I'm having some difficulty getting my head around the VLAN settings in a NetGear Smart Switch (GS724TS). Can anyone help me?

My understanding is:

  • All incoming packets effectively have a VLAN number which is determined from a tag attached by another device or (if no tag is present) based on the port's PVID value.
  • Outgoing packets can then be sent only to those ports which are members of the VLAN to which the packet belongs (set in the "membership" part of the switch's UI).
  • Optionally, ports can tag outgoing packets.

Ports and PVIDs are 1-1 mapped, but a port may be a "member" of several VLANs. My problem is that I don't seem to be able to make this feature do anything useful... what am I misunderstanding?

If I assign the following:

Port    PVID    VLAN Membership
===============================
a       2       2, 10
b       3       3, 10
x       10      2, 3, 10

I would expect traffic to flow between ports a and x (and b and x). Presumably a and b would be isolated from one another, unless the device connected to x itself routed traffic between them. In my experiments, all traffic comes in and leaves untagged (no other VLAN capable devices are working on the network).

What I'm seeing is that no traffic (to be precise, DHCP requests fail, and web requests from computers with already assigned addresses time out) flows unless the PVID of x is set to 2. Of course, this is no use for devices attached to port b.

Have I missed something? What is the point of ports being in multiple VLANs if they only route incoming traffic based on the PVIDs matching on both incoming and outgoing port?

Edit: I'm trying to determine whether I can share an Internet connection between two VLANs (without members of one having visibility of the other) using just the switch or whether I will need a VLAN aware router as well.

Bob Sammers

3 Answers

The normal use of VLANs is to separate subnets (e.g. 192.168.0.0/24, 10.20.0.0/16, etc) without using separate switches for each subnet.

The point of the PVID is to have the switch tag incoming untagged packets, say from a workstation or server. Normal NIC configurations do not tag packets for most devices.

If you were to connect a device capable of tagging its own packets, then it could talk along any VLANs the port has been given membership to. This is handy when you're connecting switches together, connecting to a router that understands VLANs, or using a server that needs to be able to connect to several subnets (virtualization, especially).

Hyppy
  • Thanks for your help. This might be so (i.e. they can be used to separate traffic on different subnets), but I can't get **any** connectivity, same or different subnet. In addition, I understand that VLANs are also commonly used to share the same Internet connection between two groups of clients without peer to peer access between clients in different VLANs. I'm trying to determine if this is possible in the switch or if I need a more sophisticated router as well. – Bob Sammers May 26 '11 at 13:04
  • Are you saying that if port x is a member of VLANs 1,2,3 and a packet comes into this port tagged with 10, it won't be accepted? – Bob Sammers May 26 '11 at 13:07
  • 1
    Generally, you'll want the PVID to be the same for two computers to talk. In addition, you want the VLAN membership to be as specific as possible. If a computer does not tag its own packets, just set the VLAN membership to be the same as the PVID and be done with it. As for your second comment: that's correct. a tagged packet for the wrong VLAN is dropped. – Hyppy May 26 '11 at 13:30
Rather embarrassingly, after a spot of lunch and a reboot of the switch, it started behaving exactly as I imagined it should. I think this validates my original bullet-point understanding of the situation detailed in my question.

I'm going to leave the question up because, although the original question was perhaps bogus ("Why doesn't it work?", when it did), it does answer the underlying question and this (along with the valuable points made by Hyppy and blankabout) may be useful to others.

Just to reiterate: I wanted to know whether or not I could separate traffic between two VLANs but share a connection to the same router just by manipulating VLAN assignments in the switch (rather than having a more sophisticated VLAN-capable router as well). The answer is "yes, the switch can do it on its own", and for the record, I'm using a single subnet and one DHCP server, a configuration which is apparently fine.

Anything attached to port x can communicate with devices attached to ports a and b (and vice versa), but devices attached to ports a and b cannot communicate with one another.

Bob Sammers
  • your description helped me, at least -- and my configuration is even simpler, I just want two totally distinct networks with no crossover (so they will have only one VLAN membership per port, too) – Jeff Atwood Sep 25 '12 at 23:49
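To make the ingress/egress rules concrete, here is an added example (not code from the thread) that models a switch port table after the one in the question and checks the connectivity the self-answer reports, as well as Hyppy's point that a tagged frame for a VLAN the port is not a member of is dropped. The port names, the Frame type and the per-port egress-tagging set are constructed assumptions.

```python
# Added example: a small model of the PVID / VLAN-membership rules described
# in the question, run against the asker's own port table.
from dataclasses import dataclass
from typing import Optional

# The asker's table: port -> PVID and VLAN memberships.
# "tag_egress" is an assumed per-port setting listing VLANs that leave tagged;
# it is empty here to match the "everything leaves untagged" experiment.
PORTS = {
    "a": {"pvid": 2, "member": {2, 10}, "tag_egress": set()},
    "b": {"pvid": 3, "member": {3, 10}, "tag_egress": set()},
    "x": {"pvid": 10, "member": {2, 3, 10}, "tag_egress": set()},
}

@dataclass
class Frame:
    src_port: str
    vlan_tag: Optional[int] = None  # None means the frame arrived untagged

def classify_ingress(frame):
    """Return the VLAN the frame belongs to inside the switch, or None if dropped.

    Untagged frames are assigned the ingress port's PVID; tagged frames keep
    their tag. Either way the frame is dropped if the ingress port is not a
    member of that VLAN (Hyppy's comment about wrong-VLAN tags)."""
    port = PORTS[frame.src_port]
    vid = port["pvid"] if frame.vlan_tag is None else frame.vlan_tag
    return vid if vid in port["member"] else None

def forward(frame):
    """Return {egress_port: outgoing_tag_or_None} for a flooded frame.

    Only ports that are members of the frame's VLAN may send it out; the
    outgoing tag depends on the egress port's tagging setting."""
    vid = classify_ingress(frame)
    if vid is None:
        return {}
    return {
        name: (vid if vid in port["tag_egress"] else None)
        for name, port in PORTS.items()
        if name != frame.src_port and vid in port["member"]
    }

def can_reach(src, dst):
    """True if an untagged frame entering src is delivered to dst."""
    return dst in forward(Frame(src))
```

With this table, a and b each reach x (and x reaches both), while a and b never see each other's frames, which is exactly the "shared uplink, isolated access ports" layout the question asks about.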
A few things that I'm not sure have been made clear so far:

  1. A port with a host connected to it is only normally in one VLAN. As a frame comes into that port it is tagged with that VLAN.

  2. Ports that are in more than one VLAN are called trunks, or trunk ports. These are normally used to carry traffic to another switch which has the connecting port in the same VLANs.

  3. For traffic to get out of the VLAN it has to go by way of a router; this may be inside the switch, in which case it is a multilayer switch. If the router is external it may be in another switch, in which case it will route between VLANs just as an in-built router would.

  4. An alternative method of routing between VLANs, or more strictly speaking between subnets, would be to use a router on ports configured for a single VLAN (non-trunk ports); these would then receive untagged frames and route the encapsulated packet in the normal way, without ever knowing anything about VLANs.

Arseni Mourzenko
blankabout