Can someone here kindly explain and share clear examples on how to setup Native Vlans on 1 switch. For example we have a 24 port switch, we want to create 2 vlans vlan 10 and vlan 20 4 Computers in each vlan. We want to protect the vlans from hacks / vlan hopping etc. We all know to not use vlan 1 etc, but what is the exact meaning and how do we setup for this situation.
A native VLAN is not something you explicitly configure. All the things people make a lot of noise about in the net is related to (in Cisco terms) trunk ports, where you have multiple VLAN tagged as a connection between two switches or to a router with multiple VLAN (and multiple IP subnetworks of course). Since a trunk port can carry multiple VLAN, and is not assigned to a single untagged VLAN, what VLAN tag should it apply to that untagged packet? This is where the termNative VLANcomes in. The Native VLAN is the VLAN associated with all untagged packets on a tagged/trunk port. By default, the Native VLAN is usually the same as the default VLAN on the switch e.g. VLAN 1. On the Netgear Smart Managed Plus and Pro switches you can define the PVID on the port, defining to which VLAN the untagged frame is associated to.
Most of these concerns are related to shortcomings on some vendor switch model and OS. Yes, it was Cisco and IOS, but other vendors suffered from the same. Lot of hot air...
In your set-up, with four (again in Cisco terms) access port for VLAN 10 [u]ntagged, PVID 10 and four access ports for VLAN 20 [u]ntagged, PVID 20 - so all eight ports are used on your eight port unit are alread in use. There is no trunk port on your config, and oyu can fully configure everything exactly to the point you want. No other VLAN IDs are allowed, so injecting other VLAN tags is off the table, and the port PVID setting does define the VLAN you want the untagged frames going to.
Said that, you can use VLAN 1 and VLAN 10 for example - will make things much easier, especially for the newbee.
Instead of fighting ghosts, you should be much more concerned on how you intend to use the two VLAN 10 and 20 with four computers - no router connected, no DHCP services, ...
Can you clarify the meaning of clearing ports 1 thru 5 on Vlan i.e setting the U or T to blank. For example ports 1 thru 5 are in (vlan 10) and these ports are set to U. Port 6 is set to T. PVID 10 for ports 1 thru 5. Why must we go back to vlan 1 members and set ports 1 thru 5 to blank? What is the purpose of setting it to blank? what happens if we leave it as U instead?
--------------
Also for native vlans the lab scenario we have is TWO gsm7224/v2 switches.
Example: SW1 (vlan10 U) <----(T) is on port 6 ---> SW2 (vlan 10 U) Ports 1 - 5 vlan10
What happens if we connect PC1 to port 18 on SW1 and ping PC2 on port 22 on SW2. will this work because ports 18 and 22 but are not part of any vlans?
Can you clarify the meaning of clearing ports 1 thru 5 on Vlan i.e setting the U or T to blank. For example ports 1 thru 5 are in (vlan 10) and these ports are set to U. Port 6 is set to T. PVID 10 for ports 1 thru 5. Why must we go back to vlan 1 members and set ports 1 thru 5 to blank? What is the purpose of setting it to blank? what happens if we leave it as U instead?
You only want to allow a port to be in the single VLAN you want it to be. You configure 1..5 as an access port type VLAN 10 [u]ntagged, PVID 10. And nothing else. You don't want to see any traffic from VLAN 1 - that's why you have to remove it.
Anything else goes into the area of asymmetric VLAN configuration - something you don't wnat to deal with.
Also for native vlans the lab scenario we have is TWO gsm7224/v2 switches.
Example: SW1 (vlan10 U) <----(T) is on port 6 ---> SW2 (vlan 10 U) Ports 1 - 5 vlan10
i don't fully understand your notation. For the connection between the switches, the so called trunk port, you use a trunk and configure [T]agged on both ends.
This will create a single network (aka. broadcast domain) on VLAN 10). The PC can communicate, the trunk will run the VLAN 10 traffic tagged, and nothing else:
PC1 on SW1, SW1 Port X, VLAN 10 U, PVD 10 (only, an nothing else) (Access Port VLAN10)
Link to SW2, SW1 Port Y, VLAN 10 T, PVID whatever (can be any "catch all" dummy VLAN ID, no other [U] VLAN membership), trunk port
Link to SW1, SW2 Port A, VLAN 10 T, PVID whatever (can be any "catch all" dummy VLAN ID, no other [U] VLAN membership), trunk port
PC2 on SW2 Port X VLAN 10 U, PVD 10 (only, an nothing else) (Access Port VLAN10)
This works the same on any Netgear Smat managed Plus/Pro/managed switch.
What happens if we connect PC1 to port 18 on SW1 and ping PC2 on port 22 on SW2. will this work because ports 18 and 22 but are not part of any vlans?
Talking of the switch in it's default configuration? VLAN 1 is also a VLAN, by default all ports on both switches are configured for VLAN 1 [u]ntagged, PVID 1. A cable can connect two default config ports on the two switches. Your two switches will run like a non-managed switch out of the box.
As for the Management Vlan 1 Is this management vlan 1 for web access into the switch? if so what happens if we want two vlans to access management then such as vlan 10 and vlan 20 ?
Although this may seem redundant with PVID and VLAN Memberships, its kind of strange example: you first Create a Vlan 10, then go to VLAN 10 members, add the ports 1 thru 5 set it to U. Then you go into PVID again set 1 - 5 as 10. what does PVID do in this instance?
Netgear dos not differentiate Access and Trunk Ports.
They allow "free" config, including asymmetric VLANs. When you set a port to VLAN 10 and Access Port, the switch does make it untagged for the VLAN 10, remove any other VLAN assignments, and sets the PVID to 10 (indicating incoming frames on this port have to go to the VlAN 10).
The port setting as [U] for VLAN 10 does tell the switch that frames form this network (VLAN 10) will be sent to the port.
The PIVD 10 does tell the switch to put incoming frames to the VLAN 10.
Because of the lack of the access port mode, you have to remove any other U or T from the same port.
