× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Orbi WiFi 7 RBE973
Reply

Re: VLANs and connecting two GS108Ev3 Switches

Jake_D
Aspirant

VLANs and connecting two GS108Ev3 Switches

Hi,

I bought 2 GS108E ProSafe Plus switches in order to "extend my network" (2 Rooms) and I would like to use VLANs.

 

Switch A is directly connected to my modem. Switch B is connected to a port on Switch A. The ports used for connecting A <-> B are trunk ports/tagged. I have created a VLAN for testing the following setup:

 

Switch A:

Port 7 (VLAN10, trunk port connected to switch B)

Port 8 (VLAN10, trunk port connected to the modem for internet access)

 

Switch B:

Port 1 (VLAN10, trunk port connected to switch A)

Port 2 (VLAN10, Workstation, untagged)

Port 3 (VLAN10, ESXi with various VMs, including a pfSense VM for routing my VM network)

 

So far, the workstation and VMs only reach the internet if I remove the VLANS and use VLAN 1 for everything.

Should the test setup work or am I approaching this completely wrong?

My ultimate goal would be, to have my VMs in their own VLAN and all other devices (workstation, etc) in another VLAN.

 

Can I do this by using 2 GS108E switches or is this not possible because switch B is connected to a single port on switch A?

 

Thanks,

Jake

 

 

 

Model: GS108E|8 ports ProSafe Plus switch
Message 1 of 8

Accepted Solutions
schumaku
Guru

Re: VLANs and connecting two GS108Ev3 Switches


@Jake_D wrote:

After reading your post for a couple of times, I decided to create a quick sketch (attached on the left) of what I am trying to accomplish because I think the details might be important and I guess I explained it wrong in my post above.

Thabt's about what I understood - OK. Please add on each link the VLAN numbers plus if the VLAN is tagged or not. eg. switch<->Internet Router VLAN 1 U, PVID 1 (only)  ... and put the updated sektch for a review.

 


@Jake_D wrote:

Basically, the ESXi virtualized machines should only be able to talk to eachother and reach the internet. They have their own subnet, pfSense take care of that. As long as I don't use any VLAN settings on the switches, this part works. One part that I didnt mention before is, that both switches are connected using 2 Powerline adapters and the ESXi is also connected using a Powerline adapter. Since these work on Layer 2, that shouldn't be a problem and is quite fast (I can't use ethernet cables unfortunately).

Well, you have the "normal" LAN as an intermediate transfer network between the VM VLAN and the Internet router. Fully block this on the pfSense might be a challenge.

 

Can't help on that PLC side - earlier days these devices struggled on the additional tag information. But that should be easy to figure out.

 


@Jake_D wrote:

So this means, i have switch A, a trunk connection goes into the powerline, on another outlet, a trunk connection goes into a NIC in the ESXi (physical machine) and another trunk connection goes into switch B. By trunk I mean that I have seleced "T" on the swiches. Is that correct?

You don't have to strictly isolate it switch by switch - you can configure access-type ports for the workstations for both the normal VLAN (VLAN 1, PIVD1) as well as for the VM VLAN (VLAN10,PVID10) on each switch as with the effective trunk between the two switches (I suggest VLAN 1, PVID1, [U]natgaged and VLAN 10, [T]agged for the connection between the two switches making up the trunk.

 

Note: A trunk (by port, or by LAG) can carry many VLANs, where either all are [T]agged, or one does run [U]ntagged, the other VLANs [T]aged. The [T] indicates that all frames leaving the switch carry a tag with a VLAN ID, and frames coming into the switch with a tag are associated to the VLAN ID.

 

Tagging the frames on a link does not imply it's a trunk, but often used as one - but there can be many VLANs.

 


@Jake_D wrote:

What I would like to achieve is that I have a VLAN (x) for the trusted devices on switch A, another one (VLAN y) for the trusted devices on switch B and another one (VLAN x) for all VMs on the ESXi. VLAN x should be able to reach only the internet, VLAN y should be able to reach the internet and 2 ports on switch A, VLAN x should be only able to reach the internet. All VLANs should be able to talk to hosts within the same VLAN.

