2 Types in with NETGEAR

·         Port Based Vlans

And

·         802.1Q Vlans ß MOST COMMON AND CURRENT INDUSTRY STANDARD

Port Based Vlans

–      Rare and on old switchs

–      VLAN information determined by the port its received on

–      Frames don’t get tagged

–      1 Port can only belong to 1 VLAN

–      Ports in a port-based VLAN are referred to as untagged ports and frames received on the ports as untagged frames

–      Frames received on a port hold no info on what VLAN it belongs to. Where the switch forwards the frame depends on the ports PVID (Port VLAN ID).

–      Each port has PVID and switch forwards frame to all other ports with same PVID

802.1Q Vlans

–      Industry Standard

–      VLAN information determined by the frame instead of port

–      On Ingress (as frame enters switch)

•       Does this frame have an 802.1Q tag?

•       No: Assign the VLAN ID (VID) of the Port VLAN ID (PVID) to the frame. [In other words: Tags the frame]

•       Yes: Let the frame Ingress [In other words the frame stays tagged and leaves the switch]

–      On Egress (as frame leaves switch)

•       Is this port participating [tagged or untagged] in this VLAN?

•       No [In GUI: VLAN configured BLANK]: Drop the frame

•       Yes: Is this port configured to tag (port tagging)?

•       Yes (Participating TAG): Preserve the Tag & egress [Leaves w/ Tag]

•       No (Participating UNTAG): Strip the Tag & egress [Leaves w/out TAG]

Interesting Things to Note

•       All traffic in a managed switch has an 802.1q tag on it

•       Even if no VLANs are created, everything still is tagged for VLAN 1

•       Avoid using VLAN 1 – leave it for management and trunk ports pvids

•       On some switches you will see an Audio and Video VLAN. That cant be deleted. They have QoS settings and make Audio VLAN more important. So avoid both of them if you don’t want the QoS effect.

•       PVID determines what VLAN a port belongs to

•       Tagging and Untagging determines who can talk to who

Firewall/Routers

•       With Firewalls/Routers: The firewall should have all the same VLANs created on it as are on the switch.

–      Firewall and Routers:

•       Membership:  This is like auto tagging and untagging

–      When it connects to a switch it tags

–      When it connects to a host it untags

•       Default VLAN: This is like the PVID

–      If firewall/router doesn’t have the the VLAN:

•       Create VLAN on the switch to disperse the internet out, by untagging all the ports with it and setting the PVID on the port uplinking to the router/firewall as the Internet VLAN PVID

Trunks between switches

•       Trunk Links Connecting Switchs

–      PVID doesn’t matter so just leave it as 1.

–      Because all traffic that leaves out of it is tagged previously therefore PVID doesn’t matter.  (Look at Above)

VoIP

–      Good to have Data and Voice VLAN separate

•       Security: So computers cant record phone data

•       Can apply QoS (Quality of Service) on it so that Phone traffic is more important

•       VoIP traffic is sensitive to delays and differences in delays (jitter) both measured in units of time (millisecond to microsecond)

•       Best quality = minimizing delay as much as possible and having 0 jitter

–      Phones: VoIP phones tag their traffic so PVID doesn’t matter for the performance of the phone. However set PVID to computer VLAN, if computer is attached to phone

–      Think of a VoIP phone as a 2 port switch. All voice traffic is tagged automatically by the phone and computer traffic goes through it untagged.

•       So on the switch we catch the untagged computer traffic with a PVID

•       And distribute VoIP data by tagging

•      Trunk Port – Cisco will Tag all VLANs across (Since PVID doesn’t matter here its just like Tagging every VLAN), can control with pruning or “allowed VLANs” command

•      Access Port – Cisco untags the appropriate VLAN here and also sets the PVID (this is like a PVID and Untagging at the same time)

•      Native VLAN in Cisco is similar to PVID. Tags traffic that comes in without a tag.

•      On Cisco when connecting to a Phone-PC combo set the Cisco port as a Trunk Port and the Native VLAN on that port to match the PCs VLAN

•      In the configuration process just treat the Cisco switches as if it were Netgear device, Untagging and Tagging as needed

•      Do not configure a Cisco device, let the customer configure it. (We are not CISCO Tech Support)

Connecting With DHCP Server

•       3 Scenarios

–      Netgear Device has the VLANs configured on it

•       Just as Example: Gateway that understands VLANs, except configure the VLANs to have DHCP Server Enabled

–      PC has DHCP Scope for 1 VLAN, Each VLAN has its own dedicated PC to give out DHCP

•       Untag & PVID that port for the VLAN # that DHCP server is in

–      1 DHCP Server for the entire Network

•       Untag all VLANs that need DHCP on that port

•       Set the PVID to whatever VLAN that DHCP server belongs in

•       Use IP-HELPER or DHCP RELAY to point the other VLANs to the DHCP Servers IP

Wireless VLANs

•      Usually want to have a Guest VLAN and Main Office VLAN

•      Each SSID on the Access Point gets its own VLAN ID

–      GUEST SSID – VLAN 3

–      MAIN SSID – VLAN 2

•      Tag Wireless VLANs to the Access points

•      Make sure VLANs have a path thru all the switches to get to all the Access points, controller/s (?) and to the gateway

–      Make sure gateway has both VLANs created on it

–      If gateway doesn’t have VLANs created on it then make sure there is an internet VLAN used to disperse the internet

Summary [corrections on 11/19/2013 listed below]

•      PC1 and PC2 cant communicate

–      To PC1: Untag PC1 VLAN, PVID PC1 VLAN

–      To PC2: Untag PC2 VLAN, PVID PC2 VLAN

•      PC1 and PC2 can communicate with each other

–      To PC1: Untag PC1 & PC2 VLANs, PVID PC1 VLAN

–      To PC2: Untag PC1 & PC2 VLANs, PVID PC2 VLAN

•      Trunk to Switch handling VLANs: Tag all VLAN, PVID 1 (Doesn’t matter)

•      Trunk to unmanaged switch serving VLAN PC1: Untag PC1 VLAN, PVID PC1

•      PC-1+Phone: Untag DATA PC1 VLAN, Tag PHONE VLAN, PVID DATA PC1

•      Phone: Tag PHONE VLAN, PVID 1 (Doesn’t matter)

•      DHCP Server Serving many VLANs:  Untag ALL VLANs, PVID PC1 VLAN

•      Gateway which has VLANs: Tag ALL VLANs, PVID 1 (doesn’t matter)

•      Gateway which has no VLANs: Untag ALL VLANs, PVID INTERNET VLAN

•      Access Point: Tag ALL VLANs that SSIDs talk with, PVID 1 (doesn’t matter) – Correction on 11/19/2013: untag mgmt vlan,pvid mgmt vlan, tag ssids

•       To Controller: Tag ALL VLANs that SSIDs talk with, PVID 1 (doesn’t matter) – Correction on 11/19/2013: only untag mgmt vlan and pvid mgmt vlan

EXTRA GUIDES – EXAMPLE CONFIGS – FOR NETGEAR L2 AND L3 SWITCHES (found on support.netgear.com as well): 

SWITCH-EXAMPLES-L2L3.7z