VLAN 101.....again

HCHTech

I need a bit of guidance for a simple setup - just when I think I've got the barest grip on this stuff, some little perturbation comes along and I'm off the rails again.

So, we have a small assisted living center client. There are two floors. We currently have a Sonicwall at the edge, 2 Unifi APs on the first floor and a single Unifi AP on the 2nd floor. We have the APs broadcasting a "resident" SSID (= guest network) with a VLAN tag and a private SSID that is untagged. I have the resident VLAN set up as a sub-interface on the Sonicwall for 3 of the ports that are part of the LAN zone. This means that untagged wifi traffic is part of the private network and wifi traffic with the VLAN tag is part of the resident network (which is in a guest zone on the Sonicwall). So far so good. This all works as desired. Guest network connections are individually isolated and cannot communicate with the private LAN. Private wifi traffic is not isolated and can communicate with the private LAN.

The client wants to add 2 additional APs on the 2nd floor AND provide some wired connections to a couple of the resident rooms. We want those wired connections to be on the resident (guest) network instead of the private LAN, of course.

They have a managed TP-Link (TLGS2008) switch they'd like to use for this purpose on the 2nd floor (the Sonicwall is on the first floor, and running additional lines to the 2nd floor is problematic, so they would like to avoid that). It's got 4 PoE+ ports and 4 non-PoE ports. For the APs, I believe I just need to tag the PoE ports with the correct VLAN tag and I'm done. For the non-PoE ports where we want to force the wired connections to be on the guest network, I'm trying to force all traffic on those ports to have that VLAN tag. I believe that's possible, but can't seem to make that happen.

Can someone translate my verbiage into the correct terms and give me a hint on how to accomplish this? TIA!
 
For the non-PoE ports where we want to force the wired connections to be on the guest network, I'm trying to force all traffic on those ports to have that VLAN tag. I believe that's possible, but can't seem to make that happen.

Can someone translate my verbiage into the correct terms and give me a hint on how to accomplish this? TIA!
Typically you would just configure these ports to be untagged as the guest VLAN. Assuming PCs and such are connecting to them, the PC wouldn't be examining VLAN tags and removing them, so setting the port untagged for the guest VLAN is perfectly fine.

How are you bridging the gap between the 1st and 2nd floor for the connectivity? A wireless bridge? You mentioned something about running cables not being a possibility? Anyway, depending on how the switch is connected back to the first floor, you would want to make sure that the link between the two also has your VLANs tagged on it on each side, so it can pass them.
 
There is 1 hard line between the first and second floor, adding more is possible but a ton of work, so onsite maintenance guy wants to avoid that. So we're connecting the line that originally went to the 2nd floor AP to the switch, and plugging the 2nd floor AP into that switch.

So, there are Tagged and Untagged ports, there is the default VLAN ID setting (PVID), there is what they call "Ingress Checking", and finally "Acceptable Frame types".

"Untagged port - The selected ports will forward untagged packets in the target VLAN"
"Tagged port - the selected ports will forward tagged packets in the target VLAN"
"PVID - Set the default VLAN ID of the port. When the port receives an untagged packet, the switch inserts a VLAN tag to packet based on the PVID"
"Ingress Checking - With this function enabled, the port will accept the packet of which the VLAN ID is in the ports VLAN list and discard others. With this function disabled, the port will forward the packet directly."
"Acceptable Frame Types - Admit All: The port will accept both tagged and untagged packets. Tagged Only: The port will accept tagged packets only."

So, I think I need to have the ports my APs are connected to Tagged - because I want tagged packets to be forwarded in the target VLAN.

Also, I do NOT want a PVID setting for that port, since I don't want the switch to insert a VLAN tag on already untagged traffic.

Also, I want Ingress Checking disabled since I do not want traffic to be discarded if it is not tagged.

Finally, I want Acceptable Frame Type to be "Admit all" since I want the port to accept both tagged and untagged packets.

At least that's the way I'm reading it. Of course, it doesn't work - haha.
 
Ok, too many variables. In "try everything" mode, I somehow left the uplink port untagged - no wonder it didn't work. Most of these things are simple in the end, but I've lost a lot of hair from that middle part when it drives you crazy!
 
So think of "tagged"...as, the VLAN ID that you assign to that device...gets passed through the switch port with that ID...it's told to "keep going out this port, and that port, and the other port", and whatever port has your number tagged...you're piggy backing along for the ride to keep going to find your DESTINATION.

When you take a switch port and UNtag a VLAN on that port, that's basically the big red flashy sign telling that VLAN number: "Hey, here is your exit that you take by yourself, nobody else comes along, and by the way, we'll also remove that big number on your back." So your VLAN ID is stripped, and you're sent down the chute!

What I normally do, well, one thing: if you want me to manage your network and you want wireless, you're getting Unifi switches and APs. I don't want any Mickey Mouse switches in the mix. Sure, you can fiddle and make them work...but you end up losing so much insight into the network that you get in the Unifi controller. Which causes you more work, more time, and costs the client more in the long run. Just rip out whatever switches are there, and a Unifi switch goes in!

Unifi does switch port profiles, which, once you get it, is a really...REALLY cool way to do things. You realize the benefit as you get larger and larger networks. It won't be obvious with something like a single 8 or 16 port switch size network.

I typically do VLAN2 for VoIP, and VLAN6 for guest networks.

I usually have a profile for switch ports facing the APs...default VLAN data, and tagged VLAN 6, POE enabled.
For data jacks facing computers at desks, with VoIP phones, I'll have a switch port profile: default VLAN data, and tagged VLAN2 (with "is voice network" checked to auto LLDP-MED it), PoE enabled.

For the switch port facing the client's on-prem PBX device (Edgewater), I'll have the profile as...default VLAN is changed to VLAN2, no PoE...which UNtags VLAN2 on that switch port, nobody else coming along through that exit. Assuming the PBX isn't holding a tag for VLAN2...if it does, then tag VLAN2 on the switch port facing it.

I typically take guest wifi and dump that to a dedicated ethernet interface on the Untangle firewall, so the switch port facing that has default VLAN assigned to VLAN6, nobody else tagged, and no PoE.
 
Now that this is working and I can relax about that bit, I'd like to clarify some of the terminology because I'm sure these settings are common among different switch brands, but may have different names. I'm also aware that a lot of configuration happens "under the covers" if you are using equipment all from one manufacturer.

Making specific ports "members" of a defined VLAN. I am assuming here that in order to have any VLAN setting "apply" for a particular port, it needs to be a member of that VLAN. I don't think it means anything beyond that.

"Untagged port - The selected ports will forward untagged packets in the target VLAN" - I think this is saying that untagged packets will be tagged with a VLAN tag, but I'm not sure which one. Is it the PVID (defined below), or something else? Or maybe it just means "I'll forward these untagged packets on without adding tags". Looking elsewhere for definitions, an "Untagged" port will only forward packets for a single VLAN, while a "Tagged" port is capable of forwarding packets for multiple VLANs, aka a "Trunked" port. So does "will only forward packets for a single VLAN" imply "I will force all traffic to be on that VLAN" or just "I will only recognize and forward traffic that arrives with a specific VLAN tag"? - Cross-posted with @YeOldeStonecat - his explanation makes it clearer, if I understand: an untagged port will immediately forward on VLAN traffic for any VLAN it is a member of, but it will strip the tag in the process. So after it is forwarded, that packet loses its identity as belonging to a specific VLAN. I'll have to think about this a bit as I'm not sure why you would want this.

"Tagged port - the selected ports will forward tagged packets in the target VLAN" - from the above alternate definition, "Tagged" ports are capable of forwarding packets for multiple VLANs, but as with Untagged, does this imply any default action, or only that the port can recognize traffic that arrives already tagged, and can deal with packets originating from more than one VLAN? - add-on from @YeOldeStonecat's explanation: Tagged ports will forward VLAN traffic for any VLAN they are a member of, and WILL NOT strip the tag in the process. This seems far and away the setting you would want: the whole point of having a VLAN is to identify traffic, so what point is there to removing that identity?

"PVID - Set the default VLAN ID of the port. When the port receives an untagged packet, the switch inserts a VLAN tag to the packet based on the PVID" - This seems obvious: if I get a packet without a tag, I'm going to put one on before forwarding, i.e. force all untagged traffic that goes through this port to be on one particular VLAN. One potential roadblock that DIDN'T appear with today's exercise on that TP-Link switch was that every port HAD to have a PVID. The default management VLAN was tag "1", and of course you can add others. So for any port, you could choose a PVID of either 1 or one of the additional VLAN tags you have defined, but you couldn't remove this setting. There was no way to have traffic that hit the switch without a VLAN tag be forwarded on without adding a tag. I thought I would end up rebuilding my rules in the Sonicwall to deal with this, but it turned out I didn't need to, since everything without the specific guest VLAN tag was considered LAN traffic (as opposed to having two separate VLAN tags).

"Ingress Checking - With this function enabled, the port will accept the packet of which the VLAN ID is in the port's VLAN list and discard others. With this function disabled, the port will forward the packet directly." This must work hand-in-hand with a port's "membership" in the defined VLAN(s). Only accept traffic for VLANs for which this port is a member, drop everything else.

"Acceptable Frame Types - Admit All: The port will accept both tagged and untagged packets. Tagged Only: The port will accept tagged packets only." Slightly different - allow everything if set to Admit All, but drop all untagged traffic if set to Tagged Only.

These last two would seem identical if you only had a single VLAN.

I think that's enough for one day. I understand this better now than I did this morning for sure. We'll see if it makes a difference the next time one of these setups comes along (Evernote FTW).
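Added example, not from any post in this thread: a small Python model of how an 802.1Q-aware switch port applies the four settings quoted above (PVID, tagged/untagged membership, Ingress Checking, Acceptable Frame Types), built to mirror this thread's layout. The VLAN numbers and port roles are assumptions: VLAN 1 is the untagged private LAN, VLAN 6 is the tagged resident (guest) VLAN, port1 is the uplink to the firewall, ports 2-5 face the APs, and ports 6-8 are the resident room jacks. It also reproduces the mistake mentioned earlier in the thread (guest VLAN left untagged on the uplink), and shows Ingress Checking discarding a frame that arrives on a resident jack already carrying the private VLAN's tag.

```python
"""Model of 802.1Q port ingress/egress rules as used in a TP-Link style
managed switch. Constructed example; VLAN ids and port roles are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

PRIVATE_VLAN = 1   # assumed: untagged private LAN / management VLAN
GUEST_VLAN = 6     # assumed: tagged resident (guest) VLAN


@dataclass
class Port:
    name: str
    pvid: int = PRIVATE_VLAN                    # VLAN inserted on untagged ingress
    tagged: set = field(default_factory=set)    # VLANs sent out with the tag kept
    untagged: set = field(default_factory=set)  # VLANs sent out with the tag stripped
    ingress_checking: bool = True
    acceptable_frames: str = "admit_all"        # "admit_all" or "tagged_only"

    def members(self) -> set:
        return self.tagged | self.untagged


@dataclass
class Frame:
    src: str
    vlan: Optional[int] = None  # None: the frame arrived with no 802.1Q tag


def classify_ingress(port: Port, frame: Frame):
    """Decide which VLAN an arriving frame belongs to.
    Returns (vlan_id, 'accepted') or (None, reason) when the frame is discarded."""
    if frame.vlan is None:
        if port.acceptable_frames == "tagged_only":
            return None, "dropped: untagged frame on tagged-only port"
        vid = port.pvid  # untagged frame: the switch inserts the port's PVID
    else:
        vid = frame.vlan
    if port.ingress_checking and vid not in port.members():
        return None, f"dropped: VLAN {vid} is not in {port.name}'s member list"
    return vid, "accepted"


def egress_tag(port: Port, vid: int):
    """How a frame in VLAN vid leaves this port: vid (tag kept), None (tag
    stripped) or 'filtered' (port is not a member of that VLAN)."""
    if vid in port.untagged:
        return None
    if vid in port.tagged:
        return vid
    return "filtered"


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port: str, frame: Frame) -> dict:
        """Flood one frame (as for a broadcast or unknown destination) and report,
        per egress port, the tag seen on the wire (None = untagged)."""
        vid, _ = classify_ingress(self.ports[in_port], frame)
        if vid is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            result = egress_tag(port, vid)
            if result != "filtered":
                out[name] = result
        return out


def build_switch(uplink_guest_tagged: bool = True) -> Switch:
    """Correct config by default; with uplink_guest_tagged=False the guest VLAN
    is left untagged on the uplink, the mistake described in the thread."""
    uplink_tagged = {GUEST_VLAN} if uplink_guest_tagged else set()
    uplink_untagged = {PRIVATE_VLAN} | (set() if uplink_guest_tagged else {GUEST_VLAN})
    ports = [Port("port1", tagged=uplink_tagged, untagged=uplink_untagged)]
    # AP ports: private SSID rides untagged (PVID 1), resident SSID is tagged
    ports += [Port(f"port{n}", tagged={GUEST_VLAN}, untagged={PRIVATE_VLAN}) for n in (2, 3, 4, 5)]
    # Resident room jacks: untagged member of the guest VLAN only, PVID = guest VLAN
    ports += [Port(f"port{n}", pvid=GUEST_VLAN, untagged={GUEST_VLAN}) for n in (6, 7, 8)]
    return Switch(ports)


def resident_pc_broadcast(sw: Switch) -> dict:
    """Untagged frame from a PC on a resident jack."""
    return sw.forward("port6", Frame("resident-pc"))


def private_wifi_broadcast(sw: Switch) -> dict:
    """Untagged frame relayed by an AP for a client on the private SSID."""
    return sw.forward("port2", Frame("private-laptop"))


def tagged_frame_on_resident_jack(sw: Switch):
    """Frame arriving on a resident jack already tagged with the private VLAN."""
    return classify_ingress(sw.ports["port6"], Frame("resident-pc", vlan=PRIVATE_VLAN))


if __name__ == "__main__":
    good, bad = build_switch(), build_switch(uplink_guest_tagged=False)
    print("resident PC, correct uplink:  ", resident_pc_broadcast(good))
    print("resident PC, uplink untagged: ", resident_pc_broadcast(bad))
    print("private wifi client:          ", private_wifi_broadcast(good))
    print("VLAN 1 tag on resident jack:  ", tagged_frame_on_resident_jack(good))
```

With the correct configuration, the resident PC's frame reaches the uplink and the AP ports carrying tag 6 and reaches the other resident jacks with the tag stripped; it never appears on any port as VLAN 1. With the guest VLAN untagged on the uplink, the same frame reaches port1 with no tag, which is exactly why the firewall then treats it as private LAN traffic. A frame on a resident jack that already carries the private VLAN's tag is discarded because that VLAN is not in the port's member list, which is the reason to leave Ingress Checking enabled on the room jacks rather than disabled as first planned above.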
 
Think of it this way. Managed switches need to take traffic and...have a way to separate it into multi-lane highways that don't mix....picture something like a 4-lane highway that does not allow you to change lanes. YET...some lanes are allowed to get off of the highway at off-ramps...to continue onto other highways...all while remaining separated (keeping their tagging). So they enter the next 2- or 4-lane highway...still separated into their appropriate lanes. Also, some exits (off-ramps)...may be specific for a certain VLAN...say the off-ramp leads to either another smart switch (road)...in which case you'd leave it tagged, or perhaps the off-ramp leads to a dumb switch that is not VLAN aware (a country bumpkin dirt road)...in which case you'd UNtag your chosen VLAN at the switch port facing that device.

If you take a managed switch and start plugging stuff into it, a router, some workstations, a server, an access point, a networked printer...without any programming, the switch will have all those devices in the default VLAN...aka VLAN0.

Now, say you want to create a guest network. For both plugged in devices, and for wireless devices. For consistency, we usually do a common theme, just to make it easier for us to support lots of different networks. Like I mention above, we do guest wifi networks as VLAN6. And we do VoIP networks as VLAN2. You don't need to progress in numerical order...you don't have to do VLAN 0, 1, 2, etc.

All switch ports will default to being VLAN0. If you want to include VoIP on a port, along with the default network (let's call that "data"), you'd tag VLAN2 on top of default VLAN0. If you want to also add guest wifi...you'd also tag VLAN6, so that switch port will have Data, VoIP, and Guest pass out it.

If I have a network jack only for a wired computer to be on the guest network, on the switch port facing it, I'd UNtag VLAN6 on that switch port. Nobody else is a member, nobody else is tagged. This way, only guest traffic exits that switch port...going to the computer that is not VLAN aware, and as far as the computer is concerned...that's its only network connection. UNtagging VLAN6 on that switch port means any traffic coming from that computer automatically gets shoved into VLAN6 within the switch...shoved into its lane on the multi-lane highway.
 
How to explain a complex subject correctly and completely to where anybody will have a Eureka moment!

==> I looked up the best way to teach this to Computer Technicians, Desktop Support Folks, Helpdesk people, and others at work who want to learn computer networking.

Hands down this is the very BEST tutorial I have EVER come across that explains VLANs and how they are used and actually configured!

It even gets the terminology right (i.e. we are talking "FRAMES", NOT "packets", for layer 2).
 
Thank you both - I'm getting it, and certainly understand it better. I think part of the problem for me is that the definitions I could find, while not wrong, were not complete. For example - Untagged was defined as
The selected ports will forward untagged packets in the target VLAN
What I didn't get at first was that this meant "will forward only untagged packets" as well as "will remove tags before forwarding". Those facts together make it impossible to misunderstand what will happen if you set a port as untagged. The original definition isn't wrong, just not complete. I think each of the salient terms has this same problem, so there were just too many unanswered questions even though I was staring at the definitions.

The other confusion comes from which direction of traffic you are talking about. Data both goes out TO a device and comes in FROM a device on the port in question, so when we're talking about forwarding it is not necessarily obvious which direction we're talking about, and it is easy to confuse things if you think about them too much. I go through this every time I set up a site-to-site VPN. On one end this is the "FROM" IP and on the other end it's the "TO" IP. I guess my brain isn't wired quite right to have that particular "aha" moment easily. I'm sure it's related to my lack of an internal compass. Some people intuitively know directions and can find their way to places without much guidance. I'm not one of those people - haha.

I'm going to have my guys go through that tutorial.
 
So to possibly answer your wonderment.....or confuse you more, it also depends on whether the device itself is "tagging".
For example, the old way of setting up VoIP phones (pre-LLDP-MED days)...you'd program the phone to be on VLAN2, for example. And most office phones do the ethernet passthrough to the computer. So the data jack in the office by the desk will have default VLAN0 for data (the computer), and it will "tag" VLAN2 for the VoIP. The phone, itself tagging VLAN2, will "grab that traffic". The computer, not being VLAN aware, will default to...default VLAN0...data.

Say I set up an all Ubiquiti Unifi network, including the Unifi gateway, switch, and APs.
I want a data network, and I want a guest network.
So for the guest network I make VLAN6.
Since there's a Unifi gateway there, it will create the "guest" VLAN including the router; the router itself will tag it. So for the Unifi switch port facing the LAN port of the gateway, we'll have a profile which has default VLAN0 AND VLAN6 Guest, since the Unifi gateway is actually terminating it. And I'd only have the Unifi switch port profile of VLAN0 with VLAN6 tagged on the ETH ports facing the gateway and facing the APs. I don't like to tag VLANs on switch ports unless they need it. Less/simpler is better, IMO.

I can do that with Untangle also, but I prefer to peel out the guest network and put it on a dedicated separate ethernet interface on Untangle...so for the Unifi switch port facing that ETH port, I'd UNtag VLAN6. I could leave it tagged and have Untangle also tag VLAN6 on that ETH port...but I prefer to strip things down as much in the switch as I can.
 