cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1800
Views
10
Helpful
5
Replies

VLAN question from new user

NH6Y
Level 1
Level 1

I have an RV345 router.  I would like to isolate 4 devices with a VLAN.  These devices need internet access and access to each other.  However they are not all connected (physically) to the same LAN port.  Also there are other devices connected to these LAN ports thru several switches.  Is this possible?  Or must these 4 devices and only these 4 devices be connected to a single LAN port?  I haven't been able to find much documentation about this and the HELP is confusing.  The help dialog says "at least one LAN port should be untagged for each VLAN"  However if I try to TAG  a port for both VLANs (in the hope of getting the traffic of both VLANs to go thru but kept separate)  I get an error that says "Each LAN port should have one untagged VLAN"

Any help or pointers to help would be appreciated.

Tom

1 Accepted Solution

Accepted Solutions

Where are they located in the same place or different area? are they belong to the same IP address space ?

 

Since Dumb switch don't have capabilities ( may be don't know depends on models, but most don't have separated port config, or ACL)

 

The best is to bring those  C, D, E, and G  devices and connect them to the RV345 router. make them different VLAN, rest all stay as it is in the same VLAN , that is best I can see here.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

Make a small Network Diagram for you and us to understand, how we can solve the objective (is this can be done ? if yes how, if not what other options we have to think).

 

If you like to isolate 4 devices - they are in the same VLAN or different VLANs, where are they connected?

If you have other switches are they intelligently managed switches that can accept ACL  ? (what makes those switches ?)

 

 

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

NH6Y
Level 1
Level 1

I will try to attach a simplified network diagram.  Devices A, B, C and the upper (dumb) switch are connected to ports on the router.

Devices D, E, F and the lower (also dumb) switch are connected to the upper switch.  Devices G and H are connected to the lower switch.

I would like to isolate C, D, E and G on a separate VLAN. 

Where are they located in the same place or different area? are they belong to the same IP address space ?

 

Since Dumb switch don't have capabilities ( may be don't know depends on models, but most don't have separated port config, or ACL)

 

The best is to bring those  C, D, E, and G  devices and connect them to the RV345 router. make them different VLAN, rest all stay as it is in the same VLAN , that is best I can see here.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, if I plug the 4 devices directly into the router ports, everything works fine.  Just not as convenient.

(I should have added an network closet to my home rather than using a corner of the living room

Thanks, Tom

nagrajk1969
Spotlight
Spotlight

Hi

 

1. It all depends on whether the "dumb" switches (both upper and lower switches) support "forwarding" of vlan-tagged ethernet-frames?
a) you should confirm that these "dumb" switches, eventhough not supporting vlans, still able to forward vlan-tagged ethernet frames across their ports

b) Earlier almost all dumb switches would simply drop any ethernet frames with vlan-tag as error frames (becos it could not parse these vlan-tagged frames that it received on its ports)

c) BUT, Some or most of the latest "dumb/unmanaged" swithes atleast continue to simply "forward" vlan-tagged ethernet frames

2. So a quick test would be:


a) IF D/E/G are linux machines AND connected to the upper-dumb switch and lower-dumb-switch, then you may simply configure on each of them as below:

- assuming that on all 3 hosts D/E/G, the eth0 interface is used to connect to the switch ports
- assuming that all these hosts are to be configured in vlan30


On
-----
vconfig add eth0 30
ifconfig eth0.30 172.16.30.4 netmask 255.255.255.0 up

On E:
-----
vconfig add eth0 30
ifconfig eth0.30 172.16.30.5 netmask 255.255.255.0 up

On G:
-----
vconfig add eth0 30
ifconfig eth0.30 172.16.30.6 netmask 255.255.255.0 up

b) Next on D start sending "ping 172.16.30.5" to E.


