D-Link Forums

D-Link Enterprise => DGS-1210-Series => Topic started by: Second Dragon on January 16, 2018, 01:44:06 PM

Title: Sharing an internet access (gateway) between two VLANs
Post by: Second Dragon on January 16, 2018, 01:44:06 PM
Good Evening. I need some help with a simple network configuration:

I actually have one physical LAN including a shared printer, a shared gateway/firewall (Cisco) for internet access, two Access Points all connected via a D-LINK DGS 1210 24 ports.

I'd like to create two VLANs, as two different companies are using the same LAN and the PCs of each company can see the other company's, but they both need to have access to the printer, the gateway/dhcp (192.168.2.1) and one access point each.

I was thinking about this setup:

VLAN 1: ports of Company 1 + printer port + router port + access point 1 port untagged - ports of company 2 not member

VLAN 2: ports of Company 2 + printer port + router port + access point 2 port untagged - ports of company 1 not member

Is it a correct configuration?

Step 2: PVID: how do I configure PVID of the shared ports (printer and Router)?

I mean, e.g., if port 3 belongs to company 1 it will be PVID=1, but what about PVID for shared ports, e.g. number 16 (the router port)? If I set PVID=2, company 2 (VLAN 2) will be able to access the internet via the router but not company 1...

Thanks in advance for the support.

Title: Re: Sharing an internet access (gateway) between two VLANs
Post by: PacketTracer on January 17, 2018, 04:42:29 PM
Hi,

to solve this problem you have to activate the "asymmetric VLAN" feature and configure the following:

.--------+----+----+----+----+----+----+----+----+----+----+-------------.
|  Port  | 01 | 02 | .. | 16 | 17 | 18 | 19 | 20 | .. | 24 | VLAN Name   |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 3 |    |    |    |  X |  X |  X |  X |  X |  X |  X | company2    |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 2 |  X |  X |  X |  X |  X |    |    |    |    |    | company1    |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 1 |  X |  X |  X |  X |  X |  X |  X |  X |  X |  X | default     |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  PVID  |  2 |  2 |  2 |  1 |  1 |  3 |  3 |  3 |  3 |  3 |             |
`--------+----+----+----+----+----+----+----+----+----+----+-------------´
            |    |    |    |    |    |    |    |    |    |
            A    P    P    R    P    P    P    P    P    A
            P    C    C    O    R    C    C    C    C    P
            1    1    x    U    I    1    2    3    x    2
            -    -    -    T    N    -    -    -    -    -
            C    C    C    E    T    C    C    C    C    C
            1    1    1    R    E    2    2    2    2    2
                                R


(For a general discussion of the basics of "asymmetric VLANs" see e.g. here (http://forums.dlink.com/index.php?topic=66792) and the links embedded there. If you know Cisco's private VLAN (PVLAN) implementation, then D-Link's "asymmetric VLANs" can be seen as a proprietary implementation of the PVLAN idea as described and standardized via RFC5517 (https://tools.ietf.org/html/rfc5517), where the "shared VLAN" corresponds to the "primary VLAN" and any "access VLAN" corresponds to a secondary "community VLAN". The drawback of D-Link's implementation is that it lacks "isolated PVLANs")

Here an 'X' means: The switch port denominated by the column's title is an untagged member of the VLAN denominated by the row's title.

This perfectly reflects the asymmetric VLAN descriptions and examples given elsewhere, where

Of course you have to adapt the assignment of ports to devices to your real conditions (you only said that your router is plugged into port 16).

<EDIT>
One important remark: Leave the port where you connect your Admin PC for switch management unchanged (default: PVID=1, untagged member of VLAN 1), otherwise you might lose the connection to the switch management interface. Leave this port reserved/free for temporary management access. You can't access the switch management interface from any of the access VLANs 2 or 3.
</EDIT>

PT
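
The forwarding rule behind the table in the reply above, as an added example that is not part of the original thread: an untagged frame is classified by the PVID of its ingress port and may leave only on ports that are members of that VLAN. The port ranges for the ".." columns (3-15 and 21-23), the printer PVID in the rebuilt question layout, and all function names are assumptions; MAC learning and tagged frames are not modelled.

```python
# Added example (not from the thread): untagged forwarding on a port-based VLAN switch.
# Assumptions: ".." in the table means ports 3-15 and 21-23; all names are illustrative.

C1, C2, ROUTER, PRINTER = range(1, 16), range(18, 25), 16, 17

def build_asymmetric():
    """PVIDs and untagged membership taken from the table in the reply."""
    members = {
        1: set(range(1, 25)),   # default VLAN: every port (shared ports send here)
        2: set(range(1, 18)),   # company1 ports + router (16) + printer (17)
        3: set(range(16, 25)),  # router (16) + printer (17) + company2 ports
    }
    pvid = {p: 2 for p in C1}
    pvid.update({ROUTER: 1, PRINTER: 1})
    pvid.update({p: 3 for p in C2})
    return pvid, members

def build_question_attempt():
    """Layout from the question: two VLANs, shared ports given PVID 2 (constructed)."""
    members = {1: set(range(1, 18)), 2: set(range(16, 25))}
    pvid = {p: 1 for p in C1}
    pvid.update({ROUTER: 2, PRINTER: 2})
    pvid.update({p: 2 for p in C2})
    return pvid, members

def can_send(src, dst, pvid, members):
    """Ingress port's PVID picks the VLAN; egress needs membership of that VLAN."""
    return dst in members[pvid[src]]

def can_talk(a, b, pvid, members):
    """Two-way traffic needs the frame to pass in both directions."""
    return can_send(a, b, pvid, members) and can_send(b, a, pvid, members)

def leaks(pvid, members, group_a, group_b):
    """Cross-group port pairs where a frame passes in at least one direction."""
    return [(a, b) for a in group_a for b in group_b
            if can_send(a, b, pvid, members) or can_send(b, a, pvid, members)]

if __name__ == "__main__":
    for name, (pvid, members) in [("asymmetric", build_asymmetric()),
                                  ("question", build_question_attempt())]:
        print(name,
              "| C1<->router:", can_talk(3, ROUTER, pvid, members),
              "| C2<->router:", can_talk(18, ROUTER, pvid, members),
              "| C1/C2 leaks:", len(leaks(pvid, members, C1, C2)))
```

Running `leaks()` over the two company port groups after any change to the membership table is a quick way to confirm the isolation still holds before applying it to the switch.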