I've used 1 for (x) and 10 for (y) above - less confusion.

 

A strict diferentiation could only be done if your Internet router would support multiple LANs, either by port, or by VLAN tag. Typical consumer routers don't. That's why you can't bring the VLAN 10 direct to the router (where another set of NAT rules would be required, a DHCP server for the additional network, ... you get the point if you master pfSense.

 

For a test if the PLC devices can deal with the VLAN tags, you can temporely link the VLAN 10, PVID 10 [U] to the router, configure an access port on the Switch B with VLAN 10, PVID 10, [U] - a computer on that port must be able to get an IP address from the ISP router and acess the Internet. 

Next challenge would be configuring the software switch on the VM platform. 

View solution in original post

Message 6 of 8

All Replies
schumaku
Guru

Re: VLANs and connecting two GS108Ev3 Switches

Whatever a port trunk config is in your set-up - all VLANs tagged on the port?

 

Another detail unclear - is the aim having just this VLAN 10? Permitting this is the case, the loss of the Internet access might be caused by this:

 

"Port 8 (VLAN10, trunk port connected to the modem for internet access)"

 

Consumer/SOHO Internet modem/routers rarely support VLANs, if you try to handle the uplink for the Internet access don't support tagging (and VLANs) - towards the ISP modem/router, the traffic for going towrds the Internet must be untagged, and the PVID must be set accordingly.

If you intend to run VLAN 1 and VLAN 10 with different IP subnetworks, the VLAN 1 mut be run (wild guess) untaged and with PVID 1 becaue this does also serve Internet access, the pfSense must take care of the routing, plus the ISP router needs to configured by adding a static route for the other VM VLAN subnet.

Over a trunk port (or a trunk LAG) you can run multiple VLANs. Either use Tagging for all VLANs, or keep one untagged and with that PVID configured.

Message 2 of 8
Jake_D
Aspirant

Re: VLANs and connecting two GS108Ev3 Switches


@schumaku wrote:

> Whatever a port trunk config is in your set-up - all VLANs tagged on the port?

 

I am not completely sure what you mean by that. Do you ask if the trunk ports are tagged? If yes, then yes, that is the case.

 

>Another detail unclear - is the aim having just this VLAN 10? Permitting this is the case, the loss of the Internet access might be >caused by this:

 

The ultimate goal would be to have all my VMs (including pfSense, which is also just a VM) in their own VLAN. Basically I want to separate my homelab (ESXi based) completely from the rest of my network.

 

>"Port 8 (VLAN10, trunk port connected to the modem for internet access)"

>Consumer/SOHO Internet modem/routers rarely support VLANs, if you try to handle the uplink for the Internet access don't >support tagging (and VLANs) - towards the ISP modem/router, the traffic for going towrds the Internet must be untagged, and the >PVID must be set accordingly.

 

This is an interesting point, I did not think about that. I will try if setting the uplink port to untagged + PVID changes anything.


>If you intend to run VLAN 1 and VLAN 10 with different IP subnetworks, the VLAN 1 mut be run (wild guess) untaged and with >PVID 1 becaue this does also serve Internet access, the pfSense must take care of the routing, plus the ISP router needs to >configured by adding a static route for the other VM VLAN subnet.

 

VLAN 1 is the default "management VLAN" (as far as I understood it). It was configured by default. I am not sure if I even need it to be honest.

>Over a trunk port (or a trunk LAG) you can run multiple VLANs. Either use Tagging for all VLANs, or keep one untagged and with >that PVID configured.

 

Do you mean, I should not differentiate between "access ports" (untagged) for regular devices and ports (tagged) that are used to connect the 2 switches?

 

Thanks for your help so far!

 


 

Message 3 of 8
schumaku
Guru

Re: VLANs and connecting two GS108Ev3 Switches

There is no word of a management VLAN in the Smart Managrd Plus documentation. To make it a little bit more complicted, the tiny management controller on these swiches does listen to all VLANs - should there be multiple VLAN wiht individual IP subnets I stronlgy suggest to set a static IP config on these switches, e.g. wiht an IP of your primay network - I understand it's VLAN1 now where all your other computers and devices are connected.

