VLANs on Managed Switch

Dear Forum, I'm struggling with configuring my home network using Virtual LANs.
The router is a TP-Link Archer C7 AC1750, where only LAN Port 1 is in use. Devices are connected to an 8-port Netgear managed switch, where Port 1 is supposed to be used as the trunk port.
My idea is to create the following networks:

Home
VLAN ID 67
192.168.67.0/24
DHCP

DMZ (such as NAS)
VLAN ID 10
192.168.10.0/24
Static

Guest
VLAN ID 254
192.168.254.0/25
DHCP

Management (such as switch)
VLAN ID 1
192.168.255.0/28
Static

root@openwrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5c:dc7e:d327::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '192.168.254.253'
        option ifname 'eth1.1'

config interface 'wan'
        option proto 'static'
        option broadcast '192.168.178.255'
        option ipaddr '192.168.254.254'
        option netmask '255.255.255.252'
        option gateway '192.168.254.253'
        option ifname 'eth0.2'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t'
        option vid '10'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 2t'
        option vid '67'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '254'
        option ports '0t 2t'

config interface 'Home'
        option proto 'static'
        option ifname 'eth1.67'
        option ipaddr '192.168.67.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.67.255'

config interface 'DMZ'
        option proto 'static'
        option ifname 'eth1.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.10.255'

config interface 'Guest'
        option proto 'static'
        option ifname 'eth1.254'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.128'
        option broadcast '192.168.254.127'

config interface 'Mgmt'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.240'
        option ifname 'eth1.1'

Switch port configuration:
Port 1:
PVID 1
All VLANs untagged

Ports 2-4:
PVID 67
1 Untagged
10 & 67 Tagged

Port 5:
PVID 10
1 Untagged
10 & 67 Tagged

Port 6:
PVID 1
1 Untagged

Ports 7 & 8:
PVID 254
1 Untagged
254 Tagged

Now, for instance, I want a PC to join VLAN 67 and get an address assigned from that network. Still, it is assigned an address from the default LAN (.1.0) instead. What's wrong with my configuration?
I kindly ask for your understanding, since this is the first time I've created networks like this from scratch by myself.

Thanks in advance for any precious answer.

Then you need to plug it into a port somewhere that is untagged VLAN 67 with a PVID of 67, or set up the PC to have a sub-interface on VLAN 67 and attach it to a tagged port.

VLAN 67 @Port 2 set to untagged, network cable unplugged and then plugged again, same result.

Do you have a DHCP server running on the interface? What about your firewall zones?

Untagged on one VLAN and PVID on a different one is a rather unusual choice.

Edit: As is more than one untagged VLAN on a given port.

I would recommend that you start simple and build from there. Specifically, reset to the default configuration so that you have just one LAN defined (untagged on all ports of your C7). Then, add another network, remove the default LAN from a single port on the C7 internal switch (let's say you take physical* port 2 for the second network), and assign that port to carry the second network as untagged (technically the same as PVID, but OpenWrt just shows tagged/untagged/off). Now, ports 1, 3, and 4 have the default LAN, and port 2 has the second network. This should give you two networks that can be accessed by simply moving the ethernet cable from one port to the other. This configuration will allow you to test each network to make sure that they are working properly, without the extra complication of VLAN tagging and PVID/VID assignments.

*keep in mind that the physical port mapping may be different than the logical assignments in the switch config.

Once the two networks on different ports have been proven to work as expected, you can start playing with tagging and trunking.

Now, regarding trunking and untagged/tagged networks: On a given wire, you may have:

  • zero or one untagged network (this is the 'default' network to which data belongs if it doesn't have a tag when it enters or exits a port). This is largely equivalent to the PVID, but there is a nuance here, too.
  • zero, one, or many tagged networks. Ethernet frames will have the tags to identify the corresponding network as it travels on the wire and in and out of ports.

A port/wire can have tagged networks only, if desired, including just a single tagged network (which does not constitute a trunk). A trunk is defined as a port/wire that carries multiple networks. A trunk carrying two networks may be:

  • 1 untagged, 1 tagged
  • 0 untagged, 2 tagged.
  • NOTE that 2 untagged is not a valid option, as there would be no way to identify/separate the traffic from the two different networks.

Now, I said that you can only have a single untagged network on a wire, and I also mentioned that there is an important nuance with respect to 'untagged' and 'PVID'.

A smart/managed switch will often have PVID (Port VLAN ID) on the switch port setup, and designators for tagged and untagged networks in the VLAN setup. In the VLAN setup, you can usually assign multiple networks to a given port as untagged. The best way to think about this is that these networks are "available" to the physical port, but only one may be assigned as untagged at any given time -- this is why there is the PVID section in the switch port setup. The PVID selects the single network (from the available untagged networks of which the port is a member) that will be used untagged on that port.

Tagged networks at the port level, may also be called VIDs. In the smart switch's VLAN setup, you can assign tagged VLANs to the physical ports. Usually, any network that is assigned to a switch port as tagged will actually appear, tagged (as VIDs), on that physical port (this is unlike the untagged setup where ultimately only one network is selected via the PVID).

With this info, hopefully you should be ready to try trunking. So let's say you take port 3 of the C7 and make it untagged for the default LAN and tagged for the second network. Configure your smart switch the same way -- setting up the VLAN configuration that includes the first/default network VLAN ID as untagged and the second network as tagged. Then go to the port configuration and set the first network as the PVID. If you then select two other ports, one each, to have the first and second networks untagged (and those networks set as PVID for the corresponding ports), you should be able to access each network by simply moving the ethernet cable between those two ports.

Once you have 2 VLANs working over a trunk, you can build out the rest of your network.


Adding some screen grabs from my TL-SG105E smart switch.

In the image below, the bottom table shows the VLAN IDs and the associated ports.

  • All 5 ports are members of VLAN ID 1 as untagged.

  • VLAN 172 is tagged on port 1, untagged on port 3.
  • VLAN 192 is tagged on port 1, untagged on port 4.

This makes port 1 a trunk port, while all others are carrying just a single network.

The PVID page shows ports 1, 2, and 5 have a PVID of 1. So untagged traffic on those ports will belong to VLAN 1.
Similarly the PVIDs are set such that port 3 has untagged traffic associated with VLAN 172, and VLAN 192 is associated with untagged traffic on port 4.

The router or upstream smart switch on the other end of the wire connected to port 1 of this switch is configured with the same VLAN setup -- untagged traffic is VLAN 1 and VLANs 172 and 192 are tagged. This makes all of the VLAN traffic flow, keeping everything consistent from the router, through the switches.

I think the switch in the C7 requires special consideration for VLAN numbers higher than 128. So in a network such as this where you get to choose the VLAN numbers, keep them small.

On your C7 you should have all the VLANs defined with switch_vlan blocks, with a CPU port and the external port tagged in all of them, and untagged in none of them.

The PVID setting exists to resolve what happens when tagged and untagged traffic arrives on the same cable; it is best not to do that in the first place.


@mk24 - why do you say that it is best not to do this? Is your recommendation to have all VLANs tagged if over a trunk (and to never have an untagged network on the trunk)? This is certainly a valid approach and can be good in some circumstances (it offers some level of security over the untagged situation), but I've never known trunking with both an untagged and 1 or more tagged network(s) to be a bad practice in a general sense.

I intentionally tag everything on my trunks, set the PVID to 4095 (blackhole) and, with switches that support it, drop untagged traffic, as well as traffic that comes in tagged with a “wrong” tag.

That way there’s never a surprise as to where traffic goes.

The “degenerate” use cases to use untagged traffic to change VLAN tags or the like should never arise in a SOHO situation.
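A small 802.1Q port model, added here as an illustration (it is not code from the thread or from OpenWrt), that traces the poster's Netgear port 2 and trunk settings against the C7's switch_vlan entries, and then the all-tagged trunk mk24 and jeff describe above. The port and VLAN numbers come from the thread; the class and function names and the blackhole PVID handling are my own assumptions.

```python
# Added example, not from the thread: a minimal 802.1Q port model.
from dataclasses import dataclass

BLACKHOLE_PVID = 4095  # jeff's PVID choice: untagged ingress goes nowhere

@dataclass
class Port:
    pvid: int
    untagged: frozenset = frozenset()
    tagged: frozenset = frozenset()

def ingress(port, vid=None):
    """VLAN an arriving frame joins (vid=None: no 802.1Q tag), or None if dropped."""
    if vid is None:
        return None if port.pvid == BLACKHOLE_PVID else port.pvid
    return vid if vid in port.tagged or vid in port.untagged else None

def egress(port, vlan):
    """'tagged' (tag kept), 'untagged' (tag stripped) or None (not a member)."""
    if vlan in port.tagged:
        return "tagged"
    return "untagged" if vlan in port.untagged else None

def hop(in_port, vid, out_port, far_port):
    """Frame enters in_port, leaves out_port, is classified by far_port on the
    other end of the wire; returns the VLAN it ends up in there, or None."""
    vlan = ingress(in_port, vid)
    mode = egress(out_port, vlan) if vlan is not None else None
    if mode is None:
        return None
    return ingress(far_port, vlan if mode == "tagged" else None)

ALL = frozenset({1, 10, 67, 254})
# Netgear ports as posted: port 2 (PVID 67, 1 U, 10 & 67 T), port 1 (all VLANs untagged).
PC_PORT = Port(pvid=67, untagged=frozenset({1}), tagged=frozenset({10, 67}))
TRUNK_AS_POSTED = Port(pvid=1, untagged=ALL)
# C7 port 2 from the UCI config: untagged in VLAN 1 ('0t 2'), tagged in 10/67/254 ('0t 2t').
C7_PORT2 = Port(pvid=1, untagged=frozenset({1}), tagged=frozenset({10, 67, 254}))
# Trunk as mk24/jeff describe it: every VLAN tagged, no untagged member at all.
TRUNK_ALL_TAGGED = Port(pvid=BLACKHOLE_PVID, tagged=ALL)

def pc_dhcp_lands_in(trunk):
    """VLAN in which the router receives the PC's untagged DHCP discover."""
    return hop(PC_PORT, None, trunk, C7_PORT2)

if __name__ == "__main__":
    print("as posted  ->", pc_dhcp_lands_in(TRUNK_AS_POSTED))   # 1, i.e. a .1.0 lease
    print("all tagged ->", pc_dhcp_lands_in(TRUNK_ALL_TAGGED))  # 67
```

With the trunk untagged in every VLAN, the PC's frame leaves the Netgear without a tag and the C7 can only file it under the VLAN its port 2 is untagged in, which is VLAN 1; with every VLAN tagged on the trunk it arrives as VLAN 67.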

Just to summarize, so that other people can understand it as well:

  • Trunk ports with all VLAN IDs tagged

  • Access ports with an assigned Native ID (or PVID) and consequently that ID untagged. Tagged VLANs are those the port's own VLAN wants to communicate with. For instance:

    • Port 2, PVID 20, 20 U, 30 T

    • Port 3, PVID 30, 20 T, 30 U

After correcting configuration it's all right.

