VLAN T1600G-28TS

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re: VLAN T1600G-28TS
2020-02-04 23:40:53 - last edited 2020-02-04 23:49:51

Hello @mupfel, I didn't expect that someone would read the old posts nowadays, so I updated post #10 to take into account settings in newer firmware versions and to correct a few errors.

mupfel wrote

Thank you for the very good explanation. You said that the access point is only related to one VLAN.

Usually an access port is related to its Port VLAN, which you could also call Native, Default, System or Primary VLAN for this port. I use the term Primary VLAN which implies that an access port can indeed be a member of other Secondary VLANs (but beware: other vendors might use the term Primary VLAN for different things).

If you have a VLAN-unaware device, the switch uses the Port VLAN ID (PVID) to tag frames from this device with a VLAN ID on ingress, thus assigning traffic to this VLAN. On egress to this device, all tags are stripped from the frames.

So if you have an access port which is a member of more than one VLAN, it will receive all traffic from other devices in those VLANs, but answers from this device can be assigned to only one VLAN, since there is only one PVID per port.

That means the device cannot access two different VLANs over an access port by just adding this port to several VLANs, except ... if the other device(s) in the other VLANs are also member(s) of the origin port's Primary VLAN. This is called an asymmetric VLAN setup.

Let's look at a practical example of such an asymmetric VLAN setup:

You have a VLAN-unaware router (R1) connected to port 1 and two PCs (PC2 and PC3) connected to ports 2 and 3 of your switch. The router has only one IP network (e.g. 10.0.0.0/24). You want to isolate the two PCs from each other, but allow both PCs to access the Internet through the router.

You can set up the switch as follows:

  • The router R1 will use port 1's Primary VLAN 1 with PVID=1.
  • To isolate the two PCs from each other you create two new VLANs, 2 and 3:
    • VLAN 2 is the Primary VLAN for PC2 with PVID=2.
    • VLAN 3 is the Primary VLAN for PC3 with PVID=3.
  • Since the PCs use VLANs 2 and 3 (because of their PVIDs) to communicate with the router R1, you need to assign the router a membership of those VLANs 2 and 3, too, but you leave its PVID=1.
  • Since the router R1 will use VLAN 1 to send traffic back to PC2 and PC3, you assign PC2 and PC3 to be members of VLAN 1, too, but leave their PVIDs unchanged.

This uses one network, but three VLANs. Traffic from PC2 (PC3) reaches the router R1 via VLAN 2 (VLAN 3), while traffic from the router R1 to PC2/PC3 will use VLAN 1 (that's the asymmetry). Goal achieved.

You see, one can't say that an access port is restricted to only one VLAN, but one can state that a port with only one VLAN is almost certainly an access port. Technically, a single port could use tagged traffic if the device is VLAN-aware, but then it would not make much sense to tag it at all if the port is a member of only one VLAN.

Now to your question:

How do I have to configure the switch if a client PC should have access to two different VLANs over one access port?

Let's assume your router R1 is VLAN-aware and has two virtual interfaces (VIFs, e.g. eth0.2 and eth0.3), tagging egress traffic with VLAN ID 2 and 3, respectively. eth0.2 is assigned to one network, 10.0.2.0/24, and eth0.3 is assigned to another network, 10.0.3.0/24. The router itself has two IPs: 10.0.2.1 on eth0.2 and 10.0.3.1 on eth0.3.

Same connections to the switch as shown above (R1=port 1, PC2=port 2, PC3=port 3). Now you do not want to isolate the PCs, but to allow communication between the PCs in different VLANs. The switch setup is as follows:

  • The router R1 will use the trunk port 1 for communication with the two VLANs 2 and 3. The PVID doesn't matter as long as you only use the VIFs eth0.2 and eth0.3 (if you used the base interface eth0, which causes untagged traffic on egress, the PVID of the switch port would matter).
  • PC2 is a member of VLAN 2 with PVID=2 and has IP 10.0.2.2.
  • PC3 is a member of VLAN 3 with PVID=3 and has IP 10.0.3.3.
  • To allow PC2 to communicate with PC3 you would use Inter-VLAN routing. This can be done on the router (by allowing forwarding in the firewall) or on the switch (if it supports routing).

Another alternative would be to use VLANs on the PCs themselves. Nowadays, almost all modern operating systems allow setting up VLAN-aware virtual interfaces on PCs, too. But then you have to switch between the VIFs every time before using them. That's why Inter-VLAN routing is still the preferred method.

Hope this makes it somewhat clearer. Summary: VLAN is just a universal mechanism you can use in any way you like. Terms like "access port" and "trunk port" or "Default/System/Native VLANs" are just terminology to name the things you have set up. You could also call them mupfel VLAN, urmel port and lukas port if you want.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#13
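As an added example (not code from the post, the T1600G-28TS firmware or TP-Link), here is a small Python model of the switch forwarding decision the reply describes (PVID classification on ingress, VLAN membership and tagged/untagged sets on egress) used to check both setups; the port names p1 to p3, the Port class and the frozenset layout are assumptions of the model, and MAC learning is left out.

```python
# Added example, not from the original post or TP-Link firmware: a minimal model
# of the forwarding decision (PVID classification on ingress, VLAN membership and
# tagged/untagged sets on egress) to check the two setups described above.
# It ignores MAC learning, so it only shows which ports a frame *may* reach.
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    pvid: int            # VLAN assigned to untagged ingress frames
    member: frozenset    # VLANs this port belongs to
    untagged: frozenset  # member VLANs whose frames leave this port untagged


def forward(ports, src, vid_in=None):
    """A frame enters port `src`; vid_in=None means it arrived untagged.
    Returns {egress_port: vid_out}, where vid_out None means untagged."""
    vid = ports[src].pvid if vid_in is None else vid_in
    if vid not in ports[src].member:
        return {}        # ingress filtering: the port is not in that VLAN
    out = {}
    for name, p in ports.items():
        if name != src and vid in p.member:
            out[name] = None if vid in p.untagged else vid
    return out


def asymmetric_ports():
    """Setup 1: VLAN-unaware R1 on port 1; PC2/PC3 isolated, both reach R1."""
    return {
        "p1": Port(1, frozenset({1, 2, 3}), frozenset({1, 2, 3})),  # R1
        "p2": Port(2, frozenset({1, 2}), frozenset({1, 2})),        # PC2
        "p3": Port(3, frozenset({1, 3}), frozenset({1, 3})),        # PC3
    }


def trunk_ports():
    """Setup 2: VLAN-aware R1 (eth0.2/eth0.3) on trunk port 1, PCs in VLAN 2 / 3."""
    return {
        "p1": Port(1, frozenset({2, 3}), frozenset()),  # tagged 2 and 3, PVID unused
        "p2": Port(2, frozenset({2}), frozenset({2})),
        "p3": Port(3, frozenset({3}), frozenset({3})),
    }


if __name__ == "__main__":
    a = asymmetric_ports()
    print("PC2 ->", forward(a, "p2"))         # R1 only, untagged (VLAN 2)
    print("R1  ->", forward(a, "p1"))         # PC2 and PC3, untagged (VLAN 1)
    t = trunk_ports()
    print("PC2 ->", forward(t, "p2"))         # R1, tagged with VID 2
    print("R1 eth0.3 ->", forward(t, "p1", 3))  # PC3, untagged
```

In both setups the model shows no direct path from PC2 to PC3, so in setup 2 whether the PCs can talk depends entirely on the router's forwarding rules between eth0.2 and eth0.3.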