Simple port-based VLAN setup using Netgear Smart Switch

EdMacFly

Hi,

I'm trying to configure a simple office network using VLANs on my Netgear smart switch and I'm a little stuck.

I'm going down the port-based VLAN route although my switch does support 802.1Q VLANs - any reason why I shouldn't be using port-based?

At the moment, I have the VLANs configured like this:

ID | Description | Members        | Other Info
1  | SHARED      | 01, 02         | This is for our firewall / internet router and network printer to plug into
2  | SERVERS     | 01, 02, 03, 04 | This is for our DC and Exchange machines (WIN 2003)
3  | WORKSTNS    | 01, 02, 05 - 24 | This is for the Workstation machines (WIN XP)

So far, I have the two ports for the SHARED VLAN included in both of the other VLANs so that the Servers and Workstations can access the Internet connection and shared network printer. I realise that I want the Servers and Workstations to be able to communicate so do I need to include ports 02 - 24 in both VLAN 2 and 3?

Hope you can shed some light on this!

Also, how easy is it to get DHCP to work with this setup?

I'm guessing that the Servers and Workstations should be in a separate address range so do I need to set up two DHCP scopes?

TIA for any help!
 
Do you have a router that supports VLANs as well or is your switch an L3 switch? If you don't have something doing routing you will not be able to get any traffic between your VLANs.

 
Computers on different VLANs cannot communicate with each other unless you have a router-on-a-stick setup or a layer 3 switch.
 
I don't see why you're trying to do VLANs here. It seems you want all workstations to be able to work with the servers, and both servers and workstations with the internet and printer. So... which computer are you trying to separate out of your network?
 
Thanks for the replies.

I was led to believe that I could introduce a little bit of extra security by separating my servers from the workstations using VLANs but I'm beginning to question this logic now after a few responses I've gotten.

Is there any mileage in this or am I, as I now expect, over complicating things?
 
VLANs do add an extra layer of security, but in order to make this work you need either a layer 3 switch or a router so that hosts on different VLANs (networks) can communicate with each other.
 
Is there any mileage in this or am I, as I now expect, over complicating things?

I just don't think you need a port based VLAN. You have 1x network that needs access to its resources. It appears all of your workstations need to access the server, correct? So what would you be trying to secure?

Here's an example of what you might use a port based VLAN for...
You want to set up an open wireless network for "guests" to use. All they need is access to the internet. You do not want them to be able to access your servers, or introduce anything like a virus to your network. So... take port 23, make it VLAN2, make port 1 (your router) a member of VLAN2, plug your access point into port 23. Now you have a separate VLAN for your wireless guests, which cannot touch your primary network.

Another example of VLANs: I did a setup at a small school. I created 3x VLANs.
Router...uplink to port 1 on the switch.
Office network..ports 2-9 on the switch
ComputerLab...ports 10-20 on the switch
Ports 21-23...Rest of the school, classrooms, access points, uplink to another 24 port switch.
Port 24...NOD32 antivirus server to manage the antivirus for the network

VLAN 1 for the office...members are ports 1, ports 2-9, port 24. Nobody else on the network can get to the office computers.
VLAN 2 for the computerlab, ports 1, 10-20, and 24. They cannot get to the office computers, nor the rest of the classrooms.
VLAN 3 for the rest of the school, ports 1, 21-23, and 24. They cannot get to the office computers, nor the computer lab network.
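
The school layout above and the original poster's SHARED/SERVERS/WORKSTNS layout, checked as an added example (not part of any post in this thread and not Netgear tooling). It assumes the port-based VLAN behaviour the posts describe: two ports can exchange frames only if they are members of at least one common VLAN; the function and variable names are made up for illustration.

```python
# VLAN membership exactly as given in the posts (switch port numbers).
SCHOOL_VLANS = {
    1: {1, *range(2, 10), 24},    # office
    2: {1, *range(10, 21), 24},   # computer lab
    3: {1, *range(21, 24), 24},   # rest of the school
}
OFFICE_VLANS = {
    1: {1, 2},                    # SHARED: router and printer
    2: {1, 2, 3, 4},              # SERVERS
    3: {1, 2, *range(5, 25)},     # WORKSTNS
}
# Port groups that are supposed to be isolated from each other.
SCHOOL_GROUPS = [set(range(2, 10)), set(range(10, 21)), set(range(21, 24))]


def vlans_of(port, vlans):
    """Return the set of VLAN IDs the port is a member of."""
    return {vid for vid, members in vlans.items() if port in members}


def can_talk(a, b, vlans):
    """Assumed model: frames pass between two ports only if they share a VLAN."""
    return bool(vlans_of(a, vlans) & vlans_of(b, vlans))


def shared_ports(vlans):
    """Ports in more than one VLAN, i.e. reachable from several segments."""
    ports = set().union(*vlans.values())
    return sorted(p for p in ports if len(vlans_of(p, vlans)) > 1)


def leaks(vlans, groups):
    """Port pairs from different isolated groups that can still talk directly."""
    found = []
    for i, group_a in enumerate(groups):
        for group_b in groups[i + 1:]:
            found += [(a, b) for a in sorted(group_a) for b in sorted(group_b)
                      if can_talk(a, b, vlans)]
    return found


if __name__ == "__main__":
    print("school shared ports:", shared_ports(SCHOOL_VLANS))
    print("school cross-segment leaks:", leaks(SCHOOL_VLANS, SCHOOL_GROUPS))
    print("office server(3) <-> workstation(5):", can_talk(3, 5, OFFICE_VLANS))
    print("office server(3) <-> router(1):", can_talk(3, 1, OFFICE_VLANS))
```

The shared ports it reports (1 and 24 at the school, 1 and 2 in the office layout) are reachable from every segment, so the devices on them are where the separation depends on host hardening and filtering rather than on the switch.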
 
You can have your VLANs communicate (pass traffic) between one another if you have trunking (VTP) set up on the switch.
 
If I can tag on a similar question for those familiar with Netgear Smartswitches (GS748T)...

I only need to separate a couple PCs from the rest of the network, but keep WAN and printer access for them.

36 - printer
45 - WAN router
43 - PC to be separated
35 - main administrative PC

I went into the VLAN settings planning to remove 43 from VLAN 1 (default) and set up a second VLAN. I created VLAN 2 and added 36, 45, and 43. After saving VLAN 2, VLAN 1 was empty and could not be modified. In fact VLAN 1 seems to be the only way to include all ports in a VLAN and it does not give an option for removing ports.

Does adding a VLAN wipe the default VLAN or is it still there? I figure it must be there so I can access the switch GUI. In fact it has to be there as the switch can only be managed from VLAN 1. If it is still there, how do I remove ports from it?

If the default is gone when a new VLAN is added, then I would need to make a VLAN 3 with all the ports except for 43, which does not appear possible as the VLANs have to comprise ports from only one of the two 24-port groups. Only the default VLAN 1 contains all ports. Do I need to use 802.1Q?

If I get it to work, can I access the VLAN 2 PC with my main PC (35) in the main VLAN (1)? It sounds like I would need a router to do that. My internet router supports IP static routes, IP maps, and Ethernet bridges. Could any of those be used to give me access to segregated PCs?
 
VLAN 1 is the default VLAN for all switchports. I'd suggest never deleting this.

If you have two switches, then setting up 802.1Q is the way to go because it can span VLANs across multiple switches. If you have one switch and still want to use VLANs, then you can use Port-Based VLAN.

I haven't used that Netgear switch so I don't know the specifics on how to remove a VLAN ID or move ports but I'd imagine the web management is pretty straightforward on how to do so.
 
I didn't want to delete VLAN 1, I just wanted to remove a port from the group.

It is a single switch, so I hoped to just use port based VLAN.

You are right, it does look pretty simple to set up port based VLAN, but without having the option to delete ports from the primary VLAN I am stuck.
 