How To Set Up VLANs When You Don’t Understand VLANs

By | March 3, 2016

Several years ago, I needed to partition a network into separate VLANs.  The switches I had were capable, but I wasn’t.  I was having trouble understanding what the terms meant (Tagged, Untagged, Excluded) and how to configure each port to achieve my desired result.  I had trouble finding a good I-don’t-really-care-that-much-about-VLANS-or-Cisco-documentation-I-just-want-this-to-work-so-I-can-get-on-with-what-I-am-really-trying-to-do kind of explanation, so I thought I would write one.  Remember I said that was years ago?  My TODO list is very long.

The switches I was using in this project were Cisco/Linksys SGE2000P which is a “small business” switch.

VLAN concepts:

  1. VLANs are a way to group ports, potentially across multiple switches, into networks (Virtual Local Area Networks). In this way, a switch can be partitioned to, among other things, serve multiple networks all isolated from each other.
  2. Each VLAN is identified by an ID which is a number.
  3. Each port on the switch is designated as Tagged, Untagged or Excluded in each VLAN.
  4. If a port is Tagged, the switch will add the VLAN ID to the header of any packets sent on that interface.  Tagged packets are only understood by network equipment that is VLAN aware.
  5. If a port is Untagged the switch will not add the VLAN ID to the header of packets sent on that interface and will remove and VLAN IDs in packets that came in on a Tagged interface.
  6. If a port is Excluded from a VLAN packets with that VLAN ID will never be sent out on that port.
  7. If a port is marked Untagged on one VLAN, it will be excluded from all other VLANs.  In other words, an Untagged interface can only be a part of one VLAN at a time.
  8. A port can be marked as Tagged on any number of VLANs

What does all of that mean?

Any port that is going to carry traffic between 2 switches must be able to carry packets from all of the VLANs so therefore must be included in every VLAN that must transit that link.  The switch on the other end must be able to determine which VLAN to forward the packet to so the packets sent out that port must be tagged. It is also important that both switches understand VLANs.

Any port that is going to connect to a non-switch device must be marked untagged in the VLAN the device is supposed to be a part of.

Example

Say you want to create 3 different networks with 2 VLAN capable 16 port switches.  We’ll use VLAN IDs 7, 8, and 9.

We want to configure the networks thusly:

  • Connect port 16 on switch #1 to port 16 switch #2.  This cable will carry traffic from all 3 VLANs between the switches.  These ports must be tagged in all 3 VLANs
  • VLAN 7 will include ports 1, 2, and 3 on switch #1 and ports 1 and 2 on switch #2. These ports must be untagged on VLAN 7  and excluded from VLANs 8 and 9.
  • VLAN 8 will include ports 4 and 5 on switch #1 and ports 3, 4, and 5 on switch #2. These ports must be untagged on VLAN 8 and excluded from VLANs 7 and 9.
  • All other ports will be on VLAN 9. These ports must be untagged on VLAN 9 and excluded from VLANs 7 and 8.

So configure the ports like this:

Switch #1
Port VLAN 7 VLAN 8 VLAN 9
1 Untagged Excluded Excluded
2 Untagged Excluded Excluded
3 Untagged Excluded Excluded
4 Excluded Untagged Excluded
5 Excluded Untagged Excluded
6 Excluded Excluded Untagged
7 Excluded Excluded Untagged
8 Excluded Excluded Untagged
9 Excluded Excluded Untagged
10 Excluded Excluded Untagged
11 Excluded Excluded Untagged
12 Excluded Excluded Untagged
13 Excluded Excluded Untagged
14 Excluded Excluded Untagged
15 Excluded Excluded Untagged
16 Tagged Tagged Tagged
Switch #2
Port VLAN 7 VLAN 8 VLAN 9
1 Untagged Excluded Excluded
2 Untagged Excluded Excluded
3 Excluded Untagged Excluded
4 Excluded Untagged Excluded
5 Excluded Untagged Excluded
6 Excluded Excluded Untagged
7 Excluded Excluded Untagged
8 Excluded Excluded Untagged
9 Excluded Excluded Untagged
10 Excluded Excluded Untagged
11 Excluded Excluded Untagged
12 Excluded Excluded Untagged
13 Excluded Excluded Untagged
14 Excluded Excluded Untagged
15 Excluded Excluded Untagged
16 Tagged Tagged Tagged



If you find this site helpful, please consider supporting my efforts by clicking My Amazon Affiliate Link and buying whatever you would normally buy or maybe Try Amazon Prime 30-Day Free Trial.

