Need some guidance on VLAN setup
I'm working on setting up one or more VLANs to keep traffic from a subnet of camera systems isolated from the rest of my network. I'm a bit unsure of exactly what I need to do, and I'm hoping for some guidance. There is a bit of a wrinkle in that my WiFi access points need to support two separate SSIDs, each with access to either the camera system, or the rest of the network, but not both.
Network topology I'm aiming for:
Other --------------------+ ports -------------------+ | go to ------------------+ | | +--------------- Ports 21-23 primary -------+ | | | | +------------ connect to Ubiquiti network --+ | | | | | | +-------- Unifi Wifi APs devices | | +-+ | | | | | | | | ++ | | | | +----------+ | | | | | | | | | | +---------+--+--------+--+--+-----+--+--+--+---+ | | 5 6 7 8 13 14 15 16 21 22 23 24 | | | | | | TP+Link JetStream T1600G+28PS | | | | | | 1 2 3 4 9 10 11 12 17 18 19 20 | | +---+-----------------------------+--+---------+ | | | | | | | | Ports 17 | | | +---- thru 20 go | | +------- to VLAN4 | | camera | | subnets | | +-------------------------------------+ | | +---+-----------+-------------+ | 1 2 3 4 <-LAN | Port 1 runs DHCP server for | | xx.xx.88.xx subnet. | Peplink Balance 20 Router | Port 4 is VLAN4 (tagged), and | | runs DHCP server for | 1 2 3 <-WAN | xx.xx.44.xx subnet. +---+-------------------------+ | | +----------> ISP1
Goals I want to achieve:
- Devices on ports 2-16 are in default VLAN (88.xx IP subnet) and can all see each other.
- Devices on ports 17-20 are in VLAN4 (44.xx IP subnet) and can see each other.
- Devices in different VLANs (different IP subnets) cannot see each other.
- WiFi access points on ports 21-23 need to forward traffic for both VLANs (both IP subnets)
- Router runs separate DHCP server for each IP subnet.
Current setup:
- Router has a default VLAN (untagged) that is assigned to ports 1-3. It has VLAN4 (ID=4) and is assigned to port 4.
- Router does have DHCP servers setup for the separate VLANs (and I've tested this via direction connection to port 4 on the router -- it works as planned).
- Switch is not yet configured (this is what I need some guidance on).
- WiFi APs are configured with one SSID for main network, which is not associated with a VLAN, and another SSID for the camera network, which is tagged for VLAN4. This is not yet tested because the switch config is obviously pretty critical to get this working...
Questions (and apologies in advance if these are really basic -- I'm fairly new to VLANs as a concept, and have never configured one before):
- Can the switch be configured to do what I need with the router and WiFi APs configured as they are now ("default" network is untagged -- only VLAN4 is tagged)? Or do I need to change router and WiFi AP config to tag everything?
- If I change router/WiFi configs to tag everything, is there any configuration on endpoint devices required to ensure access isn't broken or limited in unexpected ways?
- Do I need to be careful about other switches on the network, and how they are configured (assuming there are no loops downstream, of course)?
Grateful for any advice or feedback!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@RonNaija , thanks for these comments. Really helped me crystalize some key points in my understanding. More importantly, your comments correctly shifted my attention to settings on the ROUTER, where the port was in the wrong mode for communicating with the VLAN-aware switch. I've fixed my problem now, and everything works as I'd hoped!
I think I have a correct matrix of rules and behaviors now that seems consistent with the behavior I've seen (explains both the incorrect behavior and the correct behavior I now have). I'll post it here in case it helps others. And of course, if I got something wrong here, I'd be very grateful to have someone point out the error in my thinking! And others will likely find it helpful to. So please, shoot at this!
First some general rules for designing a network with VLAN-aware components:
VLAN Network Design Rules:
Rule ID | Rule |
---|---|
ND1 | When considering what parts of the network are VLAN-aware, it's best to think of each link (i.e., a single piece of wire between two devices), rather than each device. Either the link is VLAN-aware, or it is a dumb link. |
ND2 | For a link to be VLAN-aware, both devices must be VLAN-aware, and must be configured to send VLAN-tagged frames on that link. |
ND3 | If either endpoint of the link is not VLAN-aware, the link can only be a dumb link. No frames should be VLAN-tagged on a dumb link, ever. So, if either device is VLAN-aware, it must be configured to send only untagged frames on that link. |
In my case, this last rule was the key. My router had the port for VLAN4 set in "Access" mode, which (in my router's terminology) meant that it assumed the device on the other end was not VLAN-aware, and it was sending only untagged frames. Changing the port to "Trunk" mode made everything work with the settings I have on the switch (which I'll show later).
