The views expressed below do not in any way reflect internal doctrine or official statements of Netgear Inc. These are just my notes - use at your own risk.
This site is intended to be for educational purposes. I'm not here to plagiarize or copy anyone.
Below are PDFs that are useful for different VLAN setups with NETGEAR, including layer 3 switches and wireless scenarios. Those are written by NETGEAR for anyone to read and can be found on their site www.netgear.com and also support.netgear.com
NOTE: I have the PDF version of this as a download link at the bottom of the page. This was originally a PowerPoint presentation that I made, which is why it has this outline sort of format.
Access Points and WC7520
(For this piece on access points and the WC7520, pretend the management VLAN is 1)
Tag SSID VLANs: for the access points you need to (from the switch) tag the VLANs that are used in the SSID profiles
Untag the Management VLAN (even if it's one of the SSID VLANs): if the access point management VLAN is 1, then untag 1 from the switch to it
The WC7520 is an access point controller, and if you're using it, it just needs management communication with the access points.
The WC7520 just needs the Management VLAN (so only untag 1 to it, that's if 1 is the management VLAN)
This note should be read after reading the full article
NOTE: The article below deals strictly with the Layer 2 setup. Here is what you should get out of it:
1) a tiny change in the network means you have to do the tags/untags/PVIDs differently
a) PVIDs don't really matter on trunk links
b) 1 PVID per port; 0 to a lot of tags per port possible; 0 to a lot of untags per port possible
c) In layman's terms: the PVID sets the VLAN of the port; the TAGS/UNTAGS set who the port can talk to (hence it's called membership); being a non-member means there is neither a tag nor an untag there.
2) there are exceptions to the rules
a) especially with default VLANs (I don't mention them below, but it's important to realize that all a default or management VLAN does is automatically untag itself at every port, so that it traverses every port with no VLAN header in the packet)
b) Ingress filtering - this is not on all of the switches, but it's really an easy concept - if it's enabled it changes the decision tree of the Ingress portion
* If it's Enabled - frames are discarded if the port is not a member (a tag or untag setting means membership) of the VLAN in the incoming packet's tag (incoming packet's VLAN tag simply meaning the VLAN ID)
* If it's Disabled - the regular 802.1Q ingress rules apply, the ones in the decision tree below: the packet goes into the switch and is not dropped on input (if a tag is on the packet, don't touch the tag; if no tag/VLAN header is on the packet, attach a tag/VLAN header with the VLAN number equal to the PVID)
c) Acceptable frame types
* Acceptable frame types: Admit All - untagged frames or priority-tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port.
* Acceptable frame types: VLAN only - all packets accepted
d) There are a lot of other kinds of VLANs that are not covered in this article, but they are mostly of the dynamic type (meaning they change from port to port; the setting varies per port - in fact it has nothing to do with the port but with what the frame or packet contains)
3) Other types of VLANs - layer 2 technology (some look at layer 3 information to assign the layer 2 VLAN)
a) MAC-based VLANs: look at the MAC address to see what VLAN something belongs in - this is like Voice VLANs
b) Voice VLANs - look for the OUI of a frame and tag the port accordingly - that's it - they don't set the phones to the VLAN; they simply tag the packet/frame if they detect a certain OUI on the frame. Voice VLANs have options to adjust the QoS settings to make the voice VLAN more important. Think of Voice VLAN as a friendly wizard that sets up automatic tags - or MAC-based VLANs - for you, and also sets up QoS for that VLAN.
c) IP subnet-based VLANs - like MAC-based VLANs except the VLAN is determined by the IP address of the packet
WHAT'S THE POINT OF THIS? IP Subnet Based VLAN Configuration, when we have VLAN routing already?
* IP Subnet Based VLAN is a dynamic VLAN (the VLAN can move from port to port) and it looks at the layer 3 information of the packet (source IP) to set the VLAN ID (layer 2)
* Routing VLAN 3 (VLAN routing) just associates a VLAN with an IP gateway, a sort of interface mechanism - it's all layer 3
... here comes the main article ...
2 Types of VLANs with NETGEAR
· Port Based Vlans
· 802.1Q Vlans <- MOST COMMON AND CURRENT INDUSTRY STANDARD
Port Based Vlans
– Rare and on old switches
– VLAN information determined by the port its received on
– Frames don’t get tagged
– 1 Port can only belong to 1 VLAN
– Ports in a port-based VLAN are referred to as untagged ports and frames received on the ports as untagged frames
– Frames received on a port hold no info on what VLAN they belong to. Where the switch forwards the frame depends on the port's PVID (Port VLAN ID).
– Each port has PVID and switch forwards frame to all other ports with same PVID
802.1Q Vlans
– Industry Standard
– VLAN information determined by the frame instead of port
– On Ingress (as frame enters switch)
• Does this frame have an 802.1Q tag?
• No: Assign the VLAN ID (VID) of the Port VLAN ID (PVID) to the frame. [In other words: Tags the frame]
• Yes: Let the frame Ingress [In other words the frame keeps its tag as it passes through the switch]
– On Egress (as frame leaves switch)
• Is this port participating [tagged or untagged] in this VLAN?
• No [In GUI: VLAN configured BLANK]: Drop the frame
• Yes: Is this port configured to tag (port tagging)?
• Yes (Participating TAG): Preserve the Tag & egress [Leaves w/ Tag]
• No (Participating UNTAG): Strip the Tag & egress [Leaves w/out TAG]
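The ingress and egress decision tree above, plus the ingress-filtering variant from the notes at the top, as a small simulator. This is an added example, not code from the original notes or from NETGEAR; port names (g1, g2, g3, g24, g25) and VLAN IDs (10, 20, 30) are constructed for illustration, and MAC learning is left out so the output shows only what the VLAN settings allow.

```python
"""802.1Q per-port ingress/egress decision tree, as a tiny simulator.

Added example; port names and VLAN IDs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    pvid: int = 1                                # VLAN given to untagged frames
    tagged: set = field(default_factory=set)     # "Participating TAG" VLANs
    untagged: set = field(default_factory=set)   # "Participating UNTAG" VLANs
    ingress_filtering: bool = False              # per-port option on some switches

    def members(self) -> set:
        # Membership = tagged or untagged; a blank setting in the GUI is neither
        return self.tagged | self.untagged


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None   # None: no 802.1Q header on the wire
    payload: str = ""


def ingress(port: Port, frame: Frame) -> Optional[Frame]:
    """Frame as the switch holds it internally, or None if dropped on input."""
    if frame.vid is None:
        # No tag: assign the PVID (inside the switch every frame carries a VID)
        inner = Frame(frame.src, frame.dst, port.pvid, frame.payload)
    else:
        inner = frame  # tagged: leave the tag alone
    # Ingress filtering, when enabled, discards a frame whose VID (the tag it
    # arrived with, or the PVID it was just given) this port is not a member of
    if port.ingress_filtering and inner.vid not in port.members():
        return None
    return inner


def egress(port: Port, frame: Frame) -> Optional[Frame]:
    """Frame as it leaves this port, or None if the port is not participating."""
    if frame.vid in port.tagged:
        return frame                                             # leaves with tag
    if frame.vid in port.untagged:
        return Frame(frame.src, frame.dst, None, frame.payload)  # tag stripped
    return None                                                  # not a member: drop


class Switch:
    """Floods every frame to all other ports (no MAC learning, on purpose)."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port: str, frame: Frame) -> dict:
        inner = ingress(self.ports[in_port], frame)
        if inner is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            f = egress(port, inner)
            if f is not None:
                out[name] = f
        return out


def demo():
    bcast = "ff:ff:ff:ff:ff:ff"
    sw = Switch([
        Port("g1", pvid=10, untagged={10}),            # PC in VLAN 10
        Port("g2", pvid=20, untagged={20}),            # PC in VLAN 20
        Port("g3", pvid=30, untagged={30}),            # PC in VLAN 30
        Port("g24", pvid=1, tagged={10, 20}),          # trunk, ingress filtering off
        Port("g25", pvid=1, tagged={10, 20}, ingress_filtering=True),  # trunk, on
    ])
    pc_bcast = sw.forward("g1", Frame("pc1", bcast))            # untagged, gets PVID 10
    from_trunk_20 = sw.forward("g24", Frame("srv", bcast, 20))  # tagged 20 from trunk
    stray_30 = sw.forward("g24", Frame("srv", bcast, 30))       # VLAN 30 not on trunk
    stray_30_filtered = sw.forward("g25", Frame("srv", bcast, 30))
    return pc_bcast, from_trunk_20, stray_30, stray_30_filtered


if __name__ == "__main__":
    labels = ["pc1 untagged", "trunk vid 20", "trunk vid 30", "filtered vid 30"]
    for label, out in zip(labels, demo()):
        print(label, {p: f.vid for p, f in out.items()})
```

The stray VLAN 30 frame makes the ingress-filtering point concrete: on g24 (filtering off) it is admitted and still reaches g3 because g3 untags 30, whereas on g25 (filtering on) it is dropped on input because the trunk is not a member of 30.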
Interesting Things to Note
• All traffic in a managed switch has an 802.1q tag on it
• Even if no VLANs are created, everything still is tagged for VLAN 1
• Avoid using VLAN 1 – leave it for management and trunk ports pvids
• On some switches you will see an Audio and a Video VLAN. They can't be deleted. They have QoS settings that make the Audio VLAN more important, so avoid both of them if you don't want the QoS effect.
• PVID determines what VLAN a port belongs to
• Tagging and Untagging determines who can talk to who
• With Firewalls/Routers: The firewall should have all the same VLANs created on it as are on the switch.
– Firewall and Routers:
• Membership: This is like auto tagging and untagging
– When it connects to a switch it tags
– When it connects to a host it untags
• Default VLAN: This is like the PVID
– If the firewall/router doesn't have the VLAN:
• Create a VLAN on the switch to disperse the internet out, by untagging all the ports with it and setting the PVID on the port uplinking to the router/firewall to the Internet VLAN
Trunks between switches
• Trunk Links Connecting Switches
– PVID doesn't matter, so just leave it as 1.
– Because all traffic that leaves through it was tagged beforehand, the PVID doesn't matter (see above).
– Good to have Data and Voice VLAN separate
• Security: so computers can't record phone data
• Can apply QoS (Quality of Service) on it so that Phone traffic is more important
• VoIP traffic is sensitive to delays and differences in delays (jitter) both measured in units of time (millisecond to microsecond)
• Best quality = minimizing delay as much as possible and having 0 jitter
– Phones: VoIP phones tag their traffic, so the PVID doesn't matter for the performance of the phone. However, set the PVID to the computer VLAN if a computer is attached to the phone
– Think of a VoIP phone as a 2 port switch. All voice traffic is tagged automatically by the phone and computer traffic goes through it untagged.
• So on the switch we catch the untagged computer traffic with a PVID
• And distribute VoIP data by tagging
Connecting With Cisco
• Trunk Port - Cisco will tag all VLANs across (since PVID doesn't matter here, it's just like tagging every VLAN); can be controlled with pruning or the "allowed VLANs" command
• Access Port – Cisco untags the appropriate VLAN here and also sets the PVID (this is like a PVID and Untagging at the same time)
• Native VLAN in Cisco is similar to PVID: tags traffic that comes in without a tag.
• On Cisco, when connecting to a Phone-PC combo, set the Cisco port as a Trunk Port and the Native VLAN on that port to match the PC's VLAN
• In the configuration process just treat the Cisco switch as if it were a Netgear device, Untagging and Tagging as needed
• Do not configure a Cisco device, let the customer configure it. (We are not CISCO Tech Support)
Connecting With DHCP Server
• 3 Scenarios
– Netgear Device has the VLANs configured on it
• Example: a gateway that understands VLANs; just configure each VLAN to have its DHCP Server enabled
– PC has a DHCP scope for 1 VLAN; each VLAN has its own dedicated PC to give out DHCP
• Untag & PVID that port for the VLAN # that the DHCP server is in
– 1 DHCP Server for the entire Network
• Untag all VLANs that need DHCP on that port
• Set the PVID to whatever VLAN that DHCP server belongs in
• Use IP-HELPER or DHCP RELAY to point the other VLANs to the DHCP server's IP
Access Points
• Usually want to have a Guest VLAN and a Main Office VLAN
• Each SSID on the Access Point gets its own VLAN ID
– GUEST SSID – VLAN 3
– MAIN SSID – VLAN 2
• Tag Wireless VLANs to the Access points
• Make sure the VLANs have a path through all the switches to get to all the Access Points, controller/s (?) and the gateway
– Make sure gateway has both VLANs created on it
– If gateway doesn’t have VLANs created on it then make sure there is an internet VLAN used to disperse the internet
Summary [corrections on 11/19/2013 listed below]
• PC1 and PC2 can't communicate
– To PC1: Untag PC1 VLAN, PVID PC1 VLAN
– To PC2: Untag PC2 VLAN, PVID PC2 VLAN
• PC1 and PC2 can communicate with each other
– To PC1: Untag PC1 & PC2 VLANs, PVID PC1 VLAN
– To PC2: Untag PC1 & PC2 VLANs, PVID PC2 VLAN
• Trunk to Switch handling VLANs: Tag all VLAN, PVID 1 (Doesn’t matter)
• Trunk to unmanaged switch serving VLAN PC1: Untag PC1 VLAN, PVID PC1
• PC-1+Phone: Untag DATA PC1 VLAN, Tag PHONE VLAN, PVID DATA PC1
• Phone: Tag PHONE VLAN, PVID 1 (Doesn’t matter)
• DHCP Server Serving many VLANs: Untag ALL VLANs, PVID PC1 VLAN
• Gateway which has VLANs: Tag ALL VLANs, PVID 1 (doesn’t matter)
• Gateway which has no VLANs: Untag ALL VLANs, PVID INTERNET VLAN
• Access Point: Tag ALL VLANs that SSIDs talk with, PVID 1 (doesn't matter) - Correction on 11/19/2013: untag mgmt VLAN, PVID mgmt VLAN, tag SSIDs
• To Controller: Tag ALL VLANs that SSIDs talk with, PVID 1 (doesn't matter) - Correction on 11/19/2013: only untag mgmt VLAN and PVID mgmt VLAN
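A membership audit of the summary recipes above, covering the PC/phone/trunk recipes, the DHCP-server port, the two gateway cases and the corrected access point and controller ports. This is an added example, not code from the original notes or from NETGEAR. VLAN numbers are constructed (DATA PC1 = 10, DATA PC2 = 20, PHONE = 30, INTERNET = 100, management = 1, and MAIN SSID = 2, GUEST SSID = 3 as in the wireless section). The only rule applied is the one the decision tree gives: an untagged frame entering port A is classified into A's PVID, a tagged frame keeps its VID, and a frame in VLAN v leaves port B only if B is a tagged or untagged member of v.

```python
"""Audit the summary's port recipes with the PVID + membership rule.

Added example; VLAN numbers and recipe names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

MGMT, MAIN_SSID, GUEST_SSID = 1, 2, 3
DATA_PC1, DATA_PC2, PHONE, INTERNET = 10, 20, 30, 100
ALL_LAN = frozenset({DATA_PC1, DATA_PC2, PHONE})


@dataclass(frozen=True)
class PortCfg:
    pvid: int
    untagged: frozenset = frozenset()
    tagged: frozenset = frozenset()

    def member(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


def classify(port: PortCfg, wire_vid: Optional[int] = None) -> int:
    """VLAN the frame is placed in on ingress: its own tag, otherwise the PVID."""
    return port.pvid if wire_vid is None else wire_vid


def delivered(src: PortCfg, dst: PortCfg, wire_vid: Optional[int] = None) -> bool:
    """Does a frame entering src (with the given tag, or none) leave dst?"""
    return dst.member(classify(src, wire_vid))


def on_wire(dst: PortCfg, vid: int) -> Optional[str]:
    """How VLAN vid appears when it leaves dst: tagged, untagged, or not at all."""
    if vid in dst.tagged:
        return "tagged"
    if vid in dst.untagged:
        return "untagged"
    return None


def can_talk(a: PortCfg, b: PortCfg) -> bool:
    """Two untagged hosts can exchange frames in both directions."""
    return delivered(a, b) and delivered(b, a)


# One PortCfg per summary recipe (the unmanaged-switch uplink is the same as "pc1")
RECIPES = {
    "pc1":           PortCfg(DATA_PC1, untagged=frozenset({DATA_PC1})),
    "pc2":           PortCfg(DATA_PC2, untagged=frozenset({DATA_PC2})),
    "pc1_shared":    PortCfg(DATA_PC1, untagged=frozenset({DATA_PC1, DATA_PC2})),
    "pc2_shared":    PortCfg(DATA_PC2, untagged=frozenset({DATA_PC1, DATA_PC2})),
    "trunk":         PortCfg(1, tagged=ALL_LAN | {MGMT, MAIN_SSID, GUEST_SSID}),
    "pc_plus_phone": PortCfg(DATA_PC1, untagged=frozenset({DATA_PC1}),
                             tagged=frozenset({PHONE})),
    "phone":         PortCfg(1, tagged=frozenset({PHONE})),
    "dhcp":          PortCfg(DATA_PC1, untagged=ALL_LAN),
    "gw_vlans":      PortCfg(1, tagged=ALL_LAN),
    "gw_no_vlans":   PortCfg(INTERNET, untagged=ALL_LAN),
    # PC port in the "gateway has no VLANs" design: Internet VLAN untagged as well
    "pc1_internet":  PortCfg(DATA_PC1, untagged=frozenset({DATA_PC1, INTERNET})),
    "ap":            PortCfg(MGMT, untagged=frozenset({MGMT}),
                             tagged=frozenset({MAIN_SSID, GUEST_SSID})),
    "controller":    PortCfg(MGMT, untagged=frozenset({MGMT})),
}


def audit() -> dict:
    r = RECIPES
    return {
        "pc1_pc2_isolated": can_talk(r["pc1"], r["pc2"]),
        "pc1_pc2_shared": can_talk(r["pc1_shared"], r["pc2_shared"]),
        "pc1_to_trunk": delivered(r["pc1"], r["trunk"]),
        "trunk_to_pc1": delivered(r["trunk"], r["pc1"], wire_vid=DATA_PC1),
        # Phone+PC port: tagged voice rides the trunk; PC traffic stays in DATA_PC1
        "voice_to_trunk": delivered(r["pc_plus_phone"], r["trunk"], wire_vid=PHONE),
        "voice_to_pc2": delivered(r["pc_plus_phone"], r["pc2"], wire_vid=PHONE),
        "pc_behind_phone_to_pc1": delivered(r["pc_plus_phone"], r["pc1"]),
        # One DHCP server port untagging every VLAN hears all of them untagged
        "dhcp_hears_all": all(delivered(p, r["dhcp"]) for p in (r["pc1"], r["pc2"]))
                          and delivered(r["phone"], r["dhcp"], wire_vid=PHONE),
        "gw_vlans_gets_pc1_tagged": on_wire(r["gw_vlans"], DATA_PC1) == "tagged",
        # Gateway without VLANs: replies are classified into INTERNET, so the PC
        # port must untag the Internet VLAN too (the plain "pc1" recipe misses it)
        "gw_no_vlans_to_pc1": delivered(r["gw_no_vlans"], r["pc1"]),
        "gw_no_vlans_to_pc1_internet": delivered(r["gw_no_vlans"], r["pc1_internet"]),
        # Corrected AP/controller recipes: SSIDs tagged to the AP, mgmt untagged,
        # controller gets management only
        "ap_guest_tagged": on_wire(r["ap"], GUEST_SSID) == "tagged",
        "ap_mgmt_untagged": on_wire(r["ap"], MGMT) == "untagged",
        "controller_guest": delivered(r["trunk"], r["controller"], wire_vid=GUEST_SSID),
        "controller_mgmt": delivered(r["trunk"], r["controller"], wire_vid=MGMT),
    }


if __name__ == "__main__":
    for check, ok in audit().items():
        print(f"{check:32} {ok}")
```

Run it and compare each line with the recipe it came from; the two gateway checks show why the "disperse the internet" VLAN has to be untagged on the host ports as well as the uplink, which the summary line alone does not make obvious.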