Background
In an enterprise network, different departments (personnel) have different network permissions, so the local area network often needs to be divided at Layer 2 to isolate the departments from each other. L2 managed switches are very popular in the SMB industry.
This article introduces the configuration sample of 802.1Q VLAN.
Application Topology
Requirements:
- PCs of the Sales department can access the Sales server.
- PCs of the Technical department can access the Technical server.
- PCs of different departments are isolated from each other and cannot access the PCs or servers of another department.
- The NVR can access the IPCs only.
- All PCs, the Sales server and the NVR can access the Internet.
- The Technical server and the IPCs cannot access the Internet.
The VLAN parameters are as below.
Create 3 VLANs: VLAN 10 is the Sales VLAN, VLAN 20 is the Technical VLAN, and VLAN 30 is the CCTV VLAN; VLAN 50 is the Internet VLAN.
Switch | VLAN ID | Port |
Switch A | 10 (Sales) | 1-3 (Sales), 7 (Up-link), 8 (Internet) |
Switch A | 20 (Technical) | 4-5 (Technical), 7 (Up-link), 8 (Internet) |
Switch A | 30 (CCTV) | 6 (NVR), 7 (Up-link), 8 (Internet) |
Switch A | 50 (Internet) | 1-3 (Sales), 4-5 (Technical), 6 (NVR), 7 (Up-link), 8 (Internet) |
Switch B | 10 (Sales) | 1 (Sales server), 7 (Up-link) |
Switch B | 20 (Technical) | 2 (Technical server), 7 (Up-link) |
Switch B | 30 (CCTV) | 3-6 (IPC), 7 (Up-link) |
Switch B | 50 (Internet) | 1 (Sales server), 7 (Up-link) |
Switch A
Port | 1-3 | 4-5 | 6 | 7 | 8 |
Device | Sales | Technical | NVR | Up-link | Internet |
Link Type | Hybrid | Hybrid | Hybrid | Hybrid | Hybrid |
Egress Rule | UNTAG | UNTAG | UNTAG | TAG | UNTAG |
PVID | 10 | 20 | 30 | 1 | 50 |
Belong VLAN | 10,50 | 20,50 | 30,50 | 10,20,30,50 | 10,20,30,50 |
Switch B
Port | 1 | 2 | 3-6 | 7 |
Device | Sales server | Technical server | IPC | Up-link |
Link Type | Hybrid | ACCESS | ACCESS | TRUNK |
Egress Rule | UNTAG | UNTAG | UNTAG | TAG |
PVID | 10 | 20 | 30 | 1 |
Belong VLAN | 10,50 | 20 | 30 | 10,20,30,50 |
Notes:
Access: The port can belong to only one VLAN, and the port's egress rule is always untagged.
Trunk: The port can belong to multiple VLANs and can receive and send frames of multiple VLANs. The port's egress rule is always tagged.
Hybrid: The port can belong to multiple VLANs and can receive and send frames of multiple VLANs. The egress rule of the port can be configured as Tagged or Untagged, depending on the device connected to the port.
PVID (Port VLAN ID) is the default VID of the port. When the switch receives a frame without a VLAN tag, it adds a VLAN tag to the frame according to the PVID of the receiving port and then forwards the frame.
Link Type | Description | When Port Receiving Untagged Frame | When Port Receiving Tagged Frame | When Port Sending Frame |
Access | Usually used to connect to terminal devices | When a frame is received, the port tags it with its own PVID if the frame is not tagged | If VID = PVID, pass through; if VID ≠ PVID, discard | Remove the tag and send the frame |
Hybrid | A mixed mode of Access and Trunk | When a frame is received, the port tags it with its own PVID if the frame is not tagged | The frame is received when its VID belongs to the VLAN IDs that the port is allowed to pass through; otherwise the frame is discarded | When the port is configured as TAG, keep the original tag and send the frame. When the port is configured as UNTAG, remove the tag and send the frame |
Trunk | A relay link that allows various VLANs to pass through, used to connect 2 switches | When a frame is received, the port tags it with its own PVID if the frame is not tagged | The frame is received when its VID belongs to the VLAN IDs that the port is allowed to pass through; otherwise the frame is discarded | Keep the original tag and send the frame |
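As an added example (not part of the original article and not Wi-Tek code), the following Python model takes the PVID and "Belong VLAN" values from the port table above and checks them against the requirements list. The host names and the simplified forwarding rule (untagged hosts, no MAC learning) are assumptions made for the example.

```python
# Added example: port plan copied from the article's table.
# (switch, port) -> (PVID, VLANs the port belongs to)
PORTS = {
    ("A", "1-3"): (10, {10, 50}),          # Sales PCs
    ("A", "4-5"): (20, {20, 50}),          # Technical PCs
    ("A", "6"):   (30, {30, 50}),          # NVR
    ("A", "7"):   (1,  {10, 20, 30, 50}),  # up-link, egress tagged
    ("A", "8"):   (50, {10, 20, 30, 50}),  # Internet
    ("B", "1"):   (10, {10, 50}),          # Sales server
    ("B", "2"):   (20, {20}),              # Technical server
    ("B", "3-6"): (30, {30}),              # IP cameras (IPC)
    ("B", "7"):   (1,  {10, 20, 30, 50}),  # up-link, egress tagged
}
UPLINK = "7"
# Hypothetical host names, one per row of the Device line in the table.
HOSTS = {"sales_pc": ("A", "1-3"), "tech_pc": ("A", "4-5"), "nvr": ("A", "6"),
         "internet": ("A", "8"), "sales_server": ("B", "1"),
         "tech_server": ("B", "2"), "ipc": ("B", "3-6")}
# Two-way reachability demanded by the requirements list.
ALLOWED = {frozenset(p) for p in [
    ("sales_pc", "sales_server"), ("tech_pc", "tech_server"), ("nvr", "ipc"),
    ("sales_pc", "internet"), ("tech_pc", "internet"),
    ("sales_server", "internet"), ("nvr", "internet")]}

def delivers(src, dst):
    """True if an untagged frame entering port src can leave port dst."""
    vid = PORTS[src][0]                 # ingress: frame is tagged with the PVID
    if src[0] != dst[0]:                # other switch: both up-links must carry it
        if any(vid not in PORTS[(sw, UPLINK)][1] for sw in (src[0], dst[0])):
            return False
    return vid in PORTS[dst][1]         # egress: dst must belong to that VLAN

def can_talk(a, b):
    """Two-way communication needs delivery in both directions."""
    return delivers(HOSTS[a], HOSTS[b]) and delivers(HOSTS[b], HOSTS[a])

def check_plan():
    """Host pairs whose two-way reachability contradicts the requirements."""
    names = sorted(HOSTS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if can_talk(a, b) != (frozenset((a, b)) in ALLOWED)]

def one_way_leaks():
    """Ordered pairs where frames are delivered a -> b but never b -> a."""
    return sorted((a, b) for a in HOSTS for b in HOSTS if a != b
                  and delivers(HOSTS[a], HOSTS[b])
                  and not delivers(HOSTS[b], HOSTS[a]))

if __name__ == "__main__":
    print("requirement mismatches:", check_plan())
    print("one-way delivery:", one_way_leaks())
```

In this model the plan meets every requirement for two-way traffic, but frames from the Technical server and the IPCs are still delivered to port 8 in one direction, because port 8 belongs to VLAN 20 and VLAN 30. Blocking that direction as well would need a separate control on the Internet side, which the article does not cover.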
Configure the VLAN parameters as follows.

Step 2. On the PC, launch a browser such as Google Chrome or Firefox, type 192.168.0.1 into the address bar and press Enter. The Wi-Tek management page will open.
The default username/password is admin/admin. After typing in the login account, press [OK] to enter the Wi-Tek management page.
Step 3. In the left column of the management page, go to [VLAN Configuration]-[VLAN Configuration] to create the VLANs (VID 1 is the default VLAN ID; when you create a VLAN, select a number other than 1).
Create VLAN 10 for Sales:
Type 10 into the VID bar, type the department name into the VLAN Name bar, such as Finance, then click [Apply].
Create VLAN 20 for Technical:
Type 20 into the VID bar, type the department name into the VLAN Name bar, such as Technical, then click [Apply].
Create VLAN 30 for CCTV, and VLAN 50 for Internet:
Step 4. Go to [VLAN Configuration]-[VLAN Port Configuration] and configure the VLAN parameters for all ports, referring to the chart above.
Switch A:
Set ports 1-3 of switch A to PVID (default VLAN ID) 10, Mode Hybrid.
Set ports 4-5 of switch A to PVID (default VLAN ID) 20, Mode Hybrid.
Set port 6 of switch A to PVID (default VLAN ID) 30, Mode Hybrid.
Set port 7 of switch A to Mode Trunk, select VLAN 10, 20, 30, 50, then TAG.
Set port 8 of switch A to PVID (default VLAN ID) 50, Mode Hybrid.
Add ports 1-3 of switch A to VLAN 10 and 50 for Sales server access and Internet access.
Add ports 4-5 of switch A to VLAN 20 and 50 for Technical server access and Internet access.
Add port 6 of switch A to VLAN 30 and 50 for CCTV access and Internet access.
Add port 8 of switch A to VLAN 10, 20, 30 and 50 for Internet access of all devices.
Switch B:
Create the VLANs and configure the VLAN ports of switch B in the same way, referring to the steps and chart above.
Create VLAN 10, 20, 30 and 50 on switch B first.
Set port 1 of switch B to PVID (default VLAN ID) 10, Mode Hybrid.
Add port 1 of switch B to VLAN 10 and 50.
Set port 2 of switch B to PVID (default VLAN ID) 20, Mode Access.
Set ports 3-6 of switch B to PVID (default VLAN ID) 30, Mode Access.
Add ports 1, 2, 3, 4 of switch B to VLAN 30 for Internet access.
Set port 7 of switch B to Mode Trunk, select VLAN 10, 20, 30, 50, then TAG.
Note: After finishing the configuration, save the current configuration file so that the configuration is not lost when the switch is rebooted.