VLANs. Use an assigned interface as parent?
-
As I said, start with thinking in terms of separate networks. Then apply VLANs as necessary. The VLAN tags are used only on trunk ports, where you want to have more than one "network". This is often used with VoIP phones and multiple SSID access points. Access ports do not ever carry tags, other than in the unique exception of some switches that can recognize VoIP phones and put them on the VLAN. The phones (or other equipment) are recognized by the MAC address prefix, which is configured into the switch. The tags are added or removed by switches and other equipment configured to use them. For example, pfSense can be configured to use VLANs. So, it would add the appropriate tag when sending a frame and remove it from received frames. In a managed switch, you could have several VLANs on the trunk port and the switch sorts them out to the various access ports, where the tag is removed.
One very useful way to learn about this is with packet capture. Managed switches generally have a port mirror function, where a computer running Wireshark can monitor traffic for a different switch port. With Wireshark, you can examine the frames, see the VLAN value and more. In fact, a few years ago, I bought a cheap 5 port managed switch, just for that purpose.
-
I have no experience with either Ubiquiti or Mikrotik, so I can't help you with them, but the principles should still apply.
-
Access ports do not ever carry tags
Ubiquiti apparently allows you to define multiple SSIDs on different VLANs, so it must have some notion of them. Or is this me not understanding again?
Mikrotik is a nice little affordable unit but it's based on iptables and their interface is powerful but difficult. I would much prefer a Netgate box but I don't have $350 for a home router. The Mikrotik was $130 for a PoE unit with 5 switch ports.
-
@KOM said in VLANs. Use an assigned interface as parent?:
Ubiquiti apparently allows you to define multiple SSIDs on different VLANs, so it must have some notion of them. Or is this me not understanding again?
Yes. If a port carries VLANs it's a trunk port and if not it's an access port, according to Cisco. Ubiquiti may have different terms for the same thing. That access port will connect to a trunk port on the switch, so that the VLANs will be available. It then strips off the VLAN tags, when sending the frames to the appropriate SSID.
-
@KOM said in VLANs. Use an assigned interface as parent?:
@awebster I think I may have understood 4 or 5 of the words you used...
While I am not an educator by any stretch of the imagination, I do, in my role as network architect, spend a lot of my day explaining networking concepts to my clients, so any feedback you can bring on how I can make it clearer / better would be much appreciated.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
So, if you're working with VLANs,
... you must absolutely, unequivocally, unconditionally, without a doubt, be using a managed switch. I had to add this in because VLAN questions come up pretty frequently on the forums only to discover after a bunch of back-and-forth, that the OP isn't using a managed switch!
-
A managed switch is needed if you want to configure VLANs, separate access ports from trunks, etc. An unmanaged switch will pass VLANs just fine, but that's all it can do, management has to be done elsewhere. Regardless, I am in favour of managed switches in general. These days, I would only put a dumb switch in a situation where a managed switch would bring no advantage. On my home network, I have a managed switch, but also an unmanaged one in my living room, connecting my TV, A/V receiver, Blu-ray player and PVR to the single Ethernet port there.
-
@JKnott I have seen both managed and unmanaged switches do strange things:
- An HP 8 port managed (1800-8G) switch, which while it appears to work properly on the surface, with IPv6 DHCPv6 it is completely broken, the connected device gets an IPv6 address on every VLAN, despite it not being configured to allow those VLANs!
- Netgear GS110TP managed switch allows you to configure more than one untagged VLAN on a single port.
- Unmanaged switches, typically the cheap Chinese variety, not passing any frames with VLAN tags.
-
@awebster said in VLANs. Use an assigned interface as parent?:
- Unmanaged switches, typically the cheap Chinese variety, not passing any frames with VLAN tags.
If you know, does this confuse the ethernet controller, then everything gets dropped?
Jeff
-
Then those switches are defective. That HP sounds like the TP-Link switches.
Also, what is an unmanaged switch doing checking for a VLAN tag? The contents of the Ethertype field in the tag are all that make the difference between a VLAN and any other Ethernet frame type. The Ethertype field is just data in the frame. That same field, in addition to the Ethertype on DIX II, is used for length with 802.3 Ethernet, which means any value, up to 1500, is valid. Do unmanaged switches check for the contents of that field, when they're not supposed to?
-
I used to have a cheap Chinese switch on my network and it had no problem passing VLAN tagged frames. When someone makes this sort of claim, it would be nice if they did some testing to verify it's actually happening. Again, any unmanaged switch that can't pass VLANs is defective.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
Again, any unmanaged switch that can't pass VLANs is defective.
I think there is another dimension to this, namely QoS. When running in a multi-vlan network, if you have voice and/or video or other highly drop sensitive traffic to contend with, passing that through an unmanaged switch may not respect 802.1p and / or DSCP in the frames, unless it specifically says it is supported in the product docs.
While YMMV with unmanaged switches, I would not recommend passing any VLANs through them, ever. Saves the headaches of having to go back later and troubleshoot the network because you added some new VLAN or protocol and things aren't working the way you expect it to.
Managed switches have come down in price quite a bit lately, so there's really no excuse not to use them.
-
@awebster said in VLANs. Use an assigned interface as parent?:
passing that through an unmanaged switch may not respect 802.1p and / or DSCP in the frames
I would never expect it to.
Think about the evolution of Ethernet. Originally, the NICs connected to a coax cable, without switches or even hubs. Then came hubs, which had to behave exactly as the original coax networks, collisions and all. Then came switches, which remained transparent, like hubs and coax, but also brought in full duplex operation and things went from there. This means that an unmanaged switch is supposed to appear to the computers exactly the same as a hub or coax network, in that it does absolutely nothing to interfere with the traffic. It was only with managed switches that the ability to do more came in.
Bottom line, there is no difference at all in the way unmanaged switches behave compared to hubs and coax, other than full duplex and higher speeds.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
I would never expect it to.
Sadly some claim to. Some vendors' unmanaged switches mention QoS support in their literature, so at first glance your initial reaction is "hey, it must be a managed switch", only to realise that nope, you were fooled, they call it a "smart switch". This is confusing since yet other vendors call their less than a full CLI of management a "smart" managed switch.
Bottom line, there is no difference at all in the way unmanaged switches behave compared to hubs and coax, other than full duplex and higher speeds.
Well said! I might have added "are supposed to" before behave, because... broken.
-
@akuma1x said in VLANs. Use an assigned interface as parent?:
If you know, does this confuse the ethernet controller, then everything gets dropped?
Confuse, probably... The switch I was using (unmanaged Netgear PoE) would correctly pass the untagged frames but drop the tagged frames. I tried it in a home VoIP setup with a PC plugged into the back of the phone. The phone kept coming up on the untagged data VLAN, it couldn't see the voice VLAN. Moved it onto a managed switch (the port that was feeding the unmanaged switch, so config was identical), and it worked first shot.
-
Moving back to the OP's question,
The easiest way I've come up with to explain VLANs is to first think of dividing the switch into separate switches. You have different networks on those switches, and could put them in a segregated OPT interface on the firewall. Ports 1-12 belong to LAN and ports 13-23 are the guest LAN. Now imagine the separate switches, or virtual LANs, being represented by numerical tags the switch attaches to the traffic. E.g. your LAN is 10 and your guest is 20. You configure port 24 on your switch to carry traffic for both networks. Traffic from your LAN gets marked 10 and guest traffic gets marked 20. You connect 24 to the firewall, where instead of setting up LAN and guest on separate ports, you tell the firewall that traffic marked 10 is your LAN, and if it's marked 20, it's guest traffic.
Vlans in Unifi are easy- in this example, you would set the switchport the ap is in to untagged 10, tagged 20.
You would then create a wireless ssid for guest and specify vlan 20.
I'm using 10 and 20 here, but using the parent interface is basically using the default vlan 1
If you stick to the default VLAN for your LAN, it makes things a bit easier, but by Cisco standards, this is sloppy and poor practice. Traffic somehow not getting tagged comes out on VLAN 1, you would ideally not want this on your LAN.
-
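Added example, not code from any post in this thread: a small Python model of what JKnott describes earlier (tags being added by a switch on the trunk and stripped on access ports, with the Ethertype/length field being the only thing that marks a tagged frame) applied to the port map in the post above (ports 1-12 LAN as VLAN 10, 13-23 guest as VLAN 20, port 24 the trunk to pfSense, plus the Unifi AP port set to untagged 10 / tagged 20). Putting the AP on port 12, the MAC addresses and the frame payloads are assumptions of this example. The trunk is deliberately given no native VLAN, so a frame whose tag was stripped somewhere upstream is dropped rather than landing in the LAN or in VLAN 1.

```python
"""Added example, not from the thread: a managed switch's 802.1Q ingress
classification and egress tag push/strip, run over constructed sample frames."""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100      # Ethertype value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800  # any value <= 1500 in that slot is an 802.3 length instead

@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None   # None: the frame carries no tag
    pcp: int = 0                # 802.1p priority bits, stored inside the tag

def parse(raw: bytes) -> Frame:
    """Decode an Ethernet frame, pulling the 802.1Q tag out if one is present."""
    dst, src = raw[0:6], raw[6:12]
    (type_or_len,) = struct.unpack("!H", raw[12:14])
    if type_or_len == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, ethertype, raw[18:], vid=tci & 0x0FFF, pcp=tci >> 13)
    # A value <= 1500 here is an 802.3 length field; it can never equal 0x8100,
    # so a tag-unaware switch has nothing to trip over in this slot.
    return Frame(dst, src, type_or_len, raw[14:])

def serialize(f: Frame) -> bytes:
    """Encode a Frame, inserting a tag only when vid is set."""
    head = f.dst + f.src
    if f.vid is None:
        return head + struct.pack("!H", f.ethertype) + f.payload
    tci = (f.pcp << 13) | (f.vid & 0x0FFF)
    return head + struct.pack("!HHH", TPID_8021Q, tci, f.ethertype) + f.payload

@dataclass
class Port:
    untagged: Optional[int]                   # PVID: untagged ingress lands here; None drops it
    tagged: set = field(default_factory=set)  # VLANs that leave this port with the tag kept

    def member(self, vid: int) -> bool:
        return vid == self.untagged or vid in self.tagged

class Switch:
    """Flood-only VLAN switch; MAC learning is left out as it does not affect tagging."""

    def __init__(self, ports: dict):
        self.ports = ports

    def forward(self, in_port: int, raw: bytes) -> dict:
        """Return {port number: frame bytes} for every port that gets a copy."""
        f = parse(raw)
        port = self.ports[in_port]
        if f.vid is None:
            vid = port.untagged          # untagged ingress: classify by the port's PVID
        elif f.vid in port.tagged:
            vid = f.vid                  # tagged ingress on a trunk: keep the VID
        else:
            vid = None                   # tag not permitted on this port: drop
        if vid is None:
            return {}
        out = {}
        for n, p in self.ports.items():
            if n == in_port or not p.member(vid):
                continue
            f.vid = None if vid == p.untagged else vid   # strip on access, keep on trunk
            out[n] = serialize(f)
        return out

def build_thread_switch() -> Switch:
    """Port map from the post above: 1-12 LAN (VLAN 10), 13-23 guest (VLAN 20),
    24 the trunk to pfSense. Port 12 as the AP port is this example's assumption."""
    ports = {n: Port(untagged=10) for n in range(1, 12)}
    ports[12] = Port(untagged=10, tagged={20})          # Unifi AP: untagged 10, tagged 20
    ports.update({n: Port(untagged=20) for n in range(13, 24)})
    ports[24] = Port(untagged=None, tagged={10, 20})    # trunk with no native VLAN
    return Switch(ports)

BCAST = b"\xff" * 6
SRC = bytes.fromhex("0200000000aa")   # constructed, locally administered MAC

def demo():
    sw = build_thread_switch()
    # Untagged frame from a LAN PC on port 3: VLAN 10 members get it, tagged 10 on the trunk.
    lan = sw.forward(3, serialize(Frame(BCAST, SRC, ETHERTYPE_IPV4, b"lan")))
    # Frame tagged 20 from pfSense on the trunk: guest ports untagged, the AP port tagged.
    guest = sw.forward(24, serialize(Frame(BCAST, SRC, ETHERTYPE_IPV4, b"guest", vid=20)))
    # The same frame with its tag stripped upstream: dropped, not leaked into the LAN.
    stripped = sw.forward(24, serialize(Frame(BCAST, SRC, ETHERTYPE_IPV4, b"guest")))
    return lan, guest, stripped
```

Feeding the three outputs of `demo()` through `parse()` shows what a mirror port and Wireshark would: the trunk copy carries a tag with VID 10 while the access-port copies have none, and the untagged frame on the tagless trunk never reaches any port. Setting the trunk's `untagged` to 1 instead of `None` reproduces the VLAN 1 behaviour the post warns about.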
The biggest confusion I see is people using the term VLAN1 to mean untagged traffic and encountering something configured to actually use VLAN1 tagged. Never use VLAN1!
The reason I recommend not using tagged and untagged traffic on the same interface if you can avoid it is that the most common problem I see with (usually cheap ass) switches is tags getting stripped when they shouldn't. Those can end up on the parent interface which is harmless if it's unassigned. Of course that should never happen but....
Steve
-
I use VLANs to segregate my WiFi traffic and VPN; I have a VLAN for my private WiFi, a VLAN for my guest WiFi, a VLAN for my VPN, and my wired LAN is untagged. All of it plugs into a cheapo unmanaged D-Link gigabit switch, which passes it just fine. All of this goes out over my LAN port (assigned as such).
The APs are VLAN-aware (and tag and filter the appropriate packets) and of course pfSense is VLAN-aware on the other end. Sure I might be able to do some magic configuration on one of my wired ethernet systems to be able to touch VLAN-tagged traffic, but given that there are only ethernet ports in the office and bedrooms, if a bad actor has access to my wired LAN, I have bigger problems than them picking up stuff off the VLANs.
In the meantime, any communication between those three segments (Guest WiFi, Private WiFi, LAN) is at the pleasure of my firewall rules -- which is to say guest WiFi can't see
while the others are, by and large, unfettered (though there are some restrictions on VPN).