 

So you want to have two VLANs

 

  • VLAN 1 - the standard network, with the IP adresses issued by DHCP on the ISP router, and using the ISP router LAN subnet), and
  • VLAN 10 - the VLAN and subnet for the VMware test lab.

1. Keep the VLAN 1 - for simplicity - alone, run it all untagged over the switch2switch trunk, and use an untagged port to connect the router (as the router does not know about a VLAN - well, or it does, but does not handle the tagged packets - each port on PVID 1. The pfSense "outer" or "work" VLAN is a plain untagged interface.

2. Create the VLAN 10. This is yet another broadcast domain, a dedicated IP subnet (handled e.g. by your pfSense or a host connected to it, e.g. a VM). For the connection between the two switches, add this VLAN as Tagged to the trunk ports. For the pfSense "VM" VLAN port, you can also run it untagged (VLAN 10, PVID 10), but this does not matter as long as you do the same on the switch port and the pfSense port. The pfSense does handle all traffic between the VLANs and subnets.

3. For a test workstation on the "VM" VLAN, configure a port without VLAN 1 ("empty"), VLAN 10 Untagged, PVID 10 - that's the common "access port" config on these devices for another VLAN (again not a member of VLAN 1).

4. Same as #3 for the VM host/server - unless you want to do more one day.

5. On the ISP router, don't forget to add a route for the "VM" VLAN subnet, pointing to the pfSense "outer" interface IP (from the VLAN 1 subnet). 

 

Absolute minimal config required to make this happen - as I said no need to touch the VLAN 1 (except for the trunk ports for interconnecting the switches), and on the acces ports for the test workstation and the VM host, which has to be "moved" from VLAN 1/PVID 1 to VLAN 10/PVID10.

Message 4 of 8
Jake_D
Aspirant

Re: VLANs and connecting two GS108Ev3 Switches

First of all, thank you for your time and your explanation @schumaku! I appreciate it!

After reading your post for a couple of times, I decided to create a quick sketch (attached on the left) of what I am trying to accomplish because I think the details might be important and I guess I explained it wrong in my post above.

 

Basically, the ESXi virtualized machines should only be able to talk to eachother and reach the internet. They have their own subnet, pfSense take care of that. As long as I don't use any VLAN settings on the switches, this part works. One part that I didnt mention before is, that both switches are connected using 2 Powerline adapters and the ESXi is also connected using a Powerline adapter. Since these work on Layer 2, that shouldn't be a problem and is quite fast (I can't use ethernet cables unfortunately).

 

So this means, i have switch A, a trunk connection goes into the powerline, on another outlet, a trunk connection goes into a NIC in the ESXi (physical machine) and another trunk connection goes into switch B. By trunk I mean that I have seleced "T" on the swiches. Is that correct?

 

What I would like to achieve is that I have a VLAN (x) for the trusted devices on switch A, another one (VLAN y) for the trusted devices on switch B and another one (VLAN x) for all VMs on the ESXi. VLAN x should be able to reach only the internet, VLAN y should be able to reach the internet and 2 ports on switch A, VLAN x should be only able to reach the internet. All VLANs shouAld be able to talk to hosts within the same VLAN.

 

Maybe this is not even possible with the hardware I have. If you or anybody else has a suggestion, I'd be very happy to hear them because I am starting to go nuts 😉

 

Thanks!

Message 5 of 8
schumaku
Guru

Re: VLANs and connecting two GS108Ev3 Switches


@Jake_D wrote:

After reading your post for a couple of times, I decided to create a quick sketch (attached on the left) of what I am trying to accomplish because I think the details might be important and I guess I explained it wrong in my post above.

Thabt's about what I understood - OK. Please add on each link the VLAN numbers plus if the VLAN is tagged or not. eg. switch<->Internet Router VLAN 1 U, PVID 1 (only)  ... and put the updated sektch for a review.

