
Forum Discussion

Mar 03, 2021

VLAN Sanity check for GS105Ev2

Hi, after some digging/reading I think I have my switch set up correctly for the most part. Hoping someone can verify my configuration is correct for what I want to accomplish, which is VLAN isolation and management access. The config is for 802.1Q.


VLAN Configuration / VLAN Identifier Setting:

VLAN ID   Port Members
   1      1, 2
  50      1, 2
  60      1, 3
  70      1, 4
  80      1, 5

-----------------------------------------------

VLAN Membership (T = tagged, U = untagged, - = not a member):

VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
   1        U        U        -        -        -
  50        T        U        -        -        -
  60        T        -        U        -        -
  70        T        -        -        U        -
  80        T        -        -        -        U

-----------------------------------------------

PORT PVID Configuration:

PORT   PVID
  1      1
  2     50
  3     60
  4     70
  5     80

-----------------------------------------------

I'm fairly sure I have it right but do question VLAN 1 membership and tagging. The PC I use to access the GS105Ev2 is on VLAN 50. From what I understand, VLAN 1 is a management VLAN? I am making the assumption that Port 2 needs to be an untagged member of VLAN 1 to be able to access the GS105Ev2 web GUI. Is that correct?


My GS105Ev2 is connected to a router/firewall (pfSense) with all VLANs set up in pfSense except for VLAN 1. VLAN 1 in the GS105Ev2 is using the subnet address of the physical interface it is connected to.


So, I want each VLAN to be isolated from one another and want to be able to access the GS105Ev2 web GUI from a PC located on VLAN 50. Is my configuration correct, or do I need to make changes?

5 Replies

  • Hello Tagit446 


    Perfect information - a pleasure to help you here!


    Somewhere on port 2 there is a mistake - only one VLAN can be untagged on a port in an 802.1Q config:


    VLAN Membership (T = tagged, U = untagged, - = not a member):

    VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
       1        U        U        -        -        -
      50        T        U        -        -        -
      60        T        -        U        -        -
      70        T        -        -        U        -
      80        T        -        -        -        U


    To operate this set-up, you would need one more port available.


    I suggest rethinking what/how you want to manage your security appliance, the switch, and probably other devices on your network. Don't make your networking life unnecessarily complex. What is the point of isolating this VLAN 1 to just the switch, when you want to use a system on VLAN 50 for the management?


    Tagit446 wrote:

    From what I understand, VLAN 1 is a management VLAN? I am making the assumption that Port 2 needs to be an untagged member of VLAN 1 to be able to access the GS105Ev2 web GUI. Is that correct?


    Afraid, no. Please note that (most) Smart Managed Plus switches have a little disadvantage: the tiny management processor is not hard-limited to a single VLAN. On one hand, there is no config for the management VLAN (because there is none). On the other hand, its IP address can be reached by IP on any VLAN.
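As an added check that is not code from this thread or from NETGEAR, the Python below encodes the membership and PVID tables the original poster gave and applies the plain 802.1Q port-based rules the reply above relies on: a port can be an untagged member of only one VLAN, an untagged ingress frame is classified into the port's PVID, and a frame is only flooded to other member ports of its VLAN. The function and constant names are mine, the `forward` model is a simplification (no MAC learning, no management CPU, which the reply notes is reachable from any VLAN on these switches), and it also reports which edge ports still share a VLAN, which is the switch-level part of the isolation the poster wants.

```python
"""
Sanity-check an 802.1Q port/VLAN membership table of the kind the GS105Ev2
presents, and model where a single frame ends up.  The data below is the
configuration posted in this thread; the rules are generic 802.1Q
port-based classification, not NETGEAR-specific behaviour.
"""

T, U = "T", "U"

# The poster's VLAN Membership table: vlan -> {port: "T" (tagged) | "U" (untagged)}.
# A port absent from a VLAN's dict is not a member of that VLAN.
POSTED_MEMBERSHIP = {
    1:  {1: U, 2: U},
    50: {1: T, 2: U},
    60: {1: T, 3: U},
    70: {1: T, 4: U},
    80: {1: T, 5: U},
}

# The poster's PORT PVID Configuration table: port -> PVID.
POSTED_PVID = {1: 1, 2: 50, 3: 60, 4: 70, 5: 80}


def untagged_vlans(membership, port):
    """VLANs in which `port` is an untagged member."""
    return sorted(v for v, ports in membership.items() if ports.get(port) == U)


def check(membership, pvid):
    """Return a list of rule violations (an empty list means the tables are consistent)."""
    problems = []
    for port in sorted(pvid):
        untagged = untagged_vlans(membership, port)
        if len(untagged) > 1:
            # Only one VLAN per port can leave without a tag; with two, the
            # device on that port cannot tell the VLANs apart.
            problems.append(f"port {port}: untagged in more than one VLAN {untagged}")
        if port not in membership.get(pvid[port], {}):
            # Untagged ingress frames are put into the PVID VLAN; if the port is
            # not a member of that VLAN, ingress filtering drops them.
            problems.append(
                f"port {port}: PVID {pvid[port]} but port is not a member of VLAN {pvid[port]}"
            )
    return problems


def forward(membership, pvid, ingress_port, tag=None):
    """
    Model one frame entering `ingress_port`, untagged (tag=None) or carrying
    802.1Q VID `tag`.  Returns {egress_port: "T"|"U"}: the other member ports
    it is flooded to, and whether it leaves tagged.  Assumption: unknown
    destination, so the frame is flooded; the switch CPU is not modelled.
    """
    vlan = pvid[ingress_port] if tag is None else tag
    members = membership.get(vlan, {})
    if ingress_port not in members:
        return {}  # ingress filtering drops it
    return {p: mode for p, mode in members.items() if p != ingress_port}


def shared_vlans(membership, ports):
    """VLANs containing two or more of `ports`, i.e. ports that are not L2-isolated from each other."""
    ports = set(ports)
    return sorted(v for v, members in membership.items() if len(ports & set(members)) > 1)


def drop_port_from_vlan(membership, vlan, port):
    """Copy of `membership` with `port` removed from `vlan` (what the poster later did for port 2 / VLAN 1)."""
    fixed = {v: dict(ports) for v, ports in membership.items()}
    fixed[vlan].pop(port, None)
    return fixed


if __name__ == "__main__":
    print("problems in posted config:", check(POSTED_MEMBERSHIP, POSTED_PVID))
    fixed = drop_port_from_vlan(POSTED_MEMBERSHIP, 1, 2)
    print("problems after removing port 2 from VLAN 1:", check(fixed, POSTED_PVID))
    # The NVR on port 4: an untagged frame is classified into VLAN 70 and only
    # reaches the pfSense trunk on port 1, tagged.
    print("NVR frame from port 4 ->", forward(fixed, POSTED_PVID, 4))
    # Edge ports 2-5 share no VLAN on the switch; whether VLAN 60 can reach
    # VLAN 50 is then decided by pfSense's inter-VLAN routing and rules.
    print("VLANs shared by edge ports 2-5:", shared_vlans(fixed, [2, 3, 4, 5]))
```

Run it as-is to see the single violation on port 2 (untagged in both VLAN 1 and VLAN 50), then the clean result once port 2 is dropped from VLAN 1. Because the switch CPU is reachable on any VLAN it is a member of, removing that membership does not cost the web GUI access from VLAN 50, which matches what the poster observed in the next reply.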

    • Tagit446 (Tutor)

      Hello schumaku ,


      Thank you kindly for your reply.


      I am afraid I do not fully understand what you are trying to say in regard to needing another port.


      I may be misunderstanding how the switch should be set up? I do have a complicated network, but it works well. I have an NVR surveillance camera system on this switch (Port 4, VLAN 60) that I do not trust, and that is why I want it isolated from the other VLANs.


      Port 1 of the switch is plugged into the router NIC, and I have NOT created a VLAN 1 in the router. I thought I read that in this scenario at the very least Port 1 has to be untagged on VLAN 1. Is this correct? I only untagged Port 2 on VLAN 1 because I thought it was the only way to access the web GUI for the switch from VLAN 50. After reading your reply I do understand now that Port 2 on VLAN 1 does not need to be tagged or untagged. I went ahead and left Port 2 on VLAN 1 empty and can still access the switch's web GUI, so thank you.


      Could you recommend specific changes I should make on the switch at this point?


      Also, since Port 1 is attached to the router and I have no VLAN 1 set up in the router, should Port 1 on VLAN 1 be tagged, untagged, or empty? Or should I create a VLAN 1 in the router, tag Port 1 on VLAN 1, and leave the rest of the ports on VLAN 1 empty?


      • schumaku (Guru)

        Nothing overly complex, nice four-VLAN set-up! If you don't use VLAN 1 on the security appliance, you can keep it untagged towards the security appliance - what's the point?


        As mentioned before, there is no management VLAN design on most Smart Managed Plus.


        If you had a switch like a Smart Managed Pro or Managed class (or some 10G Smart Managed Plus model), there would be a management VLAN you could freely configure. And I would assume you'd take it to VLAN 50, where your management station is (I guess also for the pfSense).


        When the network grows - currently it looks like you fan out the four VLANs to four untagged ports and dedicated hardware (that's why you have the four VLAN ports untagged, right?) - you would run VLAN trunks to the next switch, configured very similarly to the port connecting to the pfSense.
