
Introduction

VLANs, or Virtual LANs, are a useful technology for segmenting a network. I covered some VLAN basics a while back in this article. Implementing VLANs in a small network can be simple or tricky, depending on the VLAN capabilities of your switch and router. For example, what should you do if you want to use VLANs with a VLAN-capable switch, but your router doesn't support VLANs?

A further challenge is determining what kind of VLANs to use. Some network devices support port-based VLANs, some support 802.1Q VLANs, others support both. What should you do if you want to deploy port-based VLANs, yet your switch supports only 802.1Q VLANs? In this article, I'll answer these questions and provide configuration examples using NETGEAR, ZyXEL and Cisco switches.

Example 1: Port-based VLAN switch

Let's say you have a VLAN-capable "smart" switch, but your router doesn't support VLANs. Your goal is to segment traffic on the switch in multiple VLANs to prevent devices on one VLAN from accessing devices in the other VLAN, but allow all devices to access the Internet. A simple solution is to set up port-based VLANs on the switch.

Start by enabling port-based VLANs and creating three VLANs on the switch. VLAN 1 will be for the Internet, VLAN 2 will be for one set of devices and VLAN 3 will be for another set of devices. The screenshot below shows a NETGEAR GS108Tv1 enabled for port-based VLANs with VLANs 1-3 created.

NETGEAR GS108Tv1 Enable Port-Based VLAN

Next, assign VLANs to the appropriate ports. Assign VLAN 1 to port 1 and connect your router to port 1 on the switch. Now assign VLAN 2 to ports 1 and 2. Finally, assign VLAN 3 to ports 1 and 3.

In the screenshots below from a NETGEAR GS108Tv1, port 1 is a member of VLANs 1, 2, and 3. Port 2 is a member of only VLAN 2. Port 3 is a member of only VLAN 3. To add more devices to one of the VLANs, simply add their ports to either VLAN 2 or VLAN 3.

NETGEAR GS108Tv1 Port-Based VLAN Assignments

The end result of this example is that devices in VLAN 2 can access the Internet and each other, and devices in VLAN 3 can access the Internet and each other. But devices in VLAN 2 cannot access devices in VLAN 3 and vice versa.

Example 2: 802.1Q Switch

Let's say you have a switch that supports 802.1Q VLANs but not port-based VLANs, you have the same no-VLAN router, and you want to segment traffic as you did in Example 1.

It's helpful to clarify some terms first. 802.1Q, sometimes referred to as VLAN tagging, is a standard technology that defines how data traffic is tagged with a VLAN ID. Tagging traffic with a VLAN ID allows the traffic to remain a member of a VLAN as it is passed from one port to another, or from one device to another. 802.1Q specifies that all traffic is tagged with a VLAN ID, except traffic on the port's native VLAN. A port's native VLAN is also known as the PVID, or Port VLAN Identifier.

802.1Q VLANs can have different port types. An access port is an 802.1Q VLAN port that can be assigned to a single VLAN only. It is typically used to connect to end devices such as PCs. A trunk port is an 802.1Q VLAN port that can carry traffic for multiple VLANs and is typically used to interconnect 802.1Q VLAN capable switches and routers. Some switches use general ports, which are a hybrid between access and trunk ports and can carry traffic for multiple VLANs.

To implement the Example 1 solution using 802.1Q VLAN technology, enable 802.1Q on the switch and create the three VLANs as you did in the port-based VLAN example. In this example, I'm going to again use a NETGEAR GS108Tv1, which supports both port-based and 802.1Q VLANs. The configurations below will also work on many NETGEAR switches, including a NETGEAR GS108Tv2. As you can see below, I've enabled 802.1Q and created VLANs 1-3.

NETGEAR GS108Tv1 Enable 802.1Q VLANs

Then, if your switch allows for setting VLAN port type to access, trunk, or general, set the ports to general. Some switches, such as the NETGEAR GS108Tv1 and NETGEAR GS108Tv2 (and most NETGEAR switches I've reviewed), allow all ports to be members of multiple 802.1Q VLANs, so you don't have to set VLAN port type. Other switches, such as the Cisco SG200-26, which I'll cover in the last example, require you to change the VLAN port type to general for this kind of configuration.

Next, assign VLANs to the appropriate ports with the untagged designation, which is a "U" on the NETGEAR GS108Tv1, and make all ports untagged members of VLAN 1. Then make the ports for one set of devices untagged members of VLAN 2 and make the ports for the other set of devices untagged members of VLAN 3.

As you can see in the composite image below from a NETGEAR GS108Tv1, all ports are untagged members of VLAN 1, ports 1 and 2 are untagged members of VLAN 2, and ports 1 and 3 are untagged members of VLAN 3.

NETGEAR GS108Tv1 802.1Q VLAN Assignments

The last step is to set the PVIDs. Set the PVID on the port connected to the router to VLAN 1. Set the PVID on the ports for one set of devices to VLAN 2. Set the PVID on the ports for the other set of devices to VLAN 3. Below is a screenshot of the NETGEAR GS108Tv1 PVID settings.

NETGEAR GS108Tv1 802.1Q PVID Assignments

With this configuration, the device connected to port 2 can't access the device connected to port 3 and vice-versa. But both devices have internet access. To add more devices, configure their ports as untagged members of VLAN 2 or VLAN 3 and make their PVID either VLAN 2 or VLAN 3.
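
The isolation in Example 2 depends on both the untagged membership table and the PVIDs, so it is worth checking them together. The following Python sketch is an added example, not taken from the switch or from the original article: it models only VLAN membership (no MAC learning), and port 4 and its "PVID left at 1" setting are hypothetical values used to show what a forgotten PVID does.

```python
from itertools import permutations

# Untagged VLAN membership and PVIDs from Example 2 (ports 1-3 only).
MEMBERS = {1: {1, 2, 3}, 2: {1, 2}, 3: {1, 3}}
PVID = {1: 1, 2: 2, 3: 3}  # port 1 is the router port

def egress_ports(port, members, pvid):
    """Ports an untagged frame arriving on `port` may leave on."""
    vlan = pvid[port]  # untagged ingress traffic is classified by the PVID
    return members.get(vlan, set()) - {port}

def can_talk(a, b, members, pvid):
    """Two-way traffic needs a's frames to reach b and b's replies to reach a."""
    return (b in egress_ports(a, members, pvid)
            and a in egress_ports(b, members, pvid))

def one_way_leaks(members, pvid):
    """(src, dst) pairs where src's frames reach dst but dst cannot reply."""
    return sorted((a, b) for a, b in permutations(pvid, 2)
                  if b in egress_ports(a, members, pvid)
                  and a not in egress_ports(b, members, pvid))

def with_port(members, pvid, port, vlan, port_pvid):
    """Copy of the config with `port` added as untagged member of VLAN 1 and `vlan`."""
    new_members = {v: set(p) for v, p in members.items()}
    new_members[1].add(port)
    new_members[vlan].add(port)
    new_pvid = dict(pvid)
    new_pvid[port] = port_pvid
    return new_members, new_pvid

if __name__ == "__main__":
    print("port 2 <-> port 3:", can_talk(2, 3, MEMBERS, PVID))
    print("port 2 <-> router:", can_talk(2, 1, MEMBERS, PVID))
    # Hypothetical port 4 added to VLAN 2 as the article describes (PVID 2).
    good = with_port(MEMBERS, PVID, 4, 2, 2)
    print("leaks, PVID set:", one_way_leaks(*good))
    # Same port, but the PVID step was skipped and it is still 1.
    bad = with_port(MEMBERS, PVID, 4, 2, 1)
    print("leaks, PVID forgotten:", one_way_leaks(*bad))
```

With the PVID step skipped, frames from the hypothetical port 4 are classified into VLAN 1 and delivered to port 3, even though port 3 cannot reply; that is the kind of partial leak the membership table alone does not reveal.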