 


@Jake_D wrote:

Basically, the ESXi virtualized machines should only be able to talk to eachother and reach the internet. They have their own subnet, pfSense take care of that. As long as I don't use any VLAN settings on the switches, this part works. One part that I didnt mention before is, that both switches are connected using 2 Powerline adapters and the ESXi is also connected using a Powerline adapter. Since these work on Layer 2, that shouldn't be a problem and is quite fast (I can't use ethernet cables unfortunately).

Well, you have the "normal" LAN as an intermediate transfer network between the VM VLAN and the Internet router. Fully block this on the pfSense might be a challenge.

 

Can't help on that PLC side - earlier days these devices struggled on the additional tag information. But that should be easy to figure out.

 


@Jake_D wrote:

So this means, i have switch A, a trunk connection goes into the powerline, on another outlet, a trunk connection goes into a NIC in the ESXi (physical machine) and another trunk connection goes into switch B. By trunk I mean that I have seleced "T" on the swiches. Is that correct?

You don't have to strictly isolate it switch by switch - you can configure access-type ports for the workstations for both the normal VLAN (VLAN 1, PIVD1) as well as for the VM VLAN (VLAN10,PVID10) on each switch as with the effective trunk between the two switches (I suggest VLAN 1, PVID1, [U]natgaged and VLAN 10, [T]agged for the connection between the two switches making up the trunk.

 

Note: A trunk (by port, or by LAG) can carry many VLANs, where either all are [T]agged, or one does run [U]ntagged, the other VLANs [T]aged. The [T] indicates that all frames leaving the switch carry a tag with a VLAN ID, and frames coming into the switch with a tag are associated to the VLAN ID.

 

Tagging the frames on a link does not imply it's a trunk, but often used as one - but there can be many VLANs.

 


@Jake_D wrote:

What I would like to achieve is that I have a VLAN (x) for the trusted devices on switch A, another one (VLAN y) for the trusted devices on switch B and another one (VLAN x) for all VMs on the ESXi. VLAN x should be able to reach only the internet, VLAN y should be able to reach the internet and 2 ports on switch A, VLAN x should be only able to reach the internet. All VLANs should be able to talk to hosts within the same VLAN.

I've used 1 for (x) and 10 for (y) above - less confusion.

 

A strict diferentiation could only be done if your Internet router would support multiple LANs, either by port, or by VLAN tag. Typical consumer routers don't. That's why you can't bring the VLAN 10 direct to the router (where another set of NAT rules would be required, a DHCP server for the additional network, ... you get the point if you master pfSense.

 

For a test if the PLC devices can deal with the VLAN tags, you can temporely link the VLAN 10, PVID 10 [U] to the router, configure an access port on the Switch B with VLAN 10, PVID 10, [U] - a computer on that port must be able to get an IP address from the ISP router and acess the Internet. 

Next challenge would be configuring the software switch on the VM platform. 

Message 6 of 8
Jake_D
Aspirant

Re: VLANs and connecting two GS108Ev3 Switches

I think I am nearly there! Connecting the VMs is possible, access to LAN hosts seems to be restricted - so far so good 🙂 I still get a wrong IP assigned, but that's something with pfSense I am going to figure out.

 

Thanks again @schumaku!

Message 7 of 8
schumaku
Guru

Re: VLANs and connecting two GS108Ev3 Switches


@Jake_D wrote:

I still get a wrong IP assigned, but that's something with pfSense I am going to figure out.


On the LAN (VLAN ID 1) facing interface? How is the trunk configured for the VLANs towards the VM port - guess both VLAN and up there (the LAN one Untagged, the VM one Tagged). Because of my suggestion, you need to ensure that the right VLAN and subnet is used on the pfSense.  

Or is the VM-side (VLAN ID 10) interface - which in my opinion should be static to the VM IP subnet.

We can lok into this tomorrow if you still need it.

Message 8 of 8
Top Contributors
Discussion stats
  • 7 replies
  • 3319 views
  • 1 kudo
  • 2 in conversation
Announcements