CrimpOn
Mar 27, 2025 (Guru - Experienced User)
VLAN Puzzle
I would appreciate assistance diagnosing a VLAN problem. Now that many homes have Ethernet cables installed from most rooms to a central patch panel, some users find that the patch panel is not a gre...
schumaku
Apr 24, 2025 (Guru - Experienced User)
Why on earth yet another new thread? Please merge accordingly!
CrimpOn wrote:
So, all we need to do is tell this pair of Smart switches:
- If a frame comes in from the router/switch LAN port with no VLAN tag, temporarily assign a tag to it (maybe "3") so that it can find its way to the tagged port leading to the other switch. When it gets to the other switch, find the correct port and output the frame with no tag.
- If a frame comes in with VLAN tag 4093, send it to the tagged port to the other switch. When it gets to the other switch, send it to the right port and send it out, keeping the VLAN tag on it.
I can find NO 802.1Q VLAN setting to make this happen.
This quoted section only? This is exactly my proposal from before! So I try again...
Simple:
As per your example, define the port where the untagged frames are coming in (the Orbi router facing one, same for the switch2switch connection trunk link) to work on VLAN 3: Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs
On the Orbi satellite end same story:
Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs
Voila, here is your trunk connection.
When it comes to IEEE1905, only IEEE1905 compliant devices can communicate. IEEE 1905 can establish dedicated control channels and actions, reconfiguring things. This might include the ability to "generate" not only plain Ethernet connections, but also tagged connections.
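The port settings described in the post above can be checked with a small 802.1Q model. This is an added example, not code from any poster or from NETGEAR; the port names, the two-switch layout and VLAN 10 for the ISP/WAN pair are assumptions made for illustration.

```python
# Each port has a PVID and a per-VLAN membership: "U" = egress untagged,
# "T" = egress tagged. A tag of None means the frame is untagged on the wire.
GUEST = 4093   # tag the thread reports for Orbi guest traffic
DROP = "drop"

def orbi_port():
    # Setting from the post: [U]ntagged VLAN 3, PVID 3, plus [T]agged for the other VLANs
    return {"pvid": 3, "member": {3: "U", GUEST: "T"}}

def access(vlan):
    # Ordinary access port: one untagged VLAN only
    return {"pvid": vlan, "member": {vlan: "U"}}

# Hypothetical layout: switch 1 carries the router plus the ISP/WAN pair (VLAN 10),
# switch 2 carries the satellite; "trunk" is the switch-to-switch link.
SW1 = {"router": orbi_port(), "trunk": orbi_port(), "pc": access(3),
       "isp": access(10), "wan": access(10)}
SW2 = {"trunk": orbi_port(), "satellite": orbi_port(), "tv": access(3)}

def flood(switch, in_port, tag):
    """Flood a frame entering in_port; return {out_port: tag on the wire}."""
    port = switch[in_port]
    vlan = port["pvid"] if tag is None else tag   # untagged frames take the PVID
    if vlan not in port["member"]:
        return {}                                 # ingress filtering drops it
    out = {}
    for name, p in switch.items():
        mode = p["member"].get(vlan)
        if name != in_port and mode:
            out[name] = vlan if mode == "T" else None
    return out

def router_to_satellite(tag):
    """Tag the satellite sees for a frame the router sent with `tag`, or DROP."""
    hop1 = flood(SW1, "router", tag)
    if "trunk" not in hop1:
        return DROP
    return flood(SW2, "trunk", hop1["trunk"]).get("satellite", DROP)

if __name__ == "__main__":
    print("untagged from router arrives as:", router_to_satellite(None))
    print("guest-tagged from router arrives as:", router_to_satellite(GUEST))
    print("ISP broadcast reaches:", sorted(flood(SW1, "isp", None)))
    print("guest tag injected on a PC port reaches:", flood(SW1, "pc", GUEST))
```

In this model untagged frames stay untagged end to end, guest frames keep tag 4093, and broadcasts on the ISP/WAN VLAN never reach the LAN ports.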
FURRYe38
Apr 24, 2025 (Guru - Experienced User)
"Simple:
As per your example, define the port where the untagged frames are coming in (the Orbi router facing one, same for the switch2switch connection trunk link) to work on VLAN 3: Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs
On the Orbi satellite end same story:
Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs"
So with this configuration, I presume this can be all configured on 1 switch in between the RBR and RBS and avoid the use of two switches and the extra LAN cable?
- CrimpOn, Apr 24, 2025 (Guru - Experienced User)
Appreciate the patience. (I REALLY do.)
Now, to the mechanics to make this happen.
- The WAN-ISP link must be separate from all other traffic. No broadcast packets (like DHCP requests) from network devices hitting the ISP except for the router itself.
- The switch port connected to the router LAN port must accept both untagged frames and VLAN 4093 tagged frames. Untagged frames addressed to other devices have to go through the switch and come out the correct port. Both untagged and tagged frames addressed to the satellite (or a device connected to the satellite) must go through the switch and come out the same way they came in (untagged and VLAN 4093 tagged).
- Likewise, both untagged and VLAN 4093 frames sent from the satellite to the router must come out this port the same way they went in. (some untagged. some VLAN 4093 tagged.)
- This is the setting I cannot find.
- This would seem to indicate that the ports connecting both switches must be 802.1Q tagged. (otherwise, broadcast and multicast frames would go 'everywhere') But, that means that both switches must be set up as 802.1Q VLAN. Not "Port Based" VLAN.
Here is the design
- FURRYe38, Apr 24, 2025 (Guru - Experienced User)
Your theory seems to lead to something I've thought about. GN is isolated from the main LAN and I believe tied directly to the WAN port for internet resources. I presume it may not be behind any firewall layer either.
How you have this laid out has the RBS at the 1st switch with the ISP services on same switch. Seems to have some credence on getting around the GN isolation barrier when in normal configuration modes.
- CrimpOn, Apr 24, 2025 (Guru - Experienced User)
Guest WiFi is definitely behind a NAT firewall that prevents access from the internet or from the primary network. Devices on the Guest WiFi can open a connection TO the internet, which allows applications to communicate with cloud resources.
The problem is when a device is on the Guest WiFi of a satellite, and has to communicate with the Guest WiFi on the router through the LAN ports. I would have thought, "no problem. Primary IP subnet is 192.168.1.x. Guest subnet is 192.168.2.x. Just set up a static route." It appears that Netgear decided to use VLAN tag 4093 for any frames going from Guest WiFi on one Orbi to Guest WiFi on another Orbi.
As long as the entire network is "ordinary Ethernet" (wires or dumb switches), these VLAN packets just go where they are supposed to go. The ARP based switch mechanisms will route frames through the switches and cables until they get where they need to go.
What kills things is (a) using the 'wired' router to satellite connection, and (b) running the connection through managed switches.
What would be really cool is if someone could capture the traffic between router and satellite on a BE system. i.e. put a tap on an Ethernet cable. Start Wireshark. Connect the cables. Capture a couple of minutes.
BE Router >--cable--> Tap <---cable--->BE Satellite (leave this cable off until ready)
||
Wireshark