  • Garry Holmberg

    Thank you Jason! I am currently studying CCNA course material which addresses Cisco’s commands for more robust switches and routers. But, I have a project where I was tasked with installing Cisco’s RV325 routers with integrated 14 point switch. Desktop units, for the SOHO to small business. I went to set up VLANs and could not decipher what they meant by Tagged, Untagged, and Excluded. I searched for two days, read lots of posts, watched some YouTubes and still wasn’t quite sure. The one YouTube I found this morning was posted by CrossTalk Solutions, it demonstrated setting the ports just as you explain on Ubiquiti equipment, which got me on the right track mechanically, but my understanding of the why, still wasn’t satisfied. I just read your post and you nailed it down for me, soooooo thank you!!!!

    • Awesome Garry. I’m glad you found it helpful.

      • Jit singh

        Hi Jason,
        I have some confusion, If i am connecting a switch port to a Storage device which needs to talk to all VLANS , can this port be Tagged or Trunk

        • It depends on what exactly you are trying to do.

          VLANs are meant to create separate networks isolated from each other. A tagged or trunk port is meant to carry data between VLAN aware switches and not as a means to bridge networks (this is the job of a router).

          A device connected to a tagged port must understand VLANs. It would also need to have an IP address (I assume you are using IP at the network layer) on each VLAN and know how to sort everything out. While this is theoretically possible, it is highly unlikely any off-the-shelf storage device has this capability since it’s not really what VLANs are for.

          If you want be able to access a single device from multiple VLANs (networks) you have a couple of options:

          1. Use a device with routing capability (a router or a layer 3 switch). With the right configuration, you can allow different networks to access each other. This is the right way to do it but may require expensive hardware.

          2. Have multiple network interfaces in the device, one for each VLAN. You would then connect each interface to an untagged port on its corresponding VLAN. This is cumbersome for more than a couple of networks and most devices only come with one network interface anyway.

          It could be that I am completely misunderstanding what you are trying to do. If you could be more specific, I might be able to be more helpful.

          • Jit singh

            It is Emc Avamar boc , which stores the backup data and works only using i.p. so if it has to talk to multiple networks to store the data over i.p .it also supports Vlan Tags. i would think in that case it should be connected to Trunk port on the switch ?

          • In that case, yes, the Avamar system should be connected to a trunk port. You then have to make sure the storage device has an interface defined for each network.

          • Jit singh

            Thanks Jason.
            What i am confused about .If there are multiple VLANs and there is intervlan routing setup on Router .
            1>Do i still need VLAN taggings on my Avamar box so it can talk to different end user computers over TCP/IP. or
            2>VLAN Taggging is only required where there is no routing setup on Router i.e VLANS are non routables

          • VLAN tagging on the Avamar box is only required if you can’t set up inter-vlan routing.

            If you are able to set up inter-vlan routing then your storage device doesn’t need to be VLAN aware and can be connected to an untagged access port. You can instead create a new VLAN for the storage device and create routing rules that allow everything to talk to each other.

            To elaborate:

            Say you have 3 VLANs

            VLAN 1 has IP net 192.168.1.0/24

            VLAN 2 has IP net 192.168.2.0/24

            VLAN 3 has IP net 192.168.3.0/24

            These 3 VLANs are distinct separate networks that just happen to be sharing the same switches. How do you connect the storage device? Consider 2 scenarios:

            Scenario 1:

            You can set up intervlan routing. So you can set up routing rules such that, for example, the device with IP address 192.168.1.10 (in VLAN 1) can ping the device with address 192.168.3.12 (in VLAN 3) and receive a response.