Now, some general rules and behavior matrices for understanding what happens in the TP-Link switch:
TP-Link JetStream Switch: Rules for VLANs and Tags
Number |
Rule |
Comments |
J1 |
There is always at least one VLAN defined |
Initially there is one “default” VLAN defined, as VLAN 1. It is set up so that every incoming frame is forwarded to every other port. It’s possible to change that VLAN definition, of course, or even to remove it— so long as at least one other VLAN definition exists and other rules are satisfied. |
J2 |
Every port belongs to at least one VLAN, and has a Primary VLAN (PVID) |
Initially, all ports belong to the default VLAN. You can remove ports from the default VLAN, but only if they are first added to some other VLAN. |
J3 |
All frames are tagged inside the switch |
Inbound frames may be untagged when they reach the switch, but once they are admitted into the switch, they are tagged. The frames may end up being untagged again when they are forwarded, depending on the settings of the target port. But it’s important to understand that inside the switch, ALL frames are tagged with a VLAN id. |
TP-Link JetStream Switch: FRAME INGRESS (Frames coming into a given source port)
Port Config Ingress Checking |
Port Config Acceptable Frame Types |
If Inbound Frame is Untagged… |
If Inbound Frame is Tagged with VLAN, where port is a Member… |
If Inbound Frame is Tagged with VLAN where port is NOT a Member… |
ENABLED |
Admit All |
Frame is admitted and is tagged with PVID of ingress port |
Frame is admitted as-is (existing tag is preserved) |
Frame is dropped (rejected). |
ENABLED |
Tagged Only |
Frame is dropped (rejected). |
Frame is admitted as-is (existing tag is preserved) |
Frame is dropped (rejected). |
Disabled |
Admit All |
Frame is admitted and is tagged with PVID of ingress port |
Frame is admitted as-is (existing tag is preserved) |
Frame is admitted as-is (existing tag is preserved) |
Disabled |
Tagged Only |
Frame is dropped (rejected). |
Frame is admitted as-is (existing tag is preserved) |
Frame is admitted as-is (existing tag is preserved) |
TP-Link JetStream Switch: FRAME EGRESS (Frames being forwarded to a given target port)
(and remember, by rule J3 above, ALL frames are tagged inside the switch, so for egress, there are only these three cases to consider...)
Considering the frame’s VLAN tag, if… |
…then: |
Port is in VLAN as TAGGED Port |
Frame will be forwarded on this port (existing VLAN tag will be preserved) |
Port is in VLAN as UNTAGGED Port |
VLAN tag will be stripped, and frame will be forwarded as untagged on this port |
Port is NOT a Member of VLAN |
Frame will not be forwarded on this egress port |
So applying these rules to my scenario, my settings needed to be:
VLAN4 (have to define this first):
- UNTAGGED Ports: 17-20
- These are the ports that connect to the camera subnets, which are not VLAN-aware. Rule ND3 says this has to be a dumb link, and therefore should not have tagged frames, so these ports must be UNTAGGED in this VLAN.
- TAGGED Ports: 21-24
- Ports 21-23 connect to the Unifi WAPs, which are VLAN-aware, and port 24 connects to the router, which is also VLAN-aware. Rule ND2 says VLAN-aware links need to use tagged frames on both ends, so these ports must be set as TAGGED in this VLAN.
VLAN1 (default):
- UNTAGGED Ports: 1-16, 21-23
- Note that I've removed ports 17-20 and port 24 from Untagged ports in this VLAN. These ports will now belong *exclusively* to VLAN4, which effectively partitions the network as I intended. This is why I had to create VLAN4 first -- Rule J2 says every port must belong to at least one VLAN, so these ports had to be added to VLAN4 before they could be removed from VLAN1.
- Note also that ports 21-23 are in both VLANs. This is key, because this link will carry frames for both VLANs, and they Unifi WAPs will send traffic for the different VLANs to different WLANs (different SSIDs).
- TAGGED Ports: (none)
Port Config:
- Ports 1-16 and Ports 21-23 keep default configuration: PVID=1; Ingress Checking = ENABLED; Acceptable Frame Types = "Admit All".
- The setting for ports 21-23 matters becuase the Unifi APs will send tagged frames for the WLAN that's associated with VLAN4, but for the other WLAN (that isn't associated with any VLAN), they will send untagged frames. So, PVID must still be 1 here in order to keep those untagged frames logically in VLAN1.
