Making a PC a member of more than one VLAN

nigpig
Aspirant

I'm sorry to post this here as it should go in the enterprise forums. I am considering purchase of a GP724 switch and cannot get access to these forums until I purchase. Hence my general question on VLANs.

I'm trying to understand VLANs. I want to have a PC be a member of two VLANs and for it to be able to communicate through a switch to other devices in those VLANs. Is this a matter of using a tagged port for that PC? Will this work OK or is there something else that needs setting up?
Thanks
Nigel
Message 1 of 8

Accepted Solutions
fordem
Mentor

Re: Making a PC a member of more than one VLAN

Think of it this way - you have two separate networks - completely separate - separate switches, separate servers, separate clients - two physically separate LANs.

Now put them on a single switch, separated logically into two virtual LANs - or VLANs.

If you need to communicate between the physically separate LANs, you need to link them with a router, with each LAN being connected to a different interface.

If you need to communicate between your two virtual LANs you need to link them with a router, either one with physically separate interfaces, or one that supports VLANs - this router can also be a "route switch", or layer 3 switch.

It's quite unusual to have a client system connected to two VLANs simultaneously, the norm would be to have it on one VLAN and access the other VLAN through the router linking the two - it is however possible to have a server connected that way, especially if you're running virtualization on that server.

You could configure a switch port as a trunk port or tagged port so that it passes the VLAN tags, but if the PC does not know how/what to do with the VLAN tags, it won't work.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.

Message 2 of 8

nigpig
Aspirant

Re: Making a PC a member of more than one VLAN

Thank you fordem.
"If you need to communicate between your two virtual LANs you need to link them with a router, either one with physically separate interfaces, or one that supports VLANs - this router can also be a "route switch", or layer 3 switch."

I have a Draytek 2820v that supports VLANs. I'm not sure if it will link two of them though so will investigate this further. It has four ports that can each become a separate VLAN connection.

I have a NAS and a network printer that I want all devices to see. I could leave these connected to the router and then run off two trunk connections to a switch with two VLANs.
One secure and one for my wireless that I am trying to separate for PCI compliance reasons.
Am I right in thinking that each of the two VLANs will see the printer and NAS on the router?
Message 3 of 8
fordem
Mentor

Re: Making a PC a member of more than one VLAN

If the Draytek supports four VLANs it will most likely allow interVLAN routing - and no the computers on the two VLANs will not see the printer and NAS on the router unless you specifically configure the network(s) to allow it. I am not certain what is required for PCI compliance - you MAY need to run three VLANs - one with the shared devices (#1), one as the secure VLAN (#2), and one as wireless (#3), and permit communication between #1 & #2, and #1 & #3, whilst blocking communication between #2 & #3 - you WILL need to verify what is required, because it would theoretically be possible for someone to gain access via wireless, and from there to the NAS, and if they knew what they were doing, manipulate the NAS to get access to the secure VLAN. Security is not something that should be taken lightly.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 4 of 8
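
The indirect path warned about in the reply above (wireless to NAS to secure VLAN) can be checked mechanically. This is an added example, not part of the thread and not Draytek or Netgear configuration: the rule sets are constructed, and the "initiate inward only" variant assumes a router that filters statefully by connection initiator.

```python
from collections import deque

SHARED, SECURE, WIRELESS = 1, 2, 3   # VLAN numbering used in the post above

# Constructed rule sets: (initiator VLAN, responder VLAN) pairs the router forwards.
# "As described": the permitted pairs talk freely in both directions.
BIDIRECTIONAL = {(SHARED, SECURE), (SECURE, SHARED),
                 (SHARED, WIRELESS), (WIRELESS, SHARED)}
# Assumed tighter variant: a stateful router that only lets clients open
# connections *into* the shared VLAN, never out of it.
INITIATE_INWARD_ONLY = {(SECURE, SHARED), (WIRELESS, SHARED)}


def pivot_path(src, dst, rules):
    """Shortest chain of permitted initiations from src to dst, else None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for a, b in sorted(rules):
            if a == path[-1] and b not in seen:
                seen.add(b)
                queue.append(path + [b])
    return None


def audit(rules, isolated_pairs):
    """Map each pair that must stay isolated to the indirect path that
    still joins it (empty dict means the isolation holds transitively)."""
    findings = {}
    for src, dst in isolated_pairs:
        path = pivot_path(src, dst, rules)
        if path is not None:
            findings[(src, dst)] = path
    return findings


MUST_ISOLATE = [(WIRELESS, SECURE)]

if __name__ == "__main__":
    for name, rules in [("bidirectional", BIDIRECTIONAL),
                        ("initiate-inward-only", INITIATE_INWARD_ONLY)]:
        print(name, audit(rules, MUST_ISOLATE) or "no indirect path")
```

Blocking #2 and #3 directly leaves the chain 3 -> 1 -> 2 intact when the shared VLAN may open connections into the secure one; restricting who may initiate removes it.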
nigpig
Aspirant

Re: Making a PC a member of more than one VLAN

I have managed to configure the Draytek at level 3 to provide 3 VLANs.
VLAN 1 is our network of a few PCs, NAS, TV and Sky box all RJ45.
VLAN 2 is the printer which is shared with VLAN1
VLAN 3 for wireless and shared with VLAN 2 as occasionally I print from an android phone.

Only VLAN 1 is connected to the router.

All DNS is managed from the Draytek on 192.168.0.x. I'm hoping this is secure enough as the only question was separating the wireless network devices from the normal network.
I did buy a GS724TV4. Slightly overkill. However, with the lifetime guarantee and upgradeability through firmware updates, I'm hoping that I will have many years of high performance and able to utilise the same kit should our business expand in the future. It also satisfies my need to have a play and better learn the technology.
Message 5 of 8
fordem
Mentor

Re: Making a PC a member of more than one VLAN

To be honest, I don't think that lifetime guarantee and upgradability means that much - I have a pair of FS728TS switches here, lifetime guarantee and all that, but if I go into the support portal, my hardware warranty is shown as "expired", and the "most recent" firmware has a build date of June 20, 2011.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 6 of 8
nigpig
Aspirant

Simple VLAN setup

My setup is not working so I am starting from a simple scenario and would be grateful for some help.

I have port 1 as a connection to the router for DHCP and Internet. It is set as untagged.
I realise it is a member of VLAN 1, the default VLAN. All works fine with Internet access.

I have set up my first additional VLAN 100 on ports 20-24 all untagged and removed them from VLAN 1. I have given these ports the PVID of 100. What more do I need to do to connect this to the router? Do I have to add port 1 as untagged to VLAN 100?
Message 7 of 8
fordem
Mentor

Re: Simple VLAN setup

I've merged your threads - to make it easier to keep track of. Go look at my first reply - the idea of a VLAN is to separate the traffic - if you want the router to be connected to two VLANs (plus the internet), it must either have a minimum of three interfaces (WAN, LAN1 & LAN2) - or - it must support VLANs. You said your Draytek allowed each of the four switch ports to be a separate VLAN, the easy way is to connect the VLANs on the switch to the VLANs on the router with a separate cable. The other way is to use what is known as a trunked VLAN in which you configure one port on the switch to be a trunk (which by definition will pass traffic from all VLANs) to the Draytek, but the Draytek must be able to support "trunked" VLANs - this will allow a single cable to connect the two.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 8 of 8
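
A small model of the port layout from message 7 shows why VLAN 100 cannot reach the router on port 1, and what the tagged frame on a trunk looks like to a device that does not understand VLAN tags (the point made in the first reply). This is an added example, not part of the thread and not the switch's firmware logic: the `Switch` class, the helper names and the sample frame are constructed, and MAC learning and ingress filtering are left out.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


class Switch:
    """Minimal 802.1Q model: per-port PVID plus per-VLAN egress membership."""

    def __init__(self):
        self.pvid = {}      # port -> VLAN assigned to untagged ingress frames
        self.members = {}   # vlan -> {port: "U" (untagged) or "T" (tagged)}

    def set_port(self, port, vlan, mode, pvid=False):
        self.members.setdefault(vlan, {})[port] = mode
        if pvid:
            self.pvid[port] = vlan

    def egress(self, in_port):
        """Ports (and tag mode) an untagged broadcast entering in_port reaches."""
        vlan = self.pvid[in_port]
        return {p: m for p, m in self.members.get(vlan, {}).items() if p != in_port}


def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def ethertype_seen_by_host(frame):
    """What a VLAN-unaware NIC stack reads at bytes 12..13."""
    return struct.unpack("!H", frame[12:14])[0]


def thread_setup(trunk_to_router=False):
    """Constructed copy of the layout in message 7: port 1 = router uplink."""
    sw = Switch()
    sw.set_port(1, 1, "U", pvid=True)
    for port in range(20, 25):
        sw.set_port(port, 100, "U", pvid=True)
    if trunk_to_router:                 # trunk option described in message 8
        sw.set_port(1, 100, "T")
    return sw


# Constructed frame: broadcast dst, made-up src MAC, EtherType 0x0800 (IPv4).
SAMPLE = bytes.fromhex("ffffffffffff" "020000000014" "0800") + b"\x00" * 46
```

With `thread_setup()`, a frame entering port 20 only reaches ports 21-24; with `thread_setup(True)` it also leaves port 1 tagged, which only helps if the router on that port reads 802.1Q tags.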