
DGS-1210-10 Newbie - How to set up 2 VLANs both connected to internet?


josephwit:
I am trying to set up 2 VLANs to isolate my wired internet-connected "Internet of Things (IOT)" devices (wi-fi thermostat, solar energy system, DVD players, etc.) from my network of home computers, for improved security, while giving internet access to all of them. I essentially need a wired equivalent of my router's wi-fi Guest Network, but for wired devices.

I have a connection from one of my Asus RT-AC68U router's ports (internet) to the DGS-1210-10 switch. I have 4 devices for the IOT VLAN, and one for the Computers VLAN, to run through the switch. I can set up 2 VLANs and assign ports for the devices, but I don't see how to configure it so that BOTH VLANs get internet access.
I will learn more about VLANs gradually, but I am hoping someone can give me discrete configuration instructions so I can get my networks up without having to become an advanced expert first. THANK YOU!

PacketTracer:
Hi,

I think the best solution fitting your needs is to use the "asymmetric VLAN" feature, which is fortunately supported by your switch. A good description can be found here.

You can adapt that description to your Switch as follows:

Default VLAN 1 is used as "shared VLAN" and the group of shared ports only contains a single port, namely the port, your router is connected to - say port 8. Add VLAN 2 (IOT-VLAN) and configure ports 1-4 and 8 to be untagged members of VLAN 2. Connect your IOT-Devices to ports 1-4.
Add VLAN 3 (Computers VLAN) and configure ports 5-8 to be untagged members of VLAN 2. Connect your computer to port 5. Ports 6 and 7 can be used for additional computers in the future.

Set PVID for ports 1-8 as follows: 2-2-2-2-3-3-3-1

Note: "Asymmetric VLAN" is a proprietary D-Link feature. It resembles what other vendors call "private VLAN" (standardized via RFC 5517), where D-Link's shared VLAN (1 in your case) corresponds to the PVLAN's primary VLAN and the other access VLANs (2, 3 in your case) correspond to the PVLAN's secondary community VLANs (there is no analogue to the PVLAN's isolated VLANs). If you want to learn about VLANs, asymmetric VLAN is definitely not a beginner's scenario ...

PT

<EDIT>
One important remark I forgot to mention: By default the switch is managed via VLAN 1, hence you have to connect your management PC to a switch port that doesn't change its VLAN 1 membership during configuration, that is port 8 (before being connected to the router) or ports 9 and 10 (which belong to VLAN 1 but are not shared ports, because in contrast to port 8 they don't simultaneously become members of VLANs 2 and 3).

In addition you may want to use ports 9 and 10 for your "Computers VLAN" 3 because of their higher bandwidth. If so, I'd suggest you swap the roles of ports 6, 7 (leaving their configuration unchanged, using one of them to connect to the management PC) with ports 9, 10 (assigning them to VLAN 3). In this case the PVID for ports 1-10 should look as follows: 2-2-2-2-3-1-1-1-3-3. Connect your "Computer" to port 9 (or 10), where ports 5 and 10 (or 9) can be used for additional computers in the future.
</EDIT>

FurryNutz:
Welcome!

* In what region are you located?

--- Quote from: josephwit on May 23, 2017, 01:47:24 PM ---I am trying to set up 2 VLANs to isolate my wired internet-connected "Internet of Things (IOT)" devices (wi-fi thermostat, solar energy system, DVD players, etc.) from my network of home computers, for improved security, while giving internet access to all of them. I essentially need a wired equivalent of my router's wi-fi Guest Network, but for wired devices.

I have a connection from one of my Asus RT-AC68U router's ports (internet) to the DGS-1210-10 switch. I have 4 devices for the IOT VLAN, and one for the Computers VLAN, to run through the switch. I can set up 2 VLANs and assign ports for the devices, but I don't see how to configure it so that BOTH VLANs get internet access.
I will learn more about VLANs gradually, but I am hoping someone can give me discrete configuration instructions so I can get my networks up without having to become an advanced expert first. THANK YOU!

--- End quote ---

josephwit:
Thanks for the detailed help, PacketTracer. I pretty much slaved through it and I think I came up with what you are saying, though of course my port numbers are different. To clarify: for the default VLAN 1, I have all of my connected devices as untagged members, giving all devices internet access, with only the physical port connected to my router being assigned that VLAN. My admin computer is on VLAN 2, but I did not lose admin access when assigning the computer's port to VLAN 2. VLAN 2 contains the computer, another computer, a NAS drive, and the router port as untagged members. The IOT VLAN has the IOT device ports and the router port as members. It seems to be working as intended. Does this sound correct?

One additional complication is that I also have my router (Asus RT-AC68U) managing quite a few wi-fi devices, both computers and IOTs. I have an IOT guest network that is isolated from the main computer network, so the wireless IOTs don't see the other devices, but the router sees them, and the router is connected to the switch, so the computers plugged into the switch are not isolated from them. I am thinking I would need a separate gateway router, with no connected devices, plugged into the switch, and a second router, acting as an access point, plugged into another port on the switch in order to completely isolate both wired and wireless IOTs from computers. True? No way to do it with just the single router and single switch?

This is basically a home network, and I am doing this as a hobby to learn and for fun, as well as for security. I don't think I am first on the list to be hacked through my thermostat...  :-X Thanks!

PacketTracer:
Hi again,


--- Quote ---My admin computer is on VLAN 2, but I did not lose admin access when assigning the computer's port to VLAN 2.
--- End quote ---

That's probably because with asymmetric VLAN all VLANs involved still belong to the same IP network, and given that the switch management IP address lies within this network too, it should be reachable from any device, no matter which VLAN it belongs to, as long as the "Management LAN" feature is disabled. Maybe you should enable the Management VLAN and restrict management access to a specific VLAN.


--- Quote ---It seems to be working as intended - does this sound correct?
--- End quote ---

Yes, the relevant things are that the asymmetric VLAN feature is enabled, and that any shared port (in your case the router's port only) becomes an untagged member of every VLAN in use, while any "unshared" port must be an untagged member of a single "access VLAN" and the "shared VLAN". In addition the PVID of any "unshared" port must be set to its "access VLAN", while the PVID of "shared ports" must be set to the "shared VLAN". It looks like you did all these things in this way (see also this short and concise Introduction to Asymmetric VLANs). There is only one ambiguity when considering ports that are untagged members of the shared VLAN only: Are they also shared ports, or are they unshared ports where the "access VLAN" happens to be equal to the "shared VLAN"? I guess the second choice is true. Please check this for your devices that are connected to VLAN 1 ports: if my assumption is true, they should only be allowed to talk to each other and to the router.


--- Quote ---One additional complication is that I also have my router (Asus RT-AC68U) managing quite a few wi-fi devices, both computers and IOTs. I have an IOT guest network that is isolated from the main computer network - so the wireless IOTs don't see the other devices - but the router sees them, and the router is connected to the switch, so the computers plugged into the switch are not isolated from them. I am thinking I would need a separate gateway router, with no connected devices, plugging into the switch, and a second router, acting as an access point, plugged into another port on  the switch in order to complete isolate both wired and wireless IOTs from computers - true? No way to do with just the single router and single switch?
--- End quote ---

Sorry, from your description I do not understand what your router scenario really looks like, e.g. is your "guest network" wired or wireless or both?

In general, from the perspective of the router, a guest network should be an IP network different from the LAN IP network (with WIFI using a different SSID that maps to the guest network, or in the wired case by providing a second Ethernet port (extensible via an unmanaged switch to connect several devices) that is physically or logically (e.g. via internal VLANs) separated from the standard LAN ports); and the router should ensure that no traffic is routed between the guest and LAN networks.

On the other hand, if you have wireless devices connected to your router's WIFI, and your router does not isolate those devices within a "guest network" as described above (that is, they get IP addresses from your LAN network), then those wireless devices are members of the "shared network" via the router, where the router forms a layer 2 bridge between the wifi devices under consideration and the wired link to your switch. Hence, like the router, those wifi devices can talk to any device connected to your switch.

If this is unwanted, you could use a separate WIFI access point (AP) connected to an unshared switch port (e.g. a member of the IOT-VLAN), and connect the wifi devices under consideration to this AP, using a new and unique SSID for it. This AP could be another router with WIFI support, where its WAN port (and its routing function) isn't used, but which is connected to the switch via a LAN port instead. Hence you would only use the additional router's layer 2 bridging function between wired and wireless (give that router a management address from your LAN network and switch off any DHCP server function; for management, temporarily plug the AP or router into a VLAN 2 access port so that it can be accessed from your management PC).

PT
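The following is an added example, not part of the thread and not D-Link's own tooling. It models the 8-port plan from PacketTracer's first reply (VLAN 2 = ports 1-4 plus router port 8, VLAN 3 = ports 5-8, PVIDs 2-2-2-2-3-3-3-1, every port still untagged in the default VLAN 1) and checks it against the membership/PVID rules restated in the reply above. The forwarding model is deliberately simple: a frame is classified into the ingress port's PVID and flooded to the other untagged members of that VLAN; MAC learning and any hardware-specific behaviour are ignored, so it answers "which ports can ever receive a frame from port X", not how a real DGS-1210 learns addresses. It also shows the classic mistake the rules guard against: an IoT port whose PVID was left at the default 1 sends straight into the shared VLAN and reaches the computers. Port numbers, VLAN tables and the "sloppy" PVID table are constructed for the example.

```python
from itertools import product

SHARED_VLAN = 1

# Untagged membership per VLAN for the 8-port plan in the thread (constructed
# from the post, not exported from a switch): VLAN 1 keeps every port as a
# member (the switch default), VLAN 2 holds IoT ports 1-4 plus router port 8,
# VLAN 3 holds computer ports 5-7 plus router port 8.
UNTAGGED = {
    1: {1, 2, 3, 4, 5, 6, 7, 8},
    2: {1, 2, 3, 4, 8},
    3: {5, 6, 7, 8},
}

# PVID per port, "2-2-2-2-3-3-3-1" in the post's notation.
PVID = {1: 2, 2: 2, 3: 2, 4: 2, 5: 3, 6: 3, 7: 3, 8: 1}

IOT_PORTS = {1, 2, 3, 4}
PC_PORTS = {5, 6, 7}
ROUTER_PORT = 8


def egress_ports(ingress, untagged=UNTAGGED, pvid=PVID):
    """Ports a frame entering on `ingress` may be forwarded to: the frame is
    classified into the ingress port's PVID and delivered only to untagged
    members of that VLAN (never back out of the ingress port)."""
    return untagged[pvid[ingress]] - {ingress}


def can_reach(src, dst, untagged=UNTAGGED, pvid=PVID):
    """One direction only: can a frame from src ever arrive at dst?"""
    return dst in egress_ports(src, untagged, pvid)


def isolated(group_a, group_b, untagged=UNTAGGED, pvid=PVID):
    """True when no port of group_a can send to group_b in either direction."""
    return not any(
        can_reach(a, b, untagged, pvid) or can_reach(b, a, untagged, pvid)
        for a, b in product(group_a, group_b)
    )


def check_plan(untagged, pvid):
    """Check the membership/PVID rules stated in the thread and return a list
    of violations (an empty list means the plan follows the rules):
      * every port is an untagged member of the shared VLAN;
      * a shared port (PVID == shared VLAN) is untagged in every VLAN in use;
      * an unshared port is untagged in exactly {shared VLAN, its PVID}."""
    problems = []
    all_vlans = set(untagged)
    for port, access in pvid.items():
        member_of = {vlan for vlan, ports in untagged.items() if port in ports}
        if SHARED_VLAN not in member_of:
            problems.append(f"port {port}: not a member of shared VLAN {SHARED_VLAN}")
        if access == SHARED_VLAN and member_of != all_vlans:
            problems.append(f"port {port}: PVID is the shared VLAN but it is not "
                            f"a member of every VLAN {sorted(all_vlans)}")
        elif access != SHARED_VLAN and member_of != {SHARED_VLAN, access}:
            problems.append(f"port {port}: member of {sorted(member_of)}, "
                            f"expected {sorted({SHARED_VLAN, access})}")
    return problems


def reachability_table(untagged=UNTAGGED, pvid=PVID):
    """Map each source port to the sorted list of ports it can deliver to."""
    return {src: sorted(egress_ports(src, untagged, pvid)) for src in pvid}


if __name__ == "__main__":
    print("rule violations:", check_plan(UNTAGGED, PVID) or "none")
    for src, dsts in reachability_table().items():
        print(f"port {src} (PVID {PVID[src]}) -> {dsts}")
    # Caveat: an IoT port whose PVID was left at the default 1 sends into the
    # shared VLAN and therefore reaches the computers on ports 5-7.
    sloppy_pvid = {**PVID, 1: SHARED_VLAN}
    print("port 1 with default PVID reaches port 5:",
          can_reach(1, 5, UNTAGGED, sloppy_pvid))
    print("violations:", check_plan(UNTAGGED, sloppy_pvid))
```

Run it as-is to print the per-port reachability for the plan; to test your own port layout, replace the `UNTAGGED` and `PVID` tables with what you configured and make sure `check_plan` returns no violations and `isolated(IOT_PORTS, PC_PORTS)` is true before plugging in the router. Note that `can_reach` is one-directional on purpose, since asymmetric VLAN is exactly the case where A reaching B does not imply B reaching A.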