- Note that I could have done this a different way -- I could have set up the WLAN for the main network to require VLAN tags, and then all traffic on the switch<->WAP links would be tagged. I could then have set Acceptable Frame Types = "Tagged Only". Perhaps that would have been clearer, especially for explaining these rules and setup. But functionally, it would make zero difference in my case, since I only have two logically-separate networks that I care about. That I'm able to do it they way I did is perhaps a consequence of the default behaviors of the component I happen to be using-- if I had been using a different vendor's VLAN-aware WAPs, I might have had to do the tagged-only thing here...
- The setting for ports 21-23 matters becuase the Unifi APs will send tagged frames for the WLAN that's associated with VLAN4, but for the other WLAN (that isn't associated with any VLAN), they will send untagged frames. So, PVID must still be 1 here in order to keep those untagged frames logically in VLAN1.
- Ports 17-20, and port 24 change to: PVID=4; Ingress Checking = ENABLED; Acceptable Frame Types = "Admit All".
- For Ports 17-20, we must have "Admit All", since all incoming frames from the dump camera subnet will be untagged.
- For Port 24, the setting doesn't really matter, because all frames from the router will be tagged with VLAN4. So we could change to "Tagged Only", but it wouldn't change any behavior.
And that's it! It seems relatively simple now, but it sure took a lot of thought and research to figure this out. I wish TP-Link's Web Config portal and User Documentation did a better job of explaining the *basics* so you didn't have to try to find and study 6 examples (none of which seem to match your own scenario) and just infer the basic rules of behavior to guide you to the right settings.... Anyway -- I hope this helps others! Thanks again for your help!
- Copy Link
- Report Inappropriate Content
Read this VLAN configuration guide. https://www.tp-link.com/us/configuration-guides/configuring_802_1q_vlan/?configurationId=18026
- Copy Link
- Report Inappropriate Content
@Yannie, thanks for the links. I do have the user guide and have read the relevant sections (the content of first link you posted appears verbatim in the user manual for my switch); I do not find the guide to be clear enough. Frankly, it confused me--some statements are vague, and others seem to contradict what the interface implies. Even basic things like whether a port can be both tagged and untagged in a given VLAN are not clear from the documentation (I had to discover through trial and error that adding a port as tagged removes it from the untagged ports for that same VLAN and vice-versa). Perhaps I'm too literal, or just expect too much precision and clarity from user documentation. But regardless, the docs are just not enough to help me over the hump. That's why I was hoping for specific guidance from this community of experts. :)
Perhaps I should just ask some very specific questions. I've seen in other forum posts where folks have shared a table of behavior for different settings, but they haven't always agreed with documentation (as I read it) or are perhaps incomplete. So let me try to include a table summarizing my understand (or lack thereof) for ingress, and another for egress, and then ask a few questions.
FRAME INGRESS (on a given port):
Port Config |
|
Incoming Frame Tagged State |
|
|
Ingress Checking |
Acceptable Frame Types |
Untagged |
Tagged with PVID |
Tagged VLAN != PVID |
ENABLED |
Admit All |
Frame is admitted and becomes tagged with PVID of ingress port |
Frame is admitted and remains tagged with PVID of ingress port
|
?? (a) |
|
Tagged Only |
?? (b) |
Frame is admitted and remains tagged with PVID of ingress port
|
Frame is dropped (rejected). |
Disabled |
Admit All |
Frame is admitted and tagged with PVID of ingress port |
Frame is admitted and remains tagged with PVID of ingress port
|
Frame is admitted and remains tagged with non-matching PVID |
|
Tagged Only |
?? (c) |
Frame is admitted and remains tagged with PVID of ingress port
|
Frame is admitted and remains tagged with non-matching PVID |
FRAME EGRESS (on a given port)
Membership of Port in VLAN given by Port’s PVID |
Outgoing Frame Tagged State |
|
|
|
Untagged |
Tagged with PVID |
Tagged VLAN != PVID |
Port is in VLAN as TAGGED |
Frame will become tagged with PVID of egress port and will be forwarded |
Frame will be forwarded as-is on egress port (PVID VLAN tag will remain) |
Frame will not be forwarded on this egress port |
Port is in PVID as UNTAGGED |
Frame will be forwarded as-is on egress (still untagged frame) |
Tag will be stripped, and frame will be forwarded as untagged frame on this egress port |
Frame will not be forwarded on this egress port |
Given these tables, could someone answer the following questions:
- If everything in these tables were filled in, are these tables complete (correctly formed, with rows and columns covering all scenarios)? Or have got the columns and rows wrong, because of some incorrect assumptions or misunderstandings? If I got it wrong, please help me understand how to correct it.
