vlan terminology and configurations

cubby1223

Lifer
May 24, 2004
I'm learning routers a bit here, and trying to make sure I'm doing things the proper way. A couple of offices will have their phone systems connected to each other by a vpn connection. I like minimizing the number of hardware devices in use. The computers do not interact with the phone system.

My idea is to create three vlans, one for the computer network, one for the phone network, and one for guest wireless access.

[image: 29lhgmr.jpg]


Through some trial and error this configuration appears to achieve what I want done. Ports 1, 2, & 3 on the router communicate amongst themselves and the internet. Port 4 is isolated from the rest and is the only port that can connect to the other side of the vpn. The ssid tied to the guest vlan can only access the internet connection.


But I still do not understand tagged versus untagged, or inter vlan routing, to know if I am heading in the best direction. I have read pages from google searches on these subjects, and it appears to be for potential flexibility in configuring a network that I do not need. Is tagged used when the switch connected to the router is the one determining which vlan a device belongs to?

And inter vlan routing, is this for when you need to connect a device to a port designated to a particular vlan but the device actually belongs within a different vlan? In other words, if I have a device configured through dhcp it will get an address on the subnet of the port's defined vlan. But if I assign the device a static ip address matching a different vlan, with inter vlan routing enabled the device will connect with the devices of the other vlan, and with it disabled it will not?

Thanks
 

theevilsharpie

Platinum Member
Nov 2, 2009
Here's a quick rundown. Note that this is industry-standard terminology and doesn't necessarily reflect the Cisco way of doing things.

Tagged VLAN
Setting whereby connected devices (servers, phones, other switches, etc.) are responsible for setting the VLAN ID. A single port can contain multiple tagged VLANs.

Untagged VLAN
Setting whereby the switch itself tags traffic with the VLAN, even if the connected device has no VLAN support. A single port can only contain a single untagged VLAN. This is also known as a PVID.

Note that it's possible for a port to contain an untagged VLAN and multiple tagged VLANs. This configuration is common when using IP phones, as the phone can tag the voice traffic and the traffic coming from a connected PC can be tagged by the switch in whatever default VLAN you're using.

Inter-VLAN routing
Devices on different VLANs are on different networks, and require a router to communicate with each other. Inter-VLAN routing functionality allows the switch to serve as a router.
 

cubby1223

Lifer
May 24, 2004
Thank you.

If I may ask, is the VLAN ID the same as the subnet? In other words, when a communication comes into the router from a device, does the router look at the source ip address and determines the device's VLAN from that subnet?

I often find that I understand the base implementations, the abstract layers confuse me.
 

imagoon

Diamond Member
Feb 19, 2003
VLAN ID can be anything between 1-4096 (with a couple of exceptions). It is not related directly to the subnet. A VLAN ID is the numeric ID that the switches / routers use to build the Virtual LAN. Basically think of 3 switches with computers that are not interconnected. The VLAN ID is used to build "that" with one switch.

You can have VLAN ID 500 with 10.15.10.0/24 and VLAN ID 2000 with 192.168.1.0/24. It makes 2 separated subnets (the 10.x and the 192.x) while sharing the switch.

BTW what you have can be made to work, but in most cases the routers will trunk to a switch which will handle untagging to the proper ports. I.e. the router would export 2,3,4 as tagged and let the switch handle it. This allows computers to hang off the network port on the phone since the switch will export (using your picture) tagged 4, untagged 2 on internal ports. The phones will use tagged 4 and the computers untagged 2.

The way you have it now would require separate ports and switches for everything effectively.
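To make theevilsharpie's tagged/untagged definitions and imagoon's trunk layout concrete, here is an added example (my own toy model, not code from the thread or from any router firmware) of how a VLAN-aware switch port classifies incoming frames and strips or keeps the 802.1Q tag on the way out. The port layout and VLAN numbers (router trunk tagged 2/3/4, desk port untagged 2 plus tagged 4, guest AP port untagged 3) are assumptions taken from imagoon's description of cubby1223's picture.

```python
# Added example, not from the thread: a toy model of 802.1Q switch-port
# behaviour. VLAN numbers follow imagoon's layout (assumed): router trunk tagged
# 2/3/4; desk port untagged 2 (PC) + tagged 4 (IP phone); guest AP untagged 3.
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Frame:
    src: str
    vlan: Optional[int] = None   # None = no 802.1Q tag on the wire

@dataclass(frozen=True)
class Port:
    name: str
    pvid: Optional[int] = None         # the single untagged VLAN, if any
    tagged: frozenset = frozenset()    # VLANs this port carries with a tag

    def ingress(self, f: Frame) -> Optional[int]:
        # Untagged frames are classified into the PVID by the switch itself;
        # a tagged frame is accepted only if that tag is permitted on the port.
        if f.vlan is None:
            return self.pvid
        return f.vlan if f.vlan in self.tagged else None

    def egress(self, vlan: int, f: Frame) -> Optional[Frame]:
        if vlan == self.pvid:
            return Frame(f.src, None)   # strip the tag for a VLAN-unaware device
        if vlan in self.tagged:
            return Frame(f.src, vlan)   # keep the tag for a VLAN-aware device
        return None                     # this port does not carry that VLAN

def forward(ports, in_port: Port, f: Frame) -> dict:
    # Flood only within the frame's VLAN: a switch by itself never crosses
    # VLANs, which is exactly what inter-VLAN routing adds.
    vlan = in_port.ingress(f)
    if vlan is None:
        return {}   # dropped: tag not allowed here, or port has no PVID
    out = {p.name: p.egress(vlan, f) for p in ports if p is not in_port}
    return {k: v for k, v in out.items() if v is not None}

# Constructed topology for illustration
ROUTER = Port("router", tagged=frozenset({2, 3, 4}))
DESK = Port("desk", pvid=2, tagged=frozenset({4}))
GUEST_AP = Port("guest-ap", pvid=3)
PORTS = [ROUTER, DESK, GUEST_AP]
def from_desk(f: Frame) -> dict:      # PC sends untagged, phone sends tag 4
    return forward(PORTS, DESK, f)
def from_router(vlan: int) -> dict:   # router sends every VLAN tagged
    return forward(PORTS, ROUTER, Frame("router", vlan))
def from_guest(f: Frame) -> dict:     # guest port accepts untagged only
    return forward(PORTS, GUEST_AP, f)
```

Note that a frame arriving on the guest port already carrying tag 2 is simply dropped, because that port permits no tagged VLANs; that is the check you want when verifying a guest VLAN really is isolated at layer 2.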
 

cubby1223

Lifer
May 24, 2004
Thank you, your explanation helps out a lot.

The particular phone system being installed here uses phones connected by a standard old phone cable, requiring separate cables run out to the desk. I began doing work for this business after they hired their phone vendor, and I've been working to correct a lot of things done wrong by their previous IT support.

I'll continue testing some more configurations. This router has worked well for what it is and what it costs.
 

kevnich2

Platinum Member
Apr 10, 2004
So your phone system is a digital pbx, not a VOIP pbx? Just curious then, why are you wanting to use a vlan for the phones if they're not VOIP?

Also, for your wireless, what are you using WAP wise? Your firewall has built in wifi so I'm curious if that's your WAP or if you're using another external device?

Also - you never clearly mentioned what you're trying to accomplish. You only mentioned having a question of tagged vs untagged and inter vlan routing, which was answered pretty much by the followup to your post. The gist is you use tagged vlans on the trunk port that connects several switches together (btw all have to be vlan capable for this to work). If you only have one physical switch, or several switches but not all vlan capable, the tagging won't work.
 

cubby1223

Lifer
May 24, 2004
So your phone system is a digital pbx, not a VOIP pbx? Just curious then, why are you wanting to use a vlan for the phones if they're not VOIP?
It's the Avaya IP400 phone system; the main unit is connected to the network, assigned an ip address, and able, through vpn connections, to communicate with other Avaya IP400 phone systems in other offices for call transfers.

You only mentioned having a question of tagged vs untagged and inter vlan routing, which was answered pretty much by the followup to your post. The gist is you use tagged vlans on the trunk port that connects several switches together (btw all have to be vlan capable for this to work). If you only have one physical switch, or several switches but not all vlan capable, the tagging won't work.
Yes, sorry, the members here thankfully explained things in a way that I understood what I was missing to move forward. I modified the configuration to exclude the vlan I marked as tagged on all ports.

Also - you never clearly mentioned what you're trying to accomplish.
It was:
(1) have only the phone systems, and none of the computer devices, accessible through the vpn connections
(2) provide a guest access with internet only access (an ssid is assigned to the "guest" vlan in this router)
(3) use qos to give priority to the phones over the internet connection

This is my new vlan setup:
[image: 2s7t4rp.jpg]


From the testing I have done I believe I have the vlan setup finished in this router for this situation. I have for the VPN a site-to-site connection to another one of these same routers, and specified the local subnet in the vpn configuration to match the subnet of the "phones" vlan, and everything just automatically worked. With my laptop connected to port 4 I was able to access the other end of the vpn tunnel, and when connected to port 3 I was unable to access the other end.

For expanding my knowledge I will look at the vlan capable switches and other devices, as the interaction between devices seems to really be where one gets a firm understanding of how everything works. Though this is not an immediate priority.