VLANs. Use an assigned interface as parent?
-
@awebster said in VLANs. Use an assigned interface as parent?:
In the Cisco world a trunk is considered to be an interface that will pass all the vlans (unless explicitly listed), but in the HP/Aruba world, trunk means an aggregate interface that might run LACP.
I first came across VLANs on Adtran gear, which used trunk and access ports, just like Cisco. Adtran's AOS is pretty much a clone of Cisco's IOS.
I agree there's a lot of misinformation and superstition around VLANs, as many people don't understand them. Also, different names for the same thing from different companies is nothing new. I have many years' experience in the telecom field, and just working with someone from a different carrier often involves determining what they mean by a certain term.
-
My tiny brain is still having a hard time wrapping my head around everything VLAN-related. The last time I mentioned how I was weak on VLANs, someone recommended I read this 600+ page book...
@awebster I think I may have understood 4 or 5 of the words you used...
-
@KOM said in VLANs. Use an assigned interface as parent?:
My tiny brain is still having a hard time wrapping my head around everything VLAN-related. The last time I mentioned how I was weak on VLANs, someone recommended I read this 600+ page book...
A VLAN is supposed to look like a physically separate network, even though it's sharing the network. As mentioned, a VLAN simply has a 4 byte tag inserted, which the hardware recognizes as a separate "network". The tag uses a different Ethertype value, to differentiate it from other Ethernet traffic. Other frame types, such as IPv4, IPv6, IPX and many more, have a different Ethertype value. The only way traffic is supposed to pass between different VLANs (and native LAN) is via a router or layer 3 switch. Some people will try to claim some hardware will not pass VLAN frames. This is nonsense, as any Ethernet switch, etc., is supposed to be able to pass EVERY frame type. The only possible issue would be ancient gear that can't handle the extra 4 bytes, when the full 1500 byte MTU is used. In that case, just configure the network for 1496 MTU and problem solved. However, given that it's been 20 years since the frame size was expanded to handle VLAN tags and more, that would have to be really ancient gear.
So, if you're working with VLANs, just consider them to be separate networks, connected via a router, and you'll be fine.
-
Yeah, like you say @awebster, I'm experimenting with VLANs on my Cisco and, using the wizard, it set the port to trunk, but I can manually select access mode if I want a single VLAN to pass. Also I've made some tests with other switches; I was unable to find an unmanaged switch that was unable to pass VLAN tags. I think we were discussing it with @JKnott in another thread? Well, even Chinese 5 port shit was able to handle it. Not that I'm suggesting using it for that, but it was a curiosity that I had to satisfy.
-
I understand at an abstract level. I think my main problem with them is knowing the proper flow of things, and a zillion What if? and What about? questions that you don't typically find answers to in a book. For example, I don't understand the circumstances under which tags are added or removed, or why you would want untagged traffic for scenario X but tagged for Y, etc. Fortunately for me, I don't really need to care about them at the moment -- just like IPv6.
-
Incidentally, several years ago, I worked on a network with 3 VLANs on top of the native LAN. It was in a retirement home. The native LAN was the office network, with VLANs for the VoIP phone system, residents' Internet access and management separate from the native LAN, so that users couldn't interfere with device configuration, even if they had the password. The WiFi access points also used the VLANs for separate staff and resident SSIDs.
-
I have a Ubiquiti LR-AP and I've wanted to segment the trusted house wifi traffic versus untrusted, but I run a Mikrotik hEX at home and I have no idea how to do VLANs on it (I have no desire to learn either since I hate their interface.) Maybe one day if I can ever afford a Netgate device, I'll reconfigure everything.
-
As I said, start with thinking in terms of separate networks. Then apply VLANs as necessary. The VLAN tags are used only on trunk ports, where you want to have more than one "network". This is often used with VoIP phones and multiple SSID access points. Access ports do not ever carry tags, other than in the unique exception of some switches that can recognize VoIP phones and put them on the VLAN. The phones (or other equipment) are recognized by the MAC address prefix, which is configured into the switch. The tags are added or removed by switches and other equipment configured to use them. For example, pfSense can be configured to use VLANs. So, it would add the appropriate tag when sending a frame and remove it from received frames. In a managed switch, you could have several VLANs on the trunk port and the switch sorts them out to the various access ports, where the tag is removed.
One very useful way to learn about this is with packet capture. Managed switches generally have a port mirror function, where a computer running Wireshark can monitor traffic for a different switch port. With Wireshark, you can examine the frames, see the VLAN value and more. In fact, a few years ago, I bought a cheap 5 port managed switch, just for that purpose.
-
I have no experience with either Ubiquiti or Mikrotik, so I can't help you with them, but the principles should still apply.
-
Access ports do not ever carry tags
Ubiquiti apparently allows you to define multiple SSIDs on different VLANs, so it must have some notion of them. Or is this me not understanding again?
Mikrotik is a nice little affordable unit but it's based on iptables and their interface is powerful but difficult. I would much prefer a Netgate box but I don't have $350 for a home router. The Mikrotik was $130 for a PoE unit with 5 switch ports.
-
@KOM said in VLANs. Use an assigned interface as parent?:
Ubiquiti apparently allows you to define multiple SSIDs on different VLANs, so it must have some notion of them. Or is this me not understanding again?
Yes. If a port carries VLANs it's a trunk port and if not it's an access port, according to Cisco. Ubiquiti may have different terms for the same thing. That access port will connect to a trunk port on the switch, so that the VLANs will be available. It then strips off the VLAN tags, when sending the frames to the appropriate SSID.
-
@KOM said in VLANs. Use an assigned interface as parent?:
@awebster I think I may have understood 4 or 5 of the words you used...
While I am not an educator by any stretch of the imagination, I do, in my role as network architect, spend a lot of my day explaining networking concepts to my clients, so any feedback you can bring on how I can make it clearer / better would be much appreciated.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
So, if you're working with VLANs,
... you must absolutely, unequivocally, unconditionally, without a doubt, be using a managed switch. I had to add this in because VLAN questions come up pretty frequently on the forums only to discover after a bunch of back-and-forth, that the OP isn't using a managed switch!
-
A managed switch is needed if you want to configure VLANs, separate access ports from trunks, etc. An unmanaged switch will pass VLANs just fine, but that's all it can do, management has to be done elsewhere. Regardless, I am in favour of managed switches in general. These days, I would only put a dumb switch in a situation where a managed switch would bring no advantage. On my home network, I have a managed switch, but also an unmanaged one in my living room, connecting my TV, A/V receiver, Blu-ray player and PVR to the single Ethernet port there.
-
@JKnott I have seen both managed and unmanaged switches do strange things:
- An HP 8 port managed (1800-8G) switch, which while it appears to work properly on the surface, with IPv6 DHCPv6 it is completely broken, the connected device gets an IPv6 address on every VLAN, despite it not being configured to allow those VLANs!
- Netgear GS110TP managed switch allows you to configure more than one untagged VLAN on a single port.
- Unmanaged switches, typically the cheap Chinese variety, not passing any frames with VLAN tags.
-
@awebster said in VLANs. Use an assigned interface as parent?:
- Unmanaged switches, typically the cheap Chinese variety, not passing any frames with VLAN tags.
If you know, does this confuse the Ethernet controller, then everything gets dropped?
Jeff
-
Then those switches are defective. That HP sounds like the TP-Link switches.
Also, what is an unmanaged switch doing checking for a VLAN tag? The contents of the Ethertype field in the tag are all that make the difference between a VLAN and any other Ethernet frame type. The Ethertype field is just data in the frame. That same field, in addition to the Ethertype on DIX II, is used for length with 802.3 Ethernet, which means any value, up to 1500, is valid. Do unmanaged switches check for the contents of that field, when they're not supposed to?
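A worked example of the frame mechanics discussed in this thread (the 4 byte 802.1Q tag and its Ethertype, a trunk-side device such as a pfSense VLAN interface adding the tag and an access port stripping it, and the type-versus-802.3-length reading of that field). This is added illustration code, not anything posted by the thread's participants; the sample frame is constructed.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that marks an 802.1Q-tagged frame
MAX_8023_LENGTH = 1500    # field <= 1500 is an 802.3 length; >= 1536 is a DIX II Ethertype

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet header, including an optional 802.1Q tag."""
    dst, src, type_or_tpid = struct.unpack_from("!6s6sH", frame, 0)
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False}
    offset = 14
    if type_or_tpid == ETHERTYPE_VLAN:
        # The 4-byte tag = 2-byte TPID (0x8100) + 2-byte TCI (PCP:3, DEI:1, VID:12)
        tci, type_or_tpid = struct.unpack_from("!HH", frame, offset)
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset += 4
    if type_or_tpid <= MAX_8023_LENGTH:
        info["kind"], info["length"] = "802.3", type_or_tpid
    else:
        info["kind"], info["ethertype"] = "DIX II", type_or_tpid
    info["payload"] = frame[offset:]
    return info

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC, as a VLAN interface does on transmit."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does before handing the frame to a host."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
        return frame
    return frame[:12] + frame[16:]

def access_port_egress(frame: bytes, port_vid: int):
    """Trunk-to-access forwarding: only the port's own VLAN, delivered untagged."""
    info = parse_frame(frame)
    if info["tagged"] and info["vid"] != port_vid:
        return None
    return strip_tag(frame)

# Constructed sample: broadcast dst, made-up src, IPv4 Ethertype, dummy 20-byte payload
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455")
                + struct.pack("!H", 0x0800) + bytes(20))

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_FRAME, vid=20, pcp=5)
    print(parse_frame(tagged))               # tagged=True, vid=20, pcp=5, ethertype=0x0800
    print(len(tagged) - len(SAMPLE_FRAME))   # 4: the extra bytes old gear may choke on at 1500 MTU
```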
-
I used to have a cheap Chinese switch on my network and it had no problem passing VLAN tagged frames. When someone makes this sort of claim, it would be nice if they did some testing to verify it's actually happening. Again, any unmanaged switch that can't pass VLANs is defective.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
Again, any unmanaged switch that can't pass VLANs is defective.
I think there is another dimension to this, namely QoS. When running in a multi-vlan network, if you have voice and/or video or other highly drop sensitive traffic to contend with, passing that through an unmanaged switch may not respect 802.1p and / or DSCP in the frames, unless it specifically says it is supported in the product docs.
While YMMV with unmanaged switches, I would not recommend passing any VLANs through them, ever. Saves the headaches of having to go back later and troubleshoot the network because you added some new VLAN or protocol and things aren't working the way you expect it to.
Managed switches have come down in price quite a bit lately, so there's really no excuse not to use them.
-
@awebster said in VLANs. Use an assigned interface as parent?:
passing that through an unmanaged switch may not respect 802.1p and / or DSCP in the frames
I would never expect it to.
Think about the evolution of Ethernet. Originally, the NICs connected to a coax cable, without switches or even hubs. Then came hubs, which had to behave exactly as the original coax networks, collisions and all. Then came switches, which remained transparent, like hubs and coax, but also brought in full duplex operation and things went from there. This means that an unmanaged switch is supposed to appear to the computers exactly the same as a hub or coax network, in that it does absolutely nothing to interfere with the traffic. It was only with managed switches that the ability to do more came in.
Bottom line, there is no difference at all in the way unmanaged switches behave compared to hubs and coax, other than full duplex and higher speeds.