- Assuming table organization is complete, for the cells where I've described expected behavior, is my description correct?
- Now for the missing bits: In the INGRESS table, what is the expected behavior for cell (a)?
- Same question for cell (b)?
- Same question for cell (c)?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Yannie I don't think those example are100% complete. I followed them and couldn't get my Vlans working.
The examples / guidance note you pointed to focuses on vlan configurations for the switches and WAPs and is totally silent on the fact that Vlans need to be on different subnets to achieve the required network isolation as such I believe you need a Vlan aware ROUTER to issue out the right IP addresses for the various devices connecting through your WAP to the Vlans.
I have ordered the new TP-Link TL-R605 router, once it arrives I shall test me theory and if it works I shall provide an updated guide on Vlan setup
- Copy Link
- Report Inappropriate Content
@tauchris I have done considerable research on this and basically what is consistent here is that you have to TAG:
- All ports connecting your Switch to the WAPs
- All ports connecting switches together
- All Ports connecting your Router to Switches
Your Router, Switches & WAPS must be Vlan aware.
All other ports connecting other network devices (TVs, Computers etc) to your switch should be untagged.
- Copy Link
- Report Inappropriate Content
@RonNaija , thanks for these comments. Really helped me crystalize some key points in my understanding. More importantly, your comments correctly shifted my attention to settings on the ROUTER, where the port was in the wrong mode for communicating with the VLAN-aware switch. I've fixed my problem now, and everything works as I'd hoped!
I think I have a correct matrix of rules and behaviors now that seems consistent with the behavior I've seen (explains both the incorrect behavior and the correct behavior I now have). I'll post it here in case it helps others. And of course, if I got something wrong here, I'd be very grateful to have someone point out the error in my thinking! And others will likely find it helpful to. So please, shoot at this!
First some general rules for designing a network with VLAN-aware components:
VLAN Network Design Rules:
Rule ID | Rule |
---|---|
ND1 | When considering what parts of the network are VLAN-aware, it's best to think of each link (i.e., a single piece of wire between two devices), rather than each device. Either the link is VLAN-aware, or it is a dumb link. |
ND2 | For a link to be VLAN-aware, both devices must be VLAN-aware, and must be configured to send VLAN-tagged frames on that link. |
ND3 | If either endpoint of the link is not VLAN-aware, the link can only be a dumb link. No frames should be VLAN-tagged on a dumb link, ever. So, if either device is VLAN-aware, it must be configured to send only untagged frames on that link. |
In my case, this last rule was the key. My router had the port for VLAN4 set in "Access" mode, which (in my router's terminology) meant that it assumed the device on the other end was not VLAN-aware, and it was sending only untagged frames. Changing the port to "Trunk" mode made everything work with the settings I have on the switch (which I'll show later).
Now, some general rules and behavior matrices for understanding what happens in the TP-Link switch:
TP-Link JetStream Switch: Rules for VLANs and Tags
Number |
Rule |
Comments |
J1 |
There is always at least one VLAN defined |
Initially there is one “default” VLAN defined, as VLAN 1. It is set up so that every incoming frame is forwarded to every other port. It’s possible to change that VLAN definition, of course, or even to remove it— so long as at least one other VLAN definition exists and other rules are satisfied. |
J2 |
Every port belongs to at least one VLAN, and has a Primary VLAN (PVID) |
Initially, all ports belong to the default VLAN. You can remove ports from the default VLAN, but only if they are first added to some other VLAN. |
J3 |
All frames are tagged inside the switch |
Inbound frames may be untagged when they reach the switch, but once they are admitted into the switch, they are tagged. The frames may end up being untagged again when they are forwarded, depending on the settings of the target port. But it’s important to understand that inside the switch, ALL frames are tagged with a VLAN id. |
TP-Link JetStream Switch: FRAME INGRESS (Frames coming into a given source port)
Port Config Ingress Checking |
Port Config Acceptable Frame Types |
If Inbound Frame is Untagged… |
If Inbound Frame is Tagged with VLAN, where port is a Member… |
If Inbound Frame is Tagged with VLAN where port is NOT a Member… |
ENABLED |
Admit All |
Frame is admitted and is tagged with PVID of ingress port |
Frame is admitted as-is (existing tag is preserved) |
Frame is dropped (rejected). |
ENABLED |
Tagged Only |
Frame is dropped (rejected). |
Frame is admitted as-is (existing tag is preserved) |
Frame is dropped (rejected). |
Disabled |
Admit All |
Frame is admitted and is tagged with PVID of ingress port |
Frame is admitted as-is (existing tag is preserved) |
Frame is admitted as-is (existing tag is preserved) |
Disabled |
Tagged Only |
Frame is dropped (rejected). |
Frame is admitted as-is (existing tag is preserved) |
Frame is admitted as-is (existing tag is preserved) |
TP-Link JetStream Switch: FRAME EGRESS (Frames being forwarded to a given target port)
(and remember, by rule J3 above, ALL frames are tagged inside the switch, so for egress, there are only these three cases to consider...)
