Am I stupid?


SorinST8

New Member
Jun 11, 2024
1
0
1
I have lately become an IoT enthusiast and am trying to find my way in this (complicated) world :)
One thing I came across is that, in order to keep things clean and secure, I need to learn about networking. But for some reason I don't seem to properly understand the VLAN arrangements, so I hope I can get some support here.

Specifically, I am trying to set up an 8-port managed switch. The network config is: Router <=> Switch <=> APs
I have 3 networks set up in the router: Private (VLAN ID 1), Guest (VLAN ID 2) and IoT (VLAN ID 3).

In the switch, port 1 is connected to the router.
I would like ports 1-7 to allow traffic for the Private and Guest networks only, and port 8 for IoT only. After reading and reading, I have configured the switch like this:
VLAN1 (Private): ports 1-7 untagged
VLAN2 (Guest): ports 1-7 tagged
VLAN3 (IoT): ports 1-7 tagged, port 8 untagged

But for some reason not all connected devices are working properly.

Any advice? What have I done wrong? Are the ports correctly assigned to the VLANs?

Many thanks in advance!
 

louie1961

Active Member
May 15, 2023
219
95
28
I may be wrong but I believe (or at least this is the behavior I have seen in my switch) that you can only have one VLAN (or more appropriately said I guess is one Primary VLAN ID or PVID) on an untagged/access port. The ports between your VLAN aware devices need to be tagged/trunked ports. So, as an example, in my lab I have a pfSense firewall that connects to the WAN (cable modem) and connects to my managed switch. On the switch the port that I plug my firewall into has to be tagged. Likewise, I have a wireless access point that is VLAN aware, and it connects to a tagged port. Same for my Proxmox servers. They all connect to tagged/trunk ports, and the PVID for those ports is 1, the default VLAN.

Then I have devices that are not VLAN aware, such as my Ring alarm, my NAS machines, my Pi-Star hotspot, etc., that all connect to untagged/access ports. I have to know what VLAN I want those devices to be on, and I designate a specific port (or in my case, since I have a 24-port switch, sets of ports) to specific PVIDs. So I have 4 ports for my private VLAN, 4 ports for my guest VLAN, and 4 ports for my IoT VLAN, as an example. If I move a device from a port dedicated to Guest to one dedicated to IoT, that device will then get a different IP address through DHCP and be part of the IoT VLAN instead of the Guest VLAN. Maybe I have been doing it all wrong, but this set up works for me.

In your case, I would set the ports for the router and the APs to PVID 1 and make them all tagged (assuming the APs are VLAN aware). If the APs are not VLAN aware, then I would set each port to a PVID corresponding to the VLAN you want that AP on and make it an untagged port in the switch.
 

Whaaat

Active Member
Jan 31, 2020
358
187
43
I would like to have the ports 1-7 to allow traffic for Private and Guest networks only, while port 8 for the IoT only. After reading and reading, I have configured the switch like this:
VLAN1 (Private): ports 1-7 untagged
VLAN2 (Guest): ports 1-7 tagged
VLAN3 (IoT): ports 1-7 tagged, port 8 untagged
Why did you make ports 1-7 to be members of VLAN3 then?
 
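The two points made above (louie1961: a port can carry only one untagged VLAN, which is its PVID; Whaaat: ports 1-7 should not be members of the IoT VLAN at all) can be checked with a small 802.1Q port-based VLAN model. The following Python is an added example, not code from anyone in this thread. It simulates ingress classification (PVID for untagged frames, ingress filtering on membership) and egress tagging for the original poster's configuration and for a corrected layout that I am assuming: port 1 is the router uplink and must therefore still carry the IoT VLAN tagged, ports 2-7 carry Private untagged plus Guest tagged for the APs, and port 8 is an access port with PVID 3. The model floods every frame (no MAC learning) and uses strict ingress filtering, which is a simplification of what a real switch does.

```python
"""Port-based VLAN (802.1Q style) forwarding model for a small managed switch.

Constructed example: it models the original poster's 8-port configuration and a
corrected one, and shows which ports an untagged frame from an IoT device reaches.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PRIVATE, GUEST, IOT = 1, 2, 3   # VLAN IDs as used by the original poster


@dataclass(frozen=True)
class Port:
    pvid: int                  # VLAN assigned to frames that arrive without a tag
    untagged: FrozenSet[int]   # VLANs sent out of this port with the tag stripped
    tagged: FrozenSet[int]     # VLANs sent out of this port with an 802.1Q tag

    @property
    def members(self) -> FrozenSet[int]:
        return self.untagged | self.tagged


Switch = Dict[int, Port]


def port(pvid: int, untagged=(), tagged=()) -> Port:
    return Port(pvid, frozenset(untagged), frozenset(tagged))


def validate(switch: Switch) -> List[str]:
    """Return the membership problems a switch would reject (or that make no sense)."""
    problems = []
    for num, p in sorted(switch.items()):
        if len(p.untagged) > 1:
            problems.append(f"port {num}: more than one untagged VLAN {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            problems.append(f"port {num}: VLAN both tagged and untagged {sorted(p.untagged & p.tagged)}")
        if p.pvid not in p.members:
            problems.append(f"port {num}: PVID {p.pvid} is not a member VLAN of the port")
        if p.untagged and p.pvid not in p.untagged:
            problems.append(f"port {num}: PVID {p.pvid} differs from untagged VLAN {sorted(p.untagged)}")
    return problems


def classify(p: Port, tag: Optional[int]) -> Optional[int]:
    """Ingress: VLAN the frame is assigned to, or None if ingress filtering drops it."""
    if tag is None:
        return p.pvid if p.pvid in p.members else None
    return tag if tag in p.members else None


def forward(switch: Switch, ingress: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Egress: flood to every other member port of the frame's VLAN.

    The returned value per port is the tag on the wire (None means sent untagged).
    """
    vlan = classify(switch[ingress], tag)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for num, p in switch.items():
        if num == ingress:
            continue
        if vlan in p.untagged:
            out[num] = None
        elif vlan in p.tagged:
            out[num] = vlan
    return out


# Original poster's configuration: VLAN 3 tagged on ports 1-7 as well as untagged on port 8.
OP_CONFIG: Switch = {
    **{n: port(PRIVATE, untagged={PRIVATE}, tagged={GUEST, IOT}) for n in range(1, 8)},
    8: port(IOT, untagged={IOT}),
}

# Assumed corrected layout: only the router uplink (port 1) carries the IoT VLAN, tagged.
FIXED_CONFIG: Switch = {
    1: port(PRIVATE, untagged={PRIVATE}, tagged={GUEST, IOT}),              # router trunk
    **{n: port(PRIVATE, untagged={PRIVATE}, tagged={GUEST}) for n in range(2, 8)},  # AP trunks
    8: port(IOT, untagged={IOT}),                                           # IoT access port
}

if __name__ == "__main__":
    for name, cfg in (("OP", OP_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "problems:", validate(cfg) or "none")
        print(name, "IoT frame from port 8 reaches:", forward(cfg, 8, None))
```

Running it shows that the original configuration is syntactically fine (one untagged VLAN per port, PVID matching it), which is why the switch accepted it, yet an untagged frame from the IoT device on port 8 is flooded out of all of ports 1-7 tagged with VLAN 3. With the corrected layout the same frame leaves only through port 1 towards the router, and a frame tagged VLAN 3 arriving on an AP port is dropped at ingress.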

Rain

Active Member
May 13, 2013
278
124
43
I'd also suggest staying away from VLAN2 and VLAN3, or any low-number VLAN. Some consumer/business switches (Netgear, for example) reserve them for VOIP and other functions which generally cause weirdness. What router, switch, and APs are you using?
 

dante4

Member
Jul 8, 2021
60
10
8
But for some reason I seem to not properly understand the VLAN arrangements so I hope I can get some support here.
My best advice: spend a bit of time and read or watch YouTube courses about CCNA.

I have 3 networks set-up in the router: Private (VLAN ID1), Guest (VLAN ID2) and IoT (VLAN ID3).
VLAN ID 1 is often what's called the default VLAN, depending on your vendor. So for simplification let's say you have
VLAN 100
VLAN 200
VLAN 300

Network config. is: Router <=> Switch <=> APs
I would like to have the ports 1-7 to allow traffic for Private and Guest networks only, while port 8 for the IoT only. After reading and reading, I have configured the switch like this:
VLAN100 (Private): ports 1-7 untagged
VLAN200 (Guest): ports 1-7 tagged
VLAN300 (IoT): ports 1-7 tagged, port 8 untagged

First of all, your example:
Since you need multiple tags coming in on a single port, you are talking about trunk ports.
In your example it will not work at all. The reason is that you add a VLAN to an interface, not an interface to a VLAN.

Second.
Let's for example talk about this scheme:
Port 1 - Router
Ports 2-6 - APs for Private and Guest (it seems you use two SSIDs, right?)
Port 7 - AP for IoT

On Cisco it will be:

! ports 1-7: trunk carrying Private (100) and Guest (200), Guest sent untagged (native)
interface range eth1-7
 switchport mode trunk
 switchport trunk allowed vlan 100,200
 switchport trunk native vlan 200
!
! port 8: IoT (300) only
interface eth8
 switchport mode trunk
 switchport trunk allowed vlan 300


And on the AP you will need to define VLANs based on the connected SSID. For port 8 you may change the configuration to access mode; then you don't need to change anything on the AP itself.