            In this case your storage device doesn’t need to be VLAN aware. You can create a new VLAN (say VLAN 4 with IP net 192.168.4.0/24) and put the storage device there. The storage device would connect to a regular untagged access port and have 1 ip address in the 192.168.4.0/24 network. Then set up routing rules so that the other VLANs can reach VLAN 4. This is assuming that the applications you are running in VLANs 1-3 don’t require the storage device to be on the same Ethernet network.

            Scenario 2:

            You can’t (or don’t want to) set up routing rules so devices in each VLAN can talk to each other. Putting the storage device in VLAN 4 would make it unreachable from VLANs 1-3.

            In this case you would need to connect your storage device to a tagged port that is a member of VLANs 1-3. You would then need to create 3 interfaces in the Avamar device, one for each VLAN with an IP address in the corresponding IP network.

  • Mysil

    I need some help, as I still can’t get this working. I have a Cisco RV320 Router, and Cisco SG200-26 Switch. I am trying to isolate two networks (Say Work & Customer), while still having a shared resource network for printers, mail servers etc.

    So I tried to set up VLAN 1 as the resource network, VLAN 25 as Work, and VLAN 100 as Customer. On the switch I configured port 1-8, 9-16 and 17-24 respectively to PVID 1, 25 and 100. Port 25 is used as a Trunk port to the router. 1-8 ports are untagged, while 9-24 is tagged and port 25 is untagged. All of these have their PVIDs enabled.

    When I try to enable VLAN on the router however, (Where VLAN 1 is untagged on all ports, 25 and 100 is tagged) I get disconnected from the router and have to reset all settings to factory default. even when connecting my computer directly to port 1 on the router. I can still connect to my Switch via the router. Please help me, thanks 🙂

    • I’ll give it a shot. Hopefully I understand what you are trying to do. I am not familiar with the specific devices you are using so I will have to be general.

      First, configure the switch.
      Ports 1-8 should be member of VLAN 1 and be untagged access ports.
      Ports 9-16 should be members of VLAN 25 and be untagged access ports.
      Ports 17-24 should be members of VLAN 100 and be untagged access ports.
      Port 25 should be tagged and trunk or general (shouldn’t matter which) and member of VLANs 1, 25, and 100
      You shouldn’t need PVID enabled on any port. It’s used for a different thing.

      It is important that ports 1-24 are untagged because the devices you are going to be connecting to them (I assume PCs, printers, etc) are probably not VLAN aware devices. They will not understand the tagged frames coming from the tagged switch ports. It is important that port 25 be tagged since it will be carrying traffic from multiple VLANs to the router. The switch will add the VLAN tags before sending anything out on port 25 so the router can distinguish among the VLANs.

      In order for any of this to work, each VLAN needs to have a different IP network. So, for example, devices on VLAN 1 could have IP addresses from the 192.168.1/24 network, devices on VLAN 25 could use the 192.168.2/24 network and devices on VLAN 100 could use the 192.168.3/24 network. You can use any networks you want, they just have to be different.

      To configure the router:
      I can point you to some page numbers in the manual for some of this. If you don’t have the manual for the router, it is here: http://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/rv320/administration/guide/en/rv32x_ag_en.pdf

      The router will be receiving traffic from 3 different IP networks on 3 different VLANs. Each VLAN will have to know the router by a different IP address. So VLAN 1 might see the router at 192.168.1.1, VLAN 25 might see the router at 192.168.2.1 and VLAN 100 might see the router at 192.168.3.1.

      I’m not sure which order you need to do these things in this particular router, but you need to manage the following:
      Add the different IP networks to the router and assign the router an IP address in each network. This is on page 19 of the manual.
      Create the VLANs. (page 72)
      Make the IP networks members of their appropriate VLANs.
      Each network should be tagged in the appropriate VLAN and excluded from the others.

      Before you actually enable the VLANs, make sure the device you are using to configure the router is connected to a VLAN that has “Device Management” enabled in the VLAN membership settings otherwise you won’t be able to access the configuration interface.

      At this point you should be able to ping the router from each of your VLANs at the router IP address in that VLANs network. You should also be able to ping devices on the VLANs from the router. If you have left inter-vlan routing off you won’t be able to reach any devices on the other networks.

      You should try to get this far before trying to enable access from one VLAN to another.

