Re: VLAN configuration between switches is not working as expected...
I have three Netgear switches, Orbi, and a pfSense Firewall. The configuration is simple enough - GS324T is the "main" switch. It connects to the pfSense firewall on Port 24, and has a series of VLANs configured:
| VLAN ID | VLAN Name | VLAN Type | Member Ports |
|---|---|---|---|
| 1 | Default | Default | g1 - g3, g5, g7, g9, g11 - g21, g23 - g24 |
| 20 | DMZ | Static | g22, g24 |
| 100 | TRUSTED | Static | g3, g7 - g8, g10, g23 - g24 |
| 101 | A_Guest | Static | g7, g23 - g24 |
| 102 | B_Guest | Static | g3, g23 - g24 |
| 200 | IOT_TRUST | Static | g1, g6, g23 - g24 |
| 201 | IOT_NOTRUST | Static | g4, g23 - g24 |
Fairly obvious stuff - each VLAN is an interface in the firewall, and has a DHCP scope and appropriate rules for each zone. VLAN 100 can go anywhere, 200 talks to the internet and some pinholed services, 201 talks to the internet only.
Orbi is running in AP mode and is connected to port 23, and I use MAC-based VLANs to place all of the WiFi devices into the right place.
A Guest and B Guest are enclaves for my partner's work and mine - all of the devices to do with our respective jobs; laptop, mobile phone, printer etc. are placed in those VLANs, and allowed to see the Internet - but not any other internal networks.
Port 7 has a GS105Ev2 using 802.1q VLAN tagging - it has a PVID of 1 and VLANs 100 and 101 tagged onto the port. Port 5 of the GS105Ev2 has the same config, then I have ports 1 and 2 with a PVID of 100 and ports 3 and 4 with a PVID of 101.
This all works. Devices get placed in the right VLAN, get an IP address in the right range, and the correct firewall rules are in place. On the GS105Ev2, a device plugged into port 1 is placed on VLAN 100, gets a 192.168.100.x address, and works. A device plugged into port 3 gets VLAN 101, an IP of 192.168.101.x. Flawless.
I am trying to replicate this with a new GS308T on port 3 (my desk).
I configure VLANs 100 and 102. I set port 8 as the trunk back to the GS324T - it has a PVID of 1, and VLAN 100 and 102 tagged onto it (basically the same as port 7, my partner's desk). Port 8 on the GS308T is configured the same. PVID 1, tagged on 100 and 102. I configure ports 1-4 to be PVID 102 (my work enclave), and configure ports 5-7 to be PVID 100.
I instantly lose connectivity. Despite the port being PVID 100, and VLAN 100 being passed back down to the main switch, I don't get an IP address. If I force a 192.168.100.x address, no traffic is passed.
I have tried leaving VLAN 1 untagged on the ports - still nothing. If I set the PVID back to 1, then I get a default LAN IP address, and from what I can see, VLAN 100 is not being honoured.
The irony here is that I had services at my own desk "working" by using a dumb old unmanaged GS105, and applying MAC-based VLAN rules for the devices manually. (Note: I have removed the MAC-based VLAN rules)
Help!
Accepted Solutions
Thanks so much for responding. I thought I had some fundamental misunderstanding - but the problem was so mind-numbingly basic that it hurts.
At the new GS308T switch on my desktop, it turns out that the cable running to Port 8 (the trunk) and port 5 (my desktop PC), got muddled up in the desk's cable management.
I had them plugged in the wrong way around.
Set it up fresh this morning when I spotted the mistake... and it all worked first time.
Embarrassing, but at least it's working 😄
All Replies
Very confusing information in your post. As a matter of fact, it's rather easy - considering we talk of real 802.1q VLANs, here each makes its own broadcast domain, and has its own individual IP subnetwork. From the description, we only see which VLANs are configured on each port - and not how the VLANs are associated on the ports. Considering you have several ports being members of multiple VLANs, check this:
For an access port where you need a single system to a specific VLAN, put the port (or LAG) to VLAN xxx [U], PVID xxx.
Where you need multiple VLANs on the same port - this can be for links to systems with VMs serving multiple VLANs, or for switch-to-switch connections, a.k.a. trunks - only one VLAN can be used [U]ntagged (same PVID), all other VLANs must be carried as [T]agged. The same config must be in place on the peer, be it on another switch or on a host (and VM) config.
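The rule in the reply above, applied to the swapped-cable fault from the accepted solution, as an added example that is not part of the original thread: a small checker that compares the two ends of a link. The `Port` model and function names are hypothetical, and the port values are constructed from the poster's description (VLAN 1 is assumed untagged on the trunk ports).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    pvid: int
    untagged: frozenset              # VLANs sent/accepted without a tag [U]
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag [T]

def port_errors(p):
    """Check one port: at most one untagged VLAN, and it must equal the PVID."""
    errs = []
    if len(p.untagged) > 1:
        errs.append(f"{p.name}: more than one untagged VLAN {sorted(p.untagged)}")
    if p.untagged and p.pvid not in p.untagged:
        errs.append(f"{p.name}: PVID {p.pvid} is not the untagged VLAN")
    if p.untagged & p.tagged:
        errs.append(f"{p.name}: VLAN {sorted(p.untagged & p.tagged)} is both [U] and [T]")
    return errs

def link_errors(a, b):
    """Check that both ends of one cable carry the same VLANs the same way."""
    errs = port_errors(a) + port_errors(b)
    if a.pvid != b.pvid:
        # Untagged frames change VLAN crossing this link, which bridges two
        # zones that the firewall is supposed to keep apart.
        errs.append(f"PVID mismatch: {a.name}={a.pvid}, {b.name}={b.pvid}")
    for vlan in sorted(a.tagged ^ b.tagged):
        errs.append(f"VLAN {vlan} is tagged on one end only")
    return errs

# Constructed from the thread: main-switch port to the desk, and two GS308T ports.
GS324T_G3 = Port("GS324T g3", 1, frozenset({1}), frozenset({100, 102}))
GS308T_P8 = Port("GS308T p8", 1, frozenset({1}), frozenset({100, 102}))  # trunk
GS308T_P5 = Port("GS308T p5", 100, frozenset({100}))                     # access

def check_cabling():
    """Return findings for the intended link and for the swapped-cable link."""
    return {
        "intended (g3 <-> p8)": link_errors(GS324T_G3, GS308T_P8),
        "swapped (g3 <-> p5)": link_errors(GS324T_G3, GS308T_P5),
    }

if __name__ == "__main__":
    for label, errs in check_cabling().items():
        print(label, "->", errs or "consistent")
```

With the cables swapped, the PC also sits on port 8 (PVID 1) of a switch whose only uplink is an access port in VLAN 100, which matches the symptoms described: no DHCP lease and no traffic on a forced 192.168.100.x address.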