NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Prosafe Plus Switches/VLAN Config
Hello! I'm trying to set up VLANs for a guest network in my structure. I use the GS116Ev2 (#1) as primary switch connecting it to a GS108Ev1 (#2) as room-distributor and that again connected to a...
Hello,
again thanks to DaneA for pointing me in the right direction. After some testing I found the correct solution. To conclude all findings as one solution (and give some more info for people requiring something like this:
Basic prerequisites:
- we're talking about VLANs using 802.1Q in Advanced mode(!)
- I'm using Netgear Prosafe Plus Switches only (while more sophisticated models from Netgear shouldn't be a problem)
- when I speak of the primary VLAN, I mean ID 01, which is the company network for me (all common systems are in it and there should be no limitiations to "talk" to each other)
- when I speak of secondary VLAN, I mean ID 02, which is the guest network; it's supposed to provide internet access only, systems in this network are allowed to "talk" to each other, but (of course) not to any components in the primary VLAN
- I'm using UniFi AP-Accesspoints which are capable of serving several WiFi-Networks, the company WiFi is configured to be default VLAN (as "1" can not be configured), while the guest WiFi is configured to be VLAN 2.
1.) All uplink ports on any switch (connecting one switch to another) have this config:
- Member of the primary VLAN (01) tagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
2.) All ports being connected to guest-systems and to the guest gateway have this config:
- Member of the secondary VLAN (02) untagged
- PVID = 2
3.) All ports for my accesspoints have this config:
- Member of the primary VLAN (01) untagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
Please note the following things (I also mention some quite obvious things, just to make sure):
- you need to provide seperate DHCP-Servers for both VLANs
- you would want to use seperate IP-Ranges for both VLANs
- you need some kind of internet-gateway that is capable to work for both ranges and does not interconnect them (I'm using a AVM Fritzbox 7490 here: LAN1 is connected to the primary VLAN, DHCP is disabled (as there is a DHCP on our main server); LAN4 is configured to provide guest lan and always has it's own DHCP which cannot be disabled) - this port is connected to the secondary VLAN using the normal "guest-system"-config mentioned above under (2).
Hi MarcWinter,
Welcome to the community! :)
I think you should set the uplinks as tagged(T) ports with PVID = 1.
Regards,
DaneA
NETGEAR Community Team
Hello DaneA,
thanks for the info. To be sure: in advanced mode, I can tag the uplinks-ports for both VLANs: 01 and 02. Am I supposed to do so?
Best regards,
Marc
Hello,
again thanks to DaneA for pointing me in the right direction. After some testing I found the correct solution. To conclude all findings as one solution (and give some more info for people requiring something like this:
Basic prerequisites:
- we're talking about VLANs using 802.1Q in Advanced mode(!)
- I'm using Netgear Prosafe Plus Switches only (while more sophisticated models from Netgear shouldn't be a problem)
- when I speak of the primary VLAN, I mean ID 01, which is the company network for me (all common systems are in it and there should be no limitiations to "talk" to each other)
- when I speak of secondary VLAN, I mean ID 02, which is the guest network; it's supposed to provide internet access only, systems in this network are allowed to "talk" to each other, but (of course) not to any components in the primary VLAN
- I'm using UniFi AP-Accesspoints which are capable of serving several WiFi-Networks, the company WiFi is configured to be default VLAN (as "1" can not be configured), while the guest WiFi is configured to be VLAN 2.
1.) All uplink ports on any switch (connecting one switch to another) have this config:
- Member of the primary VLAN (01) tagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
2.) All ports being connected to guest-systems and to the guest gateway have this config:
- Member of the secondary VLAN (02) untagged
- PVID = 2
3.) All ports for my accesspoints have this config:
- Member of the primary VLAN (01) untagged
- Member of the secondary VLAN (02) tagged
- PVID = 1
Please note the following things (I also mention some quite obvious things, just to make sure):
- you need to provide seperate DHCP-Servers for both VLANs
- you would want to use seperate IP-Ranges for both VLANs
- you need some kind of internet-gateway that is capable to work for both ranges and does not interconnect them (I'm using a AVM Fritzbox 7490 here: LAN1 is connected to the primary VLAN, DHCP is disabled (as there is a DHCP on our main server); LAN4 is configured to provide guest lan and always has it's own DHCP which cannot be disabled) - this port is connected to the secondary VLAN using the normal "guest-system"-config mentioned above under (2).
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
