
Re: VLAN configuration between switches is not working as expected...

TheoJones
Tutor

VLAN configuration between switches is not working as expected...

I have three NETGEAR switches, Orbi, and a pfSense firewall. The configuration is simple enough - GS324T is the "main" switch. It connects to the pfSense firewall on Port 24, and has a series of VLANs configured:

 

| VLAN ID | VLAN Name | VLAN Type | Member Ports |
|---|---|---|---|
| 1 | Default | Default | g1 - g3, g5, g7, g9, g11 - g21, g23 - g24 |
| 20 | DMZ | Static | g22, g24 |
| 100 | TRUSTED | Static | g3, g7 - g8, g10, g23 - g24 |
| 101 | A_Guest | Static | g7, g23 - g24 |
| 102 | B_Guest | Static | g3, g23 - g24 |
| 200 | IOT_TRUST | Static | g1, g6, g23 - g24 |
| 201 | IOT_NOTRUST | Static | g4, g23 - g24 |

 

Fairly obvious stuff - each VLAN is an interface in the firewall, and has a DHCP scope and appropriate rules for each zone. VLAN 100 can go anywhere, 200 talks to the internet and some pinholed services, 201 talks to the internet only. 

 

Orbi is running in AP mode and is connected to port 23, and I use Mac Based VLANs to place all of the WiFi devices into the right place. 

 

A Guest and B Guest are enclaves for my partner's work and mine - all of the devices to do with our respective jobs; laptop, mobile phone, printer etc. are placed in those VLANs, and allowed to see the Internet - but not any other internal networks. 

 

Port 7 has a GS105Ev2 using 802.1q VLAN tagging - It has a PVID of 1 and VLANs 100 and 101 tagged onto the port. Port 5 of the GS105Ev2 has the same config, then I have ports 1 and 2 with a PVID of 100 and ports 3 and 4 with a PVID of 101. 

 

This all works. Devices get placed in the right VLAN, get an IP address in the right range, and the correct firewall rules are in place. On the GS105Ev2, a device plugged into port 1 is placed on VLAN 100, gets a 192.168.100.x address, and works. A device plugged into port 3 gets VLAN 101, an IP of 192.168.101.x. Flawless.

 

I am trying to replicate this with a new GS308T on port 3 (my desk). 

 

I configure VLANs 100 and 102. I set port 8 as the trunk back to the GS324T - it has a PVID of 1, and VLAN 100 and 102 tagged onto it (basically the same as port 7, my partner's desk). Port 8 on the GS308T is configured the same: PVID 1, tagged on 100 and 102. I configure ports 1-4 to be PVID 102 (my work enclave), and configure ports 5-7 to be PVID 100.

 

I instantly lose connectivity. Despite the port being PVID 100, and VLAN 100 being passed back down to the main switch, I don't get an IP address. If I force a 192.168.100.x address, no traffic is passed.

 

I have tried leaving VLAN 1 untagged on the ports - still nothing. If I set the PVID back to 1, then I get a default LAN IP address, and from what I can see, VLAN 100 is not being honoured.

 

The irony here is that I had services at my own desk "working" by using a dumb old unmanaged GS105, and applying MAC Based VLAN rules for the devices manually. (Note: I have removed the MAC based VLAN rules)

 

Help! 

 

Model: GS105Ev2|ProSafe Plus 5 ports switch, GS308T|NETGEAR® S350 Series 8-Port Gigabit Ethernet Smart Managed Pro Switch, GS324T|NETGEAR® S350 Series 24-Port Gigabit Ethernet Smart Managed Pro Switch with 2 SFP Ports
Message 1 of 3

All Replies
schumaku
Guru

Re: VLAN configuration between switches is not working as expected...

Very confusing information in your post. Matter of fact, it's rather easy - considering we talk of real 802.1q VLANs, here each makes its own broadcast domain, and has its own individual IP subnetwork. From the description, we only see which VLANs are configured on each port - and not how the VLANs are associated on the ports. Considering you have several ports being members of multiple VLANs, check this:

 

For an access port where you need a single system to a specific VLAN, put the port (or LAG) to VLAN xxx [U], PVID xxx.

 

Where you need multiple VLANs on the same port - this can be for links to systems with VMs, serving multiple VLANs, or for switch-to-switch connections AKA trunks - only one VLAN can be used [U]ntagged (same PVID), all other VLANs must be carried as [T]agged. The same config must be in place on the peer, being on another switch, or on a host (and VM) config.

Message 2 of 3
TheoJones
Tutor

Re: VLAN configuration between switches is not working as expected...

Thanks so much for responding. I thought I had some fundamental misunderstanding - but the problem was so mind-numbingly basic that it hurts.

At the new GS308T switch on my desktop, it turns out that the cable running to Port 8 (the trunk) and port 5 (my desktop PC), got muddled up in the desk's cable management.

I had them plugged in the wrong way around.

Set it up fresh this morning when I spotted the mistake... and it all worked first time.

Embarrassing, but at least it's working 😄

Message 3 of 3
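
The port rules from message 2 and the swapped-cable fault from message 3 can be checked mechanically. The following is an added example, not code from the thread or from NETGEAR: a small Python audit that validates each port, compares both ends of a link, and shows where a frame lands after crossing it. The `Port` model and all function names are hypothetical, and the untagged membership of GS308T port 5 is assumed from its PVID.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int                        # VLAN assigned to untagged ingress frames
    untagged: frozenset              # VLANs sent without a tag ([U])
    tagged: frozenset = frozenset()  # VLANs sent with an 802.1Q tag ([T])

def port_errors(p):
    """One untagged VLAN per port, and it must equal the PVID."""
    errs = []
    if len(p.untagged) != 1:
        errs.append(f"{len(p.untagged)} untagged VLANs, expected 1")
    elif p.pvid not in p.untagged:
        errs.append(f"PVID {p.pvid} is not the untagged VLAN")
    if p.untagged & p.tagged:
        errs.append("a VLAN is both tagged and untagged")
    return errs

def link_errors(a, b):
    """Both ends of a cable need the same untagged VLAN and tagged set."""
    errs = []
    if a.pvid != b.pvid:
        errs.append(f"untagged VLAN mismatch: {a.pvid} vs {b.pvid}")
    if a.tagged != b.tagged:
        errs.append(f"tagged on one end only: {sorted(a.tagged ^ b.tagged)}")
    return errs

def lands_in(vlan, tx, rx):
    """VLAN a frame ends up in after crossing tx -> rx, or None if dropped."""
    if vlan in tx.tagged:            # leaves tagged; rx must be a member
        return vlan if vlan in rx.tagged | rx.untagged else None
    if vlan in tx.untagged:          # leaves untagged; rx applies its PVID
        return rx.pvid
    return None                      # tx is not a member: never forwarded

def fs(*v): return frozenset(v)
# Constructed from the thread (untagged membership of port 5 is assumed).
G3_324T = Port(1, fs(1), fs(100, 102))     # GS324T g3, uplink to the desk
P8_308T = Port(1, fs(1), fs(100, 102))     # GS308T port 8, intended trunk
P5_308T = Port(100, fs(100))               # GS308T port 5, desktop PC

def audit(uplink, desk_port):
    return port_errors(uplink) + port_errors(desk_port) + link_errors(uplink, desk_port)

if __name__ == "__main__":
    print("as designed:", audit(G3_324T, P8_308T))
    print("cables swapped:", audit(G3_324T, P5_308T))
    print("VLAN 100 from port 5 lands in:", lands_in(100, P5_308T, G3_324T))
```

With the cables swapped, untagged VLAN 100 traffic leaving port 5 is classified into VLAN 1 on the GS324T, so a mismatched link is a segmentation problem as well as a connectivity one.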