VLANs. Use an assigned interface as parent?
-
@awebster said in VLANs. Use an assigned interface as parent?:
- Unmanaged switches, typically the cheap Chinese variety, not passing any frames with VLAN tags.
If you know, does this confuse the ethernet controller, then everything gets dropped?
Jeff
-
Then those switches are defective. That HP sounds like the TP-Link switches.
Also, what is an unmanaged switch doing checking for a VLAN tag? The contents of the Ethertype field in the tag are all that make the difference between a VLAN and any other Ethernet frame type. The Ethertype field is just data in the frame. That same field, in addition to being the Ethertype on DIX II, is used for length with 802.3 Ethernet, which means any value, up to 1500, is valid. Do unmanaged switches check the contents of that field, when they're not supposed to?
-
I used to have a cheap Chinese switch on my network and it had no problem passing VLAN tagged frames. When someone makes this sort of claim, it would be nice if they did some testing to verify it's actually happening. Again, any unmanaged switch that can't pass VLANs is defective.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
Again, any unmanaged switch that can't pass VLANs is defective.
I think there is another dimension to this, namely QoS. When running in a multi-VLAN network, if you have voice and/or video or other highly drop-sensitive traffic to contend with, passing that through an unmanaged switch may not respect 802.1p and/or DSCP in the frames, unless it specifically says it is supported in the product docs.
While YMMV with unmanaged switches, I would not recommend passing any VLANs through them, ever. Saves the headaches of having to go back later and troubleshoot the network because you added some new VLAN or protocol and things aren't working the way you expect them to.
Managed switches have come down in price quite a bit lately, so there's really no excuse not to use them.
-
@awebster said in VLANs. Use an assigned interface as parent?:
passing that through an unmanaged switch may not respect 802.1p and/or DSCP in the frames
I would never expect it to.
Think about the evolution of Ethernet. Originally, the NICs connected to a coax cable, without switches or even hubs. Then came hubs, which had to behave exactly as the original coax networks, collisions and all. Then came switches, which remained transparent, like hubs and coax, but also brought in full duplex operation and things went from there. This means that an unmanaged switch is supposed to appear to the computers exactly the same as a hub or coax network, in that it does absolutely nothing to interfere with the traffic. It was only with managed switches that the ability to do more came in.
Bottom line, there is no difference at all in the way unmanaged switches behave compared to hubs and coax, other than full duplex and higher speeds.
-
@JKnott said in VLANs. Use an assigned interface as parent?:
I would never expect it to.
Sadly some claim to. Some vendors' unmanaged switches mention QoS support in their literature, so at first glance your initial reaction is "hey, it must be a managed switch", only to realise that nope, you were fooled, they call it a "smart switch". This is confusing since yet other vendors call their less-than-a-full-CLI of management a "smart" managed switch.
Bottom line, there is no difference at all in the way unmanaged switches behave compared to hubs and coax, other than full duplex and higher speeds.
Well said! I might have added "are supposed to" before behave, because... broken.
-
@akuma1x said in VLANs. Use an assigned interface as parent?:
If you know, does this confuse the ethernet controller, then everything gets dropped?
Confuse, probably... The switch I was using (unmanaged Netgear PoE) would correctly pass the untagged frames but drop the tagged frames. I tried it in a home VoIP setup with a PC plugged into the back of the phone. The phone kept coming up on the untagged data VLAN; it couldn't see the voice VLAN. Moved it onto a managed switch (the port that was feeding the unmanaged switch, so config was identical), and it worked first shot.
-
Moving back to the OP's question,
The easiest way I've come up with to explain VLANs is to first think of dividing the switch into separate switches. You have different networks on those switches, and could put them in a segregated OPT interface on the firewall. Ports 1-12 belong to LAN and ports 13-23 are the guest LAN. Now imagine the separate switches, or virtual LANs, being represented by numerical tags the switch attaches to the traffic. E.g. your LAN is 10 and your guest is 20. You configure port 24 on your switch to carry traffic for both networks. Traffic from your LAN gets marked 10 and guest traffic gets marked 20. You connect 24 to the firewall, where instead of setting up LAN and guest on separate ports, you tell the firewall that traffic marked 10 is your LAN, and if it's marked 20, it's guest traffic.
VLANs in Unifi are easy. In this example, you would set the switchport the AP is in to untagged 10, tagged 20.
You would then create a wireless SSID for guest and specify VLAN 20.
I'm using 10 and 20 here, but using the parent interface is basically using the default VLAN 1.
If you stick to the default VLAN for your LAN, it makes things a bit easier, but by Cisco standards, this is sloppy and poor practice. Traffic somehow not getting tagged comes out on VLAN 1; you would ideally not want this on your LAN.
-
The biggest confusion I see is people using the term VLAN1 to mean untagged traffic and encountering something configured to actually use VLAN1 tagged. Never use VLAN1!
The reason I recommend not using tagged and untagged traffic on the same interface if you can avoid it is that the most common problem I see with (usually cheap ass) switches is tags getting stripped when they shouldn't. Those can end up on the parent interface which is harmless if it's unassigned. Of course that should never happen but....
Steve
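As an added example (not from any poster in this thread), a small Python decoder that shows on the wire what the earlier points about the Ethertype/length field, the 802.1p bits in the tag, and tags getting stripped actually look like: it parses an 802.1Q header and audits a constructed capture from a trunk carrying VLANs 10 and 20. The MAC addresses and frames are constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID; the tag is just this Ethertype plus a 16-bit TCI
ETHERTYPE_IPV4 = 0x0800
DST = bytes.fromhex("00112233aabb")  # constructed MACs for the sample frames
SRC = bytes.fromhex("00112233ccdd")

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet header: pull PCP (802.1p) and VID from an 802.1Q tag
    if present, and treat a type/length value <= 1500 as an 802.3 length."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, field = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False, "pcp": None, "vid": None}
    offset = 14
    if field == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, field = struct.unpack("!HH", frame[14:18])   # TCI: 3 bits PCP, 1 bit DEI, 12 bits VID
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        offset = 18
    if field <= 1500:
        info.update(encap="802.3", length=field)   # length field, not a type
    else:
        info.update(encap="DIX", ethertype=field)
    info["payload"] = frame[offset:]
    return info

def build_frame(ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Build a test frame, inserting an 802.1Q tag when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vid)
    return DST + SRC + tag + struct.pack("!H", ethertype) + payload

def audit_trunk(frames, expected_vids) -> dict:
    """Classify frames seen on a trunk: tagged with a configured VID, tagged with a VID
    nobody configured, or untagged (what a tag-stripping switch produces; it lands on the parent)."""
    report = {"ok": 0, "unexpected_vid": [], "untagged": 0}
    for frame in frames:
        p = parse_frame(frame)
        if not p["tagged"]:
            report["untagged"] += 1
        elif p["vid"] in expected_vids:
            report["ok"] += 1
        else:
            report["unexpected_vid"].append(p["vid"])
    return report

# Constructed capture: LAN (10), guest (20, voice priority 5), a stray VLAN 1 tag, a stripped tag, one 802.3 frame.
SAMPLE_FRAMES = [build_frame(ETHERTYPE_IPV4, b"lan", vid=10), build_frame(ETHERTYPE_IPV4, b"guest", vid=20, pcp=5),
                 build_frame(ETHERTYPE_IPV4, b"stray", vid=1), build_frame(ETHERTYPE_IPV4, b"stripped"),
                 build_frame(46, b"x" * 46)]
```

Running `audit_trunk(SAMPLE_FRAMES, {10, 20})` reports two good frames, one stray VID 1, and two untagged frames; the untagged count is what a switch that drops or strips tags shows up as.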
-
I use VLANs to segregate my WiFi traffic and VPN; I have a VLAN for my private WiFi, a VLAN for my guest WiFi, a VLAN for my VPN, and my wired LAN is untagged. All of it plugs into a cheapo unmanaged D-Link gigabit switch, which passes it just fine. All of this goes out over my LAN port (assigned as such).
The APs are VLAN-aware (and tag and filter the appropriate packets) and of course pfSense is VLAN-aware on the other end. Sure I might be able to do some magic configuration on one of my wired ethernet systems to be able to touch VLAN-tagged traffic, but given that there are only ethernet ports in the office and bedrooms, if a bad actor has access to my wired LAN, I have bigger problems than them picking up stuff off the VLANs.
In the meantime, any communication between those three segments (Guest WiFi, Private WiFi, LAN) is at the pleasure of my firewall rules -- which is to say guest WiFi can't see
while the others are, by and large, unfettered (though there are some restrictions on VPN).