VLAN confusion

Ronco

I need to VPN into a work network. Problem: They have the exact same internal network as I do.

I figured "hey no problemo, I'll set up a VLAN with a totally different network on my switch / router so I can put a work laptop / desktop on it."

Thing is, while I'm aware of the concept of a VLAN, I've never set one up before and it's eluding me.

I have a couple of pretty decent switches in the basement by the patch panel - HP 2910al's, and a Sonicwall TZ 215. I tried to start with a wireless setup using a Vigor AP, but I wasted a lot of time troubleshooting wireless and even suspecting there was something wrong with it only to discover wired didn't work either.

I've set up the second VLAN on the TZ215 in the LAN zone and given it a DHCP server. I've set up a test Hyper-V VM with the same VLAN ID. And even if I manually set an IP address in the VM, I can't ping the router.

Where I am getting stuck is most likely the switch since I'm not understanding what setting to put in.

I've set up the second VLAN in the switch, in the VLAN Configuration tab. In the IP configuration tab, I've set the second VLAN to use DHCP/Bootp. There is no IP address currently assigned as it's clearly not seeing the TZ215's DHCP server.

All the ports are currently Untagged for the main LAN (i.e. the default VLAN). If I change that to Tagged for any port, then the port drops off the main LAN. And on the flipside, as default all ports are set to No on the second VLAN - and if I Tag the connection going to the router for the new VLAN nothing happens, and if I set it to Untagged then the main LAN drops off again.

Could someone help me on exactly what setting I need to make in the "VLAN Configuration" tab to get both the default and the newly created VLAN working? Or am I doing something else dumber?
 
Check your vswitch configuration to make sure trunking / tagging is enabled on there and on the switch port it is connected to. I assume you already configured both the switch uplink and the router LAN interface to be set up as trunks. Right?


The easier way around this mess would be to set up NAT between your network and the VPN network.
 
Well, the easiest way since I have multiple external IP addresses would be for me just to jam on another router on the external switch (which I have) and patch a connection from the desktop / wireless AP to there.

But no, this has now become a Thing I Must Do To Confirm I'm Not A Total Dumbass.

I assume you already configured both the switch uplink and the router LAN interface to be setup as trunks

Well this is pretty much the question more than anything else, which is why I'm not asking for a generic answer - it's a specific question as to what setting I need on these switches (or should I say switch, since the VLAN-intended ports and the router port are on the same switch) to make this happen.
 
Gotcha. I have no idea how to use a sonicwall but you will need to setup:
1. A VLAN Trunk interface on the switch facing the router.
2. A VLAN trunk interface on the switch facing your ESXi box.
3. A VLAN trunk interface on the router facing the switch.
4. A VLAN trunk interface on the ESXi box facing the switch.

You have to have trunks configured to carry multiple VLANs. Otherwise your VLANs will not propagate.

Does that make sense?

PS - NAT was made for overlapping networks. No one is calling you a total dumbass.
 
You have to have trunks configured to carry multiple VLANs. Otherwise your VLANs will not propagate.

This I understand, but again - what is the setting for it on the 2910? I have No, Untagged, Tagged and Forbid as the only options for each port per VLAN (including the default VLAN, for which the default is Untagged for each port and subsequent VLANS being No for each port).
 
Tagged = trunk

So I'd set both default and added VLAN to Tagged for all the ports involved? But that killed all communication with the default VLAN (i.e. when I set the default VLAN on router port to Tagged and also the added VLAN to Tagged) the last time I tried.

EDIT: and as I wrote above, if I set the default VLAN to Untagged and the added VLAN to Tagged (which was my first go-to), the devices on the added VLAN can't see each other.
 
That's because both sides of the connection have to be tagged/ trunked or it won't work
 
Yeah, but having the default VLAN (1) tagged on the switch for the router port means that I will need to explicitly tag every device on the network with its own VLAN...? That's not practical. Am I going about this the completely wrong way?

As for the port configuration page, it's literally a drop-down list beside all the ports on the switch with the four options I mentioned, for each VLAN. There are no other options on the page.
 
Default VLAN means it'll default to that VLAN when it receives a packet without a VLAN tag or tagged with a nonexistent VLAN. In theory all your other ports should already have your default VLAN setup so you shouldn't worry about those ports.
 
That's what I thought, which is presumably why I shouldn't Tag the default VLAN. The problem is, when I Tag the added VLAN 10, nuthin'. The switch isn't picking up an IP on the added VLAN from the router, and the VM PC can't ping the router when I have the VLAN settings in Hyper-V set to the appropriate VLAN.

To set up the VLAN on the router, I did this - found this video after I'd done it and was double checking I hadn't been an idiot, but it is pretty much the only way to add a VLAN onto an existing physical LAN interface.
 
For the new VLAN that you added, did you pick a new network on the router? I.e. VLAN 1 is 192.168.0.1 and VLAN 2 is 192.168.1.1?
 
Why not just change your home IP address scheme? You are jumping through hoops you shouldn't have to jump through to achieve this.
 
Yeah, but having the default VLAN (1) tagged on the switch for the router port means that I will need to explicitly tag every device on the network with its own VLAN...? That's not practical. Am I going about this the completely wrong way?

As for the port configuration page, it's literally a drop-down list beside all the ports on the switch with the four options I mentioned, for each VLAN. There are no other options on the page.

Yes, you are doing this wrong. You need to configure the ports on your switch to belong to a different VLAN. This way when traffic ingresses on a specific interface, it will tag the frame for that VLAN.

The setting you are looking for should be called PVID (per-VLAN ID). By default every interface on your switch should be PVID 1, which means that any device connected to that switch is on VLAN 1. If you change an interface to be PVID 10, that frame will get tagged as VLAN 10 as it egresses a tagged (trunk) interface. If PVID didn't exist, yes, you would have to configure each end device you want to belong to VLAN10 to tag their frames before sending it.

On your Sonicwall, you create a subinterface on X0 with VLAN Tag 10, and give that interface a L3 address that you want on that subnet. Then on your switch, you configure the interface that connects to the Sonicwall as a tagged interface for VLAN10, but VLAN 1 will still be untagged. When a host connected to an interface with PVID 10 sends traffic upstream, the switch will slap on a 802.1q tag on the frame when it leaves the interface to the Sonicwall.

Now since you have a new VLAN (broadcast domain), you'll need to have DHCP services, DNS, and rules that allow you to still be able to connect to your LAN (if they are on different zones).
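Added example (not from any poster in this thread): a small Python model of how an 802.1Q switch port behaves under the four per-VLAN membership options the 2910al's VLAN Configuration tab offers (Untagged / Tagged / No / Forbid). It reproduces the behaviour described above: an untagged frame is assigned to the one VLAN the ingress port is Untagged in (its PVID), a tagged frame is accepted only on a VLAN the port carries Tagged, and a port with no Untagged VLAN drops every untagged frame, which is why setting VLAN 1 to Tagged on the router port knocked the main LAN off. The port numbers, MAC addresses and topology are made up to mirror the thread; nothing here is SonicWall or HP code.

```python
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def ethernet_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + ETHERTYPE_IPV4.to_bytes(2, "big") + payload


def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q header (TPID + TCI, PCP/DEI zero) after the MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = vid                              # PCP(3)=0 DEI(1)=0 VID(12)
    return (frame[:12] + TPID_8021Q.to_bytes(2, "big")
            + tci.to_bytes(2, "big") + frame[12:])


def frame_vid(frame: bytes) -> Optional[int]:
    """VID carried by a tagged frame, or None if the frame is untagged."""
    if len(frame) >= 16 and int.from_bytes(frame[12:14], "big") == TPID_8021Q:
        return int.from_bytes(frame[14:16], "big") & 0x0FFF
    return None


def untag_frame(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q header when one is present."""
    return frame[:12] + frame[16:] if frame_vid(frame) is not None else frame


@dataclass
class Port:
    name: str
    membership: dict   # vid -> "Untagged" | "Tagged" | "No" | "Forbid"

    def __post_init__(self):
        # A port can be Untagged in at most one VLAN; that VLAN is its PVID.
        if sum(m == "Untagged" for m in self.membership.values()) > 1:
            raise ValueError(f"port {self.name}: one Untagged VLAN per port")

    def pvid(self) -> Optional[int]:
        for vid, mode in self.membership.items():
            if mode == "Untagged":
                return vid
        return None                        # no Untagged VLAN on this port

    def ingress(self, frame: bytes) -> Optional[tuple]:
        """Classify an arriving frame: (vid, bare payload) or None if dropped."""
        vid = frame_vid(frame)
        if vid is None:                    # untagged: goes to the PVID, if any
            pvid = self.pvid()
            return None if pvid is None else (pvid, frame)
        if self.membership.get(vid) == "Tagged":
            return vid, untag_frame(frame)
        return None                        # tagged for a VLAN we don't carry

    def egress(self, vid: int, payload: bytes) -> Optional[bytes]:
        """Send bare on an Untagged port, re-tag on a Tagged one, else drop."""
        mode = self.membership.get(vid, "No")
        if mode == "Untagged":
            return payload
        if mode == "Tagged":
            return tag_frame(payload, vid)
        return None                        # "No" or "Forbid"


def forward(ports: dict, in_port: str, frame: bytes) -> dict:
    """Flood one frame through the switch model; returns {out_port: frame}."""
    classified = ports[in_port].ingress(frame)
    if classified is None:
        return {}
    vid, payload = classified
    out = {}
    for name, port in ports.items():
        if name != in_port:
            egressed = port.egress(vid, payload)
            if egressed is not None:
                out[name] = egressed
    return out


# Constructed topology (assumed port numbers): 1 -> SonicWall X0 with X0:V10,
# 2 -> ordinary home PC, 5 -> Hyper-V host whose VM tags VID 10 itself,
# 7 -> a work desktop that cannot tag, so it gets VLAN 10 as its PVID.
WORKING = {
    "1": Port("1", {1: "Untagged", 10: "Tagged"}),
    "2": Port("2", {1: "Untagged"}),
    "5": Port("5", {1: "Untagged", 10: "Tagged"}),
    "7": Port("7", {1: "No", 10: "Untagged"}),
}
# What the thread tried first: VLAN 1 switched to Tagged on the router port.
BROKEN = dict(WORKING, **{"1": Port("1", {1: "Tagged", 10: "Tagged"})})

if __name__ == "__main__":
    bare = ethernet_frame(b"\x02" + b"\x00" * 5, b"\x02" + b"\x00" * 4 + b"\x01", b"x")
    print("router untagged, working:", sorted(forward(WORKING, "1", bare)))
    print("router untagged, broken: ", sorted(forward(BROKEN, "1", bare)))
    print("router tagged 10, broken:", sorted(forward(BROKEN, "1", tag_frame(bare, 10))))
```

In the model the router's ordinary (untagged) frames still reach the home PC when port 1 is Untagged in VLAN 1 and Tagged in VLAN 10, and are dropped outright once VLAN 1 is made Tagged, while VLAN 10 traffic is unaffected either way. It also shows the other trap from the thread: a device that does not tag (an AP, a desktop) plugged into a port that is Untagged in VLAN 1 and Tagged in VLAN 10 lands in VLAN 1, not 10; only a port whose single Untagged VLAN is 10 puts such a device on the new VLAN, and that port then stops carrying VLAN 1. On the 2910al CLI the same settings are entered under `vlan 10` as `tagged <uplink-port>` and `untagged <access-port>`, and `show vlans` lists the membership.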
 
The setting you are looking for should be called PVID (per-VLAN ID). By default every interface on your switch should be PVID 1, which means that any device connected to that switch is on VLAN 1. If you change an interface to be PVID 10, that frame will get tagged as VLAN 10 as it egresses a tagged (trunk) interface. If PVID didn't exist, yes, you would have to configure each end device you want to belong to VLAN10 to tag their frames before sending it.

The default VLAN is 1. All the 'normal' devices are on VLAN 1 in effect, and the switch settings were as default Untagged for each port on VLAN 1. I added the second VLAN 10 and Tagged the appropriate ports for the devices, including the router port.

The Sonicwall router is, as pointed out above, running VLAN 10 on the same physical port as the LAN port. In doing so, I am *assuming* that the 'normal' network packets are treated as VLAN 1 by the switch and I don't have to Tag anything for VLAN 1 - and therefore have not made any other changes to X0 on the Sonicwall.

On your Sonicwall, you create a subinterface on X0 with VLAN Tag 10, and give that interface a L3 address that you want on that subnet. Then on your switch, you configure the interface that connects to the Sonicwall as a tagged interface for VLAN10, but VLAN 1 will still be untagged.

As you can hopefully see by now, that's exactly what I've done. I also - as pointed out above - Tagged the ports on the switch that the wifi AP and VM with a dedicated physical LAN interface are attached to for VLAN 10.

Now since you have a new VLAN (broadcast domain), you'll need to have DHCP services, DNS, and rules that allow you to still be able to connect to your LAN (if they are on different zones).

Again, as I said in the first post the Sonicwall is running DHCP on X0:V10 - though what I didn't put in is that the primary LAN DHCP is being handled by a separate Windows SBS 2011 Server (with no VLAN config and running in a VM - so it should effectively be on V1). I set the IP Configuration in the switch for V10 to be DHCP, and the switch is not getting an IP - which means that my VLAN implementation is already broken at the router-switch (i.e. a single cable from the Sonicwall X0 to one of the switch ports) level.

I'm not entirely unfamiliar with VLAN theory. I'm just not sure how the 2910al is either not behaving as expected or I am doing something wrong in its configuration, and I'm looking for specific guidance from those who are familiar with Procurve switches and ideally a Sonicwall router combo.


As for why not change my entire IP, I've a lot of devices and a lot of a mix of reservations on the Windows server and static IPs. It would be a giant hassle to change my own IP, more so than the office I'm dialling into I think... but their IT won't do that, he's very protective of his stuff. And it's now become a challenge more than anything else.
 
The default VLAN is 1. All the 'normal' devices are on VLAN 1 in effect, and the switch settings were as default Untagged for each port on VLAN 1. I added the second VLAN 10 and Tagged the appropriate ports for the devices, including the router port.

The Sonicwall router is, as pointed out above, running VLAN 10 on the same physical port as the LAN port. In doing so, I am *assuming* that the 'normal' network packets are treated as VLAN 1 by the switch and I don't have to Tag anything for VLAN 1 - and therefore have not made any other changes to X0 on the Sonicwall.

This is correct. The default VLANs don't get tagged, even on trunk links. However, only traffic that belongs to VLAN 10 will get tagged for VLAN 10 as it egresses the trunk link upstream to the Sonicwall.

As you can hopefully see by now, that's exactly what I've done. I also - as pointed out above - Tagged the ports on the switch that the wifi AP and VM with a dedicated physical LAN interface are attached to for VLAN 10.

I'd like to see the config of this, if you can provide it please.

Again, as I said in the first post the Sonicwall is running DHCP on X0:V10 - though what I didn't put in is that the primary LAN DHCP is being handled by a separate Windows SBS 2011 Server (with no VLAN config and running in a VM - so it should effectively be on V1). I set the IP Configuration in the switch for V10 to be DHCP, and the switch is not getting an IP - which means that my VLAN implementation is already broken at the router-switch (i.e. a single cable from the Sonicwall X0 to one of the switch ports) level.

Your SBS 2011 server running DHCP and on VLAN 1 is correct; VLAN 1 has DHCP services thanks to this server. Can you post a screenshot of your DHCP config on the Sonicwall? It is possible to have a scope configured, but the DHCP server turned off on Sonicwall. They are all in the same menu, but a different section.

I'm not entirely unfamiliar with VLAN theory. I'm just not sure how the 2910al is either not behaving as expected or I am doing something wrong in its configuration, and I'm looking for specific guidance from those who are familiar with Procurve switches and ideally a Sonicwall router combo.

I have a lot of experience in Sonicwall, but it's hard to figure out your exact issue without seeing the switch running config.

As for why not change my entire IP, I've a lot of devices and a lot of a mix of reservations on the Windows server and static IPs. It would be a giant hassle to change my own IP, more so than the office I'm dialling into I think... but their IT won't do that, he's very protective of his stuff. And it's now become a challenge more than anything else.

Fair enough. I did not intend to sound flippant with this recommendation.
 
Sonicwall PortShield is only needed if you are using their switch interfaces. OP is trying to use L3 interfaces, so PortShield doesn't apply here.
I'm not talking about port shield, I'm talking about VLAN trunks. Disregard the rest.
 
No - again, because I wanted the VLAN on the same physical port as X0. I linked to what I actually did in the video above.

You are correct.

Your Sonicwall configuration looks correct, but I'm curious to see your DHCP configuration screen, and also a (sanitized, if necessary) running config of your switch. I think the answer should be pretty quick and simple, but without knowing what's configured, we are grasping at straws.
 
There really isn't much to it either -

In the DHCP Server page, I've enabled DHCP Server and Enable Conflict Detection, and added a single DHCP Server Lease Scope - my IP range, bound to interface X0:V10. I've left off "Allow BOOTP Clients to use Range".
 
We still don't have any verification of your switch configuration.

It sounds like your Sonicwall is configured properly, but all we have is a video that you linked saying you followed the steps - but that doesn't tell me if it's configured properly.
  • You have a VLAN interface on X0 as X0:V10 (Parent-Interface:Logical Interface w/ tag, respectively)
    • You set an IP address on this interface to be a different IP network than your home network which resides on VLAN1
    • You assigned it to a zone
  • You configured a DHCP scope on the DHCP server screen and turned on DHCP services
Ultimately, something is wrong with your setup, and we are chasing our tails in the middle of the problem and I have no way to verify your steps on either the firewall or the switch. This is a stopping point and needs to be addressed.
 
Update:

I dunno what I did but the switch has an IP address on VLAN 10!!!! Woohoo!

Will be re-powering up the VM and Wifi AP tomorrow to see if it works.

Maybe just stepping through all the settings while working through this thread made me turn on something that I'd turned off by mistake or something.... either way, I'm over the initial hurdle now so thanks for the help!
 
Awesome! Glad you got it working, and I hope the rest of it works out for you.
 