Jul 20, 2024
Solved

Odd VLAN behavior?

I'm having a vendor install a suite of security products from Verkada and will be placing the equipment on its own VLAN (VLAN42). My setup is as follows:

 

Comcast Router >> Dumb Switch >> Two (2) Sophos Firewalls in HA >> Switch A >> Switch B >> Switch C

Yes, ideally each switch would be connected to the FWs, but instead they're connected to each other.

 

Switch A: GS324TP S350 v1.0.0.43

Switch B: GS324TP S350 v1.0.0.43

Switch C: GS724TPv2 ProSAFE v2.0.8.18

 

Switch A:

Port1: Uplink to FWs: VLAN1 untagged, VLAN42 tagged

Port25&26 (LAG): VLAN1 untagged, VLAN42 tagged

 

Switch B:

Port1: VLAN1 untagged, VLAN42 tagged

Port24: VLAN1 untagged, VLAN42 tagged

Port25&26 (LAG): VLAN1 untagged, VLAN42 tagged

 

Switch C:

Port1: Endpoint; VLAN42 tagged/untagged (should be an untagged access port, see below).

Port24: VLAN1 untagged, VLAN42 tagged

 

Certainly, lots of other ports are untagged VLAN1, but I'm trying to avoid information overload and focus on what should be trunk ports (Port1 on Switch A to FWs, the LAG between A & B, and ports 24 between B & C).

 

Here's my problem:

If I connect a device to Port 1 on Switch C (I was testing with my Microsoft Surface), it will not obtain a DHCP address from VLAN42. However, if I tag Port 1 and configure my NIC for VLAN42 it works: I obtain a DHCP address in the applicable scope (not from VLAN1), I can ping 8.8.8.8, etc. This should all but eliminate any concerns around the DHCP config, trunk ports, etc. It clearly demonstrates the traffic and tagging is traveling through all the devices. I'm just terribly confused as to WHY it's not working if the port is untagged.

 

Reading another post, I thought I figured it out, and a working configuration at our other location would suggest this to be the case, where the PVID of the port should be the VLAN, in this case 42. I just tried that and it's still not working. Granted, I'm not currently onsite, so... I just tried setting the PVID of the port where the camera is connected to VLAN42, but it won't grab an IP and the camera goes offline. I set it back to VLAN1, it comes online. I need to get onsite with my Surface and see if I can get an IP from VLAN42 if the port's PVID is set the same.

 

Any other thoughts?

5 Replies

  • Nothing stops the network admin from using one VLAN untagged on all trunks, here VLAN1 for example.

    Rneal1973 wrote:

    Switch C:

    Port1: Endpoint; VLAN42 tagged/untagged (should be an untagged access port, see below).

    Port24: VLAN1 untagged, VLAN42 tagged

     

    --- I'm just terribly confused as to WHY it's not working if the port is untagged.

     

    Reading another post, I thought I figured it out, and a working configuration at our other location would suggest this to be the case, where the PVID of the port should be the VLAN, in this case 42.


    The problem here appears to be the overloaded config for what is supposed to be the access port 1 on switch C serving the end point.

     

    Ensure it's -only- [U]ntagged for VLAN 42 along with the PVID 42.

     

    This is why I'm always pointing out - along with the ubiquitous PVID - that the same VLAN should not be carried as [T]agged -and- [U]ntagged on a single port.

     

    On a side note, these are all Smart Managed switches, so I'll suggest a moderator move this thread to the Plus And Smart Switches Forum for discussing Smart Switches (T) and Plus Switches (E), including Local and Remote Management.

     

    Regards,

    -Kurt.

    • Rneal1973
      Guide

      Thank you for the response, Kurt!

       

      I probably muddied the waters a bit...

       

      What I was attempting to explain was I can seemingly only get it working if I tag the port as VLAN42. Everything tells me on an access port, it should be untagged. But the behavior thus far has been if I leave it untagged, the device, whether it be my Surface, or the POE camera, is unable to obtain an IP. If I put VLAN1 on the port, untagged, both devices are able to get an IP from our main LAN & DHCP scope. If my post read as if the port was both tagged and untagged on VLAN42 simultaneously (is that even possible?), that's not the case.

       

      I was trying to express I've tried the port in both configurations, and I can only get an IP (on my Surface) if I tag the port for VLAN42, and also configure my NIC as VLAN42. However, while this solution technically could work, I can't set a VLAN tag on the POE cameras. But I did overlook setting the PVID on the port to VLAN42. I'm heading to the office now to give it a try.

       

      Thanks again!

      • schumaku
        Guru

        With only the [U]ntagged - and only that single VLAN config (no other [U]ntagged VLANs associated, and no [T]agged unless required) - on that single port for VLAN 42 (and the PVID 42 so the switch does assign untagged frames to the VLAN intended) this will work as intended.
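The three port 1 configurations discussed in this thread, worked through in an added example that is not from the thread or NETGEAR: a simplified 802.1Q port model (membership sets plus PVID, ingress filtering assumed on) showing why the untagged endpoint only gets a VLAN42 DHCP offer once the PVID is 42. The port names, default PVID values and DHCP round-trip are assumptions for illustration.

```python
# Added example: a simplified 802.1Q model, not NETGEAR switch firmware.
from dataclasses import dataclass, field

@dataclass
class Port:
    tagged: set = field(default_factory=set)    # VLANs this port sends with a tag
    untagged: set = field(default_factory=set)  # VLANs this port sends without a tag
    pvid: int = 1                               # VLAN assigned to untagged ingress frames

    def ingress(self, vid):
        """Classify an arriving frame (vid=None means it arrived untagged).
        Returns the VLAN it is forwarded in, or None if the port is not a
        member of that VLAN (ingress filtering, assumed on)."""
        vid = self.pvid if vid is None else vid
        return vid if vid in self.tagged | self.untagged else None

    def egress(self, vid):
        """Return 'tagged' or 'untagged' if a frame in VLAN vid leaves this port, else None."""
        if vid in self.untagged:
            return "untagged"
        if vid in self.tagged:
            return "tagged"
        return None

def dhcp_roundtrip(access, uplink, client_tag=None):
    """DHCP discover enters on the access port, the offer comes back through the
    uplink in the same VLAN. Returns (vlan, how the offer reaches the client)
    or None when the exchange cannot complete."""
    vid = access.ingress(client_tag)
    if vid is None or uplink.egress(vid) is None:
        return None  # discover never leaves the switch towards the DHCP server
    how = access.egress(vid)
    if how is None or (how == "tagged" and client_tag is None):
        return None  # offer cannot egress, or the untagged client ignores a tagged offer
    return (vid, how)

# Switch C port 24 as described in the thread: VLAN1 untagged, VLAN42 tagged.
UPLINK = Port(tagged={42}, untagged={1}, pvid=1)

# The three port 1 configurations discussed (PVID values are assumed defaults):
CASES = {
    "untagged42_pvid1": (Port(untagged={42}, pvid=1), None),    # poster's failing attempt
    "tagged42_nic42": (Port(tagged={42}, pvid=1), 42),          # works only with a tagging NIC
    "untagged42_pvid42": (Port(untagged={42}, pvid=42), None),  # accepted answer
}

def run_cases():
    return {name: dhcp_roundtrip(port, UPLINK, tag) for name, (port, tag) in CASES.items()}
```

Only the PVID 42 case delivers an untagged offer, which is the only form a PoE camera that cannot tag its own frames can use.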