Considering the frame’s VLAN tag, if… |
…then: |
Port is in VLAN as TAGGED Port |
Frame will be forwarded on this port (existing VLAN tag will be preserved) |
Port is in VLAN as UNTAGGED Port |
VLAN tag will be stripped, and frame will be forwarded as untagged on this port |
Port is NOT a Member of VLAN |
Frame will not be forwarded on this egress port |
So applying these rules to my scenario, my settings needed to be:
VLAN4 (have to define this first):
- UNTAGGED Ports: 17-20
- These are the ports that connect to the camera subnets, which are not VLAN-aware. Rule ND3 says this has to be a dumb link, and therefore should not have tagged frames, so these ports must be UNTAGGED in this VLAN.
- TAGGED Ports: 21-24
- Ports 21-23 connect to the Unifi WAPs, which are VLAN-aware, and port 24 connects to the router, which is also VLAN-aware. Rule ND2 says VLAN-aware links need to use tagged frames on both ends, so these ports must be set as TAGGED in this VLAN.
VLAN1 (default):
- UNTAGGED Ports: 1-16, 21-23
- Note that I've removed ports 17-20 and port 24 from Untagged ports in this VLAN. These ports will now belong *exclusively* to VLAN4, which effectively partitions the network as I intended. This is why I had to create VLAN4 first -- Rule J2 says every port must belong to at least one VLAN, so these ports had to be added to VLAN4 before they could be removed from VLAN1.
- Note also that ports 21-23 are in both VLANs. This is key, because this link will carry frames for both VLANs, and they Unifi WAPs will send traffic for the different VLANs to different WLANs (different SSIDs).
- TAGGED Ports: (none)
Port Config:
- Ports 1-16 and Ports 21-23 keep default configuration: PVID=1; Ingress Checking = ENABLED; Acceptable Frame Types = "Admit All".
- The setting for ports 21-23 matters becuase the Unifi APs will send tagged frames for the WLAN that's associated with VLAN4, but for the other WLAN (that isn't associated with any VLAN), they will send untagged frames. So, PVID must still be 1 here in order to keep those untagged frames logically in VLAN1.
- Note that I could have done this a different way -- I could have set up the WLAN for the main network to require VLAN tags, and then all traffic on the switch<->WAP links would be tagged. I could then have set Acceptable Frame Types = "Tagged Only". Perhaps that would have been clearer, especially for explaining these rules and setup. But functionally, it would make zero difference in my case, since I only have two logically-separate networks that I care about. That I'm able to do it they way I did is perhaps a consequence of the default behaviors of the component I happen to be using-- if I had been using a different vendor's VLAN-aware WAPs, I might have had to do the tagged-only thing here...
- The setting for ports 21-23 matters becuase the Unifi APs will send tagged frames for the WLAN that's associated with VLAN4, but for the other WLAN (that isn't associated with any VLAN), they will send untagged frames. So, PVID must still be 1 here in order to keep those untagged frames logically in VLAN1.
- Ports 17-20, and port 24 change to: PVID=4; Ingress Checking = ENABLED; Acceptable Frame Types = "Admit All".
- For Ports 17-20, we must have "Admit All", since all incoming frames from the dump camera subnet will be untagged.
- For Port 24, the setting doesn't really matter, because all frames from the router will be tagged with VLAN4. So we could change to "Tagged Only", but it wouldn't change any behavior.
And that's it! It seems relatively simple now, but it sure took a lot of thought and research to figure this out. I wish TP-Link's Web Config portal and User Documentation did a better job of explaining the *basics* so you didn't have to try to find and study 6 examples (none of which seem to match your own scenario) and just infer the basic rules of behavior to guide you to the right settings.... Anyway -- I hope this helps others! Thanks again for your help!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2209
Replies: 6
Voters 0
No one has voted for it yet.