Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Vlans and export config

Tue Oct 18, 2022 12:44 pm

Just got a CSS326 and Hex (waiting for RB5009 to be available).

Got a lot to work successfully, but I'm stuck on 2 things:

1) Is there a CLI on the CSS326? Is there a way to export the config in 'cli' format, like on the Hex?

2) I'm totally stuck on setting up my VLANs.

I would like 3 VLANS: TRUSTED, MEDIA, G3100

I've attached a screenshot of the VLANs tab (I would have attached the config -- see my question #1).

Here's an example of where I'm failing:

On the VLAN tab, I've tried setting the Default VLAN ID for port 17 to 40. When I do that, I lose connectivity to it from port 3 (which is in VLAN 40, but with Default VLAN 1). Connectivity from 3 to 17 is lost regardless of the VLAN MODE. If I change port 3 to have a Default VLAN of 40, connectivity is restored (but I lose connectivity to all the other ports).

What am I doing wrong?

Thank you!
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Wed Oct 19, 2022 12:10 am

I’ve spent dozens of hours on this.

Can anyone help please?
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Vlans and export config

Wed Oct 19, 2022 10:25 pm

First of all, avoid VLAN 1 like the plague. Here are a couple of screen captures from my CSS326 that is using VLANs.

Image

Image

See if these help. On the VLAN tab, the 9xx Default VLAN IDs are dummy numbers to make sure untagged traffic does not go anywhere.

And no, there is no CLI interface in SwitchOS. You can export the config and it is sort of human readable (i.e. it's not binary data). It is not plain text like an export from RouterOS.

BTW, I am using VLAN 1 for one device because that is the way it is configured and can not be changed.
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Thu Oct 20, 2022 12:58 pm

Hey K6CCC,

Thank you for your help.

I've been trying to use your config to understand how this works and make it work for me, but have been unable.

I've read so many articles and posts and I just can't get it to work under SwOS. I know it's me -- not trying to imply it's the software.

I've limited my goal at this time to having one VLAN that allows the devices on port 17 and port 4 to communicate; and another VLAN to allow port 4 to communicate with all other ports. So, port 4 (I believe) is a trunk.

(FYI, I'm an extra class ham also and have been in tech for 30 years and VLANs are kicking my butt!)
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Vlans and export config

Thu Oct 20, 2022 5:58 pm

Starting simple is good. What device is connected to the trunk port 4?
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Thu Oct 20, 2022 6:43 pm

Port 4 goes to a Hex router which is connected to FIOS Inet.

Port 17 goes to a Verizon G3100 router that is just bridging my TV's coax to the Internet.

The G3100 needs Inet access, but no devices on any other switch ports need access to the G3100 and the G3100 does not need access to any devices on any other switch ports.

So that would be one VLAN. I might add a management PC also.

If I could just understand how to make this work, I could expand the concepts and techniques to more VLANs.

Thank you
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Vlans and export config

Thu Oct 20, 2022 7:33 pm

Uncheck "Port Isolation" on all ports on the VLANs tab - for this discussion, it will increase complexity. And post a screen capture of your VLAN tab. Also post the VLANs tab (I know it's already in your first post) - so both screen captures are together.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Thu Oct 20, 2022 8:30 pm

I've limited my goal at this time to having one VLAN that allows the devices on port 17 and port 4 to communicate; and another VLAN to allow port 4 to communicate with all other ports. So, port 4 (I believe) is a trunk.
I am not sure I understand what exactly you are trying to do. Maybe you don't want vlans after all. What do you mean by "communicate"? Because if that means bi-directional, then what is special about port 17? It seems that your second requirement would already allow port 17 and port 4 to communicate (because port 4 is supposed to be allowed to communicate with all other ports, and that includes 17).

Can you explain what problem you are trying to solve? Maybe what you want is port isolation (and using the Port Isolation tab to limit what each port is allowed to send to). This is independent of vlans, it is more like a matrix of what ports a specific port is allowed to forward to. It is used in a case where you want leaf nodes to not be able to talk to each other, but still be able to talk to the "gateway" toward the internet. Sometimes called multi-tenant unit isolation.

vlans are like having independent switches, and the only way that things on different vlans can communicate is via a router.

I assume you have found this example section of the manual.

Also, there are two recent MicroTIps youtube videos about SwOS worth watching

SwOS basics: hardware types and choices
SwOS basics: VLAN tagging

And if vlans are a new concept, I recommend Ed Harmoush's vlan-index
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Thu Oct 20, 2022 9:13 pm

Port 4 goes to a Hex router which is connected to FIOS Inet.

Port 17 goes to a Verizon G3100 router that is just bridging my TV's coax to the Internet.

The G3100 needs Inet access, but no devices on any other switch ports need access to the G3100 and the G3100 does not need access to any devices on any other switch ports.
Do you have a diagram of how things are connected? How is the Hex router connected to the Verizon G3100 router?

What is the purpose of the hex? Is it to allow you to keep your Trusted and Media networks separated? What does the Verizon G3100 do? Is it converting from Fiber to Ethernet and to Coax for backward compatibility with old TV's? Or are you going to replace it with the hex and deal with your tv in a different way?

If you want to isolate different subnets but share wires and your switch, then vlans are what you want. How familiar are you with how ethernet works? IEEE 802.1Q vlans "insert 4 bytes" into the ethernet frame immediately following the source mac address, effectively replacing the "protocol" field in the ethernet frame (the ethtype field immediately following the source mac address in the ethernet header) with a new value 0x8100 and then insert a 2 byte vlan info field, and then the original ethtype and the rest of the original frame follow. A new FCS (frame check sequence, a CRC32) has to be recomputed, because the contents of the frame have been modified by the insertion of the tag. As with any technical field, networking builds on previous knowledge, so understanding vlans will require understanding ethernet. Ed Harmoush has other free material covering networking fundamentals, and his explanations are the clearest I am aware of.
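As an added illustration (not part of Buckeye's post), the tag insertion just described, in Python: a 4-byte tag with TPID 0x8100 goes in right after the source MAC, the original EtherType and payload follow, and the FCS is recomputed; `strip_tag` is the reverse step a switch performs on egress for the port's untagged VLAN. The MAC addresses and payload are constructed sample values; VID 40 is the one used in this thread.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # TPID that takes the EtherType position in a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def fcs(body):
    """Ethernet FCS: IEEE CRC-32 over dst..payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_untagged(dst, src, ethertype, payload):
    """Untagged frame: dst(6) src(6) ethertype(2) payload fcs(4). Minimum-size padding is not modelled."""
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def insert_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag directly after the source MAC and recompute the FCS."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    body = frame[:-4]                      # the old FCS no longer matches once bytes are inserted
    tci = (pcp << 13) | (dei << 12) | vid  # tag control info: PCP(3 bits) DEI(1 bit) VID(12 bits)
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def strip_tag(frame):
    """Remove an 802.1Q tag (egress towards a non-VLAN-aware device) and recompute the FCS."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame                       # already untagged
    untagged = body[:12] + body[16:]
    return untagged + fcs(untagged)


def parse(frame):
    """Decode a frame as a VLAN-aware receiver would; vid is None for an untagged frame."""
    body, trailer = frame[:-4], frame[-4:]
    wire_type = struct.unpack("!H", body[12:14])[0]
    if wire_type == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", body[14:18])
        vid, payload = tci & 0x0FFF, body[18:]
    else:
        vid, inner_type, payload = None, wire_type, body[14:]
    return {
        "dst": body[:6].hex(":"), "src": body[6:12].hex(":"),
        "wire_ethertype": wire_type,   # what a non-VLAN-aware host sees at offset 12
        "ethertype": inner_type, "vid": vid, "payload": payload,
        "fcs_ok": trailer == fcs(body),
    }


def demo():
    """Constructed sample: a PC on port 7 sends an IPv4 frame; the switch tags it for VLAN 40."""
    plain = build_untagged("02:00:00:00:00:17", "02:00:00:00:00:07",
                           ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    return plain, insert_tag(plain, vid=40)
```

A host that is not VLAN-aware reads 0x8100 where it expects the protocol type, which is why `wire_ethertype` and `ethertype` are reported separately.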
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Thu Oct 20, 2022 10:01 pm

Below is a rudimentary network drawing.

FIOS comes into the Hex (which is the main router).

Port 4 of the CSS326 is connected (wired) to the Hex

The old FIOS router (G3100) is connected to port 17 of the CSS326

Various other devices are connected to other ports on the CSS326.

The system seems to be working fine without port isolation or VLANS, but, as the tinkerer I am (and suspect most people on this forum are), I would like to be able to make it better and learn cool stuff along the way.

My thinking is that the G3100 needs Inet access to provide the cable set top boxes with channel data, so let's isolate the G3100 from everything else on my LAN. That's how I come to VLANS. I understand that this might be better achieved through port isolation, but then I wouldn't have successfully set up a VLAN.

Once I have the VLAN capability, I could set up another VLAN for MEDIA-type devices (TVs, Roku boxes, receiver, etc.). Then another for the Home Assistant server. Etc.

Does my thinking make sense?
Screenshot 2022-10-20 150015.jpg
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Thu Oct 20, 2022 11:22 pm

How close to current is the hex config you posted in this post? That's the only "complete" config I see in the thread. Perhaps you should put a link to this thread in your other thread, and post your current exported config in the other thread. Because it appears that @anav provided some advice about the firewall. Also while you are there, edit the original config to remove your serial number from the config in case you ever use mikrotik's dyndns service (which has a dns name based on the serial number, which would give people a way to discover your current ip address). See this for what I mean.

Do you know if Verizon is using vlans on the internet connection for iptv? Is the TV connected to the Verizon G3100 working with the current configuration?
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Thu Oct 20, 2022 11:29 pm

I don’t believe the G3100 is configured to use VLANs.

The hex config does not have any VLAN set up.

I have been working exclusively on the switch.

The thought did cross my mind that maybe I should connect the G3100 directly to the hex and isolate it either by using a different subnet or port isolation or VLAN.

But I’d still like to get VLANs working on the switch.
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Fri Oct 21, 2022 10:34 am

This is driving me mad.

I watched the new videos and tried to recreate what was done.

Simple: 2 devices -- ports 7 and 17 on the switch.

Port 7 is Windows PC. Set up as access port: Strict mode, Only Untagged, Default VLAN ID 1

Port 17 is the old VZ G3100 router. Set up as a trunk port: Strict mode, Only Tagged, Default VLAN ID 40

Windows PC cannot ping G3100.

Attached are screen shots.

What did I do wrong?
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Vlans and export config

Fri Oct 21, 2022 5:31 pm

You are all hosed up. Thank you for posting both screen captures.
You said that you believe the G3100 is NOT a VLAN aware device (makes sense), but you have the port set to only VLAN tagged.
Your non-VLAN aware Windows PC is set to Only untagged (as it should be) with a default VLAN ID of 1, but on the VLANs tab it is on VLANs 30 and 40.
If a port is untagged only, the Default VLAN ID on the VLAN tab and the assigned VLANs on the VLANs tab should match. And there should ONLY be one VLAN selected for that port on the VLANs tab. On the VLAN tab, you CAN leave untagged only ports to VLAN Mode = Optional, but once you have things working you might want to change them to Strict.
All of your other various devices (presumed to be non-VLAN aware) should have the Default VLAN set to either 20 or 30 on the VLAN tab - depending on which VLAN they are set to on the VLANs tab.
You have port 4 listed as Hex-WAN. I assume that really is a LAN port on the Hex, not the WAN port. The WAN presumably will connect to the ONT.
The Hex will need to become VLAN aware and the connection between the Hex and the CSS will be a trunk port. The other possibility is to set each port in the Hex as a different VLAN and run separate non-tagged cables for each VLAN from the Hex to the CSS - but that only works if the Hex and switch are close to each other, and limits you to just a few LANs.

For now, I would also uncheck Port Isolation and IGMP Snooping on all VLANs on the VLANs tab. Leave them off until you really understand what they do.
Assuming for the moment that you will have a single VLAN tagged connection between the Hex and the CSS, and likely the only other connection on the Hex being the WAN to the ONT, you will be operating VERY similar to the way I am. I can help you with the Hex VLAN setup as well. If you on the other hand have other devices on these same VLANs plugged directly into the Hex, you will need to configure a Bridge in the Hex and I can not help you with that. My mode is that the router exclusively operates as a router and ALL switch functions take place in the switch. From your drawing, that is also what you will be doing.

BTW, until you know what you are doing, don't limit yourself on access to the switch on the System tab. If you don't understand what you are doing, limiting access on the System tab can result in locking yourself out of the switch.
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Fri Oct 21, 2022 8:03 pm

Holy smokes! I am all hosed up!

So the G3100 is not VLAN-aware, and that means that, by specifying the Default VLAN ID for port 17, the switch attaches the VLAN ID to all packets sent out on port 17 to the G3100. Does this mean the G3100 drops the packets because it doesn't know what to do with the VLAN info?

Or, by setting port 17 to TAGGED ONLY am I preventing any packets sent from the G3100 to the switch at port 17 from being accepted by the switch because those packets do not contain VLAN info (specifically VLAN 10 ID)?

So how would I set up VLANs with only non-vlan-aware devices (like 2 Windows PCs)?

I am still so lost.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Vlans and export config

Fri Oct 21, 2022 8:24 pm

For non-VLAN aware devices, on the VLAN tab, for now set the VLAN mode to Optional (once you have things working and know what you're doing, this may want to move to Disabled), set the VLAN Receive to only untagged, and the Default VLAN ID to the VLAN number you want that port to be on. On the VLANs tab, in the Members section, set the port to the desired VLAN.
For non-VLAN devices, the VLAN tag will be added internal to the switch (when the packet enters from the non-VLAN device), and stripped off before the packet leaves the switch (headed to the non-VLAN device).
Look at my screen captures from a few days ago. The vast majority of the ports on that switch are non-tagged devices. The exceptions are:
01 Garage CU trunk - A trunk to the CSS326 in my garage data cabinet. It is tagged only.
21 Open Mesh #1 - A VLAN aware WiFi AP that uses VLAN 101 untagged for management and separate VLANs for each SSID.
22 AREDN MUX radio - A specialized ham data radio that uses VLAN 2
23 Open Mesh #2 - Same as 21 except this one uses VLAN 201 untagged for management.
24 MW to Johnstone - A point to point microwave link to a radio site 4 miles away that carries a bunch of LANS as a VLAN trunk. It is tagged only
SFP1 East attic trunk - A trunk to a CSS106 in my attic that is carrying several LANs as a VLAN trunk. It is tagged only.
SFP2 Garage FO trunk - A parallel trunk to the garage data cabinet like 01 except this one is fiber. It is tagged only.
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Sat Oct 22, 2022 12:23 am

Thank you so much for the continued help and great explanations.

Quick question while I continue to try to understand.

If we had a LAN with 4 Windows PCs (i.e., not VLAN aware), and wanted to set up VLANs as below, how would we do this?

PC1 - switch port 1 - VLAN 100
PC2 - switch port 2 - VLANS 100 and 200
PC3 - switch port 3 - VLAN 200
PC4 - switch port 4 -- VLAN 200

To be clear, when I write that a PC is in a VLAN, I mean that it can communicate only with others in the same VLAN. That is, PC1 and PC2 can communicate. PC2 and PC3 and PC4 can communicate. PC1 cannot communicate with PC3 or PC4.

Thank you!
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sat Oct 22, 2022 12:37 am

I am still so lost.
The concept of vlans hasn't clicked yet. I suggest looking at these vlan references
Virtual Local Area Networks (VLANs) read this first. Then watch video.
VLANs (above article, but in Video format)
Then watch
What is the Native VLAN? and finally Routing Between VLANs

And if while watching those, if there are things that don't make sense, see the networking fundamentals play list and make sure you understand how and why things work. The first link also has links to other material that goes into more detail, but my recommendation is that if things are not clear in the first link, go through the fundamentals playlist in order from the beginning as a "refresher". Knowing the fundamentals will make many networking things much easier to understand.

Then we can get to the question
So how would I set up VLANs with only non-vlan-aware devices (like 2 Windows PCs)?
Because the answer to the question depends whether the two PCs are on the same vlan or on separate vlans.

Understanding how to use and configure vlans without understanding how they work is like trying to make modifications to a circuit without understanding how it works.
Understanding how vlans work without understanding how ethernet works is like trying to understand how a circuit works without understanding what each component does, e.g. understanding how a voltage divider works without understanding Ohm's law and what a resistor is. Put another way, it is the difference between duplicating a project you find online vs what bigclive does on his youtube videos.

If all you want is a "heathkit" with all the parts and explicit instructions to make a working device, then you may be able to find example configurations online and make small tweaks to them and get something to work. Maybe that's your goal, to get something to work, not to learn how to do it yourself. But that doesn't seem to be the normal personality type for someone with your self-assessment "an extra class ham also and have been in tech for 30 years".

So my advice is to start simple and make sure you understand how and why things work. Only then will things make sense, at least that is true in my experience.

So you need to understand some terminology - i.e. what untagged and tagged mean, and what vlan-aware means. And how a vlan-aware switch works. The IEEE 802.1Q specs treat a bridge as a black box, i.e. the spec only describes what outputs the bridge must have when presented with a specific set of inputs; it does not specify how the implementation works inside. (An ethernet switch normally means a hardware implementation of a bridge device in an ASIC.) Personally, I don't use @k6ccc's description of what happens when an untagged frame is received on an access port, although there may be implementations that do exactly what he says. I prefer to use the word "classify" instead of "tag" when referring to what the switch does when it receives an ethernet frame, and how it determines which vlan a received frame will be placed in while it is internal to the switch. To me, the only place that IEEE802.1Q tags apply is when external to the switch, e.g. on a wire. Internally, the bridge must have a way to keep the vlans distinct, that is all the spec says. If it helps you to think of switches/bridges as using IEEE802.1Q tags internally, and that all traffic internal to the switch is tagged, and tags are only removed when sending traffic out untagged ports, then that is one way to think about it.

Untagged just means a "standard" ethernet frame, where the ethertype field isn't one of the TPID values (0x8100 is the standard IEEE 802.1Q, but some more advanced switches understand service tags 0x88A2 as well)

A loose analogy (and analogies can't be perfect) is that vlans are like different frequencies, and that an untagged port has a modem (modulator/demodulator) attached that is for a specific frequency that will be used inside the switch to keep the "conversation" distinct. Then any port that is tuned to that frequency (a member of the vlan) will be able to communicate with others on the same frequency.

I assume you have found this example section of the manual. The problem with those examples is that they are stand alone devices. And to work with each other, both ends of a link must agree on which one (if any) vlan is untagged, and what vlans are supposed to be allowed on the link. In other words, if you have a device with a trunk port with tagged vlans 20 and 30 and an untagged vlan 10 on one end, and a device configured with tagged vlans 50 and 60 and untagged vlan 1 on the other end, then the only thing that will flow between is the untagged traffic, but it will be considered to be in different vlans at each end. The left will consider the traffic to be on vlan 10, where the right will consider the traffic to be on vlan 1.

And vlans by design are virtually separated from each other. The only way for different vlans to communicate with each other is by a router (and each vlan will be a different subnet) or by intentionally mismatching untagged vlans (and then it's all still in the same broadcast domain, just using different vlans in the two switches). See the challenge quiz for an example.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sat Oct 22, 2022 12:42 am

If we had a LAN with 4 Windows PCs (i.e., not VLAN aware), and wanted to set up VLANs as below, how would we do this?

PC2 - switch port 2 - VLANS 100 and 200
You still have a misconception of what vlans are, and how they work. If the devices are not vlan aware (your first assumption), then that is incompatible with your second assumption about PC 2 (it is a member of two vlans but connected to a single port).
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Vlans and export config

Sat Oct 22, 2022 1:55 pm

A simple explanation of VLANs is in the V: virtual. It's similar to having multiple physical LANs. Any VLAN-aware devices (with trunk ports) can be then seen as if they had multiple network interfaces, each connected to one of LANs ... and they also need related IP setup for each of LANs. Any VLAN-aware switch can then be thought of as if there were multiple switches, one per VLAN.

Traffic can then pass between VLANs only via a device connected to multiple VLANs - a router (a simple VLAN switch won't do it).

A PC, not VLAN aware, connected to a switch port with multiple default VIDs, can be thought of as if its single network device was connected to two LAN switches using a Y-cable ... or something equally wild. Even if this would physically work, its IP address would be wrong in one of the LANs.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sat Oct 22, 2022 8:19 pm

To be clear, when I write that a PC is in a VLAN, I mean that it can communicate only with others in the same VLAN. That is, PC1 and PC2 can communicate. PC2 and PC3 and PC4 can communicate. PC1 cannot communicate with PC3 or PC4.
What you are describing is not vlans; it is port isolation.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sat Oct 22, 2022 10:00 pm

When to use vlans: (separate virtual broadcast domains)
  • You want to share physical hardware (switches, ports, links) with multiple logically separate LANs.
  • A device that has direct access to more than one LAN will need a layer 3 interface with an ip address in each vlan it is directly connected to.
  • Devices in one vlan can only communicate with another subnet (usually in a separate LAN whether vlan or dedicated LAN) with the assistance of a router and a route (usually will be default route).
When to use port isolation: (port filtered forwarding - possibly asymmetric)
  • All ports (and devices) are in the same subnet.
  • You want to limit what other ports some of the ports in the subnet are allowed to send data to.
  • All ports you want to limit are on the same switch.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sat Oct 22, 2022 10:35 pm

If we had a LAN with 4 Windows PCs (i.e., not VLAN aware), and wanted to set up VLANs as below, how would we do this?

PC1 - switch port 1 - VLAN 100
PC2 - switch port 2 - VLANS 100 and 200
PC3 - switch port 3 - VLAN 200
PC4 - switch port 4 -- VLAN 200

To be clear, when I write that a PC is in a VLAN, I mean that it can communicate only with others in the same VLAN. That is, PC1 and PC2 can communicate. PC2 and PC3 and PC4 can communicate. PC1 cannot communicate with PC3 or PC4.
Again, what I am posting below is not vlans, but it is the answer to the specific question you pose.

First read port isolation

Then make a backup of your switch config, because you will probably want to restore to the previous state after the experiment. If you don't know how, see this.

Disconnect all wires from the switch except for power and the console port or the port you are configuring the switch from. Reset to factory config so we know what the config is.

Connect the PCs to the first 4 ports.

In this state, all ports should be in a single broadcast domain. You will need to manually configure your PCs with static addresses, because they won't have a dhcp server to give them any address.

Verify that you have communications between all four devices. From each PC ping the others, all this should work. If it does not, you have a firewall on the PCs.

Then open the Port Isolation tab. Take a screen shot and save it for your reference. Clear all check boxes (see the note in the documentation: "It is possible to check/uncheck multiple checkboxes by checking one of them and then dragging horizontally (Click & Drag)."). For this experiment, clearing only the top 4 rows should be sufficient.

Make the check boxes look like the following:
Port Isolation example.png
Then port 2 is the only port that can send and receive from the other 3 ports.
Port 1 can only send and receive from port 2.
Ports 3 & 4 can only communicate to each other and port 2

Test and verify. The only pings that should work: the PC on port 2 should be able to ping the other 3. The PC on port 1 should only be able to ping the PC on port 2. PCs on ports 2 and 3 should be able to ping each other and the port 2 PC but not the port 1 PC.

After you are satisfied that this "works", you can restore your config.

Using vlans is probably what you really want to do, especially since you also have another vlan capable switch (the TP-Link SG108E), although it is possible to use a combination of port isolation and vlans. If your G3100 is on the same subnet as your hEX LAN, port isolation is the only way I am aware of to limit what the G3100 would be able to communicate with on the subnet. Vlans allow you to have multiple LANs (each with its own ip subnet) sharing the same switch and wires, but traffic between the vlans will need to be routed by the hEX. You can then use the firewall on the hEX to limit what traffic goes between the distinct subnets.

Have you looked at any of Ed Harmoush's material?
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sun Oct 23, 2022 12:02 am

A PC, not VLAN aware, connected to switch port with multiple default VIDs, can be thought of as if its single network device was connected to two LAN switches using a Y-cable ... or something equally wild. Even if this would physically work, it's IP address would be wrong in one of LANs.
I realize that this is just a thought experiment, but I don't know how it is possible to configure more than a single "default VID" on a port.

In SwOS the Default VLAN ID is what most vendors call the pvid, and it is the single vlan that the port will classify/assign to an untagged frame the switch receives on the port. The pvid will also make the switch remove the tag when sending a frame for that vlan as well. SwOS has the ability to strip tags regardless of VID, using the "best avoided" feature in the VLAN tab with the column "Force VLAN ID", which essentially tells the switch to strip any tag and to classify the frame into the Default VLAN, something that I can think of no good use for.
 
Josephny
Member
Topic Author
Posts: 454
Joined: Tue Sep 20, 2022 12:11 am

Re: Vlans and export config

Sun Oct 23, 2022 2:35 pm

Thank you all again so much for your generous help.

This is a lot to take in. I clearly did not (and possibly still don't) have a correct understanding of VLANs.

I understand VLANs segment (or create) networks on layer 2 (Data Link), thereby making each VLAN function as if it were a different physical LAN (whereby a router would be needed to pass traffic between the VLANs).

VLANs use tags (bits added to an ethernet frame (or packet)) that specify the VLAN ID (e.g., 0, 10, 20, 100, etc.) of the frame.

When a device such as a PC sends out a frame that does not have a VLAN tag, the frame is an UNTAGGED frame.

When a device such as a switch or router (or another VLAN-aware device) sends out a frame with a VLAN tag, the frame is a TAGGED frame.

All frames with the same ID comprise a single VLAN.

An ACCESS port is used for devices that send and receive UNTAGGED frames. That same port will have a default ID -- that is, that port will have a single VLAN ID.

Trunk ports have multiple IDs assigned to them. One ID is the NATIVE VLAN which passes traffic of frames that do not have a tag (and therefore do not have an ID). Frames with IDs matching the other IDs assigned to the trunk port are passed.

Different IP subnets (layer 3 --Network) are commonly used to facilitate routing between VLANs.

Therefore, when configuring VLANs on a switch, we set the following for each port:

VLAN MODE [Optional, Enabled, Disabled, Strict]: <beyond my comprehension at the moment>

RX VLAN MODE [Any, Only Untagged, Only Tagged]: This determines whether the switch will accept (allow in) frames that either have and/or don't have VLAN tags.

DEFAULT VLAN ID [VLAN number]: Assigns ID to any untagged frames that arrive at the switch.

Therefore, any VLAN-UNAWARE devices (devices that do not attach or recognize VLAN tags) must be connected to ACCESS ports, and frames arriving at and sent from these switch ports will effectively be assigned the DEFAULT VLAN ID. That means that if port 1 is an access port with a DEFAULT VLAN ID of 10, and port 2 has a DEFAULT VLAN of 20, the VLAN-UNAWARE devices each plugged into ports 1 and 2 will not be able to communicate.

I am still confused about how VLAN membership comes into play.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Vlans and export config

Sun Oct 23, 2022 3:00 pm

... I don't know how it is possible to configure more than a single "default VID" on a port.

Probably you can't set multiple PVIDs exactly for the absurd example I was explaining. Not sure about SwOS, but in ROS it is possible to add a port as untagged member of multiple VLANs (that's only egress behaviour though).
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlans and export config

Sun Oct 23, 2022 11:00 pm

VLAN MODE [Optional, Enabled, Disabled, Strict]: <beyond my comprehension at the moment>
Don't feel bad, without setting up a lab and capturing packets generated with scapy using Wireshark, some of the terse descriptions just make me have more questions. For example, I think it is possible to have the CSS106 be "vlan transparent", i.e. just pass the ethernet frames as is without regard to what is in the ethertype field, and base its forwarding decisions only on destination mac address, but I don't see any option that would allow that. It would not surprise me if the descriptions in the manual are not 100% correct, especially in edge cases. But it probably is not possible to describe it accurately in the space they have used.

For the common cases you are likely to encounter (access port, fully tagged trunk port, Hybrid (trunk port with active native vlan)), just mimic the settings in the examples and it will work.
I am still confused about how VLAN membership comes into play.
Once a frame has been received, accepted and classified into a single vlan, then the frame can only be forwarded to other ports that are members of that vlan. By member, I mean what is displayed in the right hand part of the VLANS tab display (which essentially is telling the switch what ports a frame belonging to a specific vlan is allowed to be sent to). The VLAN tab is primarily telling the switch what to do with received frames, and whether the frame is tagged or not when it is received on the port. When sending a frame out of a port, the switch uses the following simple rule to decide whether it should put a tag on the frame or not. If the vlan being sent from on the switch matches the pvid on the port (port vlan id, or in SwOS terminology the Default VLAN), then the frame will be sent without a tag. Otherwise it will be sent with a tag for the vlan it was a member of while in the switch.

When using vlans, every host device that is connected to a link with more than one vlan (a trunk link) will need to have an interface for every vlan it needs to communicate with. You can't have one logical interface receive and send on two different vlans. (At least that is the case under normal circumstances that you are likely to encounter; there are things like asymmetric vlans where that isn't true, but going into that at this stage won't help your understanding at this point, just like talking about matrix multiplication when you are just learning your times tables would not be helpful).

Here's a more concrete example. You have a Raspberry Pi with a single wired interface, and you also have an SG108E vlan aware switch. You want to create a router, but the Raspberry Pi has only a single physical interface. Here's one thing that can be done without any additional hardware.

On the Raspberry Pi load the vlan package. This will allow you to create vlan subinterfaces like eth0.20, which will be the interface for vlan 20, and all packets sent from eth0.20 will leave through the eth0 physical interface, but will be tagged with vlan 20. To the rest of Linux on the Raspberry Pi, the eth0.20 interface behaves like a standard ethernet connection. You assign an IP address to eth0.20 that is in a different subnet than eth0. For this example, let eth0 use 192.168.1.1/24 and eth0.20 use 192.168.20.1/24. Note that traffic from the eth0 interface will be untagged, while the traffic from eth0.20 will be tagged.

Then you can create a trunk port on the SG108E with PVID 1 and tagged 20. Then create two access ports on the SG108E, one in vlan 1 with PVID 1, and one in VLAN 20 with PVID 20.

At this point, you now have a Raspberry Pi with two ethernet ports (through the SG108E) and you could add more, since the SG108E has 8 ports, and 5 would still be free.

The hEX operates very much in the same way as the Raspberry Pi with the external switch. But on the hEX you create the vlan subinterface with the /interface vlan command, and the "switch" is the bridge device.
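The port rules summarised in the earlier post (access port with a Default VLAN ID, trunk port with several IDs, RX VLAN Mode) and the ingress/egress rule spelled out in this reply can be checked with a small model. The block below is an added example, not SwOS code or anything posted in this thread; the class names, port names and memberships are constructed, and it deliberately leaves out SwOS's VLAN MODE setting and MAC learning (every frame is offered to all member ports, as a broadcast would be). It reproduces both the original port 3 / port 17 problem and the SG108E trunk-plus-access layout described above:

```python
# Added example: a model of the 802.1Q port rules this thread describes.
# It is not MikroTik SwOS code; the port names, PVIDs and memberships below
# are constructed to mirror the two scenarios in the thread.
from dataclasses import dataclass, field
from typing import Optional

ANY, ONLY_UNTAGGED, ONLY_TAGGED = "any", "only-untagged", "only-tagged"


@dataclass
class Port:
    name: str
    pvid: int                                  # SwOS "Default VLAN ID" (PVID)
    members: set = field(default_factory=set)  # VLAN IDs this port is a member of
    rx_mode: str = ANY                         # SwOS "RX VLAN Mode"


@dataclass(frozen=True)
class Frame:
    vid: Optional[int] = None                  # None = untagged frame


class Switch:
    """Flood-to-members model: MAC learning is omitted, so a frame is offered
    to every other port that is a member of its VLAN (what a broadcast does)."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, ingress, frame):
        """VLAN the frame is assigned to on ingress, or None if it is dropped."""
        port = self.ports[ingress]
        if frame.vid is None:
            if port.rx_mode == ONLY_TAGGED:
                return None
            return port.pvid                   # untagged -> classified into PVID
        if port.rx_mode == ONLY_UNTAGGED:
            return None
        return frame.vid                       # tagged -> VID carried in the tag

    def forward(self, ingress, frame):
        """Map each egress port that receives the frame to the frame as sent."""
        vid = self.classify(ingress, frame)
        if vid is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name == ingress or vid not in port.members:
                continue                       # only VLAN members may receive it
            # Egress rule: strip the tag when VLAN == PVID, otherwise send tagged.
            out[name] = Frame(None) if port.pvid == vid else Frame(vid)
        return out


def reaches_untagged(switch, src, dst):
    """True when an untagged frame from a VLAN-unaware host on `src` arrives
    untagged at `dst`, i.e. the two hosts can talk without VLAN awareness."""
    out = switch.forward(src, Frame(None))
    return dst in out and out[dst].vid is None


def original_question():
    """Port 3: PVID 1, member of VLANs 1 and 40.  Port 17: PVID 40, member of 40."""
    sw = Switch([Port("p3", pvid=1, members={1, 40}),
                 Port("p17", pvid=40, members={40})])
    return {"p3->p17": reaches_untagged(sw, "p3", "p17"),   # VLAN 1 never reaches p17
            "p17->p3": reaches_untagged(sw, "p17", "p3"),   # arrives, but tagged 40
            "p17->p3 raw": sw.forward("p17", Frame(None))}


def pi_and_sg108e():
    """Trunk: PVID 1 + tagged 20.  Access: PVID 1 (VLAN 1) and PVID 20 (VLAN 20)."""
    sw = Switch([Port("trunk", pvid=1, members={1, 20}),
                 Port("acc1", pvid=1, members={1}),
                 Port("acc20", pvid=20, members={20})])
    return {"eth0": sw.forward("trunk", Frame(None)),       # untagged -> acc1 only
            "eth0.20": sw.forward("trunk", Frame(20)),      # tagged 20 -> acc20 only
            "acc20->trunk": sw.forward("acc20", Frame(None))}  # leaves trunk tagged 20


if __name__ == "__main__":
    print(original_question())
    print(pi_and_sg108e())
```

Running it shows why port 3 and port 17 could not talk in either direction: the untagged frame from port 3 is classified into VLAN 1, of which port 17 is not a member, and the frame from port 17 does reach port 3 but leaves it tagged 40 because port 3's Default VLAN is 1, so a VLAN-unaware PC on port 3 discards it. The second function shows the trunk carrying VLAN 1 untagged and VLAN 20 tagged, exactly what eth0 and eth0.20 on the Raspberry Pi expect.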