      Now to enable enable access among VLANs:
      I assume you want the following:
      1. Devices in VLAN 25 can access devices in VLAN 1 but not devices in VLAN 100
      2. Devices in VLAN 100 can access devices in VLAN 1 but not devices in VLAN 25
      3. Devices in VLAN 1 can’t access devices in VLAN 25 or VLAN 100.

      First you need to enable inter-vlan routing in the router. With this enabled, you will probably have full access from every device on any VLAN to every device on any other VLAN. To satisfy your desired access restrictions you will have to set up firewall rules in the router. It is difficult for me to tell you how to do this at this point.

      Try all that and let me how far it gets you.

  • Joe

    Hi Jason,

    I hope you can help me with my VLAN setup. The goal is to
    share access points (cisco VLAN aware and multi SSID capable) between 2
    networks by having each SSID connected to the corresponding network.

    Ie: SSID “external” corresponding to (NET1) and SSID “Internal”
    corresponding to (NET2) these devices are POEs and I have one switch where they
    are connected to. The switch (10 port VALAN
    capable and set) is divided in half (A and B) so that each half is connected to
    the proper network.

    Also from a security point, users connected to the external
    network should not be able to access the internal network, unless they first go
    through the firewall in front of the internal network.

    Currently I have 2 AP one for each network, but as I mentioned
    before I would like to have one device broadcast both networks.

    Network description:

    Network 1 (external)

    4 port router connected to internet with one port connected
    to a 24 port switch (SW1) (VLAN capable, but no VLAN set)

    One port from SW1 is connected to the POE switch (POESW1_B)
    that will carry to the access point.

    Network 2 (internal)

    The network 2 has all the servers, desktop devices,
    printers, etc. connect to it.

    The internal network is connected to external the network
    via a firewall.

    From a 48 port switch (SW2) (VLAN capable, but no VLAN set)
    one port is connect to the POE switch (POESW1_A) that will carry to the access
    point.

    Now, given this configuration, is it possible to achieve the
    intent (share one AP with multiple networks)?

    If so, can you provide some advice how to set it up?

    Thanks in advance for your efforts!

    Joe

    • I am very tired right now, so I hope this is coherent (I will look at it again later when I am more rested).

      In the access point:
      Set up your 2 SSIDs and assign them to the appropriate VLANs.
      Make sure the AP has a proper IP address for each network and that management is only enabled for the internal network.
      I assume your multi-SSID access point has a single ethernet interface. In this case the frames coming across that cable will be tagged .

      In your 10 port POE switch:
      The port to which you connect your access point will need to tagged (trunk or general) and a member of both VLANs since it will be carrying frames for both VLANs. The switch will then sort out the frames to the proper VLANs.
      The ports to be used for the external network should be untagged and a member of the external VLAN.
      The ports to be used for the internal network should be untagged and a member of the internal VLAN.

      Each of your networks should be using a different IP network.

      From the VLAN perspective, that should allow your access point to work as intended while keeping the 2 networks separate.

      As for communication between your 2 networks, can you be more specific about “The internal network is connected to the external network via a firewall.” Are you using a router between the 2 networks or doing this inside one of the switches or something else?

      • Joe

        Thanks for your time Jason.
        Below is the diagram. For the most part it looks like it works.

        For the 48 port switch I have all ports as untagged with the exception of the port that connects to the POE switch which is tagged. all ports belong to the internal VLAN.

        https://uploads.disquscdn.com/images/323ea91fad41a8b2c0fb386e493f516de90e6a874a757f5172e680ca4ae5c4fc.jpg

        • Thanks for the diagram. That’s about how I imagined it. It looks like it should work.

          I have a couple of observations if you’re interested:

          1. The connection from the 48 port switch to the POE switch doesn’t need to be tagged since everything on the 48 port switch is on the same VLAN. It shouldn’t hurt, but it is unnecessary for now.

          2. It looks like you have an 8 port router. The diagram shows that traffic from the access point has to travel through the router to get to the external network switch. It seems like it would be cleaner to connect the POE switch directly to SW1 like you did with SW2 and let the router be just a router between your 2 networks and the internet. I hope that makes sense.

          Anyway, I’m glad if I was helpful.