VLAN Trunk Link and Performance
-
John was nice enough to help me get my network up and running with VLANS, that pic above was for me. I was pretty confused with setting everything up, especially native vlan and tagging.. here is a picture of my Vlan management page on one of my Cisco switches. You can see that port 6 and 7 are trunk ports that carry my native Wireless Lan (untagged) and VLANS 30 and 60 (actual VLANS) to my 2 wireless access points. Port 10 is my trunk that carries all networks coming in from my main Cisco switch.
-
John was nice enough to help me get my network up and running with VLANS, that pic above was for me. I was pretty confused with setting everything up, especially native vlan and tagging.. here is a picture of my Vlan management page on one of my Cisco switches.
Can you elaborate more to your setup? What's plugged in where and what VLANs and such? Hard to understand what I'm looking at without more context.
Thanks!
-
this might help.. sorry, i am at work. Vlan 10 is my LAN (physical), 20 is WLAN (physical), 30 is Guest Network (Virtual), 40 is VPN (Physical), 50 is Cameras (Physical), 60 is Wireless VPN (Virtual). Believe me, it's been a work in progress.. :) The only ACTUAL VLANS I have are 30 and 60, everything else is a physical interface. If you need any more screenshots, i can provide when i get home. The screenshots John provided me was how I eventually got it working. A picture goes a long way.
Here is another shot of my VLAN page of one Cisco and a couple of pfsense…
.jpg)
.jpg_thumb)
.jpg)
.jpg_thumb)
.jpg)
.jpg_thumb) -
Thanks Xman,
A couple questions:
1. Do you have trunk set for the links to the pfSense NIC that are not on VLANs or is it access for that link? Can't tell from the diag.
2. Are your APs powered directly from the SG300 switch without the injectors?Thanks,
C
-
here is a screenshot of the Cisco page, should answer your questions. Also, my APs are powered right off the Cisco, with no injectors. The 10 is the P model with POE . I have the pro versions of the AP, because they use standard POE, the cheaper models need the injectors. Also, keep in mind on the Sg300-28 screenshot, i haven't set up most of the ports as I am waiting for our new house to be built and am not using most of the ports at the moment. The SG300-10 is setup properly.
.jpg)
.jpg_thumb)
.jpg_thumb)
.jpg) -
ok cool. I have the 50P and a bunch of UAP-AC-PROs that I'm hoping to put on the switch as well. Will test tonight.
Also interesting you're TRUNK everywhere. I am still having trouble understanding why everyone says access. My stuff works but links to the pfSense box are on TRUNK untagged where all internal ports are access untagged. So your diag tells me this is correct in that it has to be TRUNK to work uplink. I don't have VLANS on pfSense if I can avoid it. Can I see your Interface Port to VLAN assignments?
-
I fixed the SG300-28 picture with the trunk and access ports fixed. also, to switch networks, i just have to go into the port settings and change the port membership and whatever is connected to that port will switch networks. ie. a computer plugged into port 10 can switch from regular network over to my vpn by changing the VLAN port membership of that port.
Is this the screen you are after or are you talking about PFsense screenshot?
 -
yup! That's the one. Mind sharing for the other VLANs?
-
this is the SG300-28
 -
while your device might default to all trunk.. I am at a loss to why, this is bad choice on their part if you ask me. There is no reason for those ports to be in trunk unless they are going to care more than 1 vlan.
Understanding Access and Trunk Interfaces
Ethernet interfaces can be configured either as access ports or a trunk ports, as follows:
An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.
A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously.From cisco page
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.htmlwhat I would do with your default setup is change all the ports to ACCESS.. Unless your going to have other switches connected to it, AP with vlans or to a router with vlans on a physical interface ports should be in access mode. Trunk ports are for 1 going to take longer to come up. There is zero point to leaving your ports in trunk unless they need to carry tagged traffic.
Its possible the ports default to auto mode and try to determine what they should be, if they have issue figuring that out they might default to trunk mode. I would have to dig deeper into why your ports are all trunk after a factory reset.
https://supportforums.cisco.com/discussion/12476171/switch-port-modes
Lets be clear your ports should ALL be access, Unless your going to link to another switch or AP or to a port on a router that will have multiple vlans on it.
We could also debate the use of the default vlan 1. In an enterprise/security setup this is normally a big no no. You would set different vlan other than 1 to use for management and all ports would be moved to a holding vlan other than 1 until they need to be placed in the vlan they will be used for. This is to keep mistakes from happening since switches all come up with default vlan 1, so if you do not turn off all your ports they would all be in the default vlan - so in this scenario it would be possible that someone might connect and be on a network you don't wan them in and be able to access resources your management of your infrastructure, etc..
In a HOME setup to me this just adds complexity for no reason. I don't see a problem with just leaving your main lan and even management of your devices all in your default lan, which would be vlan 1. But just be warned that from a pure security standpoint its bad practice to do that. You might get suggestions to change your management vlan, and don't use vlan 1. This way if you forget to configure a port or something worse case someone connects they are connected to nothing else, etc.
Good security practice is also to disable all ports that are not in use.. Ie admin down them until such time they are need. But we are talking a HOME network.. Which just adds more work when you want to plug something in ;) Which is prob not something you want to do. I would suggest you put all your ports into the vlan your going to use most often when you plug in a new device. The will most likely be your lan and its ok to leave that as just default vlan 1. Unless your worried about people coming into your home and plugging stuff in and being on your lan? ;)
