VLANs are a common source of discussion in our forums. How to configure and deploy VLANs in a small network can be challenging. I recently put together an article on how to deploy VLANs on a small network using a smart switch supporting port-based and 802.1Q VLANs. In this article, I'm going to focus on how to use 802.1Q (tagged) VLANs with both a router and switch, as well as how to use 802.1Q VLANs to segment a wireless network.
802.1Q is a VLAN standard, supported by many different device manufacturers. The 802.1Q standard says a VLAN trunk can carry traffic for multiple VLANs. To differentiate traffic, each frame on a VLAN trunk is tagged with a VLAN ID, except frames associated with the trunk's PVID (native VLAN). Frames associated with the trunk's PVID are not tagged with a VLAN ID.
VLAN trunks can be connected to 802.1Q capable routers, switches, access points, servers and any other device compliant with the 802.1Q standard. Here are two configuration examples demonstrating VLAN trunking.
Let's say I want to deploy five VLANs in my network. VLAN 1 will be a common wired VLAN, VLAN 2 will be for secure wired devices, VLAN 3 will be for VoIP devices, VLAN 4 will be for general Wi-Fi devices, and VLAN 5 will be for guest Wi-Fi devices.
I'm going to use a Linksys LRT224 router, ZyXEL GS1900-8HP switch, and Cisco WAP321 access point for this example. The first step is to configure the router. In the below screenshot, I've added VLANs 2-5 to the LRT224.
Create VLANs on Linksys Router
I highlighted two options in the above screen. The LRT224 has a couple of useful options for controlling inter-VLAN traffic. I can enable or disable inter-VLAN routing, as well as enable or disable device management from each VLAN. Other routers may not have these specific options, but you can likely implement similar functionality with firewall rules.
A common practice with multiple VLANs is that devices in each VLAN should be given unique IP address ranges, or subnets. The LRT224 automatically creates a DHCP server for each VLAN. VLAN 1 uses the 192.168.1.0/24 subnet, VLAN 2 uses the 192.168.2.0/24 subnet, VLAN 3 uses the 192.168.3.0/24 subnet, shown below, and so on. Using different IP ranges per VLAN allows you to write firewall rules to filter traffic between subnets, as well as create QoS rules to prioritize traffic from a specific subnet. Below is a screenshot of the DHCP server on the LRT224 automatically created when I added VLAN 3.
Once I've configured the router, the next step is to configure the ZyXEL GS1900-8HP switch. VLANs 1-5 need to be created, as shown below.
Create VLANs on ZyXEL Switch
Next, I need to configure VLAN membership on the switch. I've configured port 1 on the ZyXEL GS1900-8HP as an untagged member of VLAN 1 and as a tagged member of VLANs 2-5. On the GS1900-8HP, this involves clicking the tagged option on VLANs 2-5 for port 1. Below, I've set port 1 as a tagged member of VLAN 2, which I repeated for VLANs 3-5.
To connect PCs or other end devices to any of the VLANs, configure a port on the GS1900-8HP as an untagged member of the desired VLAN. Note, VLAN 1 is the default port setting on the GS1900-8HP, so I don't have to change port settings if I want my devices on VLAN 1.
If I plan to connect a VoIP device to VLAN 3, for example, I need to assign that port a PVID of 3 and make that port an untagged member of VLAN 3. As shown below, I've given port 4 a PVID of 3.
In the next image, I've made port 4 an untagged member of VLAN 3. My VoIP device connected to port 4 is now on VLAN 3 and gets an IP address in the 192.168.3.0/24 subnet.
To connect another device that will carry multiple VLANs, I need to create another trunk on the switch. In this case, I'm going to create a trunk on port 8 of the GS1900-8HP that will connect to the Cisco WAP321 access point. Note, the Cisco WAP321 is an 802.1Q aware access point. Many Wi-Fi access points support 802.1Q, but not all.
I'm going to configure port 8 on the GS1900-8HP switch to be an untagged member of VLAN 1 and a tagged member of VLAN 4 and 5. I followed the same steps with port 8 that I used at the beginning with port 1.
Now I'm going to configure the WAP321 access point. The management interface on the WAP321 is already on VLAN 1, so I just need to configure the Wi-Fi networks. I'll configure two SSIDs and assign them to my desired VLANs. In the below screenshot, I've created an SSID called GeneralWi-Fi and assigned it to VLAN 4, and I've created an SSID called GuestWi-Fi and assigned it to VLAN 5.
With these configurations in place, Wi-Fi devices that connect to the SSID called GeneralWi-Fi will be on VLAN 4 and get an IP address in the 192.168.4.0/24 subnet. Wi-Fi devices that connect to the SSID called GuestWi-Fi will be on VLAN 5 and get an IP address in the 192.168.5.0/24 subnet.
With these configurations implemented, my LRT224 router, ZyXEL GS1900-8HP switch,and Cisco WAP321 access point are passing VLAN tags. The router is the central device, providing a DHCP server to each VLAN and routing between VLANs.
The LRT224 router is trunked to the GS1900-8HP switch. Configurations applied to the GS1900-8HP switch ports define which ports are in which VLANs.
The WAP321 access point is also trunked to the switch. By mapping SSIDs to VLANs, wireless devices end up in the desired VLAN based on the SSID they connect to.
Configuration options vary by manufacturer, but the concepts remain the same. To use multiple VLANs between multiple devices, they all need to support 802.1Q. Further, a VLAN trunk needs to be configured between devices. The trunk needs to be an untagged member of one VLAN, and tagged member of the remaining VLANs. VLAN tagging configurations should match on each end of the trunk.