
VLAN Sanity check for GS105Ev2

Tagit446
Tutor

Hi, after some digging/reading I think I have my switch set up correctly for the most part. Hoping someone can verify my configuration is correct for what I want to accomplish, which is VLAN isolation and management access. The config is for 802.1Q.

VLAN Configuration / VLAN Identifier Setting:

VLAN ID   Port Members
   1      1, 2
  50      1, 2
  60      1, 3
  70      1, 4
  80      1, 5

-----------------------------------------------

VLAN Membership (U = untagged, T = tagged, - = not a member):

VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
   1        U        U        -        -        -
  50        T        U        -        -        -
  60        T        -        U        -        -
  70        T        -        -        U        -
  80        T        -        -        -        U

-----------------------------------------------

PORT PVID Configuration:

PORT   PVID
  1      1
  2     50
  3     60
  4     70
  5     80

-----------------------------------------------

I'm fairly sure I have it right but do question VLAN 1 membership and tagging. The PC I use to access the GS105Ev2 is on VLAN 50. From what I understand, VLAN 1 is a management VLAN? I am making the assumption that Port 2 needs to be an untagged member of VLAN 1 to be able to access the GS105Ev2 web GUI, is that correct?

My GS105Ev2 is connected to a router/firewall (pfSense) with all VLANs set up in pfSense except for VLAN 1. VLAN 1 in the GS105Ev2 is using the subnet address off the physical interface it is connected to.

So, I want each VLAN to be isolated from one another and want to be able to access the GS105Ev2 web GUI from a PC located on VLAN 50. Is my configuration correct or do I need to make changes?

Model: GS105Ev2|ProSafe Plus 5 ports switch
Message 1 of 6
schumaku
Guru

Re: VLAN Sanity check for GS105Ev2

Hello @Tagit446 

 

Perfect information - a pleasure to help you here!

 

Somewhere on port 2 there is a mistake - only one VLAN can be untagged on a port in an 802.1Q config:

VLAN Membership (U = untagged, T = tagged, - = not a member):

VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
   1        U        U        -        -        -
  50        T        U        -        -        -
  60        T        -        U        -        -
  70        T        -        -        U        -
  80        T        -        -        -        U

 

To operate this set-up, you would need one more port available.

 

I suggest rethinking what/how you want to manage your security appliance, the switch, and probably other devices on your network. Don't make your networking life unnecessarily complex. What is the point of isolating this VLAN 1 to just the switch, but you want to use a system on VLAN 50 for the management?

 


@Tagit446 wrote:

From what I understand, VLAN 1 is a management VLAN? I am making the assumption that Port 2 needs to be an untagged member of VLAN 1 to be able to access the GS105Ev2 web gui, is that correct?


Afraid, no. Please note the (most) Smart Managed Plus have a little disadvantage: the tiny management processor is not hard limited to a single VLAN. On one hand, there is no config for the management VLAN (because there is none). On the other hand, its IP address can be reached by IP on any VLAN.

Message 2 of 6
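The rule applied in the reply above (a port may be an untagged member of only one VLAN, and the PVID must match that untagged VLAN) can be checked mechanically. The following is an added example, not NETGEAR's code or anything built into the GS105Ev2; the membership and PVID tables are constructed from the configuration posted in this thread, and `fixed_membership` applies the suggested change of taking port 2 out of VLAN 1. `l2_peers` additionally lists which ports can exchange frames through the switch without passing the router, which is the isolation question the original poster is asking about.

```python
"""Sanity checks for an 802.1Q port-membership table (added example).

"U" = untagged member, "T" = tagged member, absent = not a member.
Both tables below are constructed from the thread's posted configuration.
"""

# VLAN ID -> {port: "U" | "T"}  (constructed from the original post)
ORIGINAL_MEMBERSHIP = {
    1:  {1: "U", 2: "U"},
    50: {1: "T", 2: "U"},
    60: {1: "T", 3: "U"},
    70: {1: "T", 4: "U"},
    80: {1: "T", 5: "U"},
}

# port -> PVID  (constructed from the original post)
PVID = {1: 1, 2: 50, 3: 60, 4: 70, 5: 80}


def check_membership(membership, pvid):
    """Return a list of problems found; an empty list means the table passes."""
    problems = []
    for port in sorted(pvid):
        untagged = sorted(v for v, members in membership.items()
                          if members.get(port) == "U")

        # Rule 1: an untagged ingress frame can be assigned to exactly one VLAN,
        # so a port can be an untagged member of at most one VLAN.
        if len(untagged) > 1:
            problems.append(
                f"port {port}: untagged in more than one VLAN {untagged}")

        # Rule 2: the PVID is the VLAN untagged ingress is placed in, so the
        # port must be an untagged member of that VLAN for replies to get back
        # out without a tag.
        if pvid[port] not in untagged:
            problems.append(
                f"port {port}: PVID {pvid[port]} is not an untagged VLAN "
                f"on this port {untagged}")
    return problems


def fixed_membership(membership):
    """Apply the change suggested in the reply: remove port 2 from VLAN 1.

    Returns a new table; the input is not modified (hypothetical helper).
    """
    fixed = {vlan: dict(members) for vlan, members in membership.items()}
    fixed[1].pop(2, None)
    return fixed


def l2_peers(membership, port):
    """Ports sharing at least one VLAN with `port`.

    These can exchange frames through the switch alone; anything else has to
    go via the router, where firewall rules apply.
    """
    peers = set()
    for members in membership.values():
        if port in members:
            peers.update(p for p in members if p != port)
    return sorted(peers)


if __name__ == "__main__":
    for label, table in (("original", ORIGINAL_MEMBERSHIP),
                         ("fixed", fixed_membership(ORIGINAL_MEMBERSHIP))):
        print(f"[{label}] problems: {check_membership(table, PVID) or 'none'}")
        for port in sorted(PVID):
            print(f"[{label}] port {port} can reach ports {l2_peers(table, port)}")
```

Running it reports exactly the problem raised in the reply (port 2 untagged in both VLAN 1 and VLAN 50), a clean result for the fixed table, and shows that every edge port only shares a VLAN with port 1 (the uplink to pfSense), which is what isolation between VLANs on this switch means.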
Tagit446
Tutor

Re: VLAN Sanity check for GS105Ev2

Hello @schumaku ,

 

Thank you kindly for your reply.

 

I am afraid I do not fully understand what you are trying to say in regards to needing another port?

 

I may be misunderstanding how the switch should be set up? I do have a complicated network but it works well. I have an NVR surveillance camera system on this switch (Port 4, VLAN 60) that I do not trust and is why I want it isolated from the other VLANs.

 

Port 1 of the switch is plugged into the router NIC and I have NOT created a VLAN 1 in the router. I thought I read that in this scenario at the very least Port 1 has to be untagged on VLAN 1. Is this correct? I only untagged Port 2 on VLAN 1 because I thought it was the only way to access the web GUI for the switch from VLAN 50. After reading your reply I do understand now that Port 2 on VLAN 1 does not need to be tagged or untagged. I went ahead and left Port 2 on VLAN 1 empty and can still access the switch's web GUI, so thank you.

 

Could you recommend specific changes I should make on the switch at this point?

 

Also, since Port 1 is attached to the router and I have no VLAN 1 setup in the router, should Port 1 VLAN 1 be tagged, untagged, or empty? Or should I create a VLAN 1 in the router and tag Port 1 VLAN 1 and leave the rest of the Ports on VLAN 1 empty?

Message 3 of 6
schumaku
Guru

Re: VLAN Sanity check for GS105Ev2

Nothing overly complex, nice four VLAN set-up! If you don't use the VLAN1 on the security appliance - you can keep it untagged towards the security appliance - what's the point?

 

As mentioned before, there is no management VLAN design on most Smart Managed Plus.

 

If you had a switch like a Smart Managed Pro or Managed class (or some 10G Smart Managed Plus model), there would be a management VLAN you could freely configure. And I would assume you'd take it to the VLAN 50 where your management station is (I guess also for the pfsense).

 

When the network is growing - currently it looks like you fan out the four VLANs to four untagged ports and dedicated hardware (that's why you have the four VLAN ports untagged, right?) - you would run VLAN trunks to the next switch, configured very similarly to the port connecting to the pfsense.

Message 4 of 6
schumaku
Guru

Re: VLAN Sanity check for GS105Ev2


@Tagit446 wrote:

Port 1 of the switch is plugged into the router NIC and I have NOT created a VLAN 1 in the router. I thought I read that in this scenario at the very least Port 1 has to be untagged on VLAN 1. Is this correct?


Not sure where you had read this. In this set-up, and on this switch class, it's not used.

 


@Tagit446 wrote:

Could you recommend specific changes I should make on the switch at this point?


With the removal of the VLAN 1 from port 2 it's all fine.

 


@Tagit446 wrote:

Also, since Port 1 is attached to the router and I have no VLAN 1 setup in the router, should Port 1 VLAN 1 be tagged, untagged, or empty? Or should I create a VLAN 1 in the router and tag Port 1 VLAN 1 and leave the rest of the Ports on VLAN 1 empty?


It might be a good policy to keep the VLAN 1 on the switch, and configure an additional network on the pfsense - just in case you ever need to connect an untagged or non-VLAN-aware switch to the pfsense port.
Message 5 of 6
Tagit446
Tutor

Re: VLAN Sanity check for GS105Ev2

Hi @schumaku,

Thank you for all of your help!

 

You wrote "Not sure where you had read this. in this set-up, and on this switch class, it's not used.". In this article it says "All untagged traffic that enters the switch is assigned to the default or native VLAN, which is VLAN 1. VLAN 1 is also the management VLAN on switches that support management VLANs. For more information, see What is a management VLAN?." I think I made the mistake of thinking this switch supported a management VLAN. While researching and trying to understand VLANs I had also read in a few places that you should never use VLAN 1 for anything other than management access. Because I am fairly new to VLANs I more or less assumed this was the case for all managed switches. I know better now.

 

As far as my setup goes, I simply do not trust most Internet-enabled devices; however, they are a necessary evil in this day and age. I've created a local network that gives me fine-grained control of all of my devices, so to speak. My router is a beefed-up HP 620+ thin client with an Intel quad-port NIC running pfSense. One interface port for the WAN to the cable modem, one interface port for LAN1 connected to the GS105Ev2, and one interface port for LAN2 connected to a TP-Link business-class access point that supports 802.1Q VLANs. Lastly, one interface port is unused for now due to the physical location of the router.

 

Each NIC port on the router is assigned its own subnet. You already know how I'm using the GS105Ev2, and the AP has 6 VLANs running on it. Because of my distrust of the devices I use, having this type of setup allows me to control every aspect of how these devices communicate out to the internet and how they communicate with each other. If I need a device from one VLAN to communicate with a device on another VLAN or interface, I just create a firewall rule to allow the communication.

 

I have a few devices that are on their own VLAN and some devices that are grouped together on the same VLAN. For example, my smart TVs and Rokus share the same wireless VLAN but my surveillance system is on its own wired VLAN by itself.

I know I did not need to write a lot of this but thought it would help give insight as to why I am trying to set up the GS105Ev2 the way I am.

Model: GS105Ev2|ProSafe Plus 5 ports switch
Message 6 of 6