The next step is to change the PVID (Port Default VLAN ID) setting on each port. The PVID is the VLAN ID the switch will assign to all UnTagged frames received on each port. As mentioned, I'm not using VLAN-aware devices, so all frames will arrive at the switch UnTagged. The frames will then receive the PVID associated with their port.
PVIDs are the key to breaking up a broadcast domain in this example! The simple rule to remember is that you set each port's PVID equal to the number of the VLAN that you want it to logically belong to. This is where naming the VLANs is important.
My VoIP server and ATA are connected to switch ports 6 and 7, so I set both their PVIDs to 4, which I named the VoIP VLAN. Similarly, my data devices are plugged into switch ports 2 through 5, so they get a PVID of 3, which is the Data VLAN. Ports 1 and 8 are left over and get a PVID of 2, which is the Network VLAN.
Changing PVIDs on the SRW is accomplished via the Port Setting menu, and you simply put in the number of the VLAN that applies to all UnTagged frames arriving on that port, as in Figure 12.
Figure 12: Mapping PVIDs to ports
Click Save, and you've completed the configurations. I did this on a live network; on a production network, you would be wise to do this during a period of little or no activity. If you have a defined maintenance window, this type of work definitely belongs in that time frame.
One issue I ran into while configuring VLANs on this managed switch was locking myself out of the switch's management interface, which by default is on VLAN1. The end result I'm going for will leave nothing on VLAN1, so I'm going to have to change the switch's default setting from VLAN1 while in VLAN1, and then go to a port in VLAN2 to complete the configurations.
The easiest way I found to do this is to change the PVID on port 1, which is connected to the RV042, to a PVID of 2, and then change the network setting of the SRW to VLAN2, as in Figure 13. I then moved the Ethernet cable connected to my laptop from port 8 of the SRW to a port on the RV042 to finish the configurations.
TIP: Some inexpensive managed / "smart" switches don't have the ability to change the VLAN of the Management interface. In that case, you would use the default VLAN (usually either 0 or 1) as the "Network" VLAN in this example.
If you lock yourself out of the switch management interface, there is also a console connection option. On switches without console connections, you'd need to reset the switch to its default configuration and start over.
Figure 13: Putting the switch on a different VLAN
With the switch VLAN configurations complete, it is time to test. The goal of this exercise was to separate the Data components from the VoIP components, so pings from the Data to the VoIP VLAN and back are a good way to see if you've succeeded.
Indeed, pings from components in the Data VLAN did not reach components in the VoIP VLAN, and vice versa, which is what I want. However, all components need Internet access, so checking a browser on servers in both VLANs or pinging a reliable Internet host such as Google or Yahoo are good tests.
Since VoIP elements are part of this exercise, placing test calls is a good idea, both to and from stations, as well as to and from outside POTS numbers. Make sure to transmit and receive audio in both directions to ensure no one-way audio problems. One-way audio would indicate a routing or firewall problem blocking the voice path of the communication stream.
Another benefit of VLANs is that my network is now more secure than it was as a single LAN. Any device can flood the network with broadcast traffic, which amounts to a denial-of-service attack against other devices on the same VLAN. However, since broadcasts can't cross VLANs, a device on my Data VLAN now can't flood my VoIP VLAN.
With these steps completed, my network is now divided into two separate VLANs and a third that overlaps the two. Figure 14 is a simple picture of my network with VLANs implemented. The four devices on the left have access to each other and the Internet. The two VoIP devices have access to each other and the Internet. Broadcasts in either VLAN will not affect the other.
Figure 14: The network divided into VLANs
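The finished port layout can be checked on paper before touching the switch. The sketch below is an added example, not part of the original article or the switch's software: it models untagged broadcast forwarding using the PVID table from this section and reports any port pair where a broadcast would cross between the Data and VoIP groups. The per-VLAN egress membership table and the helper names are assumptions, since this section does not list memberships, and the model covers broadcast flooding only, not MAC learning.

```python
# Port -> PVID, as set in this article (VLAN applied to untagged ingress frames).
PVID = {1: 2, 2: 3, 3: 3, 4: 3, 5: 3, 6: 4, 7: 4, 8: 2}

# ASSUMPTION: untagged egress membership per VLAN (not listed in this section).
MEMBERS = {
    2: {1, 2, 3, 4, 5, 6, 7, 8},  # Network VLAN, overlaps both groups
    3: {1, 2, 3, 4, 5, 8},        # Data VLAN
    4: {1, 6, 7, 8},              # VoIP VLAN
}
DATA, VOIP, ROUTER_PORT = {2, 3, 4, 5}, {6, 7}, 1  # port 1 goes to the RV042


def broadcast_reach(src, pvid=PVID, members=MEMBERS):
    """Ports that receive an untagged broadcast entering on port src."""
    vlan = pvid[src]                         # ingress: classify by PVID
    return members.get(vlan, set()) - {src}  # egress: members of that VLAN


def can_talk(a, b, pvid=PVID, members=MEMBERS):
    """Two-way reachability: each port must be in the other's reach."""
    return (b in broadcast_reach(a, pvid, members)
            and a in broadcast_reach(b, pvid, members))


def mgmt_ports(mgmt_vlan, pvid=PVID, members=MEMBERS):
    """Ports from which the switch management interface is reachable."""
    return {p for p, v in pvid.items()
            if v == mgmt_vlan and p in members.get(mgmt_vlan, set())}


def audit(pvid=PVID, members=MEMBERS):
    """Return (leaks, orphans): cross-group floods and ports cut off from the router."""
    leaks = sorted((s, d)
                   for a, b in ((DATA, VOIP), (VOIP, DATA))
                   for s in a for d in b
                   if d in broadcast_reach(s, pvid, members))
    orphans = sorted(p for p in DATA | VOIP
                     if not can_talk(p, ROUTER_PORT, pvid, members))
    return leaks, orphans


if __name__ == "__main__":
    print("leaks, orphans:", audit())
    print("management reachable from ports:", sorted(mgmt_ports(2)))
    wrong = dict(PVID, **{6: 3})  # constructed mistake: VoIP port given the Data PVID
    print("with port 6 mis-set:", audit(wrong))
```

Running `mgmt_ports` with the management VLAN you are about to select shows which ports will still reach the switch afterward, which is the lockout check described earlier.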