Device isolation using a VLAN-capable manageable switch

I have acquired ($60) a "vintage" Dell PowerConnect 5324 switch for home use. I have several servers (DHCP, NAT, NAS, VM host) and want to share some among various internal VLANs.
I have admin, kids, guest WiFi and internal WiFi segments that are currently all visible to each other, including all the servers.
I've been fighting with how to configure the ports and VLANs on the switch. Example: I want the kids VLAN to only access DHCP and NAT, not VM and NAS, but I want the admin VLAN to access all (etc.)
How would I configure the ports for the servers, to allow access from only some VLANs but deny others? 99% of my devices are NOT VLAN-aware, so the 5324 ports will have to be configured to accept untagged frames and tag them, but only internally - tags will need to be stripped before they exit the ports.

So far I've tried configuring the ports as "General" and making, say, the DHCPd port a U (Untagged) member of the kids and admin VLANs but something always breaks.
To make this a real challenge, I have two VLAN-capable switches - one in the basement, one upstairs and want to trunk all VLANs between them, since some of my "kids'" devices are upstairs and downstairs, as well as my "admin" a.k.a. adult's segments.

tl;dr:
(1) Do I need to configure matching VLANs on both switches, e.g. does Admin_101, Kids_133 etc. need to be known to both switches?
(2) In what mode do I put a switch port which is connected to an "admin" device: General/GVID 101, and set all other ports to 101 member/untagged?
(3) In what mode do I put a switch port which is connected to a "kids" device: General/GVID 123, and set only ports I want them to access to member of 123/untagged?

Sorry for the long-winded question. I've googled and experimented for days, with frequent trips to the basement to reset the switch to load a previous config because I cut myself off from being able to reach it via http/ssh...

Any pertinent hrefs would be greatly appreciated.

TIA!

Mike Rysanek

Posted 2016-08-28T03:18:08.203

Reputation: 11

You seem to have a misunderstanding about what switches do. If your segments are all part of a single network, all you can do with a switch is connect them together. And if you change it so that you have separate networks, a switch can keep them isolated, but something else will have to carry the traffic you want to allow. You can use two switches to trunk multiple networks over a single cable, but you first have to have multiple networks. – David Schwartz – 2016-08-28T06:49:49.880

The approach I am trying to take is to set up all "shared" devices on their own VLAN and the logical segments (kids, admin, WLAN) as well, and use the switch ports to allow or drop appropriately-tagged VLANs.
E.g.: INET VLAN=2, NAS VLAN=3, adults VLAN=10, kids VLAN=11. Set up the port into which the NAS is plugged as allow (member of) VLAN 10, and the INET VLAN as allow/member of VLAN 10 and 11, all the while tagging inbound and untagging outbound.

Is this not possible? – Mike Rysanek – 2016-08-28T14:48:06.077

That makes no sense whatsoever. It's hard to explain what's wrong with it in precise terms, but basically the problem is that you made all that stuff up and it has nothing to do with what switches actually do. You can't switch between two different VLANs because different VLANs are different networks and you can't switch between different networks. Switches connect all the devices in one network together; they don't connect devices in different networks. Each VLAN is its own network; they just happen to be able to ride on a common wire, but are kept separate by switches. – David Schwartz – 2016-08-28T19:17:02.963

-1 for being a hater. I had the configuration working on a ZyXEL GS1900, also a VLAN/manageable switch, as I described. I was looking for pointers on how to set up the Dell. +1 to @joeqwerty for a good answer, despite that I am convinced I can do it on the Dell as well! If/when I figure it out I will post. – Mike Rysanek – 2016-08-28T22:41:40.533

Joe suggested you set the systems up on separate networks and use a router to route between them. That is, he suggested not trying to get a switch to do this, which I certainly agree with. I don't hate people who try to use devices inappropriately, I just try to point out their mistakes and steer them to a better path. – David Schwartz – 2016-08-29T01:55:44.483

Answers

2

  1. None of the ports for your endpoints need to be tagged. All of the endpoint ports should be configured as Access ports.

  2. You need to configure the switch port that links to your other switch as a trunk port. Likewise, the port on the other switch that connects to the Dell switch needs to be configured as a trunk port.

  3. You'll need a router to route traffic between the VLANs.

  4. You'll need to configure each set of endpoints with IP addresses accordingly. Endpoints in the same VLAN will need an IP address in the same IP network. The endpoints in each VLAN must not use IP addresses in the same IP network as those in a different VLAN. For example, all of the devices in VLAN 1 could be configured with an IP address in the 192.168.1.0/24 IP network. All of the devices in VLAN 2 could be configured with an IP address in the 192.168.2.0/24 IP network.

  5. Yes, you need to configure "matching" VLANs on both switches. You also need to make sure that the trunk ports are configured to carry traffic for the VLANs that you configure.

  6. You can use ACLs on the router to control (allow or restrict) traffic between the VLANs.

joeqwerty

Posted 2016-08-28T03:18:08.203

Reputation: 5 259

Can you elaborate a bit on point 6? Are you suggesting that traffic/access can be granted between VLANs without a router? – nick fox – 2017-05-15T11:03:39.333

No. I'm suggesting that traffic can be controlled (allowed or restricted) between VLANs through the use of ACLs (Access Control Lists). – joeqwerty – 2017-05-15T17:43:03.533

0

If your devices are NOT VLAN-aware (and their interfaces are connected in different VLANs), then communication among them can only be achieved at Layer 3. Set up a router and route or block the traffic according to your needs.

Vikelidis Kostas

Posted 2016-08-28T03:18:08.203

Reputation: 156

0

Figured it out, since I really didn't want to add a router.

I tested with 4 hosts: 2 "clients" and 2 "servers", none VLAN-aware.
Clients are plugged into ports 3 and 4.
Servers are plugged into ports 19 and 20.
Made all four ports "General" and created a VLAN for each port (since I'm simulating 4 logical network segments: 151 and 152 for ports 3 and 4 resp., 153 and 154 for the "server" ports 19 and 20).
Made port 3 a member of VLANs 153 and 154 untagged, and port 4 a member of VLAN 154 only, untagged.

Result is, client 1 can see both servers (in ports 19 and 20 on VLANs 153/154), and client 2 can only see server 2 in port 20.

Config below:

console# show running-config
port jumbo-frame
interface range ethernet g(3-4,19-20)
switchport mode general
exit
vlan database
vlan 151-154
exit
interface ethernet g3
switchport general pvid 151
exit
interface ethernet g4
switchport general pvid 152
exit
interface ethernet g19
switchport general pvid 153
exit
interface ethernet g20
switchport general pvid 154
exit
interface range ethernet g(3,19-20)
switchport general allowed vlan add 151 untagged
exit
interface range ethernet g(4,20)
switchport general allowed vlan add 152 untagged
exit
interface range ethernet g(3-4,19)
switchport general allowed vlan add 153 untagged
exit
interface range ethernet g(3-4,20)
switchport general allowed vlan add 154 untagged
exit
interface vlan 151
name Client151
exit
interface vlan 152
name Client152
exit
interface vlan 153
name Server153
exit
interface vlan 154
name Server154
exit
interface vlan 1
ip address 192.168.1.5 255.255.255.0
exit
ip default-gateway 192.168.1.1
ip name-server  8.8.8.8 8.8.4.4

Guess it was just a matter of limiting my variables and using a test environment. Thanks all for the answers! Next up, testing the trunk.

Mike Rysanek

Posted 2016-08-28T03:18:08.203

Reputation: 11

I should note: all four test hosts are on the same IP segment, 192.168.1.0/24 (IPs 192.168.1.151-154). Other devices on the same switch cannot see either client or server, since they are currently on VLAN 1 (admin). – Mike Rysanek – 2016-08-29T03:33:37.120
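The forwarding logic behind that running-config, as an added example that is not part of the post: a small Python model of how a "general" port handles untagged frames (a frame entering a port is tagged with the port's PVID and may egress only on ports that are untagged members of that VLAN), applied to the posted PVIDs and memberships and audited against the intended client/server policy. The port and VLAN numbers are transcribed from the config above; the POLICY set is our reading of the post's stated goal.

```python
# Forwarding rule the posted config relies on (Dell "general" mode as used
# in the post): an untagged frame entering a port is tagged with that port's
# PVID and may egress only on ports that are untagged members of that VLAN.

# Transcribed from the posted running-config: port -> PVID ...
PVID = {3: 151, 4: 152, 19: 153, 20: 154}
# ... and VLAN -> untagged member ports ("switchport general allowed vlan add").
MEMBERS = {151: {3, 19, 20}, 152: {4, 20}, 153: {3, 4, 19}, 154: {3, 4, 20}}
# Intended policy as stated in the post (our transcription): client on g3
# reaches both servers, client on g4 only the server on g20, nothing else.
POLICY = {(3, 19), (3, 20), (4, 20)}


def can_send(src, dst, pvid=PVID, members=MEMBERS):
    """True if an untagged frame entering port src can egress on port dst."""
    return src != dst and dst in members.get(pvid[src], set())


def reachability(pvid=PVID, members=MEMBERS):
    """port -> sorted ports it can exchange traffic with in both directions."""
    return {s: sorted(d for d in pvid
                      if can_send(s, d, pvid, members) and can_send(d, s, pvid, members))
            for s in pvid}


def audit(policy=POLICY, pvid=PVID, members=MEMBERS):
    """Compare what the switch forwards with what the policy intends.
    Returns (missing, extra, one_way): wanted pairs that do not work, working
    pairs the policy forbids, and (src, dst) pairs where frames arrive but no
    reply can come back (a broadcast/ARP leak rather than a usable session)."""
    ports = sorted(pvid)
    allowed = {tuple(sorted(p)) for p in policy}
    missing, extra, one_way = [], [], []
    for i, s in enumerate(ports):
        for d in ports[i + 1:]:
            fwd = can_send(s, d, pvid, members)
            back = can_send(d, s, pvid, members)
            if fwd and back and (s, d) not in allowed:
                extra.append((s, d))
            elif not (fwd and back) and (s, d) in allowed:
                missing.append((s, d))
            if fwd != back:
                one_way.append((s, d) if fwd else (d, s))
    return missing, extra, one_way


if __name__ == "__main__":
    print(reachability())  # {3: [19, 20], 4: [20], 19: [3], 20: [3, 4]}
    print(audit())         # ([], [], [(19, 4)])
    # Taking g4 out of VLAN 153 (matching "port 4 member of 154 only") closes the leak.
    print(audit(members={**MEMBERS, 153: {3, 19}}))  # ([], [], [])
```

The one-way entry comes from the posted config making g4 a member of VLAN 153 (interface range g(3-4,19)), so frames from the server on g19 reach client 2 even though client 2 cannot reach it; this kind of asymmetric membership is worth auditing on any port-based isolation scheme, because broadcast and ARP traffic still crosses in one direction.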