falstaff321
Aspirant
Sep 12, 2021

GS116Ev2 using 802.1Q VLAN ID 7

Hi,

 

Using a managed GS116Ev2 switch (firmware 2.6.0.48) connected to another switch. I use 802.1Q VLANs. There are two hosts without VLAN (VLAN 1/untagged): a Linux host and a printer. I can ping the printer without problems.

 

Now I enable 802.1Q VLAN with ID 7 for a separated network. On both switches I set the trunk port to tagged for VLAN 7. I also use 802.1Q VLAN support on my Linux host, and connect other devices on ID 7 untagged ports on the other switch. Everything works as expected: I can ping the VLAN 7 hosts of the other switch. However, I can no longer ping the printer! Disabling VLAN 7 on the Netgear (closer) switch makes pinging work again.

 

Sniffing traffic shows that my ARP request makes it through to the other switch and the other switch also passed back the ARP reply without VLAN tagging. However, it seems the GS116Ev2 discards the ARP response: it never makes it to the Linux host (listening on the Ethernet interface in promiscuous mode).

 

In a desperate attempt I switched to 17... And magically, all started to work exactly as I would expect it: I can ping hosts on the VLAN 17 network as well as the printer on the untagged network...

 

Is VLAN ID 7 special? What could I observe here?

 

Best regards,

Stefan

 

 

3 Replies

  • schumaku
    Guru - Experienced User

    Do you really have two correct, individual VLANs, VLAN1 and VLAN7 resp. VLAN1 and VLAN17 _and_ a router handling the routing between the two different IP subnets on VLAN1 and VLAN7 resp. VLAN17?

     

    Are we facing some strange attempts of somehow wildly connecting these two VLANs by overloading the ports' VLAN configs, creating some asymmetric VLAN config?

     

    Provide screenshots of all VLAN configs, the individual port VLAN configs, and the PVID config for the untagged VLAN.

    • falstaff321
      Aspirant

      I can ping the hosts in VLAN7/VLAN17 respectively, the problematic host (the printer) is the one in the untagged LAN.

       

      Port 1 is upstream (behind which the printer is connected on an untagged "VLAN 1" port).

      Port 2 is the Linux host

       

      Port 3 I just used to test: If I connect Linux host to that port, ping still does not work

      But I can use Port 4 (or any other port for that matter) and I can ping the print host.

       

      Or I can disable the VLAN 7 tagging on Port 2, and things start to work.

      And most confusing, I can change VLAN 7 to VLAN 17 on both sides, and things work too.

       

      • schumaku
        Guru - Experienced User

        falstaff321 wrote:

        I can ping the hosts in VLAN7/VLAN17 respectively, the problematic host (the printer) is the one in the untagged LAN.


        I'm still lost what the "other side" is. Unless there is a router and there are two properly configured VLANs with individual subnets, the two VLANs (tagging or untagging is a definition of the different purpose ports), making up TWO (resp. with 1, 10, and 17 THREE) different individual networks, there must be NO communication between these networks (leaving some spanning tree alone).

         


        falstaff321 wrote:

        Port 1 is upstream (behind which the printer is connected on an untagged "VLAN 1" port).

        Port 2 is the Linux host


        So both the upstream and the Linux host port do connect to systems/devices configured to support three individual VLANs, one probably untagged with the same PVID, the other two tagged, e.g. the uplink of all three networks to a router supporting three VLANs, and the Linux host with three networks on the same adapter, e.g. one for the Linux host access, one for some virtual machines, and one for some containers (or any other mix and match).

         


        falstaff321 wrote:

        Port 3 I just used to test: If I connect Linux host to that port, ping still does not work

        But I can use Port 4 (or any other port for that matter) and I can ping the print host.


        All I see is that port #3 is somehow a member of VLAN1, 10, and 17. How is this Linux host test adapter configured for the three VLANs? How is Port #3 configured for the three VLANs?

         

        To gain some experience I strongly suggest a test port (or more three test ports for each VLAN, even better two for each VLAN), one configured ONLY for the VLAN1, PVID 1, one configured for VLAN10 and PVID 10, one configured for VLAN17 and PVID 17 - so each of these test ports makes an untagged access port to each VLAN, and neither of these is a member in any other way of the other VLANs.

         

        When you have two access ports for each VLAN, you can discover that these two ports are connecting together like a patch cable.

         

        If you want now these three VLAN networks and IP subnets talking to another VLAN and IP subnet, a router must be in place. This can be a router with one untagged physical port connecting each to a dedicated subnet, or a router with a single adapter configured for all two or three VLANs (one probably untagged and the same PVID, all others tagged) - again configured on the switch accordingly. 

         


        falstaff321 wrote:

        Or I can disable the VLAN 7 tagging on Port 2, and things start to work.

        And most confusing, I can change VLAN 7 to VLAN 17 on both sides, and things work too.


        I'm still lost what the "other side" is. Unless there is a router and there are two properly configured VLANs with individual subnets, the two VLANs (tagging or untagging is a definition of the different purpose ports), making up TWO (resp. with 1, 10, and 17 THREE) different individual networks, there must be NO communication between these networks (leaving some spanning tree alone).

         

        Key are not just the memberships of the VLAN to the port, much more if these are all tagged (then the host must support the tagging), or only ONE port untagged (this can be to any VLAN with the PVID configured the same).

        I fear we're facing an invalid config or insufficient understanding of the 802.1Q VLAN concepts here I'm afraid. Be aware that 802.1Q VLANs don't make up something like a telephone/audio/video cross switch board allowing to mix and match multiple devices together. Each VLAN is an individual network, carrying its own dedicated IP subnet.
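
Added example, not part of the thread and not NETGEAR code: an idealized Python model of the 802.1Q port rules discussed in the replies above (PVID, tagged and untagged membership), showing which ports a flooded frame such as an ARP request reaches and how it is tagged on egress. The port layout, the `flood` and `audit` names, and the assumption that ingress filtering is enabled are illustrative; the model says nothing about what the GS116Ev2 firmware actually does with VLAN ID 7.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs egressing without a tag
    tagged: set = field(default_factory=set)     # VLANs egressing with an 802.1Q tag

    @property
    def members(self):
        return self.untagged | self.tagged

def flood(ports, in_port, vid=None):
    """Flood a broadcast (e.g. an ARP request) arriving on in_port.
    vid=None means the frame arrived untagged. Returns {egress_port: tag or None}."""
    src = ports[in_port]
    vlan = src.pvid if vid is None else vid      # ingress classification
    if vlan not in src.members:                  # ingress filtering (assumed enabled)
        return {}
    return {n: (vlan if vlan in p.tagged else None)
            for n, p in ports.items()
            if n != in_port and vlan in p.members}

def audit(port):
    """Flag the per-port settings the replies warn about."""
    issues = []
    if len(port.untagged) > 1:
        issues.append("untagged in more than one VLAN")
    if port.untagged and port.pvid not in port.untagged:
        issues.append("PVID is not the untagged VLAN")
    return issues

# Constructed layout: 1 = uplink, 2 = Linux host, 3 = VLAN 1 access, 4/5 = VLAN 7 access.
PORTS = {
    1: Port(pvid=1, untagged={1}, tagged={7}),
    2: Port(pvid=1, untagged={1}, tagged={7}),
    3: Port(pvid=1, untagged={1}),
    4: Port(pvid=7, untagged={7}),
    5: Port(pvid=7, untagged={7}),
}

if __name__ == "__main__":
    print(flood(PORTS, 2))          # untagged frame from the Linux host stays in VLAN 1
    print(flood(PORTS, 2, vid=7))   # tagged frame stays in VLAN 7
    print(flood(PORTS, 4))          # access port 4 reaches only VLAN 7 members
    print(audit(Port(pvid=1, untagged={1, 7})))
```

In this model an untagged frame and a VLAN 7 frame from the same trunk port never reach each other's access ports, which is the isolation the replies describe; traffic between the two needs a router.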

         
