The views expressed below do not in any way reflect internal doctrine or official statements of Netgear Inc. These are just my notes - use at your own risk.

This site is intended for educational purposes. I'm not here to plagiarize or copy anyone.

Below are PDFs that are useful for different VLAN setups with NETGEAR, including layer 3 switches and wireless scenarios. They were written by NETGEAR for anyone to read and can be found on their site and also

NOTE: I have the PDF version of this as a download link at the bottom of the page. This was originally a PowerPoint presentation that I made, which is why it has this outline sort of format.

[update 11/19/2013]

Access Points and WC7520

(For this piece on access points and wc6520, pretend the management VLAN is 1)

Tag SSID VLANs: For the access points you need to tag (from the switch) the VLANs that are used in the SSID profiles
Untag Management VLANs (even if it's one of the SSIDs): If the access point management VLAN is 1, then untag 1 from the switch to it

The WC7520 is an access point controller, and if you're using it, it just needs management communication with the access points.
The WC7520 just needs Management VLAN information (so only untag 1 to it, that is, if 1 is the management VLAN)

[update 2/27/2013] 

This note should be read after reading the full article

NOTE: The article below deals strictly with the Layer 2 setup. Here is what you should get out of it: 

1) A tiny change in the network means you have to set the tags/untags/PVIDs differently

a) PVIDs don't really matter on trunk links
b) 1 PVID per port; 0 to a lot of tags per port possible; 0 to a lot of untags per port possible
c) In layman's terms: the PVID sets the VLAN of the port, and the TAGS/UNTAGS set who the port can talk to (hence it's called membership). Being a non-member means there is no tag or untag there.

3) There are exceptions to the rules
a) Especially with default VLANs (I don't mention them below, but it's important to realize that all a default or management VLAN does is automatically untag itself at every port, so that it traverses every port with no VLAN header in the packet)
b) Ingress filtering - this is not on all of the switches, but it's really an easy concept: if it's enabled, it changes the decision tree of the ingress portion
* If it's Enabled - frames are discarded if the port is not a member (a tag/untag setting means membership) of the incoming packet's VLAN tag (the incoming packet's VLAN tag simply means the VLAN ID)
* If it's Disabled - the regular rules for 802.1Q ingress apply, the ones in the decision tree below: the packet goes into the switch and is not dropped on input (if a tag is on the packet, don't touch the tag; if no tag/VLAN header is on the packet, attach a tag/VLAN header with the VLAN number equal to the PVID)
c) Acceptable frame types
* Acceptable frame types: Admit All - untagged frames or priority tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port.
* Acceptable frame types: VLAN only - all packets accepted
d) There are a lot of other kinds of VLANs that are not covered in this article, but they are mostly of the dynamic type (meaning they change from port to port; the setting varies per port - in fact it has nothing to do with the port but more with what the frame or packet contains)

4) Other types of VLANs - layer 2 technology (some look at layer 3 information to assign the layer 2 VLAN)
a) MAC based VLANs: look at the MAC address to see what VLAN something belongs in - this is like Voice VLANs
b) Voice VLANs - look for the OUI of a frame and tag the ports accordingly - that's it. They don't set the phones to the VLAN; they simply tag the packet/frame if they detect a certain OUI on the frame. Voice VLANs have options to adjust the QoS settings to make the voice VLAN more important. Think of a Voice VLAN as a friendly wizard that sets up automatic tags (or MAC based VLANs) for you and also sets up QoS for that VLAN.
c) IP Subnet based VLANs - like MAC based VLANs, except the VLAN is determined by the IP address of a packet
IP Subnet Based VLAN Configuration
when we have vlan routing already
* IP Subnet Based VLAN is a dynamic VLAN (the VLAN can move from port to port); it looks at the layer 3 information of the packet (source IP) to set the VLAN ID (layer 2)
* Routing VLAN 3 just associates a VLAN with an IP gateway sort of mechanism - it's all layer 3

... here comes the main article ...


2 Types with NETGEAR

·         Port Based Vlans

·         802.1Q Vlans



Port Based Vlans

      Rare and on old switches

      VLAN information determined by the port it’s received on

      Frames don’t get tagged

      1 Port can only belong to 1 VLAN

      Ports in a port-based VLAN are referred to as untagged ports and frames received on the ports as untagged frames

      Frames received on a port hold no info on what VLAN they belong to. Where the switch forwards the frame depends on the port’s PVID (Port VLAN ID).

      Each port has a PVID and the switch forwards the frame to all other ports with the same PVID

802.1Q Vlans

      Industry Standard

      VLAN information determined by the frame instead of port

      On Ingress (as frame enters switch)

       Does this frame have an 802.1Q tag?

       No: Assign the VLAN ID (VID) of the Port VLAN ID (PVID) to the frame. [In other words: Tags the frame]

       Yes: Let the frame Ingress [In other words the frame stays tagged and leaves the switch]

      On Egress (as frame leaves switch)

       Is this port participating [tagged or untagged] in this VLAN?

       No [In GUI: VLAN configured BLANK]: Drop the frame

       Yes: Is this port configured to tag (port tagging)?

       Yes (Participating TAG): Preserve the Tag & egress [Leaves w/ Tag]

       No (Participating UNTAG): Strip the Tag & egress [Leaves w/out TAG]
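
The ingress/egress decision tree above, together with the ingress filtering option from the note at the top, as a small Python model (an added example, not NETGEAR code or part of the original notes). The VLAN IDs 10, 20 and 30 and the port names are constructed, and every frame is treated as flooded within its VLAN (no MAC table).

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int = 1
    tagged: set = field(default_factory=set)    # VLANs leaving with the tag kept
    untagged: set = field(default_factory=set)  # VLANs leaving with the tag stripped

    def member(self, vid):
        return vid in self.tagged or vid in self.untagged

def ingress(port, frame_vid, ingress_filtering=False):
    """Internal VLAN ID for a frame entering `port`, or None if dropped on input."""
    if frame_vid is None:                  # no 802.1Q tag: assign the PVID
        return port.pvid
    if ingress_filtering and not port.member(frame_vid):
        return None                        # tagged for a VLAN the port is not in
    return frame_vid                       # already tagged: leave the tag alone

def egress(port, vid):
    """'tagged', 'untagged', or None (blank membership: drop)."""
    if vid in port.tagged:
        return "tagged"
    if vid in port.untagged:
        return "untagged"
    return None

def forward(ports, src, frame_vid=None, ingress_filtering=False):
    """Flood one frame from `src`; return {egress port: how it leaves}."""
    vid = ingress(ports[src], frame_vid, ingress_filtering)
    if vid is None:
        return {}
    results = {name: egress(p, vid) for name, p in ports.items() if name != src}
    return {name: how for name, how in results.items() if how}

# Constructed VLAN IDs: 10 = PC1 data, 20 = PC2 data, 30 = phones.
TRUNK = Port(pvid=1, tagged={10, 20, 30})
ISOLATED = {"pc1": Port(10, untagged={10}), "pc2": Port(20, untagged={20}), "trunk": TRUNK}
SHARED = {"pc1": Port(10, untagged={10, 20}), "pc2": Port(20, untagged={10, 20}), "trunk": TRUNK}

if __name__ == "__main__":
    print(forward(ISOLATED, "pc1"))            # PC1 cannot reach PC2
    print(forward(SHARED, "pc1"))              # PC1 reaches PC2 untagged
    print(forward(ISOLATED, "pc1", frame_vid=30))                          # filtering off
    print(forward(ISOLATED, "pc1", frame_vid=30, ingress_filtering=True))  # filtering on
```

With ingress filtering off, a frame that enters the PC1 port already tagged for VLAN 30 still leaves on the trunk; with it on, the frame is dropped at input because the port is not a member of VLAN 30.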

Interesting Things to Note

       All traffic in a managed switch has an 802.1q tag on it

       Even if no VLANs are created, everything still is tagged for VLAN 1

       Avoid using VLAN 1 – leave it for management and trunk port PVIDs

       On some switches you will see an Audio and Video VLAN that can’t be deleted. They have QoS settings that make the Audio VLAN more important, so avoid both of them if you don’t want the QoS effect.

       PVID determines what VLAN a port belongs to

       Tagging and Untagging determine who can talk to whom


       With Firewalls/Routers: The firewall should have all the same VLANs created on it as are on the switch.

      Firewall and Routers:

       Membership:  This is like auto tagging and untagging

      When it connects to a switch it tags

      When it connects to a host it untags

       Default VLAN: This is like the PVID

      If the firewall/router doesn’t have the VLAN:

       Create VLAN on the switch to disperse the internet out, by untagging all the ports with it and setting the PVID on the port uplinking to the router/firewall as the Internet VLAN PVID

Trunks between switches

       Trunk Links Connecting Switches

      PVID doesn’t matter so just leave it as 1.

      Because all traffic that leaves through it was already tagged, the PVID doesn’t matter. (See above)


      Good to have Data and Voice VLAN separate

       Security: So computers can’t record phone data

       Can apply QoS (Quality of Service) on it so that Phone traffic is more important

       VoIP traffic is sensitive to delays and differences in delays (jitter) both measured in units of time (millisecond to microsecond)

       Best quality = minimizing delay as much as possible and having 0 jitter

      Phones: VoIP phones tag their traffic, so PVID doesn’t matter for the performance of the phone. However, set the PVID to the computer VLAN if a computer is attached to the phone

      Think of a VoIP phone as a 2 port switch. All voice traffic is tagged automatically by the phone and computer traffic goes through it untagged.

       So on the switch we catch the untagged computer traffic with a PVID

       And distribute VoIP data by tagging

Connecting With Cisco

      Trunk Port - Cisco will tag all VLANs across (since PVID doesn’t matter here, it’s just like tagging every VLAN); this can be controlled with pruning or the “allowed VLANs” command

      Access Port – Cisco untags the appropriate VLAN here and also sets the PVID (this is like a PVID and Untagging at the same time)

      Native VLAN in Cisco is similar to PVID: it tags traffic that comes in without a tag.

      On Cisco, when connecting to a Phone-PC combo, set the Cisco port as a Trunk Port and the Native VLAN on that port to match the PC’s VLAN

      In the configuration process, just treat the Cisco switch as if it were a Netgear device, untagging and tagging as needed

      Do not configure a Cisco device, let the customer configure it. (We are not CISCO Tech Support)

Connecting With DHCP Server

       3 Scenarios

      Netgear Device has the VLANs configured on it

       Just as Example: Gateway that understands VLANs, except configure the VLANs to have DHCP Server Enabled

      PC has DHCP Scope for 1 VLAN, Each VLAN has its own dedicated PC to give out DHCP

       Untag & PVID that port for the VLAN # that DHCP server is in

      1 DHCP Server for the entire Network

       Untag all VLANs that need DHCP on that port

       Set the PVID to whatever VLAN that DHCP server belongs in

       Use IP-HELPER or DHCP RELAY to point the other VLANs to the DHCP Server’s IP

Wireless VLANs

      Usually want to have a Guest VLAN and Main Office VLAN

      Each SSID on the Access Point gets its own VLAN ID


      MAIN SSID – VLAN 2

      Tag Wireless VLANs to the Access points

      Make sure VLANs have a path through all the switches to get to all the Access points, controller/s (?) and to the gateway

      Make sure gateway has both VLANs created on it

      If gateway doesn’t have VLANs created on it then make sure there is an internet VLAN used to disperse the internet

Summary [corrections on 11/19/2013 listed below]

      PC1 and PC2 can’t communicate

      To PC1: Untag PC1 VLAN, PVID PC1 VLAN

      To PC2: Untag PC2 VLAN, PVID PC2 VLAN

      PC1 and PC2 can communicate with each other

      To PC1: Untag PC1 & PC2 VLANs, PVID PC1 VLAN

      To PC2: Untag PC1 & PC2 VLANs, PVID PC2 VLAN

      Trunk to Switch handling VLANs: Tag all VLAN, PVID 1 (Doesn’t matter)

      Trunk to unmanaged switch serving VLAN PC1: Untag PC1 VLAN, PVID PC1

      PC-1+Phone: Untag DATA PC1 VLAN, Tag PHONE VLAN, PVID DATA PC1

      Phone: Tag PHONE VLAN, PVID 1 (Doesn’t matter)

      DHCP Server Serving many VLANs:  Untag ALL VLANs, PVID PC1 VLAN

      Gateway which has VLANs: Tag ALL VLANs, PVID 1 (doesn’t matter)

      Gateway which has no VLANs: Untag ALL VLANs, PVID INTERNET VLAN

      Access Point: Tag ALL VLANs that SSIDs talk with, PVID 1 (doesn’t matter) - Correction on 11/19/2013: untag mgmt VLAN, PVID mgmt VLAN, tag SSIDs

       To Controller: Tag ALL VLANs that SSIDs talk with, PVID 1 (doesn’t matter) - Correction on 11/19/2013: only untag mgmt VLAN and PVID mgmt VLAN

koss boss,
Sep 16, 2012, 2:42 PM