Help with Switching and VLANs

Discussion in 'Networking & Security' started by ThatITGuy, Mar 12, 2019.

  1. ThatITGuy

    Hi all,
    I need help understanding switching and how to get VLAN IDs passed through to my router successfully.
    Current state -
    I have a wired router (Mikrotik hEX) that has a wireless access point connected to it. That access point has 5 SSIDs, each assigned their own VLAN ID. On the router, I have each ID mapped to a VLAN "interface" under the physical port. I then have each of the interfaces set up with their own address pool/network/DHCP server. This currently works well, and depending on which VLAN someone connects to, they are put onto the correct "network", and I have cross-network communications blocked.
    I recently picked up a Netgear Prosafe GS728TP for $50, and I wanted to connect the access point to it and have it pass those VLAN IDs through from the access point to the router. I am lost as to where to go from there. It would appear that I would need to set up the VLANs on the switch (matching what I have on the access point and router), which I have done. I played with assigning membership (tagging and untagging) of the port where the access point was plugged in to each of the VLANs, without any luck. I plugged the switch into the same port I had been plugging the access point into, so it should not be an issue with where the router is expecting the VLANs to be coming from.
    So how does switching work with VLANs? If I tag a port, does it assign all traffic coming in on that port that VLAN ID? Does tagging just mean that if a device inserts the VLAN in the message header, the switch can read that header and pass it along? Is the fact that VLAN 1 is set as untagged for all the ports causing an issue (it seems to have something to do with that being the management VLAN)?
     
  2. FNtastic

    If you just want to pass the VLAN tagging through the switch, and continue to have your router handle the VLANs, it should work like:
    - the switch needs to have the capability to be "aware" of the tagging and not muck it up
    - no VLAN configuration on the switch should be done. Default settings and plug it in
    I say should because it all depends on capabilities, features, and compatibility of devices, etc. Some switches will pass the appropriate information right through properly. Others don't.

    If you want the switch to handle the VLANs (better performance and less load on your router):
    - configure trunk between AP and switch with appropriate VLAN IDs
    - set static routes in router for each VLAN
    - don't forget to do DHCP, DNS, etc on either the switch or the router depending on where you want these services to live (based on capabilities, etc)
     
  3. Cmustang87

    • So how does switching work with VLANs?
      • Tagging and untagging ports is for traffic that is leaving (egress) the switch. You'll want to make the correct choice depending on whether the connecting device is VLAN aware or not. If it's not VLAN aware, you do not tag it; tag it if it's a VLAN aware device.
      • If traffic arrives on a switch interface with a tag for a VLAN that the interface is a member of, the frame will be forwarded on; if that VLAN does not exist on that tagged interface (trunk), the frame will be dropped.
    • If I tag a port, does it assign all traffic coming in on that port that VLAN ID?
      • No, this is what's called port VLAN ID (PVID). What this does is take incoming untagged frames on a switch interface and assign them to that VLAN. For example, if you had a downstream switch that wasn't VLAN aware and you wanted to take all incoming frames from that switch on your VLAN aware device, you could assign all incoming traffic to a different VLAN other than 1.
    • Does tagging just mean that if a device inserts the VLAN in the message header, the switch can read that header and pass it along?
      • No, tagging means that any frames leaving this interface will have a VLAN tag assigned to them from the VLAN the frame originally sourced from. Example: Host A, connecting to port 10 on switch A (switchport 10 is assigned to VLAN 5), is trying to reach the internet. The switch needs to send this frame upstream to the router, and as it exits the interface connecting to the router it will tag the frame with VLAN ID 5 so that the upstream router knows the source VLAN. The default gateway on Host A would be the subinterface on the router's VLAN 5.
    • Is the fact that vlan 1 is set as untagged for all the ports causing an issue (seems it has something to do with that being the management vlan)?
      • It shouldn't - this just means that VLAN 1 is the default VLAN
    What you should do:
    • Create all the VLANs you plan on using on your switch
    • Create a tagged interface between your AP and switch (only Cisco calls this a trunk)
    • Make this tagged interface a member of all VLANs that exist on your AP - Your users are assigned to a VLAN based on which SSID they are connected to from the AP. So when frames are inbound to the switch, the switch will be aware of where to forward on the frames as they traverse the network. If these frames need to go upstream to the router, it will tag the frame with the appropriate VLAN ID.
    • Create a tagged interface with all VLANs between your switch and router
    • Your router should have a subinterface IP address associated with each VLAN, if this is already configured leave it as is.
    • You shouldn't need static routes on the router since these interfaces are all directly attached to each network. You only need routes if a destination network requires a hop.
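The post above is the crux of the thread: tagged/untagged membership governs what a frame looks like on egress, PVID governs which VLAN an untagged frame is put into on ingress, and a tag for a VLAN the port is not a member of is dropped. The model below is an added example written for this page to make those three rules concrete; it is not code from the thread, from Netgear or from MikroTik. Port numbers, VLAN IDs and MAC addresses are made up to mirror the OP's layout (AP and router uplink as tagged ports, two plain wired devices on access ports), and it assumes the switch has ingress filtering enabled, which is a per-switch setting rather than something the thread states.

```python
"""Minimal model of how an IEEE 802.1Q switch treats a frame on ingress and egress.
Added example for this thread; not code from the page, from Netgear or from MikroTik.
Port numbers, VLAN IDs and MAC addresses are made up to mirror the OP's topology."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int                                   # VLAN assigned to UNTAGGED ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with a tag

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


@dataclass
class Frame:
    src: str                    # source MAC
    dst: str                    # destination MAC ("ff" = broadcast / unknown)
    vid: Optional[int] = None   # 802.1Q VID on the wire; None means the frame is untagged


class Switch:
    def __init__(self, ports):
        self.ports = ports      # {port_no: Port}
        self.fdb = {}           # (vid, mac) -> port_no, learned from source MACs

    def classify(self, port_no, frame):
        """Ingress: decide which VLAN a frame belongs to, or None to drop it."""
        port = self.ports[port_no]
        vid = port.pvid if frame.vid is None else frame.vid
        # Ingress filtering (assumed enabled here): a tagged frame for a VLAN the
        # port is not a member of is dropped, so a device on an access port cannot
        # hop into another VLAN simply by inserting its own tag.
        if not port.member_of(vid):
            return None
        self.fdb[(vid, frame.src)] = port_no
        return vid

    def forward(self, in_port, frame):
        """Return {out_port: frame_as_transmitted}; egress membership sets the tag."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        known = self.fdb.get((vid, frame.dst))
        candidates = [known] if known is not None else list(self.ports)
        out = {}
        for p in candidates:
            if p == in_port:
                continue
            port = self.ports[p]
            if vid in port.tagged:              # VLAN-aware neighbour: keep the tag
                out[p] = Frame(frame.src, frame.dst, vid)
            elif vid in port.untagged:          # plain device: strip the tag
                out[p] = Frame(frame.src, frame.dst, None)
            # not a member of this VLAN: the frame never leaves on this port
        return out


def build_thread_switch():
    """The OP's layout: VLAN 1 untagged everywhere by default, 5-8 tagged on the trunks."""
    return Switch({
        1: Port(pvid=1, untagged={1}, tagged={5, 6, 7, 8}),   # access point (VLAN aware)
        2: Port(pvid=1, untagged={1}, tagged={5, 6, 7, 8}),   # uplink to the hEX router
        3: Port(pvid=6, untagged={6}),                        # wired IoT box, not VLAN aware
        4: Port(pvid=8, untagged={8}),                        # wired PC on the private VLAN
    })


if __name__ == "__main__":
    sw = build_thread_switch()
    # A wireless client on the VLAN 6 SSID: the AP sends it tagged; the switch floods it
    # only to VLAN 6 members, tagged toward the router and untagged toward the IoT box.
    print(sw.forward(1, Frame("aa", "ff", 6)))
    # The IoT box replies untagged: PVID 6 classifies it, and it goes back out tagged 6.
    print(sw.forward(3, Frame("bb", "aa")))
    # The IoT box tries to reach the private VLAN by tagging 8 itself: dropped.
    print(sw.forward(3, Frame("bb", "ff", 8)))
    # Anything the AP sends UNTAGGED (e.g. its own management traffic) lands in VLAN 1.
    print(sw.forward(1, Frame("ap", "ff")))
```

The last case is the caveat behind the OP's question about VLAN 1: with PVID 1 left on the trunk ports, any untagged frame from the AP or router is silently placed in the default (management) VLAN. If the switch allows it, setting the trunk ports' PVID to an otherwise unused VLAN, or removing VLAN 1 from them, keeps stray untagged traffic out of the management network.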
     
  4. FNtastic

    Who recommends doing it that way? I've never read a manufacturer's instructions, read an article, or watched a video that recommended it the way you have. There's no need to create VLANs on the router. Create static routes. Here's a reference for you from 2013. The same holds today: https://www.smallnetbuilder.com/lan...ow-to-use-a-layer-3-switch-in-a-small-network

    I am interested in seeing your reference/source for your configuration recommendations.
     
  5. boss6021

    Could you be more specific on the devices you are referencing?
     
  6. FNtastic

    I'm not referencing any devices. I gave a source for the process I recommended to OP. Then I requested a source for the process Cmustang87 recommended. If you are looking for device recommendations, there are some other threads about that.
     
  7. Cmustang87

    You would create static routes on your router if the switch is acting as the L3 for all the VLANs. If it's an L2 switch, you need to tag all traffic to the upstream router and then use sub-interfaces on the router as the L3 interfaces (gateways) for each VLAN. No need to create static routes on a router if all networks are directly attached to it.
     
  8. Cmustang87

    A super basic example of L2 switch trunk to a perimeter firewall:

    [image: Paloalto-firewall-Inter-vlan-routing-diagram.png]

    OP is having a tough enough time getting the L2 structures to work on their network and already has the subinterfaces on their firewall. Having them change their switch to function as L3 and then using static routes would just be overcomplicating it.

    But otherwise yes, you are right - normally your L3 switch would route all the inter-VLAN traffic, and then use static routes on your router/firewall to use the L3 interface of your switch as the next hop for all the return traffic to all VLANs attached to the switch.
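The two posts above (Cmustang87's L2 trunk with router sub-interfaces, and FNtastic's L3 switch with static routes on the router) differ in where the routing table for each VLAN lives and therefore in which box each inter-VLAN packet passes through. The routing-table model below is an added example written for this page, not code from the thread, from MikroTik or from Netgear. It uses the OP's 192.168.<vlan>.0/24 addressing; the /30 transit link between switch and router, the WAN address and the ISP next hop are invented for the demo. It goes slightly beyond the posts by also showing what happens to return traffic on the router when the static routes are forgotten.

```python
"""Routing-table model of the two designs argued over in this thread. Added example,
not code from the page, from MikroTik or from Netgear. Addresses follow the OP's
192.168.<vlan>.0/24 scheme; the /30 transit link, the WAN address and the ISP next hop
are made up for the demo."""
import ipaddress


class Node:
    """A host, router or L3 switch: its interface addresses plus a routing table."""

    def __init__(self, name):
        self.name = name
        self.addrs = set()      # interface IPs this node answers to
        self.routes = []        # (network, next_hop or None if connected, iface)

    def connected(self, cidr, iface):
        """Give this node an interface; its subnet becomes a connected route."""
        ifa = ipaddress.ip_interface(cidr)
        self.addrs.add(ifa.ip)
        self.routes.append((ifa.network, None, iface))
        return self

    def static(self, cidr, via):
        self.routes.append((ipaddress.ip_network(cidr), ipaddress.ip_address(via), None))
        return self

    def lookup(self, dst):
        """Longest-prefix match over the table; None if nothing matches."""
        best = None
        for net, via, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        return best


def path(nodes, start, dst, max_hops=8):
    """Follow next hops from `start` until the destination is on a connected subnet.
    Returns the layer-3 hops taken; an L2 switch never appears because it is not a
    hop at layer 3 even though the frames physically cross it."""
    dst = ipaddress.ip_address(dst)
    here, hops = nodes[start], [start]
    for _ in range(max_hops):
        route = here.lookup(dst)
        if route is None:
            return hops + ["no route"]
        _, via, iface = route
        if via is None:
            return hops + [f"deliver on {iface}"]
        nxt = next((n for n in nodes.values() if via in n.addrs), None)
        if nxt is None:
            return hops + [f"next hop {via} (outside model)"]
        here, hops = nxt, hops + [nxt.name]
    return hops + ["loop"]


VLANS = (5, 6, 7, 8)            # kids, IoT, guests, private, as in the OP's post


def pc_in_vlan8(gateway):
    return Node("pc8").connected("192.168.8.10/24", "eth0").static("0.0.0.0/0", gateway)


def design_a():
    """Cmustang87's layout: L2 switch, 802.1Q trunk to the hEX, one router
    sub-interface per VLAN. No static routes: every VLAN is directly attached."""
    hex_ = Node("hex").connected("203.0.113.5/24", "ether1").static("0.0.0.0/0", "203.0.113.1")
    for vid in VLANS:
        hex_.connected(f"192.168.{vid}.1/24", f"ether2.vlan{vid}")
    return {"pc8": pc_in_vlan8("192.168.8.1"), "hex": hex_}


def design_b(with_statics=True):
    """FNtastic's layout: the GS728TP routes between VLANs on its own interfaces;
    the hEX only sees a /30 transit link and needs a static route back to each VLAN."""
    sw = Node("gs728").connected("192.168.100.2/30", "uplink").static("0.0.0.0/0", "192.168.100.1")
    for vid in VLANS:
        sw.connected(f"192.168.{vid}.1/24", f"vlan{vid}")
    hex_ = Node("hex").connected("203.0.113.5/24", "ether1").static("0.0.0.0/0", "203.0.113.1")
    hex_.connected("192.168.100.1/30", "ether2")
    if with_statics:
        for vid in VLANS:
            hex_.static(f"192.168.{vid}.0/24", "192.168.100.2")
    return {"pc8": pc_in_vlan8("192.168.8.1"), "gs728": sw, "hex": hex_}


if __name__ == "__main__":
    print("A, VLAN 8 -> VLAN 7:", path(design_a(), "pc8", "192.168.7.20"))
    print("B, VLAN 8 -> VLAN 7:", path(design_b(), "pc8", "192.168.7.20"))
    print("B, VLAN 8 -> Internet:", path(design_b(), "pc8", "8.8.8.8"))
    print("B, return traffic:", path(design_b(), "hex", "192.168.7.20"))
    print("B, return traffic, no statics:", path(design_b(False), "hex", "192.168.7.20"))
```

In design A every inter-VLAN packet is routed by the hEX, which is also where the OP's cross-network drop rules sit. In design B the same packet never reaches the router, so the isolation between VLANs has to be enforced on the switch instead; before moving routing to an "L3 lite" switch it is worth checking that it can actually filter between its VLAN interfaces, or the segmentation the OP built on the router quietly disappears. The last case shows why FNtastic insists on the static routes: without them the hEX's only match for 192.168.7.20 is its default route, and return traffic for the VLANs is sent toward the ISP.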
     
  9. FNtastic

    Not leveraging L3 on a switch that's capable puts unnecessary load on the router. And, is actually much slower. Sending traffic through the switch to the router every time is wasteful. What you're suggesting is that if I want to transfer a 10GB file from my PC on VLAN 30 to another PC on VLAN 70, all of my traffic must pass through the router. The router then becomes a bottleneck, and an issue. Handling everything on the switch (typically a much more appropriate and capable device) is much more efficient, and faster! In the case that you suggested, if load gets high on the router, the transfer will slow to a crawl.

    My suggestion has fewer steps than creating VLANs on both devices. What's more complicated? He's setting a few static routes in the router, and that's it. Then creating all the VLANs on the switch (which he'd be doing even using your suggestion), and making sure there's a DHCP range/server for those VLANs... With this solution, transferring that same 10GB file goes directly through the switch and the router is never touched. In this solution, since the transfer is independent of the router, the router could be completely unplugged (or under high CPU load) and the transfer would still be going at the full 1Gbps (or whatever the speed is on your switch ports).
     
  10. Cmustang87

    I understand the technology thoroughly - transferring a 10GB file was nowhere near what the OP's use case was, and I didn't say this is the right design for everyone. Under most circumstances, I always recommend routing your inter-VLAN traffic on your L3 capable switches.
     
  11. FNtastic

    There's no reason OP shouldn't follow the best practice, whether he's transferring a 10GB file or not. That was used as an example. There are a multitude of benefits, which you seem to agree with, but didn't recommend the proper practice to OP. That's why I got curious and asked.
     
    Last edited: Mar 14, 2019
  12. purple_monster

    This is classic datacenter practice: access -> aggregation -> core design. I have a feeling, though, that OP's gear is sitting next to his shoes in the closet.
     
  13. pek

    +1 for this, keep layer 2 close to the devices, route at edge on layer 3, separate devices if possible.
     
  14. ThatITGuy

    Actually my basement under-stairs network closet, but close! I do work in IT at a corporate level (though just as a technical analyst) and would like to know more about the principles to help my understanding there.
     
    Last edited: Mar 21, 2019
  15. ThatITGuy

    I would prefer to lessen the load on the router as much as possible. I just have trouble understanding how to achieve the same results without relying upon the router (a Mikrotik hEX, but eventually I want to turn this into a pfSense/custom-built router).
    As mentioned, I have the 1 AP, with 5 SSIDs. One for IoT device isolation (VLAN 6), 2 for the kids (1 for each kid, different schedules and locked to the MAC of their specific devices) both sharing VLAN 5, one for the wife and guests (VLAN 7, note - kids' devices blocked on this) and one for me that is hidden (VLAN 8). I also have a number of wired devices, all connected to the router through unmanaged switches. On the router, I removed bridging from all ports other than the port my personal computers connect to, and VLAN 8. I have each port (or bridge) getting its own DHCP server, network pool, etc., so I can keep everything logically separated, especially since I have cross-network traffic dropped. Obviously I want the IoT stuff to be separated from everything else (but not so isolated I cannot access it for setup activities). I prefer the Cat 6 wired Xbox, "connected" TV, "connected" AV receiver, etc. not be on the same network as my personal computers, and also separate from the kids' devices (my 16-year-old was driving me crazy AirPlaying her crappy music to my home theater setup). I also wanted to keep the wife and guests separated from everyone else, on their own network. Other than my cluster of devices, everyone else's device is just used for internet consumption.

    With this setup I can easily see who is connected to the network and via what mechanism, through the dhcp lease screen inside the mikrotik. I also know that everyone has their own little walled garden to play in and cannot do much damage, especially to any of my devices. The separate dhcp servers let me easily add devices to the correct network just by controlling how the device connects (with only adding devices for the kids requiring any intervention). I can also go from wired to wireless for my laptop, with no loss of access to my private network. Once I got everything set up, it has become very much "set and forget". Of course, I like to tinker.... and the $50 for a gs728tp seemed too good to pass up for a new toy to tinker with.

    Ideally, I would eventually plug all of the wired devices into the new Netgear switch, leaving just that switch and the unmanaged switch connecting my home media server and the 2 computers in my basement office (my personal PCs) to the router. I still think I would need to have the router handle the VLAN data to achieve what I want to achieve. Once I get the as-is segmentation of wireless traffic working, I will play with that.
    I am open to ideas for a better configuration, i.e. best practices to deploy something that achieves what I want to. I don't know if it is more overhead to have everything split into separate networks, or to have a bunch of devices all put into one. Still learning when it comes to networking.
    Also, the gs728tp is said to be Layer3 "lite", if that makes any difference.
     
    Last edited: Mar 21, 2019
  16. ThatITGuy

    Thanks for the link to the article. I may play with this with the wired traffic to figure some things out.
     
  17. ThatITGuy

    Cmustang87, Thanks for your help. This should at least get me to my "Step 3" solution, while I figure out the long term best design.
     
    Last edited: Mar 21, 2019
  18. FNtastic

    First, good on you for taking the steps to separate and segment your networks. In the long run, as you've already seen and benefited from, it makes management easier.

    Second, I've run VLANs from my firewall before too. All of the functions of DHCP, checking leases, DNS, blocking access between VLANs, tagging, etc, etc are all functions of a Layer 3 switch. This is what's important. I've already outlined the benefits in past posts. So, I'll spare everyone from that again.

    I'd recommend that if you are going to move all of your VLANs to the L3 switch, to plan it out first. Lay out the steps, and set aside a weekend. Just to make sure you have the time to get it right, test, then get it right again ;)
     
  19. ThatITGuy

    The trick is to fit it in without disrupting the family's youtubing, facebooking, instagramming and other requirements, i.e. my down time windows are tighter at home than at work.
    I now have all of the wired devices other than my private cluster connected to the switch. I may just play with setting up the VLANs for segmenting the wired devices first, and keep the AP connected directly to the router for now. Worst case, they cannot stream Netflix or whatever show on the connected TV for a little while. I am a bit lost on moving some of the DHCP functionality from the router to the switch (and setting up paths on the router), so I will try to follow that guide to understand it and get it working with those wired devices. Also, I am not sure how this switch being L3 "lite" affects any of this. I guess some of this stuff is especially confusing in part because I just started feeling comfortable in my knowledge of doing the network/address pool/DHCP server setups, bridging ports to VLANs, dropping chains from a network trying to access a different network, etc. on the router.
     
  20. FNtastic

    I was trying to find a definitive source for you. But, unfortunately I couldn't with the short amount of time I have this morning. I'm sure your plan was already to do some good Google-fu and find some steps on how others have done it. That would be a good start.

    If you run into a snag, I'd be happy to help. Based on the definition of "L3 Lite" that I found, it's very similar in featureset to many of the switches that I've configured. And, if I'm unable to help, I'm sure there are others here that can.

    I would suggest configuring everything without a router/firewall. That will give you a better idea what you are depending on the router for. You should be able to do just about everything without the router hooked up. The most common snag I see people hit is that the Windows firewall blocks ICMP packets (pings). So, you may want to make it part of your steps to turn off the firewalls during testing.
     
  21. ThatITGuy

    This part is the mental roadblock I seem to be currently having. For years I always mentally attributed DHCP assignment to being handled by the router. In order to get an IP and get a gateway to the internet connection, you had to have a router. Switches allowed me to be able to talk between the computers directly without having to hit the router (other than for the initial DHCP lease assignment), since it routed based on MAC addresses. I get how L3 (IP based) switching just takes that up a level (but without static IPs for all of the devices, I get lost on how setting up some of the rules, as well as the mentioned "route" on the router, is possible).
    I also get that for VLANs, as long as I want the VLANs to be able to talk (i.e. some of my wired devices on different VLANs), it makes sense to set up the switch to handle processing the VLAN so that I do not need to hit the router for every request. For the wireless devices, where I really just want to utilize the VLAN to get them segmented to different networks/address pools/etc., and do not want them to talk, only give access to the internet, it is less important.
    Having the switch handle DHCP duties throws me off, since that has always been the primary purpose of the router. I would like to balance loads between router and switch as much as possible.
     
  22. FNtastic

    Word of caution. You don't want two DHCP servers on the same subnet (unless they are configured properly and aware of each other)
     
  23. ThatITGuy

    No worries there, each DHCP pool on the router has its own network that is on its own subnet. I have the available addresses set up to be 192.168.*.0/24.