Lost access to Switch after configuring VLANS

[Bruno_A]

Hello all,

 

I have acquired a Netgear GS108Ev3 Managed Switch, and after researching about VLANS, I was able to configure the Switch to use two VLANS that I use on my network, which, in my OpenWRT Router, are VLAN ID 1 and VLAN ID 3.

Here's how they are configured in the OpennWRT Router:

Ports 1, 2 and 3 are Untagged for VLAN ID 1, which is for the main LAN, which uses 10.230.0.x, and Port 4 is Tagged for VLAN ID 1, 3 and 4. Port 4 is the one connected to the Switch, so, I tagged it in all VLANS. VLAN 1 and VLAN 3 are the only ones used, but I still added a VLAN ID 4, in case I wanted to configure another one.

 

Now, in the Switch, here's how I configured the ports:

Port 1, in the Switch, is the one conected to the router, so, I tagged it in all VLANS, also. I used the same VLAN IDs in the switch, because as far as my understanding goes, it's how the Router knows which traffic is from which VLAN?

 

Please correct me if I'm saying something wrong. My problem is, the way the Switch and Router are currently configured, it all works as intended. For example, if I plug a computer to port 2 to 4, on the Switch, I'm connected to VLAN ID 1, and get a 10.230.0.x address, and if I'm connected to port 5 to 7, I'm connected to VLAN ID 3, and therefore, I get a 10.230.2.x address, however, I cannot access the Switch web interface anymore. OpenWRT DHCP always gives the same IP to all the devices, and the IP of the switch has never changed even after resetting it multiple times when I was learning how to set it up, so I know it wouldn't change, but why can't I access it?

[tech.guru]

Management traffic typically is not tagged by default.  Management would be accessible only on the untagged vlan by most vendors typically 1 by default.

 

It would make sense it would not be accessible on VLAN ID 3. some vendors allow you to tagall traffic on ports.  If you want to allow management traffic you may have to use tagall so the untagged management traffic gets tagged before leaving switch.

 

its good security pratice to seperate management and data traffic. You should have a dedicated port for management you could leave that untagged.

[Bruno_A]

2 minutes ago, tech.guru said:

Management traffic typically is not tagged by default.  Management would be accessible only on the untagged vlan typically 1 by default.

 

It would make sense it would not be accessible on VLAN ID 3.

I did it all over again, replaced the VLANS 1 and 3 with 10 and 11, and got rid of 4, as it wasn't used. I then, reset the Switch and configured the VLANS again. I left VLAN ID 1 as default (all 8 ports untagged), and created the VLANS 10 and 11. All ports working as expected, however, I still can't access the switch after configuring it. The only way I can access it, is by plugging it to the LAN 2 port of the Router, which is an untagged port member of now VLAN ID 10.

[tech.guru]

Like i said management traffic typically is untagged on the native vlan. 

 

You could tag the mangement traffic to a specific vlan and allow that vlan on the ports you want management access on

 

EDIT: You will have to check if thats possible

https://kb.netgear.com/29997/How-to-create-Layer-2-VLANs-on-NETGEAR-ProSAFE-Switches

 

 

[Bruno_A]

6 minutes ago, tech.guru said:

Like i said management traffic typically is untagged on the native vlan. 

 

I recommend you tag all traffic except the management 

I'm sorry, but I'm pretty much new to the subject, so, I'm sorry if I seem useless. This is what I have now, after updating the VLANS:

As you can see, the tagged port is 1, the one connected to the Router, then, each VLAN has its own untaged ports. All ports in VLAN ID 1 are untagged. Would I need to mark every untagged port as tagged, except for VLAN ID 1?

[tech.guru]

You should use the tagged ports for data only. .

 

Have port 1 (untagged) for management

Have port 2 tagged to vlan 10

Have port 3 tagged to vlan 11

 

Or keep port 2 for vlan 10 and 11

You will not be able to access management on port 2 (or 3 if configured above)

 

Heres an article for netscalers keep in mind netgear may have something more relevant 

https://support.citrix.com/article/CTX214033

 

[Bruno_A]

6 minutes ago, tech.guru said:

You should use the tagged ports for data only. .

 

Interface ports should not be a member of multiple vlans!

 

Start here, its written by citrix its a good guide

https://support.citrix.com/article/CTX214033

 

Have port 1 untagged for management

Have port 2 tagged to vlan 10

Have port 3 tagged to vlan 11

Does port 1 not have to be marked as Tagged, as it's the one connected to the Router?

[beersykins]

58 minutes ago, tech.guru said:

You should use the tagged ports for data only. .

That's kind of semantics though, as long as your untag/tag scheme lines up then it's all the same. 

 

Sometimes devices have a default ACL that only accepts traffic from a certain subnet or inter-vlan routing isn't enabled by default.  You'd also need DHCP scopes in each of the VLANs on the router for each individual subnet.  Otherwise it should be pretty straightforward as OP has described.

 

Are you able to get out of each VLAN to the internet and to each subnet's gateway address on the Router?  You'd need a .1 address or similar as a gateway on each VLAN, commonly known as a SVI that clients on those segments would use as a default gateway.

[Bruno_A]

10 minutes ago, beersykins said:

That's kind of semantics though, as long as your untag/tag scheme lines up then it's all the same. 

 

Sometimes devices have a default ACL that only accepts traffic from a certain subnet or inter-vlan routing isn't enabled by default.  You'd also need DHCP scopes in each of the VLANs on the router for each individual subnet.  Otherwise it should be pretty straightforward as OP has described.

 

Are you able to get out of each VLAN to the internet and to each subnet's gateway address on the Router?  You'd need a .1 address or similar as a gateway on each VLAN, commonly known as a SVI that clients on those segments would use as a default gateway.

Thanks a lot, I think I fixed it. I'm not sure if this is the right way of doing it, but it does work. Here's what I did: in the Router, I marked LAN 4 as untagged in VLAN ID 10, and left the same port as Tagged in VLAN ID 11. Then, in the Switch, I removed all ports from VLAN ID 1, which can't be deleted, and where as both VLAN ID 10 and 11 had Port 1 Tagged (as it is the one connected to the switch), I marked it Untagged in VLAN ID 10. Is this the correct way of doing it?

 

Router:

Switch:

 

Port 4, in the Router, is connected to Port 1, in the Switch.

 

[beersykins]

You can do it that way, sure.  You're just telling the router and switch on that shared interface that 'packets without a VLAN ID header, place into VLAN 10, whereas the other VLAN traffic will just have 11 in its header for that segment.

 

The common term for that is 'native VLAN' on a trunk, where you specify the VLAN for untagged traffic but otherwise tag all other traffic in a trunk.

 

[tech.guru]

yes as he mentions you are changing the native vlan on the port.

your native vlan traffic gets tagged as VLAN 10 on your routers trunk port.

 

as mentioned i suggest using a separate interface for management and data.