PETERGATS
Mar 02, 2014 Aspirant
Printing segregated to VLAN by itself
For the life of me, can't get the printer to be alive on its own VLAN.. The SRX5308 is the fw-router (no VPNs just VLANs) Identified 12 VLANs and treating these as port based VLANs and there's a M...
PETERGATS
Mar 05, 2014 Aspirant
UPDATE and also for the benefit of future seekers of this functionality.
After 2 marathon remote support sessions with support (over 3 hrs each session) in last 2 days I have come to some conclusions:
FIRST AND FOREMOST:
Do not waste your time with L2 tech support, poorly trained, if you are not a newbie, chances are you know more than they do, it may be that Netgear's plain old L2 support is outsourced (not even NETGEAR) and they have people that can breathe as a qualification, (and most need serious ESL training as well to be understood)
Having said that, TRY to get moved to Tier 2 tech support BUT labeled as 'Medium Enterprise Experts Level2 ' group, which is option 4 off the main 888NetGEAR main support number.
These folks are a cut above and they are what support should be! SPELLED PROFICIENT IN THEIR PRODUCT!
Different experience here! Better and more positive, I coulda saved tons of time if I'd known that almost a week ago when this started. (we're pushing more than a week now)
AND these are brand new outa the box products that come with free 90 day installation support...
OK, where are we sitch wise?
Getting closer to a solution, little by little,
It seems the first approach was the right one after all, having a SEPARATE VLAN (if only for a single printer to start with) which IS NOT the default LAN (VLAN 1) that will be shared with all other VLAN members.
So typical scenario is LEAVE your default LAN (VLAN 1) as tagged to carry internet traffic, and as I am learning the VLAN rule applies that "edge ports" (ports that end up feeding flat LANs) stay U, untagged, AND ports that carry traffic or Trunks are tagged.
This I am learning is just setting up simple port based VLANs, not setting up 802.1q VLANs here..
SO why is this so difficult,
Well it wouldn't be at all IF we just enabled "interVLAN" routing on ALL VLANs as in all being a FLAT LAN.. BUT that's not the intent. The intent is to keep the VLANs from snooping each other's traffic and resources, yet share a common printer pool (and possible future common pool resources, servers, email, SharePoint, etc.)
SO that's where a separate "common" VLAN comes into play.
So, Between the default LAN (VLAN 1) and the common pool VLAN which have "interVLAN" traffic enabled all works well.
It's with the majority of VLANs that we wanna segregate that the problem arises, these can't ping to the "common pool" VLAN.
Although internet access and services such as incoming RDP and private HTTPS servers work great. So all services mapped incoming and all users outgoing still work great and SEPARATE as intended.
So the solution with the aid of the Medium Enterprise Experts Level2 Tech Suppt group at Netgear is moving towards this:
Created the separate VLAN with all ports untagged except port 1 which is the default LAN (VLAN 1), that's tagged. All other member VLAN ports untagged.
They concur that writing ACLs in the M4100 port based VLAN switch is the direction.
First try they locked up the M4100 and all traffic in building site came to a halt, a hard reset fixed it because thank the stars the config had not been saved to firmware and the reboot brought back the config that worked. Regardless I have saved working configs on both the SRX5308 and the M4100 switch.
Now, instead of writing a bunch of ACLs, (which slows down switching as a whole, from what I am told by them because more rules gotta take processor time being processed), common rules would be better with a couple ACLs total.
That's the plan.
I will keep the group posted and also post the solution when we arrive there.
Hopefully another couple of days (or another week at most? hopefully not).
AND I gotta say this, when buying IT routing/switching eqpt, reliability and SUPPORT SUPPORT SUPPORT have been my main criteria. This experience makes me wonder about moving up to "more" name brand products JUST to take advantage of more readily available expert & "proficient in their product" support instead of "learning on the job" while learning type experiences with support on other end.
Also the non-escalation of support cases and taking days to even approach the correct support dept which eventually gets one to people that approach proficiency as support in their field.
I suspect other similar brands like D-link at same level.
What has people's experiences been with switching/router eqpt support from more name brand players like Cisco, Sonicwall, Juniper and such, realizing that the price difference is there and some of these have a standard ticket item oft times at a sizable portion of the buy price of the eqpt for pre-configuration charge?
I am scratching my head wondering if in the future that wouldn't be a much better approach than to kill entire week long periods getting nowhere on decently priced eqpt....
-signed: frustrated presently but hopefully optimistic about a resolution in the coming week... "hopefully" ...
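The policy discussed in the post above (segregated VLANs that cannot reach each other but can all reach one common printer VLAN, using a couple of rules rather than one per VLAN pair) can be checked offline as a first-match ACL model before anything is pushed to a live switch. This is an added example, not part of the original post and not M4100 or SRX5308 configuration; the addressing plan, VLAN numbers and rule set are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the post): VLAN n uses
# 192.168.n.0/24 and VLAN 50 is the "common pool" VLAN holding the printer.
COMMON_VLAN = 50
COMMON = ipaddress.ip_network("192.168.50.0/24")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # supernet of every VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")

# Stateless, first match wins. The rule count stays fixed as VLANs are added.
ACL = [
    ("permit", ANY, COMMON),       # every VLAN may reach the common pool
    ("permit", COMMON, ANY),       # return traffic; also lets a host in the
                                   # common VLAN initiate to any VLAN
    ("deny", INTERNAL, INTERNAL),  # all other VLAN-to-VLAN traffic
    ("permit", ANY, ANY),          # internet and mapped inbound services
]
# Same rules with the deny moved first: the common pool becomes unreachable.
MISORDERED = [ACL[2], ACL[0], ACL[1], ACL[3]]


def decide(acl, src, dst):
    """Action of the first rule matching src -> dst (implicit deny at the end)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def audit(acl, vlans):
    """List (src_vlan, dst_vlan, wanted, got) where the ACL breaks the intent."""
    problems = []
    for a in vlans:
        for b in vlans:
            if a == b:
                continue  # traffic inside one VLAN is switched, not filtered here
            want = "permit" if COMMON_VLAN in (a, b) else "deny"
            got = decide(acl, f"192.168.{a}.10", f"192.168.{b}.10")
            if got != want:
                problems.append((a, b, want, got))
    return problems


if __name__ == "__main__":
    vlans = [1, 10, 20, 30, COMMON_VLAN]
    print("correct order:", audit(ACL, vlans))
    print("deny first:   ", audit(MISORDERED, vlans))
```

An empty audit list means every ordered VLAN pair matches the intended policy; the misordered list reports each pair involving the common VLAN as wrongly denied.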