NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Prosafe Plus Switches/VLAN Config
Hello!
I'm trying to set up VLANs for a guest network in my structure. I use the GS116Ev2 (#1) as primary switch connecting it to a GS108Ev1 (#2) as room-distributor and that again connected to another GS108Ev3 (#3) in another room.
The task I'm trying to achieve is to have one port of the 116 to provide the internet connection for guests. Within the structure I want to assign specifc ports of the 108's to provide connection to guest systems. In order to configure this, I set up the following:
All switches are set to 802.1Q Advanced VLAN Settings
#1 (GS116Ev2)
- Port 1 Guest connection to the internet, VLAN 02, untagged, PVID=2
- Port 2 Cooperate connection to the internet, VLAN 01, untagged, PVID=1
- Port 16 Uplink to Switch #2, VLAN 01 and 02, untagged, PVID=1
- all other ports: VLAN 01, untagged, PVID=1
#2 (GS108Ev1)
- Port 7 Uplink to Switch #3, VLAN 01 and 02, untagged, PVID=1
- Port 8 Uplink to Switch #1, VLAN 01 and 02, untagged, PVID=1
- all other ports: VLAN 01, untagged, PVID=1
#3 (GS108Ev3)
- Port 1 Uplink to Switch #2, VLAN 01 and 02, untagged, PVID=1
- Port 7 Guest Access port, VLAN 02, untagged, PVID=2
- all other ports: VLAN 01, untagged, PVID=1
When I connect my notebook to Switch #3, Port 7, I can't get a connection to the Internet-Gateway connected to Switch #1, Port 1. What did I miss?
BTW: I'm using this configuration as I want to add Accesspoints supporting VLAN-Tagging and offering seperate WLANs for my Users (VLAN 01) and Guests (VLAN 02) later.
Hello,
again thanks to DaneA for pointing me in the right direction. After some testing I found the correct solution. To conclude all findings as one solution (and give some more info for people requiring something like this:
Basic prerequisites:
- we're talking about VLANs using 802.1Q in Advanced mode(!)
- I'm using Netgear Prosafe Plus Switches only (while more sophisticated models from Netgear shouldn't be a problem)
- when I speak of the primary VLAN, I mean ID 01, which is the company network for me (all common systems are in it and there should be no limitiations to "talk" to each other)
- when I speak of secondary VLAN, I mean ID 02, which is the guest network; it's supposed to provide internet access only, systems in this network are allowed to "talk" to each other, but (of course) not to any components in the primary VLAN
- I'm using UniFi AP-Accesspoints which are capable of serving several WiFi-Networks, the company WiFi is configured to be default VLAN (as "1" can not be configured), while the guest WiFi is configured to be VLAN 2.
1.) All uplink ports on any switch (connecting one switch to another) have this config:
- Member of the primary VLAN (01) tagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
2.) All ports being connected to guest-systems and to the guest gateway have this config:
- Member of the secondary VLAN (02) untagged
- PVID = 2
3.) All ports for my accesspoints have this config:
- Member of the primary VLAN (01) untagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
Please note the following things (I also mention some quite obvious things, just to make sure):
- you need to provide seperate DHCP-Servers for both VLANs
- you would want to use seperate IP-Ranges for both VLANs
- you need some kind of internet-gateway that is capable to work for both ranges and does not interconnect them (I'm using a AVM Fritzbox 7490 here: LAN1 is connected to the primary VLAN, DHCP is disabled (as there is a DHCP on our main server); LAN4 is configured to provide guest lan and always has it's own DHCP which cannot be disabled) - this port is connected to the secondary VLAN using the normal "guest-system"-config mentioned above under (2).
3 Replies
Hi MarcWinter,
Welcome to the community! :)
I think you should set the uplinks as tagged(T) ports with PVID = 1.
Regards,
DaneA
NETGEAR Community Team
Hello DaneA,
thanks for the info. To be sure: in advanced mode, I can tag the uplinks-ports for both VLANs: 01 and 02. Am I supposed to do so?
Best regards,
Marc
Hello,
again thanks to DaneA for pointing me in the right direction. After some testing I found the correct solution. To conclude all findings as one solution (and give some more info for people requiring something like this:
Basic prerequisites:
- we're talking about VLANs using 802.1Q in Advanced mode(!)
- I'm using Netgear Prosafe Plus Switches only (while more sophisticated models from Netgear shouldn't be a problem)
- when I speak of the primary VLAN, I mean ID 01, which is the company network for me (all common systems are in it and there should be no limitiations to "talk" to each other)
- when I speak of secondary VLAN, I mean ID 02, which is the guest network; it's supposed to provide internet access only, systems in this network are allowed to "talk" to each other, but (of course) not to any components in the primary VLAN
- I'm using UniFi AP-Accesspoints which are capable of serving several WiFi-Networks, the company WiFi is configured to be default VLAN (as "1" can not be configured), while the guest WiFi is configured to be VLAN 2.
1.) All uplink ports on any switch (connecting one switch to another) have this config:
- Member of the primary VLAN (01) tagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
2.) All ports being connected to guest-systems and to the guest gateway have this config:
- Member of the secondary VLAN (02) untagged
- PVID = 2
3.) All ports for my accesspoints have this config:
- Member of the primary VLAN (01) untagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
Please note the following things (I also mention some quite obvious things, just to make sure):
- you need to provide seperate DHCP-Servers for both VLANs
- you would want to use seperate IP-Ranges for both VLANs
- you need some kind of internet-gateway that is capable to work for both ranges and does not interconnect them (I'm using a AVM Fritzbox 7490 here: LAN1 is connected to the primary VLAN, DHCP is disabled (as there is a DHCP on our main server); LAN4 is configured to provide guest lan and always has it's own DHCP which cannot be disabled) - this port is connected to the secondary VLAN using the normal "guest-system"-config mentioned above under (2).
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
