VLAN on Dell PowerConnect - How?

marley1

Supreme [H]ardness
Joined
Jul 18, 2000
Messages
5,447
I am trying to put my grasp around Port Based VLAN. The way I am thinking about it is as follows:

16 port switch
Port 1 is plugged into the gateway - 192.168.1.1 which hands out DHCP 192.168.1.100 to 200

I create VLAN2 - Port 1 is in it, and Port 2 through 8 are in it
I create VLAN3 - Port 1 is in it, Port 9 through 16 are in it

So computers plugged into VLAN2 should get IP in that range as should VLAN3 but computers in VLAN2 shouldn't be able to get access to VLAN3 computers (ping, files, etc). Correct?

How exactly do I set this up with a Dell PowerConnect 27xx series (I have a 2716 I am messing with in the office)? It by default has VLAN1 that you cannot modify. I tried this 2 ways.

I created VLAN2, Tagged Port 1, and Untagged Port 2-9.
I created VLAN3, Tagged Port 1, and Untagged Port 10-16

Plugged machines in, one machine in VLAN2 got a 192.168.1.179 IP. One machine in VLAN3 got a 192.168.1.199 IP. I could ping each from any side.

I then did the same thing: VLAN2 - Tagged Port 1 through 9, VLAN3 - Tagged Port 1 and 10-16. Same issue.

What am I doing wrong?

Thanks,
Dan
 
I'm assuming your subnet masks are 255.255.255.0 for both computers?
 
yup

gateway - 192.168.2.1, 255.255.255.0 handing out DHCP - 192.168.2.100 to 200
 
vlan 1 members: 1-9
vlan 2 members: 1&10-16

no? I'm not entirely sure, but with the 3rd VLAN you're creating a 'route' for traffic between the two.

afaik VLANs shouldn't be used for any form of serious 'security'.

*edit - just read your post again re: VLAN "1" - if you can't remove it then just make 2&3 and remove port 1 from VLAN 1, you will probably need to add it to VLAN 2 and change its VID to 2 as well before you can remove it from VLAN 1.

actually quite interested how to do this on a single device!
 
gateway - tomato router

Port 1 - plugged into gateway

Vlan1 - Port 1 and Port 2-9
Vlan2 - Port 1 and Port 10-16

I just called Dell, and he said I need a router that is VLAN aware? I thought you could do this with any type of device. I thought that you could share a single WAN connection between 2 VLANs, each VLAN would get onto the web, but not see each other?
 
gateway - tomato router

Port 1 - plugged into gateway

Vlan1 - Port 1 and Port 2-9
Vlan2 - Port 1 and Port 10-16

I just called Dell, and he said I need a router that is VLAN aware? I thought you could do this with any type of device. I thought that you could share a single WAN connection between 2 VLANs, each VLAN would get onto the web, but not see each other?

Should work fine..that's how I have a few setup....different brand switches...but I've never needed a router that was "vlan aware". Port 1 (the router) is a member of both vlans...so it's accessible from both vlans as the gateway.
 
The router needs to support VLAN tagging so that it can send the packets back to the appropriate VLAN which it originated from. More than likely when you ping you are sent to the router and the router dumps it back without any regard for VLAN security.

Are you using a WRT54G v1.x? These units do not support VLAN tagging.
 
I have it plugged into a Buffalo HP-G54 flashed with Tomato. I am just messing around with it at the office, usually use something like an RV at clients.

Just had a few switches lying around so grabbed one to mess with.

Dell guy said I need to create the VLAN, so I created VLAN2 and VLAN3. Port 1 went to both, port 2-9 went to VLAN2, port 10 through 16 went to VLAN3. He also mentioned to make sure to give each port a PVID? Make sense or no?
 
Sounds like you're trying to do router-on-a-stick. I don't know if the Tomato firmware supports that.
 
Not too sure what that means, but I figured this would work from reading some threads here.

I should be able to share 1 internet on a VLAN right? I am messing with it now. Any ideas would be great.
 
Looked that up, but they don't need to be different subnets.

Each VLAN could be handed out IPs in the same range for all I care, I just don't want them talking to each other. That isn't possible without higher end equipment?

People mentioned in a few threads about how they wanted to have separate wifi for customers that can't have access to company computers, they recommended VLANs. I have a Linksys SRW switch that I could try but I believe it has the same options as the Dell switches.
 
When I've employed tagged VLAN'ing..that's when you have switches share a common uplink, and you have VLANs share that same uplink from switch to switch. So the tagging identifies the traffic as it comes out on each end..and the switch separates it again based on VLAN.

In Marley's case, he doesn't need tagged VLANs...IMO.

I've set up what I posted above several times..and it's still working. No fancy router..just Linksys RV0s, an Untangle firewall, or a netopia box in place. Nice simple port based VLANs.

Example
Router plugged into port 1
VLAN 1 has port 1 and ports 2-8 as members
VLAN 2 has port 1, 9-20 as members


I didn't use Dell's switches, but did with Linksys/Cisco SRW series switches, and I think an HP ProCurve 1800.
 
Your setup is great and all if you don't need to route traffic to the internet. Having 1 port carry both VLANs is the same thing as a trunk port. Trunk ports carry ALL VLAN traffic.

However, you still need dot1q tagging because the router needs to know where to route traffic to. It also needs a sub interface on its Ethernet interface so the hosts in the other network have a gateway.
 
Okay I will mess around some more.

But all I should have to do for the setup is:

VLAN 2 - port 1 and port 2-5
VLAN 3 - port 1 and port 6-9

Everything untagged?

I have a freedom9 freeGuard 100 that should be 802.1Q as it's a UTM device.
 
Make port 1 a trunk port. No need to assign VLANs to it.

Exactly, your port that connects the device to your router should be trunk so it can carry traffic from any VLAN. Your router will need tagging to send the data back out to the right VLAN.
 
When I've employed tagged VLAN'ing..that's when you have switches share a common uplink, and you have VLANs share that same uplink from switch to switch. So the tagging identifies the traffic as it comes out on each end..and the switch separates it again based on VLAN.

In Marley's case, he doesn't need tagged VLANs...IMO.

I've set up what I posted above several times..and it's still working. No fancy router..just Linksys RV0s, an Untangle firewall, or a netopia box in place. Nice simple port based VLANs.

Example
Router plugged into port 1
VLAN 1 has port 1 and ports 2-8 as members
VLAN 2 has port 1, 9-20 as members


I didn't use Dell's switches, but did with Linksys/Cisco SRW series switches, and I think an HP ProCurve 1800.

What you're talking about sounds like router on a stick. You have the router in both VLANs doing the routing, no? You're still tagging the traffic.
 
Nope, I never did tagging on the router, never set up trunking. I'm talking about simple port based VLANs. The router's port (port 1) is simply a member in both VLANs...it's a node that both VLANs can access, that's all.

When you're talking about just 1x switch or a stack of switches at the same wiring distro...not really a need to overcomplicate things with tagged VLANs. Keep it simple, port based.
 
The only way I can see that working is if both VLANs were the same subnet, and I don't know why you'd do that. What's the point? And "port based" VLANs don't really have anything to do with tagging or not tagging.
 
The router needs to support VLAN tagging so that it can send the packets back to the appropriate VLAN which it originated from. More than likely when you ping you are sent to the router and the router dumps it back without any regard for VLAN security.

Are you using a WRT54G v1.x? These units do not support VLAN tagging.

Correct, I don't know how anyone that doesn't have a router (supporting tagging) can get this to work. We have multiple HP ProCurve 5406zl's and a few 4100gl's.
 
The only way I can see that working is if both VLANs were the same subnet, and I don't know why you'd do that. What's the point?

To separate smaller networks. Example..the first time I did one...for a very small school with a small budget, K-12 under 50 students total (small island of inhabitants)

Network on a 192.168.10.xxx
Router (Untangle) at 192.168.10.1
Office comprised of 3x workstations plus a Citrix server to run their main app.
Right here is the main point for my port based VLANs...to keep the rest of the school out of the office network.

I made 4x VLANs using several switches. VLAN 1 for the office, other VLANs for the rest of the school..classrooms, library, computer lab.

Prior to using Untangle as their primary router/gateway..they were using an RV016 router..and it worked with that too.

I also have another larger network using Linksys/Cisco switches doing port based VLANs, as well as tagged VLANs. This is a golf resort..they have a fiber optic link between the main clubhouse and the beach house which also has some staff housing upstairs. The main beach house has some workstations on it which require access to the primary network/server. The staff housing upstairs is running some wireless for the staff..but they aren't allowed on the main network. They share the fiber link up to the main building..but I have tagging on both ends to split the VLANs again at the main switch.
 
YeOlde - could you log me into the switch so I could take a look? I tried it with an SRW switch I had lying around, same thing.

Or if you aren't catching up from yesterday I could have you log into my boxen.
 
To separate smaller networks. Example..the first time I did one...for a very small school with a small budget, K-12 under 50 students total (small island of inhabitants)

Network on a 192.168.10.xxx
Router (Untangle) at 192.168.10.1
Office comprised of 3x workstations plus a Citrix server to run their main app.
Right here is the main point for my port based VLANs...to keep the rest of the school out of the office network.

I made 4x VLANs using several switches. VLAN 1 for the office, other VLANs for the rest of the school..classrooms, library, computer lab.

Prior to using Untangle as their primary router/gateway..they were using an RV016 router..and it worked with that too.

I also have another larger network using Linksys/Cisco switches doing port based VLANs, as well as tagged VLANs. This is a golf resort..they have a fiber optic link between the main clubhouse and the beach house which also has some staff housing upstairs. The main beach house has some workstations on it which require access to the primary network/server. The staff housing upstairs is running some wireless for the staff..but they aren't allowed on the main network. They share the fiber link up to the main building..but I have tagging on both ends to split the VLANs again at the main switch.

I bet if you did a show trunk on your Cisco switches you'll see they auto trunked.

The only way you can do "port based vlans" with a router and not trunk the ports or have a sub interface that does VLAN tagging is to put the VLANs in the same subnet. That defeats the purpose of VLANs.
 
I bet if you did a show trunk on your Cisco switches you'll see they auto trunked.

The only way you can do "port based vlans" with a router and not trunk the ports or have a sub interface that does VLAN tagging is to put the VLANs in the same subnet. That defeats the purpose of VLANs.

He's not using Cisco switches for it, I don't believe. Cisco switches don't work like that, at least not the regular stuff, maybe the express stuff does. HP, Dell and other switches let you make ports members of multiple VLANs (without tagging), so you end up with separated hosts that can be on the same subnet using the same router. Doing that defeats the usual purpose of VLANs, but serves his purposes as all he wants is to isolate the hosts. It's kind of like using private VLANs with Cisco.
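The two forwarding behaviours argued about in this thread can be checked without a switch. The following is an added example, not something posted in the thread or shipped by Dell: a toy model of (A) pure port-based membership, where a frame may leave on any port that shares at least one VLAN with the port it entered on (the HP/Dell/SRW style setup described in the post above), and (B) 802.1Q behaviour, where an untagged frame is assigned the ingress port's PVID and may only leave on members of that VLAN, which is why the earlier posts say the router must tag, or the uplink must be a trunk with sub-interfaces. Port numbers and VLAN IDs are the thread's; the PVID assignments (hosts get their own VLAN, the uplink is assumed to use PVID 2) and the function names are assumptions for the example. It runs over the OP's first attempt (VLAN 1 still holding every port), the split configuration with port 1 removed from VLAN 1, and the router-on-a-stick variant.

```python
from itertools import combinations

UPLINK = 1                  # port 1: the router/gateway, as in the thread
HOSTS = range(2, 17)        # ports 2-16 of a 16-port switch

# OP's first attempt: VLAN 2 and 3 created, but the default VLAN 1 still holds every port.
OP_FIRST_TRY = {
    1: set(range(1, 17)),
    2: set(range(1, 10)),
    3: {1} | set(range(10, 17)),
}
# Port 1 taken out of VLAN 1 (the fix suggested earlier); VLAN 1 left unused.
SPLIT = {
    2: set(range(1, 10)),
    3: {1} | set(range(10, 17)),
}
# Assumed PVIDs for model B: host ports get their own VLAN, the uplink has to pick one.
PVID = {p: 2 for p in range(1, 10)}
PVID.update({p: 3 for p in range(10, 17)})


def reach_port_based(vlans, ingress, egress):
    """Model A: forward iff some VLAN contains both the ingress and the egress port."""
    if ingress == egress:
        return False
    return any({ingress, egress} <= members for members in vlans.values())


def reach_dot1q(vlans, pvid, ingress, egress, tag=None):
    """Model B: untagged frames take the ingress PVID, tagged frames keep their VID;
    the frame may only leave on a member port of that VLAN (ingress filtering on)."""
    if ingress == egress:
        return False
    vid = pvid[ingress] if tag is None else tag
    members = vlans.get(vid, set())
    return ingress in members and egress in members


def reach_router_on_stick(ingress, egress):
    """Model B where the router on port 1 tags each frame with the VLAN it is for
    (one sub-interface per VLAN); host ports still send untagged."""
    tag = (2 if egress < 10 else 3) if ingress == UPLINK else None
    return reach_dot1q(SPLIT, PVID, ingress, egress, tag=tag)


def cross_vlan_pairs(reach):
    """Host pairs spanning ports 2-9 and 10-16 that can still exchange a frame
    in at least one direction. Empty set == the isolation the OP wants."""
    return {(a, b) for a, b in combinations(HOSTS, 2)
            if (a < 10) != (b < 10) and (reach(a, b) or reach(b, a))}


def gateway_ok(reach, host):
    """DHCP, ping and Internet need frames to pass both ways between host and uplink."""
    return reach(host, UPLINK) and reach(UPLINK, host)


def hosts_without_gateway(reach):
    return [h for h in HOSTS if not gateway_ok(reach, h)]


def summarize(name, reach):
    cross, no_gw = cross_vlan_pairs(reach), hosts_without_gateway(reach)
    print(f"{name}: cross-VLAN host pairs={len(cross)}, hosts with no working gateway={no_gw}")
    return len(cross), no_gw


if __name__ == "__main__":
    summarize("A port-based, VLAN 1 still has all ports",
              lambda i, e: reach_port_based(OP_FIRST_TRY, i, e))
    summarize("A port-based, port 1 out of VLAN 1",
              lambda i, e: reach_port_based(SPLIT, i, e))
    summarize("B 802.1Q, uplink untagged in both VLANs",
              lambda i, e: reach_dot1q(SPLIT, PVID, i, e))
    summarize("B 802.1Q, router tags its replies", reach_router_on_stick)
```

The first run reproduces the symptom in the opening post: with every port still in VLAN 1, all 56 cross-VLAN host pairs can reach each other. Under model A with port 1 out of VLAN 1, the two groups are isolated and every host still has a two-way path to the router, which is what YeOlde describes. Under plain 802.1Q with the uplink untagged in both VLANs, isolation holds but the router's untagged replies land only in its PVID VLAN, so ports 10-16 lose their gateway; tagging on the router side (the last run) restores it, which is the "router needs to support tagging" point made earlier.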
 
Correct...SRW series switches, not Cisco CATs.

And my goal is to keep people from VLANs from getting into other VLANs.
Example..students cannot mess with the school office computers from the network..they cannot dork around with them or mess around with them.

No traffic is crossing the VLANs...they cannot get replies if they ping machines in other VLANs..they cannot access them at all, nothing..nada.

There is my purpose and only goal of these VLANs. The switch basically chops the networks into isolated ones.
 
Well that's what I want to do, not sure why I can't. YeOlde I'm gonna bug you later =)
 