your wireless AP supports VLANs and is configured with VLANs, the switchport the AP is connected to should be tagged in each VLAN. You configure an AP with VLANs by associating its SSIDs with VIDs, for example SSID1 with VID = 1 and SSID20 with VID = 20. The AP will tag frames sent to the switch with the corresponding VIDs. For example, if a wireless device connects to SSID20, then the AP will tag its Ethernet frames with VID = 20. I have no experience with wireless bridges or extenders that work with VLAN-aware APs.
If an AP is not configured with VLANs, the switchport it is connected to needs to be untagged and with a proper PVID. All devices connected to that AP, including wireless bridges and extenders, will belong to only one VLAN. However, this can be altered, for example by using MAC-based VLANs. In MAC-based VLANs, you associate MAC addresses of end-point devices with VIDs. MAC-based VLANs are difficult to maintain, so I would not recommend them.
An unmanaged switch needs to be connected to a switchport that is untagged, same as a VLAN-unaware AP. All devices connected to that switch will belong to only one VLAN. If you have some devices that need to belong to another VLAN, you should replace that switch with a managed switch. Two managed switches that are configured with VLANs should be connected together with the connected ports tagged in all VLANs.
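The port rules explained in the two replies above (untagged in one VLAN, PVID, tagged membership for a VLAN-aware AP uplink, and the SVI acting as local gateway) as an added Python model; this is example code, not from the thread or from TP-Link, and the `Port` class, port names and `SVI` table are constructed to mirror the addresses in the thread.

```python
# Added example, not from the thread: a small model of 802.1Q port rules
# (untagged/tagged membership, PVID) plus an on-link gateway check, to show
# why the laptop never reached 192.168.2.238. Port names/values are constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port is untagged in
    tagged: set = field(default_factory=set)    # VLANs this port is tagged in

def ingress_vlan(port, tag=None):
    """Classify an incoming frame; tag=None means it arrived without an 802.1Q tag."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None  # tagged frames need tagged membership

def egress_frame(port, vid):
    """'untagged', 'tagged', or None if the frame is not forwarded out this port."""
    if vid in port.untagged:
        return "untagged"
    return "tagged" if vid in port.tagged else None

# Switch SVIs as in the thread: VLAN 1 -> 192.168.1.238, VLAN 20 -> 192.168.2.238
SVI = {1: "192.168.1.238", 20: "192.168.2.238"}

def svi_reached(port, tag=None):
    """Switch IP a host behind this port can ARP for (None if the frame is dropped)."""
    return SVI.get(ingress_vlan(port, tag))

def gateway_on_link(host_cidr, gateway):
    """A default gateway is usable only if it sits in the host's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network

# Original setup: port untagged in both VLANs, PVID left at 1
broken = Port(pvid=1, untagged={1, 20})
# Fix from the reply: laptop port untagged only in VLAN 20, PVID 20
fixed = Port(pvid=20, untagged={20})
# VLAN-aware AP uplink: untagged in VLAN 1 (PVID 1), tagged in VLAN 20
trunk = Port(pvid=1, untagged={1}, tagged={20})

if __name__ == "__main__":
    print(svi_reached(broken))          # 192.168.1.238 (the .2.238 SVI is unreachable)
    print(svi_reached(fixed))           # 192.168.2.238
    print(svi_reached(trunk, 20))       # 192.168.2.238 via SSID20 frames tagged by the AP
    print(egress_frame(trunk, 20))      # tagged
    print(gateway_on_link("192.168.2.25/24", "192.168.1.250"))  # False
    print(gateway_on_link("192.168.2.25/24", "192.168.2.238"))  # True
```

The first print shows the original symptom: with PVID 1 the laptop's untagged frames are classified into VLAN 1, so its ARP for 192.168.2.238 never reaches the VLAN 20 SVI, regardless of routing.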
Thank you for the response.
You have convinced me that what I want to do won't work with VLANs. I have no way to associate SSIDs with a VLAN, and even if I did it wouldn't matter since all wireless devices are on the same SSID.
I suppose MAC-based VLANs are a possibility, but I really don't want to have to maintain that.
What do you think about assigning device IPs to different subnets without using VLANs? (Just assigning through DHCP). My understanding is that the main thing I would lose is additional traffic on my net, which I really don't care about.
“What do you think about assigning device IPs to different subnets without using VLANs? (Just assigning through DHCP). My understanding is that the main thing I would lose is additional traffic on my net, which I really don't care about.”
I don't know what the benefits of it would be. There will be no traffic separation at L2. I don't think your DHCP server would be able to serve IP addresses to more than one subnet in the same broadcast domain. I also do not think you will be able to create a gateway for additional subnets.
What is that "additional traffic" you’ve mentioned? From time to time, posts offering very unorthodox solutions appear. Do not be guided by them. They either have a very limited use or are totally wrong.
Thank you very much for the support. You have really helped clarify things.
The additional traffic I was referring to is that VLANs can help reduce broadcast traffic. Not an issue in my case.
No more support needed.