SmallNetBuilder

Follow SmallNetBuilder
Follow SmallNetBuilder on TwitterConnect On Facebook Google+Get the SmallNetBuilder RSS Feed
You are here: LAN & WAN LAN & WAN How To VLAN How To: Segmenting a small LAN - How To: Set PVID, Testing

VLAN How To: Segmenting a small LAN - How To: Set PVID, Testing

Print E-mail
<< Prev - Page 5 of 6 - Next >>

Set PVID

The next step is to change the PVID (Port Default VLAN ID) setting on each port. The PVID is the VLAN ID the switch will assign to all UnTagged frames received on each port. As mentioned, I'm not using VLAN-aware devices, so all frames will arrive at the switch UnTagged. The frames will then receive the PVID associated with their port.

PVIDs are the key to breaking up a broadcast domain in this example! The simple rule to remember is that you set each port's PVID equal to the number of the VLAN that you want it to logically belong to. This is where naming the VLANs is important.

So, my VoIP server and ATA are connected to switch ports 6 and 7, so I set both their PVIDs to 4, which I named the VoIP VLAN. Similarly, my data devices are plugged into switch ports 2 through 5, so they get a PVID of 3, which is the Data VLAN. Ports 1 and 8 are left over and get a PVID of 2, which is the Network VLAN.

Changing PVIDs on the SRW is accomplished via the Port Setting menu, and you simply put in the number of the VLAN that applies to all UnTagged frames arriving on that port, as in Figure 12.

PVID port mapping
Click to enlarge image

Figure 12: Mapping PVIDs to ports

Click Save, and you've completed the configurations. I did this on a live network; you would be wise to do this during little or no activity on a production network. If you have a defined maintenance window, this type of work definitely belongs in that time frame.

One issue I ran into while configuring VLANs on this managed switch was locking myself out of the switch's management interface, which by default is on VLAN1. The end result I'm going for will leave nothing on VLAN1, so I'm going to have to change the switch's default setting from VLAN1 while in VLAN1, and then go to a port in VLAN2 to complete the configurations.

The easiest way I found to do this is to change the PVID on port 1, which is connected to the RV042, to a PVID of 2, and then change the network setting of the SRW to VLAN2, as in Figure 13. I then moved the Ethernet cable connected to my Laptop from port 8 of the SRW to a port on the RV042 to finish the configurations.

Tip TIP: Some inexpensive managed / "smart" switches don't have the ability to change the VLAN of the Management interface. In that case, you would use the default VLAN (usually either 0 or 1) as the "Network" VLAN in this example.

If you lock yourself out of the switch management interface, there is also a console connection option. On switches without console connections, you'd need to reset the switch to its default configuration and start over.

Management config

Figure 13: Putting the switch on a different VLAN

Testing

With the switch VLAN configurations complete, it is time to test. The goal of this exercise was to separate the Data components from the VoIP components, so pings from the Data to the VoIP VLAN and back are a good way to see if you've succeeded.

Indeed, pings from components in the Data VLAN did not reach components in the VoIP VLAN, and vice versa, which is what I want. However, all components need Internet access, so checking a browser on servers in both VLANs or pinging a reliable Internet host such as Google or Yahoo are good tests.

Since VoIP elements are part of this exercise, placing test calls is a good idea, both to and from stations, as well as to and from outside POTS numbers. Make sure to transmit and receive audio in both directions to ensure no one-way audio problems. One-way audio would indicate a routing or firewall problem blocking the voice path of the communication stream.

Another benefit of VLANs is that my network is now more secure than it was as a single LAN. Any device can flood the network with broadcast traffic, forming a denial of service attack against other devices on the same VLAN. However, since broadcasts can't cross VLANs, a device on my Data VLAN now can't flood my VoIP VLAN.

With these steps completed, my network is now divided into two separate VLANs and a third that overlaps the two. Figure 14 is a simple picture of my network with VLANs implemented. The four devices on the left have access to each other and the Internet. The two VoIP devices have access to each other and the Internet. Broadcasts in either VLAN will not affect the other.

After VLANs

Figure 14: The network divided into VLANs



Related Items:

How To Segment A Small LAN Using Tagged VLANs
How To Use A Layer 3 Switch In A Small Network
Smart Switch How to - Part 2: Security
Slideshow: NETGEAR GS105E 5 Port ProSafe Plus Switch
How To Set Up Switch Link Aggregation