[ale] Off topic but we're already almost there: VLANS?

Phil Turmel philip at turmel.org
Sat Feb 27 18:55:34 EST 2021


Hi Neal,

On 2/25/21 2:07 PM, Neal Rhodes via Ale wrote:
> 
> I have never worked with VLANS before.

A key behavior that your notes suggest you are missing is that VLANs are 
implemented with an extra ethernet header (that happens to do double 
duty with packet prioritization, but that's a side note).

Switches that support VLANs generally designate a physical port as 
either "access" mode (no VLAN header, aka "untagged") or "trunk" 
mode (always a VLAN header, aka "tagged").  Standard 802.1Q VLANs can have 
VLAN tag numbers from 1 to 4095.

Untagged ports have all incoming packets assigned to a single configured 
VLAN (default == 1) before forwarding to the switch fabric, and filter 
out packets from the switch fabric that don't belong to that VLAN.

Tagged ports are assigned a list of allowed VLAN numbers.  They expect 
incoming packets to have an 802.1Q tag having one of the numbers, 
dropping any that don't belong before forwarding to the switch fabric. 
Similarly, they only send out from the switch fabric packets that have one 
of the allowed VLAN numbers, always including the header.

There is no such thing as "No VLAN assigned".  A VLAN-capable switch 
will always place every packet in a VLAN.  Most such switches default to 
"access" mode on all ports with all ports using VLAN 1, which *looks* 
like no VLAN.

> My understanding is the simple (ha!) way of doing VLAN is to let the 
> wired switches (NetGear) assign it based on what port into which things 
> are plugged.

Pretty sure you are going to have to configure your VLANs deliberately.

> Imagine a church with offices and sanctuary upstairs, community schools 
> and distance learning downstairs, printers for each, and Wifi hotspots 
> here and there. And now everything is getting a 192.168.1.x address 
> assigned by the DHCP on the Firewall Router.

DHCP is only going to cover the VLAN it is attached to.  You will need a 
DHCP server for each VLAN, and a separate subnet for each.

> And there are some obvious reasons you might not want students 
> downstairs having access to office computers, or the audio mixer in the 
> sanctuary, but they might need to print something on occasion.

Somewhere in this mix you will need a router to let users reach the 
printers.  If they can reach the printers, they can reach other 
computers in the same subnet as the printers, unless your router is also 
a firewall with strict rules.

Onwards to your diagram:

> Ergo the outline of Routers/VLANS I'm thinking of is below.  Indented 
> generally means "I'm plugged into this device above".
> 
> Main Firewall Router: (now Cisco, but likely Ubiquiti soon)
>      - Comcast VoiceEdge Server (No VLAN)
>      - Office Switch (NetGear)
>          - VLAN1
>              - PolyCon Office phone-sets
>                  - Computers Connected to them
>              - Computers wired direct to switch
>              - Office Wifi Hotspot
>          - VLAN2
>              - Sanctuary Switch
>                  - Propresenter PC
>                  - Streaming encoder
>                      - Camera
>                  - X32 Wifi Hotspot
>                      - X32 Audio Mixer
>                      - Mixer Control Tablets
>          - No VLAN assigned
>              - Office HP Printer
>              - Office Toshiba Printer
>              - Hanberry Hall Wifi Hotspot
> 
>      - Downstairs Switch (NetGear)
>          - VLAN3
>              - Community Schools phone-sets
>                  - Computers Connected to them
> 
>              - Downstairs Hallway Wifi Hotspot
>                  - Students doing Distance Learning
>              - Shepherd's Hall Wifi Hotspot?? (do we have to move cable? 
> Or can that hotspot claim VLAN3?)
>                  - Students doing Distance Learning
>          - No VLAN assigned
>              - Community Schools Toshiba Printer

You will have to specify what ports on each switch are what kind.  Your 
main router will have to connect to your secondary routers via "trunk" 
ports if you want multiple VLANs to interconnect.

Linux can do trunk ports if needed (for your multiple DHCP support 
and/or routing, perhaps).


> My understanding is that each switch will add the VLAN tag, and that by 
> default the Firewall Router will not pass data from one VLAN to another 
> VLAN.  Thus:
> - Any device can obtain internet NAT service;

Nope.  Only the VLAN that is on the default VLAN for the router, unless 
you deliberately configure more route rules.

> - Any device can print to any printer NOT on a VLAN;

Nope.

> - Any device can access the VoiceEdge server;

Nope.

> - No devices outside the Sanctuary VLAN2 can access it;

Nope.

> - No devices outside the Office VLAN1 can access it;

Nope.

> - There is no need to enforce the Guest logins on the downstairs Wifi, 
> as there are no resources to compromise other than paper and toner.
> 
> How Comcast voice behaves is important to know.  Do phone-sets only talk 
> to the voice server?  Or do they talk to each other?  I shall attempt 
> to beat an answer out of them on this.


> Am I thinking right on this?  What Firewall Router feature requirements 
> are needed to support this?

Any VLAN-capable switch will handle the packets.  You need router 
features in the switch or in a separate device on a trunk port to handle 
the traffic between VLANs.

> 
> regards,
> 
> Neal

Sorry to burst your bubble.

Phil
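As an added illustration that is not part of the thread (the frame bytes, the three port definitions and the switch names are constructed for this example), here is a small Python model of the 802.1Q header Phil describes, including the priority bits it "does double duty" for, and of how access and trunk ports treat frames on the way into and out of the switch fabric:

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an inserted 802.1Q tag

def parse_frame(frame: bytes):
    """Return (dst, src, pcp, vid, ethertype, payload); pcp/vid are None if untagged."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF      # 3 priority bits + 12-bit VLAN ID
        etype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, pcp, vid, etype, frame[18:]
    return dst, src, None, None, etype, frame[14:]

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header after the MAC addresses (what a trunk port emits)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def ingress(port: dict, frame: bytes):
    """Port rules on the way into the switch fabric.
    Returns (vid, frame_without_tag), or None when the port drops the frame."""
    dst, src, _pcp, vid, etype, payload = parse_frame(frame)
    bare = dst + src + struct.pack("!H", etype) + payload
    if port["mode"] == "access":
        return port["pvid"], bare                 # everything is stamped with the PVID
    if vid is None or vid not in port["allowed"]:
        return None                               # untagged or unlisted VID: dropped
    return vid, bare

def egress(port: dict, vid: int, bare: bytes):
    """Port rules on the way out of the fabric. Returns bytes, or None if filtered."""
    if port["mode"] == "access":
        return bare if vid == port["pvid"] else None          # untagged, own VLAN only
    return tag_frame(bare, vid) if vid in port["allowed"] else None  # always tagged

# Constructed sample: one IPv4 frame with dummy MACs, plus three hypothetical ports.
UNTAGGED = bytes.fromhex("020000000001" "020000000002" "0800") + b"\xde\xad\xbe\xef"
OFFICE = {"mode": "access", "pvid": 1}          # the "looks like no VLAN" default
SANCTUARY = {"mode": "access", "pvid": 2}
TRUNK = {"mode": "trunk", "allowed": {1, 2, 3}}  # uplink carrying all three VLANs

if __name__ == "__main__":
    vid, bare = ingress(OFFICE, UNTAGGED)
    print("office port stamps VLAN", vid)
    print("delivered to sanctuary port:", egress(SANCTUARY, vid, bare))   # None
    print("trunk egress VID:", parse_frame(egress(TRUNK, vid, bare))[3])  # 1
    print("untagged frame on trunk:", ingress(TRUNK, UNTAGGED))           # None
```

The tag this model inserts is exactly what a Linux "trunk" sub-interface created with `ip link add link eth0 name eth0.2 type vlan id 2` adds on transmit and strips on receive.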