- IF the ping is working then check on E host by capturing the packets on eth0 interface using the below tcpdump command:

tcpdump -eni eth0

 

- In the output of tcpdump, on E, you shoud be able to see clearly the vlan30 tag info on each of the inbound and outbound ethernet frames

sample output of "tcpdump -eni eth0""

 

02:20:48.381579 00:04:9f:06:19:b6 > 00:0a:f7:69:10:82, ethertype 802.1Q (0x8100), length 102: vlan 30, p 0, ethertype IPv4, 172.16.30.2 > 172.16.30.3: ICMP echo request, id 4623, seq 842, length 64
02:20:48.381605 00:0a:f7:69:10:82 > 00:04:9f:06:19:b6, ethertype 802.1Q (0x8100), length 102: vlan 30, p 0, ethertype IPv4, 172.16.30.3 > 172.16.30.2: ICMP echo reply, id 4623, seq 842, length 64


c) IF the ping is NOT working, then it clearly means that this dumb-switch DOES NOT SUPPORT PROCESSING/FORWARDING OF VLAN-TAGGED ETHERNET FRAMES


d) similarly you could also check with sending ping 172.16.30.6 from D to G

 

3. So the point of above checks is that

NOTE: By default when you create a vlanX on RV345, its configured as "Tagged" on ALL 16 LAN-ports AND by default vlan1 is set as "untagged" on ALL 16-LAN ports


a) IF THE DUMB SWITCHES SUPPORT PROCESSING/FORWARDING OF VLAN-TAGGED ETHERNET FRAMES EVENTHOUGH IT DOES NOT SUPPORT VLAN-CONFIG ON ITS PORTS, then

>>>I would like to isolate C, D, E and G on a separate VLAN.

 

- you have created a vlan30 interface on RV345 with the ipaddr 172.16.30.1/24
- in the vlan-settings on RV345, set the LAN-port that is connected to upper-dumb-switch as "Untagged" for VLAN-30
- And we will assume that all the 4 hosts C/D/E/G are configured as "untagged" interfaces with ipadfress in the 172.16.30.0/24 subnet, meaning

Host C ip: 172.16.30.2/24 Def-Gw: 172.16.30.1
Host D ip: 172.16.30.4/24 Def-Gw: 172.16.30.1
Host E ip: 172.16.30.5/24 Def-Gw: 172.16.30.1
Host G ip: 172.16.30.6/24 Def-Gw: 172.16.30.1


b) Next if we assume that F & H hosts are in vlan40, then on RV345 create a vlan40 with ipaddr 172.16.40.1/24
- Next keep the default setting of vlan40 being "Tagged" on all LAN-ports (including the port connected to "Upper-dumb-switch)
- So in this case, YOU HAVE TO CONFIGURE ON F & H tagged vlan40 interfaces with ipaddresses in 172.16.40.0/24 subnet and their default-gw ipaddr as 172.16.40.1

 

4. And if the dumb-switches DONT SUPPORT PROCESSING/FORWARDING OF VLAN-TAGGED ETHERNET-FRAMES, THEN

a) ON RV345, in the the vlan-settings, YOU MUST configure as "untagged" for vlan-30 ON THE PORT CONNNECTED TO THE upper-dumb-switch
b) This will ensure that hosts D/E/G with ipaddress in 172.16.30.0/24 subnet will be in the same vlan30 as Host-C
c) One limitation in this case would be that you will HAVE TO ALSO CONFIGURE HOSTS F & H in the same vlan30. These 2 hosts CANNOT BE IN OTHER VLANS, becos the dumb swithces cannot forward vlan-tagged ethernet frames (vlan40)

 

5.Additional alternate config is to

a) move D/E/G to one dumb-switch and connect to say LAN-PORT-10 on RV345 and configure this port as "untagged" for vlan30
b) Next move F & H hosts to another separate "dumb" switch and connect this switch to say LAN-PORT-11 on RV345, AND configure this port as "untagged" for vlan-40

- Then it solves all your requirements in an efficient manner, till you replace both the dumb switches with "managed/vlan-supported" switches

 

best regards

 

Review Cisco Networking for a $25 gift card