[HELP] VLANs can't fetch internet
Hello everyone!
I'm writing here today because I feel a little bit uncomfortable with the VLANs on the T1600G-52TS.
I would like to separate my 48-port switch into 3 VLANs of 12 ports.
I would like the 3 VLANs not to communicate with each other, but I want them to have internet access.
Actually, here are some examples of what I've done.
I first created 3 VLANs of 12 ports each:
After this, I was in Port config and I set the PVID for each port.
So, 1-12 have PVID 1
13-24 have PVID 10, 1
25-36 have PVID 20, 1
37-48 have PVID 30, 1
The problem is:
When I plug my computer into a port in 1-12, which is part of VLAN 1 (basic VLAN), everything is OK. But
when I plug it into VLAN 10, 20 or 30, I can't access the internet... Ports which are part of VLAN 10, 20, 30 are part of VLAN 1 too.
Why can't I get access to the internet on these VLANs? And what can I do to make these 3 separate VLANs which can't communicate but still have internet access on each?
Thank you a lot for your answers and have a nice day!
Best regards, Nihsa.
I had a similar problem until I added the port connected to the router to each of my VLANs.
I'm totally new at working with a managed switch. My problem is after I created a couple of VLANs I can't access the switch from any of the ports in the VLANs. Any thoughts?
Router: port 1
PC#1: port 2
PC#2: port 3
VLAN1 - 1-3
VLAN10 - 1, 2
VLAN20 - 1, 3
Again, the problem is I can't login to the switch from ports 2 or 3.
Nihsa wrote
Why can't I get access to the internet on these VLANs?
Because the port connected to the router isn't a member of VLANs 10, 20 and 30.
You could assign one port connected to the router to VLANs 1, 10, 20 and 30. PVID is 1. All other ports are members of the individual VLAN (10 or 20 or 30) and have the corresponding PVID. So, all frames arriving on ports in VLANs 10, 20 or 30 are tagged with the corresponding PVID and are being forwarded to the router. Responses from router are tagged with PVID 1 and are being forwarded to all VLANs.
Note that such a setup still uses a common broadcast domain over all VLANs.
A truly isolated setup would be to use a VLAN-aware router using a trunk port to the switch, three different subnets assigned to three VLANs on the router (yielding three separate broadcast domains) and switch ports with membership in only one VLAN (10, 20 or 30), but not in Default VLAN 1. The router's firewall setup would then block inter-VLAN traffic and allow access from each VLAN to the Internet. This will effectively isolate all three subnets.
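Added example (not part of any forum post): a simplified Python model of the PVID and membership rules described in the answer above, comparing the thread opener's layout with the corrected one. The router on port 1 and all function names are assumptions made for this illustration.

```python
# Simplified 802.1Q model: an untagged frame entering a port is tagged with that
# port's PVID and may leave only through ports that are members of that VLAN.
ROUTER = 1  # assumed uplink port; the thread opener does not say which port it is

def build(router_vlans):
    """Return (members, pvid) for the 48-port layout described in the thread."""
    members = {1: set(range(1, 49))}          # every port stays in Default VLAN 1
    pvid = {p: 1 for p in range(1, 13)}
    for vid, first in ((10, 13), (20, 25), (30, 37)):
        members[vid] = set(range(first, first + 12))
        pvid.update({p: vid for p in members[vid]})
    for vid in router_vlans:                  # extra memberships for the uplink port
        members[vid].add(ROUTER)
    return members, pvid

def delivers(members, pvid, src, dst):
    """True if a frame sent by the host on src can egress on dst."""
    return src != dst and dst in members[pvid[src]]

def two_way(members, pvid, a, b):
    return delivers(members, pvid, a, b) and delivers(members, pvid, b, a)

def audit(members, pvid):
    """Summarise uplink reachability and leakage between the three groups."""
    hosts = [p for p in pvid if pvid[p] != 1]
    no_uplink = [p for p in hosts if not two_way(members, pvid, p, ROUTER)]
    cross = [(a, b) for a in hosts for b in hosts
             if pvid[a] != pvid[b] and delivers(members, pvid, a, b)]
    # Ports 2-12 keep PVID 1, and VLAN 1 contains every port, so frames from
    # them egress on all host ports (the shared broadcast domain noted above).
    vlan1 = [(a, b) for a in range(2, 13) for b in hosts
             if delivers(members, pvid, a, b)]
    return {"no_uplink": len(no_uplink), "cross_group": len(cross),
            "vlan1_to_hosts": len(vlan1)}

as_posted = audit(*build(router_vlans=()))
corrected = audit(*build(router_vlans=(10, 20, 30)))

if __name__ == "__main__":
    print("as posted:", as_posted)
    print("corrected:", corrected)
```

The `vlan1_to_hosts` count stays non-zero in both layouts, which is the residual exposure that the router-based design with separate subnets removes.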
Rduhb wrote
My problem is after I created a couple of VLANs I can't access the switch from any of the ports in the VLANs. Any thoughts?
You could create a virtual interface for each VLAN. But you need different IPs for each interface, which is normally no problem since usually every VLAN is assigned a unique subnet. The switch's UI then can be reached through the IP of the virtual interface.
But the router is connected to port 1, which is included in each VLAN. Unless you’re referring to the actlan port on the router.
Rduhb wrote
But the router is connected to port 1, which is included in each VLAN. Unless you’re referring to the actlan port on the router.
A port cannot be "included in each VLAN". A port can be a member of one or more VLANs and in order to get Ethernet frames from other VLANs, the port must be a member of those VLANs, too. Thus, a VLAN could include each port (which makes it the Default or Native VLAN), but not the other way around.
The PVID of the port decides which VLAN ID is used to tag an Ethernet frame with on ingress. So, ingress frames on port 1 must be tagged with VLAN ID 1 (or any other VLAN ID) by either the switch (if it receives "untagged frames") or by the connected router/server/laptop (then it receives "tagged frames") and to get forwarded inside the switch to other ports those other ports must be members of VLAN 1 (resp. any other ID chosen for the VLAN), too.
The point regarding the thread opener's setup is that for egress frames on port 1 being forwarded from other ports, which can be tagged either with VLAN ID 10, 20 or 30, port 1 must also be a member of those VLANs in addition to its Primary VLAN 1, which makes up its Primary VLAN ID (PVID). The other ports also have a Primary VLAN; it's PVID 10 for VLAN 10, PVID 20 for VLAN 20 and PVID 30 for VLAN 30. They are by default members of VLAN 1, the Default VLAN.
No idea, though, what an "actlan port" should be.
Sorry, that was a serious typo. Meant to say "...actual port...". Thanks for the help!!! I've got a lot of research and studying to do.
Rduhb wrote
Sorry, that was a serious typo. Meant to say "...actual port...". Thanks for the help!!! I've got a lot of research and studying to do.
You're welcome. Good guides for VLAN can be found here:
Hope this helps!