Dude, I watched so many videos, trying to ascertain how to do this using Netgear switches. You were the only one who made this make sense. As a matter of fact, no one was really doing it right and I think they were just making videos with bad information. No one created trunk ports going out to the next hop in any of the other videos. So frustrating, and I really appreciate your video!
I've started to recommend this video every time someone mentions learning about VLANs or about some cheap home switches for it. You deserve many more viewers.
These two videos provide a good "Layman's Guide to VLANS", and they have about the level of info that most home users want. I really like that you created a "Rosetta stone" for the same configuration on three common "consumer" smart switches that home users are more likely to have than full featured managed switches. Having a plan before you start, like the sheet of paper with the vlan membership of all ports, and whether the device connected to the port will be using vlan tags on a specific vlan or not, is an important key to a successful vlan configuration on the switch. Great job! 👍
This and part 1 allowed me to finally get my VLAN setup working! Thank you so much! The way you explained things and showed how to configure the various ports was extremely helpful!
I'm so glad I found your site. I know it's not rocket science, but some of the other sites made me feel like I was an idiot. Thanks for the concise explanation; it's made what I'm doing so much easier!
This is probably the best VLAN video I have found on UA-cam. Thanks for this. What I'm confused about is inter-vlan routing. While a lot of my systems are split out on their own vlan I do have systems that need to talk to each other across vlans. Such as my Synergy software for keyboard and mouse sharing. It's the darn PVID that's confusing me :) Thanks again.
Thank you for these two videos! The explanation was great and I get it now. That you showed my switch (TP-Link) was perfect, and now my network is running like I planned it. Thank you so much!!
Thanks a lot for explaining the Tagged and Untagged settings. I have the TP-Link switch so you showing the settings on this was extra helpful. Now my network setup is working! Thanks a lot!
Very well done. Amazing how in this day and age, some places still are not able to make something simple and elegant. Then they change the interface in the next update or newer line of the same switches. Very frustrating. Used some Netgear but mostly Cisco SMB like SG2xx/SG3xx and now CBS250/350. Now have a TP-Link SG3210X-M2 and am learning to configure it.
OMG this video saved me a ton of grey hairs! I'm very inexperienced with VLANs and the VID concept was totally unknown to me. Was trying to pass my WAN connection through a VLAN but it wasn't working till I assigned the VID to that untagged port. Now everything works!
Thank you very much for the video explaining VLANs on switches. I don't have VLANs set up on my home network yet, but after your video I do want to use that capability. I currently have a TP-Link LS1008G switch connected to my AT&T BGW320-500 modem/router combo provided by my ISP. I also have two AT&T 4971 extenders connected via Ethernet cable for a wired backhaul for a mesh network to cover some dead spots that the main gateway/router could not cover well in my house. I have connected most devices via Ethernet cables to my TP-Link switch. The 4971 extenders also feed into the TP-Link switch. Then, port 8 on the TP-Link switch feeds to the connection on the back of the AT&T modem/WiFi router. I work from home and I would like to set up VLANs to separate my work computer from my personal computers as well as all my IoT devices. I don't really trust the security of IoT devices. My thoughts after watching your video would be:
vlan 1 = work computer
vlan 2 = personal computer and devices
vlan 3 = IoT devices (Google hub, Samsung SmartThings hub, smart bulbs, etc.)
All three of the VLANs would need an internet connection. If I replace my TP-Link LS1008G with the TP-Link SG108E smart switch, would I be able to achieve the above VLAN setup? I have read that the router and switches all need to support VLAN capability for VLANs to work. But my AT&T modem/combo does not support VLAN capability. Would just the TP-Link SG108E smart switch be able to accomplish this? I am hoping not to have to buy a whole new WiFi router that supports VLANs to put in line between the AT&T modem and smart switch, due to my budget. I am hoping to continue using the AT&T mesh system provided (if possible).
Because each VLAN is a separate network, any one of them that needs Internet access also needs a way to get out to the internet, which means having a router on that network. Consumer routers do not (as far as I have been able to determine) provide Internet access for multiple networks. But that doesn't mean that hope is lost. There are two paths you can take: If your AT&T modem actually has a NAT router in it, you can use it to provide Internet for three additional routers for your 3 VLANs. Each router would be plugged into the AT&T modem on its WAN port, then a LAN port would connect to a VLAN to provide Internet for that VLAN. That involves double NATting, but that isn't much of a problem these days. And in this configuration it might make sense to disable WiFi on the routers where you don't need wireless access for that network. Alternately you could switch to a router which does support multiple networks (or VLANs). I use the Ubiquiti Edge Router X, but it's far from the only one that does. The trouble with it, and generally anything else that has this capability, is that they aren't very easy to set up to support this. The device is very capable of doing what you need, but it's not going to happen through the GUI -- it involves dropping down into the command line to set up the multiple networks, NAT, and a DHCP and DNS server for each. If you want it to natively support VLANs it can, but that, again, means more command-line commands. The GL.iNET routers I've talked about on this channel are technically capable of supporting VLANs as well, but it, again, involves dropping into a command-line interface to set it up. And most of the guides I've found online stop short of providing step-by-step instructions for doing so.
It's super easy if you know pfSense. It's an open source firewall and router that you can install on any PC hardware. ua-cam.com/video/rHE6MCL4Gz8/v-deo.html
Thanks a lot for explaining how to configure VLANs on the switches and what the PVIDs are actually for. There are surprisingly few videos about that, compared to the whole bunch of videos about the VLAN basics, which IMHO are definitely much less confusing. I almost dare to migrate my plain network now. The only thing I still don't know is what should be best practice for doing a migration. So, what are the most terrible things to do (e.g. actions that lock the computer I am using to do the migration out of the network)? And where to start the reconfiguration, and so on? What are my fallbacks? I can't find those questions sufficiently answered anywhere on YT. But if you feel able to give some advice for a reasonable migration path, why not consider making a YT video about it? I would really appreciate that.
I guess the best advice I would give would be to configure the ports on your switches that connect to your crucial devices (the computer being used to do the configuration and the router, for example) last, leaving them set to their default settings until you know you've configured and tested all of the other ports to make sure they're working as intended first. You can set up new ports for the required functionality and move the critical devices to the new ports temporarily to test them. Once you know everything is working as desired you can complete the configuration by copying settings from the working ports to the last ports. But I'd advise that you always leave at least one switch port with its original configuration left alone so you can always use it to configure the switch.
@@CarbonRacer Some switches have a feature where they don't fully save changes until you hit "save all changes". So you can configure and check if everything works; if it doesn't, you can simply reboot the switch and revert the changes. Otherwise you can press the reset button and start over.
Love these videos!! They have helped a lot. When you are going over the tagging in this video do you have to worry about tagging vlan 1(default) from switch to switch or do you leave vlan1 (default) with all its ports Untagged? Hope that question makes sense.
I'll summarize what is happening so this makes sense. Here are the scenarios that can happen with VLANs...

Incoming (ingress) packets:
- Untagged packet enters a switch port with PVID set to 3 -> packet is tagged as belonging to VLAN 3 and is forwarded to applicable ports assigned to VLAN 3
- A packet is already tagged with VLAN ID 5 when it enters a switch port set to accept traffic for VLAN 5 -> the tag is preserved and the packet is treated like any other packet tagged as VLAN 5 and forwarded to any ports assigned to 5.

Outgoing (egress) packets: (All packets inside of a managed switch are tagged, even if you haven't configured the VLAN feature, usually defaulting to VLAN 1)
* The packet is tagged internally as VLAN 5 -> packet is routed to all applicable ports assigned to VLAN 5, where...
  - If the egress port is set to Untagged for VLAN 5, the tag is removed and the packet leaves the switch with the VLAN tag removed
  - If the egress port is set to Tagged for VLAN 5, the tag is preserved and the packet leaves the switch with the tag in place

There is a difference between tagged and untagged packets. Tagging a packet with a VLAN ID of 1 is not the same as not being tagged; they actually have additional data and are structured slightly differently. In fact, most devices don't even recognize tagged packets at all and will just ignore them, even if that ID is 1. So when you connect a computer or printer or whatever, you have to make sure that the port it is connecting to is set to Untagged or it won't see any incoming data. Now to your question... if both the sending switch and receiving switch are managed switches, you can either leave the tag in place (set to Tagged on egress and ingress), or set it as Untagged on one switch and set the PVID on the other and it will have the same net effect.
In one case the tag is removed at one end (Untag assignment) and re-added at the other (PVID); in the other (Tagged on both ends) the tag is left in place so it neither has to be removed nor added. These days, in most cases when connecting managed switches I will set the primary VLAN ID for that port as Untagged, and all other VLAN IDs on that port as Tagged. That gives two advantages: (1) that port could be used for a computer or other device if needed since it includes Untagged packets that the computer can recognize, ignoring all Tagged packets, and (2) if I need to re-assign to a different VLAN ID in another switch I can do so just by setting the receiving port's PVID value to whatever I'd like. Most switches come with all ports defaulting to Untagged for VLAN 1, and PVID of 1. So to make configuration easier, it's not at all uncommon to have VLAN 1 be the default for the majority of connected devices since those ports probably won't have to be configured manually. Does that clear it up?
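The ingress and egress rules described in the reply above, worked through in code. This is an added example written for this page, not the video author's material or any switch vendor's firmware: a toy model of a VLAN-aware switch that builds and parses real 802.1Q frame headers (TPID 0x8100 followed by the 16-bit TCI), classifies untagged frames by the port's PVID, strips or keeps the tag on egress according to the port's Untagged/Tagged membership, and models a VLAN-unaware host that drops any tagged frame, VID 1 included. The MAC addresses, payload, port numbers and VLAN IDs (61 for the access ports, 1 as the default) are constructed for the demo; the two-switch setup mirrors the "untag at one end and re-add via PVID" versus "Tagged on both ends" comparison, plus the case where the receiving port's PVID is left at 1 so the frame lands in the wrong VLAN.

```python
"""Toy 802.1Q switch model (constructed example): PVID classification on ingress,
Tagged/Untagged handling on egress, and VLAN-unaware hosts dropping tagged frames."""
from __future__ import annotations

import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows
ETH_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes       # 6-byte destination MAC
    src: bytes       # 6-byte source MAC
    vid: int | None  # VLAN ID from the tag, None when the frame is untagged
    payload: bytes


def encode(f: Frame) -> bytes:
    """Ethernet II frame; a tag inserts 4 bytes (TPID + TCI) right after the MACs."""
    out = f.dst + f.src
    if f.vid is not None:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); priority bits left at 0
        out += struct.pack("!HH", TPID_8021Q, f.vid & 0x0FFF)
    return out + struct.pack("!H", ETH_IPV4) + f.payload


def decode(raw: bytes) -> Frame:
    """The 2 bytes at offset 12 are either the 802.1Q TPID or the real EtherType."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        return Frame(dst, src, tci & 0x0FFF, raw[18:])
    return Frame(dst, src, None, raw[14:])


@dataclass
class Port:
    pvid: int           # VLAN assigned to untagged frames that arrive on this port
    untagged: set[int]  # VLANs that leave this port with the tag stripped
    tagged: set[int]    # VLANs that leave this port with the tag kept

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


class Switch:
    def __init__(self, ports: dict[int, Port]):
        self.ports = ports

    def classify(self, port_no: int, raw: bytes) -> int | None:
        """Ingress: untagged -> PVID; tagged -> its own VID if this port is a member, else drop."""
        port, f = self.ports[port_no], decode(raw)
        if f.vid is None:
            return port.pvid
        return f.vid if port.member_of(f.vid) else None

    def forward(self, in_port: int, raw: bytes) -> dict[int, bytes]:
        """Flood to every other member port of the VLAN (no MAC learning, to stay short)."""
        vid = self.classify(in_port, raw)
        if vid is None:
            return {}
        f, out = decode(raw), {}
        for no, port in self.ports.items():
            if no == in_port or not port.member_of(vid):
                continue
            egress_vid = vid if vid in port.tagged else None  # Untagged member strips the tag
            out[no] = encode(Frame(f.dst, f.src, egress_vid, f.payload))
        return out


def plain_host_accepts(raw: bytes) -> bool:
    """A VLAN-unaware PC or printer NIC: untagged frames only; a tag, even VID 1, is ignored."""
    return decode(raw).vid is None


# Constructed MACs and payload for the demo.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PAYLOAD = b"hello from VLAN 61"


def trunk_demo(sw1_uplink: Port, sw2_uplink: Port) -> tuple[int | None, dict[int, bytes]]:
    """Host on SW1 port 2 (VLAN 61) sends untagged; SW1 port 8 cables to SW2 port 1.
    Returns the VLAN SW2 assigns on ingress and the frames it emits (SW2 port 3 is a
    VLAN 61 access port, SW2 port 4 a default-VLAN-1 access port)."""
    sw1 = Switch({2: Port(61, {61}, set()), 8: sw1_uplink})
    sw2 = Switch({1: sw2_uplink, 3: Port(61, {61}, set()), 4: Port(1, {1}, set())})
    on_wire = sw1.forward(2, encode(Frame(MAC_B, MAC_A, None, PAYLOAD)))[8]
    return sw2.classify(1, on_wire), sw2.forward(1, on_wire)


if __name__ == "__main__":
    cases = [("tagged on both ends", Port(1, {1}, {61}), Port(1, {1}, {61})),
             ("untag on SW1, PVID 61 on SW2", Port(1, {61}, set()), Port(61, {61}, set())),
             ("untag on SW1, PVID left at 1", Port(1, {61}, set()), Port(1, {1}, set()))]
    for label, a, b in cases:
        vid, out = trunk_demo(a, b)
        print(f"{label}: SW2 put it in VLAN {vid}, delivered to ports {sorted(out)}")
```

The first two cases deliver the frame to SW2 port 3 and the host there receives it untagged; the third shows the failure mode behind many "the VLAN doesn't work" reports: the uplink untags the frame but the far side's PVID was never changed, so the frame is classified into VLAN 1 and comes out of port 4 instead. Flooding stands in for MAC learning only to keep the model short; the tagging decisions are the same ones a real switch makes.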
Wow yes that clears it up for me! thank you so much for your time in responding to my question. your channel has helped me greatly in a lot of areas in A/V. @@djp_video
Thank you so much this information is very helpful, my only question is why have a dedicated internet port and a separate LAN port for your home network? Wouldn't you have internet already integrated into your home LAN?
A lot of reasons… some for purposes of organization (e.g. personal devices on one, business on another), but many are focused on security. Both networks have internet access, but are isolated from talking to one another. For example, keeping devices you can’t trust off of your primary network made up of your computers and other devices which potentially contain/process personal or sensitive data (passwords, financial/health information, etc.) Some of those I want to keep off of my LAN might include computers/phones of visiting guests, or devices designed or manufactured in countries or by companies with potentially malicious intent or are apathetic to security. I can’t trust a WiFi lightbulb made by a no-name company in China to take security seriously, or trust that the computers or phones owned by guests haven’t been compromised by malware, and would prefer that the opportunities for those to scan or infect devices on my network be kept as low as possible.
I agree with others that this video does a better job of explaining VLANs than anything else I've found on UA-cam or elsewhere. Turns out I have the same Netgear and TP-Link smart switches as the author, but my third switch is a HPE ProCurve 1810G-24 managed switch (J9450A). Does anyone know where to find an explanation of setting up the HPE switch with the clarity and thoroughness of this video?
A couple of questions please: 1. When you configured the VLANs in your router, did you configure your MAIN as a VLAN or is it the LAN connection under which VLANs 11, 61, and 101 were created as subnets? 2. Did you create a VLAN 1 in your router to link to the default VLAN 1 on the switch? 3. Curious which router did you use? Thanks
1 Default
10 Main
11 DJP
61 Audio
101 Internet
I actually have two routers on my network... the one that is connected directly to my ISP (a Ubiquiti Edge Router X on VLAN 101) and a second (a D-Link something or other) which provides routing for my main LAN (VLAN 3). And yet another router in my trailer, and the LAN side of that is on VLAN 11. While my Ubiquiti Edge Router X does have VLAN capability, I'm not using it. In my case it isn't even aware that I'm using VLANs on my network. It's plugged into a port which is set as Untagged for VLAN 3 and a PVID of 3. In this demo my internet connection is on VLAN 101. My main LAN has Internet through my D-Link router on VLAN 3, and my trailer has Internet access through its own router on VLAN 11. The other networks do not have Internet access by design. My audio network (61) doesn't have any kind of router or DHCP server -- I use auto-configured IP addresses, as recommended by Audinate for Dante networks.
@@djp_video The ER-X is very flexible if you use the vlan-aware switch0. But there are some oddities when using vlan-aware, as it won't route between switch0 and the VLAN subinterfaces (what EdgeOS refers to as a vif, e.g. switch0.101). So you need to have all your VLANs "tagged" to the internal switch, then you can untag a specific switch port by specifying the pvid. You can see the VLANs that the ER-X reserves for itself using the unsupported /sbin/switch program. For example, sudo switch vlan dump, sudo switch pvid dump, and to see the MAC address table, sudo switch dump.
Best example of setting up a Netgear switch. Will a GS308E allow me to have one device isolated from the WAN and other devices on the switch have access to the isolated device and the WAN?
Not using just VLANs. Think of VLANs as completely separate networks that can't see one another. So, just like separate physical networks, a router is required to 'route' data between the two networks. Some managed switches provide some basic routing capabilities, but if you're using consumer gear like the GS308 you're unlikely to find routing features built-in. And when I say 'router' I'm not referring to consumer routers -- you need something a little more sophisticated than that.
Yes, the Edge Router series will do it. You'll separate the ethernet ports into individual VLANs, then give the device an IP address for each VLAN, and then add entries to the routing table to route the required traffic between the VLANs. If you haven't seen my video on IP networking yet, that's a good start: ua-cam.com/video/eSaKz1MKsVM/v-deo.html
Doug, do you have a spreadsheet or table you use to map out and plan the configuration of ports on multiple switches? I'd think there would be too many variables and settings to configure your switches ad hoc and without having it all worked out ahead of time. Again, great job.
Hello, I just watched part one and part two and found your videos very helpful, so thanks for making them. That said, I did notice that some info was not covered and as a total noob I still could not get my VLANs to work. Info missing is: do you need fixed IP addresses or can dynamic IP work for devices? Also, as a noob, having one switch connect to another switch and then one to the router, I could not seem to keep some devices from seeing others, and with the changes I tried I then got no devices on one switch to access the internet at all. I ended up factory resetting the switches and not touching VLANs at all. Is there a good book on VLANs with examples?
Each VLAN is its own separate network. And if you want to use IP on each network, it either has to have its own DHCP server or all devices need to use static or auto-assign IP addresses. Which usually means that each network gets its own router, or at least some device to act as a router. Connecting one switch to another usually involves setting all applicable VLANs as Tagged on the ports that connect them to preserve the VLAN ID information as data moves from one switch to the next.
Hey Doug, greatest explanation of VLANs I've come across so far. I have a question though. In my setup I have a bunch of Dante devices, Allen & Heath AHM64 controllers, 2 IP PTZ cameras and one streaming PC, all connected to one Netgear managed switch. The PC is used for streaming and managing the network. It makes sense to separate the Dante devices, the A&H controllers and the IP cameras onto 3 separate VLANs so they don't talk to each other. But how do I set up the port on the switch which is connected to the streaming PC, so it can take audio from the Dante network, video from the cameras and can control the mixer settings remotely?
Bottom line is without multiple network interface devices on your computer you can't. If Dante wasn't one of the requirements, you might be able to. Some network interfaces will support multiple VLANs through a command-line utility, but Dante (by design) will not work with a network interface device which has VLAN support turned on. So what you can do is add a USB network interface specifically for your Dante network. And maybe another for your PTZ cameras. Or possibly look into whether your current NIC supports VLANs. If you do elect to use a NIC with VLAN support enabled, you'll set up your switch to tag outgoing Ethernet packets with the VLAN tag so the NIC will know which VLAN the traffic comes from. And each one of those VLANs will show up as its own virtual NIC in Windows. I don't recommend this configuration though, as it tends to be fragile and get reset after driver updates and the like.
Great two videos. Thank you. Very informative and the quality was great. I learned so much. Great job! My situation is a bit different than your setup. My goal: separate my work laptop (with wired and wireless connections) on a different VLAN than my home, where my work cannot access my home network (wired or wireless). My current ISP provides phone, Internet and cable, and I have cellphones, tablets and WiFi-enabled devices. Two questions regarding your network. Was the phone you mentioned in video 1 a cellphone or VoIP phone? And, on your main Ubiquiti Edge Router X that is plugged into your ISP, how do you handle WiFi access, since I read it has to have an additional WiFi access point device? Did you use WiFi on one of the other VLAN routers? (I realize that I need routers for each separate VLAN.) Thanks in advance for your help!
The phone I mentioned could be anything, but I was thinking of a VoIP phone when I created the video. I have wireless access points that provide WiFi for the VLANs that need it. And the access points that I use (as many business-grade units do) can provide wireless connectivity for multiple VLANs simultaneously over a single trunk connection -- so each VLAN gets one or multiple SSIDs (network name) and wireless security settings. (VLAN 1 might get a name of Wireless1 where VLAN 2 might be called WiFi2, or whatever you want). Just look for a Wireless Access Point (WAP) with multiple VLAN capability.
I should mention that some routers, like the Edge Router X that I use, can provide your routing needs for multiple VLANs simultaneously. You don't necessarily have to have a separate physical router for each VLAN if you get a router that knows how to work with multiple VLANs.
I like both the videos and great job on those with an excellent breakdown, thank you. However, all I'm trying to do is to create VLANs using my ISP router and a single managed switch (TP-Link SG108E), all wirelessly. No multiple switches, no cables. Just the ISP router connected to the 8-port switch to make multiple VLANs, all wireless, in order to segment my IoT devices and my personal devices and computers. Any advice?
Well, you'd need additional equipment to do that. Your ISP router almost certainly doesn't support VLANs, either in terms of providing Internet access for them or creating multiple wireless networks. Almost no "consumer" routers support VLANs natively. You'd need to step up to a router that does, and a separate wireless access point to create your WiFi networks. In terms of routers, the least expensive option I know of is the Edge Router X from Ubiquiti. But it isn't easy to set up, especially if you want multiple VLANs. Another option is to use an old PC and install pfSense on it. But again, not easy to set up. Getting multiple wireless networks from multiple VLANs is a little easier. Most dedicated Access Points can do this. You'd set up multiple wireless networks, and tie each one to a separate VLAN. The closest you're going to get with a single device would be a "Guest network" which separates network data onto its own wireless network, but that's about all you can achieve using consumer equipment.
Thank you very much for taking the time to explain in a way that makes logical sense - by far the best explanation of VLANs I've seen! I'm using OPNsense with two physical NICs: one NIC connected to the ISP as WAN, the other is my LAN interface connected directly to port 1 on a TL-SG108E with 5 VLANs defined in addition to the default. The VLANs are defined on ports 2-7 with the VLAN untagged on the port, and tagged on ports 1 and 8. I have one cable run from port 8 on SW1 to port 1 on a second TL-SG108E. Everything works great on switch one. SW2 is still giving me issues: I can get traffic flow from my main subnet (Main LAN subnet) from all the ports, but I am unable to extend the subnets to the second switch. Any thoughts? I can share the 802.1Q config screenshots for each switch if that helps. Thanks!!!
Yes, all of the equipment has to support and be configured for the VLANs you're trying to setup. An unmanaged (or unconfigured) switch won't know what to do with the VLAN tags and they usually just ignore those packets altogether.
This cable from port 1 on switch one is going, as you say, to your switch. My question is, what if it is going to your router? All together with a trunk? Can the router split those VLANs, or better to say, read them? Thx
What is the IP address of each VLAN of the Dante audio on each switch? In my case, each switch assigns a different IP address in a different subnet (DHCP). Therefore when I connect the PC via the second switch, while all Dante devices connect to the first switch, Dante Controller shows all Dante devices in red (in a different subnet). Therefore I can't do anything, including assign the routing.
Creating a VLAN doesn't on its own setup DHCP or assign any IP addresses to any devices. You decide on whether you want DHCP or static IP addresses, and have to add your own DHCP server to a VLAN if you want to use DHCP, or manually assign IP addresses to each device if you don't. It doesn't happen automatically. If you're getting IP address/subnet errors in Dante Controller, you've got a different issue. What that likely means is that you've got a misconfiguration for your VLANs and you're getting network traffic from what you intend to be different VLAN(s) mixed into a single VLAN (for example, you want all Dante traffic on VLAN 20 but it's making it into VLAN 10). The most common cause of this would be assigning multiple VLANs to a single switch port. Go back and make sure that every port is only assigned to one VLAN, and that for each of those ports the PVID assignment matches the intended VLAN ID.
@@djp_video When creating a VLAN, it asks to choose between manual IP assignment or DHCP. I have one switch on 192.168.1.1 and a second switch on 192.168.10.1. DHCP is set on the respective 192.168.1.0/24 and 192.168.10.0/24. I am positive I am communicating with the correct VLAN PVID. It's just that VLAN 2 (for example) on the first switch is in the 192.168.1.xxx subnet and VLAN 2 on the second switch is in the 192.168.10.xxx subnet. I don't know what I did wrong.
What device are you using? Are you using the industry standard 802.1Q VLANs? From your description it sounds like something else. What model switch are you using?
Doug, I have a question for you on the ATEM Extreme ISO.... just bought it, put it in a case and used it for the first time yesterday in a trial run. The unit will not record. Not using hardware or the software connected via Ethernet. I am using a T7, brand new... I know it's not on the supported list. I could not get a T5, and the SanDisk has been reported to have its own issues. I reformatted the drive, exFAT... and it is recognized, and shows an empty drive available.... but the record buttons simply will not work. Also, the Display, Record all cameras, and record ISO ARE checked. Any thoughts?
T7 didn't work for me - I hooked one up to a Blackmagic Video Assist 12G and it would record for a half second. Switched to a SanDisk and it recorded OK. Something fishy with the T7…
What about DHCP servers for each VLAN on your router, say pfSense for example? That's my sticking point - any device I have configured (let's say from a guest SSID on a WAP) for a VLAN hangs at getting an IP address from my router. Hundreds of videos later and I still haven't figured out what the problem is yet.
Just remember that each VLAN is its own separate network, so if you want Internet access, it has to have a router of some kind. And that means DHCP for each VLAN as well. You can either set up a dedicated DHCP server for each network, or configure a managed switch with DHCP relaying to send those requests to a DHCP server which supports it (hint: consumer routers don't do that). One inexpensive, easy way to provide DHCP to each network is to add a dedicated consumer router to each. In my case, I use a Ubiquiti Edge Router X, and have it set up to provide Internet connections for up to 4 separate VLANs. (It can do more than that though.) Each of its Ethernet ports can be set up to be on its own network, and those connected into a separate VLAN, or with a little time and patience one or more of its ports can be set up with VLAN support as well, so you can serve DHCP and routing to multiple networks with a single cable. That's starting to get into some complicated configuration, though, so if you aren't up for that the simplest solution is just to pick up a few consumer routers and put one on each VLAN that needs Internet, and then connect the WAN side of those to a single master router which provides Internet for everything. pfSense can be made to do it too -- you'll either need separate NICs for each network, or to configure a supported NIC for separate VLANs and make sure that packets are tagged properly in both directions. Again, it can be done, but it can be a little tedious to get it all set up and working.
@@djp_video One thing: if I need to physically isolate the networks from each other, it kind of defeats the whole 'virtual' aspect of a VLAN. Physical isolation is easy; I wouldn't need any help with that. I could use a Raspberry Pi to act as a DHCP server on the isolated network, but I thought you could 'virtually' isolate the traffic using VLANs. Am I wrong to assume that?
You are virtually isolating the LANs. They behave as if they are completely separate and have no connection to one another, unless you explicitly have some kind of router on the networks to relay data between them. Because they are separate networks, even though they are on a single switch, each one needs its own DHCP and routing. The VLANs can't talk to one another without routing between them. The advantage of VLANs is that you can (1) manage and troubleshoot multiple networks on a single network switch, and (2) combine traffic from multiple VLANs onto a single cable, provided that the devices on both ends of that cable know how to handle VLAN tagging. VLANs also limit the size of the broadcast domain, which essentially means that you get a reduction in "broadcast" network traffic since broadcasts don't cross VLANs, and the broadcast traffic increases almost in an n^2 relationship with the number of devices on the network. But that's beyond the scope of this discussion.

Let me back up just a little bit to help this make sense. VLANs are a function of Layer 2 of Ethernet -- basically managing network traffic based on device MAC addresses and the switch ports they are connected to. IP, TCP/IP, etc. are Layer 3 protocols -- they happen above layer 2 -- in other words, on top of, but independent from Ethernet and MAC addresses and the like. (That essentially means that IP can also travel over other types of networks, like WiFi, dial-up, VPNs, etc. and doesn't require Ethernet to function, and Ethernet is independent of IP.) VLANs segment a network and normally devices on different VLANs cannot see or talk to each other without a device configured to route data between them, hence the term 'router.' Managed switches come in a few varieties... A classic 'Layer 2' Managed switch lets you isolate different networks into VLANs by having the switch 'tag' packets with a VLAN ID. And they have rules internally which tell them how to distribute that traffic.
That's what the video you watched is about -- setting the rules for the switches on how they tag incoming packets (PVID), where to send them based on those tags, and whether or not to remove the tags when sending out to a device (Tag/Untag rules). All of that happens in Layer 2, which means that it is unaware of IP, TCP/IP, DHCP, DNS, all of that. So a strictly Layer 2 Managed switch can't help with IP routing. It doesn't even know that IP exists. Layer 3 managed switches do everything a Layer 2 switch does, but are also aware of IP, and can route traffic based on IP addresses, routing tables, etc. They usually provide some basic services to make that happen, like DHCP, DNS, routing tables, ARP, etc. So if a switch is a Layer 3 switch, it can handle the routing between VLANs if you configure it to do so. Layer 3 switches can be classified as routers. But most routers are not layer 3 switches. But, that said, if a L3 switch doesn't support Network Address Translation, you STILL need another device (router) that does. So if you have a strictly Layer 2 switch, you have to have something on your network to provide IP-based services. The switch can't do that for you, because it just doesn't have the software to handle things happening at layer 3. DHCP and DNS and everything else related to connecting to the internet are IP-based protocols, so they happen in layer 3... which means that devices which are layer 2-only can't provide services related to those protocols/functions. Many consumer switches labeled as "managed" or "smart" provide some subset of the functionality of a full layer 2 managed switch. But usually enough to do the kinds of things we're talking about. They almost never provide any layer 3 services. There is also a bit of a gray area -- we'll call it Layer 2.5 Managed Switches for the sake of discussion -- where a Layer 2 switch does have some limited Layer 3 functionality.
For example, the TP-Link switches I use in my home, video production trailer, and on location at client venues, can do really basic routing ("Take traffic from the 10.1.1.0 network destined for 10.2.2.0 and send it over to that network") and provide DHCP relay, where a device on one of the VLANs can make a DHCP request and these switches will take it from that particular VLAN and send it to a DHCP server on another VLAN which has been configured to know how to respond to a relayed request, and then send the response back through the switch so devices on that network can get an IP address. That said, most of those types of devices do not support NAT routing, so even in those cases you still need a separate router with NAT functionality if you want Internet access. In terms of connections to pfSense, it can provide all of the Layer 3 functionality you need and then some -- routing, DNS, etc. if you happen to have a NIC which supports VLAN tagging (not all do), and the driver for that NIC supports VLAN tagging, you can run a single cable from a managed switch to your pfSense router, and set up the connected switch port and PC to preserve the VLAN tags, then you can have pfSense perform any routing between VLANs and/or the Internet as you'd like. (Sharing traffic from multiple VLANs on a single cable is called trunking, FYI). But if your NIC or its driver don't support VLANs, or you'd prefer not to take the time to set that up, you do need to have separate NICs in that computer for each VLAN for them to talk to each other or the Internet. Once pfSense is setup to talk to the VLANs, you can assign unique IP address ranges for each VLAN, then add a DHCP server for each VLAN, and add some routing rules to tell it how to route data between them. If you'd like a primer on IP and how it works (and how it relates to layer 2), I have a video about that specifically: ua-cam.com/video/eSaKz1MKsVM/v-deo.html. 
While I don't explicitly cover the layers of the OSI model, conceptually I do cover a lot of what is happening under the covers and it might clarify some things for you.
I have the TP-Link switch. Does it need something upstream to establish the VLAN? My Asus router doesn't do VLANs, so I'm not sure if my switch can look after that function itself.
As mentioned in my last reply, you either have to have a router which supports routing across multiple VLANs, or use multiple routers -- one for each VLAN/subnet, plus one additional to combine traffic from the various VLANs. Layer 3 switches can do routing for you as well, but those get expensive quickly.
Hello Sir! I have faced a huge problem. My scenario is: I want to receive the TV_Production feed (which is encoded by an encoder) in default VLAN 1, and my internet is in VLAN 30. But when I connect the feed cable to VLAN 1, my internet disconnects, and at the same time I do not have the TV feed. I have used Netgear and Cisco switches for this scenario.
As you've probably figured out, each VLAN is completely separate from one another and having internet access on one VLAN does not grant internet access on another VLAN. It is just like having two completely separate networks, and some device needs to provide an Internet connection for each VLAN. The way to solve this is to use a router for each VLAN. And if you do have multiple VLANs with multiple routers, you may also need another router in front of the VLAN routers to provide Internet access for each of those. Or, if your switch has routing capability and supports NAT, you can have your switch perform that function for you. Or use a router that can support multiple subnets. I use the Edge Router X from Ubiquiti, which can provide Internet access for multiple separate networks.
@djp_video Thank you for your prompt response. However, I would like to mention that my scenario differs slightly from what you gathered from my initial comment. Allow me to explain it clearly. I have three Netgear managed switches, each of which has been configured with two VLANs (1 and 30). In SW1, the SFP 25 port is set to T for VLAN 30. In SW2, both the SFP 25 and Gig18 ports are set to T for VLAN 30. In SW3, the Gig18 port is set to T and connected to the Gig18 T port in SW2. These connections are for my internet connection and are functioning without any issues. VLAN 1 is dedicated to my TV feed, which is encoded by an encoder. I want to transmit this feed over IP using Cat 6 and then transfer it via fiber to another building where it will be decoded. In VLAN 1, the SFP 26 ports in SW1 and SW2 are set to T. However, in SW3 with VLAN 1, I do not have a T port. Whenever I connect the TV feed Out (from the encoder) to the U port in SW3, my internet connection in VLAN 30 gets disconnected, and simultaneously, I am unable to receive the TV feed.
Question (maybe someone can answer): having a Proxmox, with many VMs/container, there is 1 LAN card from it, and it carries multiple VLANs, depending on the VM in use: what should be the configuration for the port where Proxmox is connected: Tagged (because it carries all)? or which one? thx.
If the Proxmox has VLAN support enabled, you'll want to set the port up the same way as it is in Proxmox... which would likely mean that everything would be Tagged.
@djp_video Thank you, I was thinking the same way: VLAN-aware Proxmox vmbr, and then the ports on the switch (I use multiple for redundancy) as Tagged for all VLANs that are supposed to be visible to the VMs/CTs. Thank you again.
If an unmanaged switch, or a managed switch with NO VLAN IDs set (in your example the 2nd switch), just passes whatever comes into device "A" on to device "C" based on the router MAC info, why would one need to set up VLANs on the 2nd and 3rd router? While it might reduce some network traffic and add some security and isolation, is not the 1st managed switch doing all that heavy lifting? Why do the other two switches need to also have the exact same VLANs set up on them? This is a simple low-level question, as I am new to VLAN setup. I appreciate your videos; just not sure if this was a demo and not a requirement of having 3 switches set up exactly the same.
Before I answer that question, I'll provide a little bit of context. When an Ethernet frame (similar to a packet) receives a VLAN tag, the structure of that frame is actually altered... four additional bytes are added to the header, and in such a way that devices which are not capable of recognizing VLAN tags will not know how to decode it (the entire frame)... it looks like a malformed frame and is discarded. That's why we have the Untagged option -- in order to remove that tag portion of the frame so the data is recognizable to those devices once again. Unmanaged switches are *usually* not aware of the existence of a VLAN tag and will *usually* just ignore the VLAN tag and forward those tagged Ethernet frames on to the intended devices (unchanged) based on the destination MAC address. That may or may not be what you want. If it is forwarded to another device, the receiving device will still need to be VLAN aware, as the VLAN tag is still intact. If it is not, the entire frame will not be recognized by devices that aren't capable of dealing with the tag and they'll just ignore it. But I wouldn't for a second be surprised if there are switches out there that just discard tagged packets. I haven't personally done any testing in that regard to know how specific devices behave. Managed or smart switches which support 802.1Q behave differently based on how they are configured. Many models will let you determine the behavior... whether it accepts those frames and forwards them on or discards them.
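The four-byte tag the reply above describes, shown at the byte level as an added example (this is not code from the video, the commenter, or any switch vendor's firmware). The MAC addresses and payload are constructed for illustration. The code builds an untagged Ethernet II frame, inserts an 802.1Q tag the way a switch does on ingress (with the port's PVID) or on a Tagged egress port, strips it the way an Untagged egress port does, and shows what a host that does not understand VLAN tags reads in the EtherType position.

```python
"""802.1Q tag insertion and removal at the byte level.

Added example for this thread; not the video's code or any switch vendor's firmware.
The MAC addresses and payload below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses (locally administered, unicast) and a dummy payload.
DST_MAC = bytes.fromhex("020000000001")
SRC_MAC = bytes.fromhex("020000000002")
PAYLOAD = b"\x45\x00" + b"\x00" * 44   # fake IPv4 header start, padded to 46 bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload. FCS omitted."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.

    A switch does this when an untagged frame arrives (VID = the port's PVID) and
    when it sends a frame out of a port where that VLAN is marked Tagged.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vid(frame: bytes):
    """Return the VID if the frame carries an 802.1Q tag, otherwise None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def strip_vlan_tag(frame: bytes) -> tuple:
    """Remove the tag; return (vid, untagged_frame). This is the Untagged egress rule."""
    vid = parse_vid(frame)
    if vid is None:
        raise ValueError("frame is not 802.1Q tagged")
    return vid, frame[:12] + frame[16:]


def ethertype_seen_by_legacy_host(frame: bytes) -> int:
    """What a non-VLAN-aware host reads at the EtherType position (bytes 12..13).

    For a tagged frame this is 0x8100 rather than the real EtherType, so the host
    has no protocol handler for it and drops the frame.
    """
    return struct.unpack("!H", frame[12:14])[0]


if __name__ == "__main__":
    untagged = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD)
    tagged = add_vlan_tag(untagged, vid=30)
    print(f"untagged {len(untagged)} bytes, tagged {len(tagged)} bytes")
    print(f"legacy host sees EtherType 0x{ethertype_seen_by_legacy_host(tagged):04x}")
    print(f"VLAN-aware device sees VID {parse_vid(tagged)}")
    assert strip_vlan_tag(tagged) == (30, untagged)
```

The point of ethertype_seen_by_legacy_host is the discard behaviour the reply describes: a station that does not parse 802.1Q reads 0x8100 where it expects 0x0800, has no handler for that value, and drops the frame, while the real EtherType now sits four bytes further in. Stripping the tag on an Untagged port restores the original frame byte for byte.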
@djp_video Thanks for taking the time to reply with a very detailed explanation. Four of the five switches I have in my house are smart managed switches, and the only unmanaged switch is in the back bedroom, which gives wired connections to my TV and Roku device. I've been watching a lot of videos lately on Proxmox and I'm setting up pfSense on an older computer with Proxmox as the hypervisor. The thing that I find frustrating about the hundreds of videos that I've watched on computers, network setup, VM setup, etc. is that they all do a pretty good job of what to do. What very few of them do is explain why they make the choices they make in configuring and setting things up. I realize that often that is part of personal preference, but how can I have a preference if I don't know why option one that they chose is better than option two or option 3 or option 4? Knowing why they configured things the way they did lets me decide which choice is best for me, rather than just blindly following their step-by-step instructions. By the way, your new studio looks good. There are some big-time UA-cam content creators where I don't like what they have in the background. Some have a bright light bulb in the background or LEDs constantly spinning and changing colors; Jeff has his Pac-Man or Donkey Kong running in the background all the time. Then there is this German guy who has great explanations but it is filmed in a room with clutter in the background I spend too much time thinking about. 🥴
@djp_video Ok, thanks for the reply. Are all devices other than the network ones with static IPs then? Or does the router still give devices on other VLANs IPs as well?
Even with static IPs you still have to have routers to move traffic from one network to another. In the case of getting out to the Internet, this usually means routers with NAT routing, which all consumer routers do. But when you have multiple VLANs which need Internet access and you're using consumer routers, this usually means multiple routers -- one for each VLAN, and all of those behind another router which combines the signals from the others. There are routers out there which will support multiple VLANs simultaneously, but they are generally more complicated than the consumer routers that you'll find at your local big box store. I use the Ubiquiti Edge Router X in my trailer to accomplish this -- you can set up as many separate networks as you like, each with its own subnet, getting its own unique IP address range, and being able to route traffic between the various networks. But there are many other models that can do this as well... they just tend to be much harder to configure than consumer products.
@djp_video Ok, so if I understand it correctly, if I want to let different VLANs have internet it needs to be configured in the router, and if I just want to split up the network, like for Dante, I can do it on the switches? Also, could you do a video on how you set up the router in your trailer? How does that work if you connect to a venue's system that already has a router in it?
Is Port 7 Internet where you plug in from your router? So from router LAN to switch port 7? My router LAN connects to port 8 of my switch. It seems that it has to be part of my VLAN 1. Does that sound correct? When I made it 101 like your internet, I lost the network connection. I'm assuming your "internet 101" is going out to your other switch... thanks for any input you have...
In these examples, port 1 on the switches shown connects to the upstream switch, which is then connected to my router. The network created by my ISP router is on my VLAN 101. That's something I set up, not something that came from the provider. Did you watch part 1 of these videos?
The VLAN itself doesn't. Segmenting a network into VLANs means that each one of those VLANs, for all intents and purposes, is a completely separate network, just as if you were using two separate, un-connected switches. For IP networking to work, you'd need to add that on top of the VLAN, just like you would for any Ethernet network. In most cases that means adding a router with DHCP to provide IP addresses and/or Internet access for that VLAN.
For networks that need it, yes, it is provided by my Ubiquiti Edge Router X. For my Dante network, I don't use DHCP. I let my devices use auto-configured IP addresses unless I'm integrating into a Dante network at a client venue, at which point I use their DHCP.
@djp_video I used to do all this with the Cisco command line. Never liked the GUI. It's been over 10 years now since I last worked with tagged and/or trunked VLANs/ports. Trying to figure out how to do this (trunk) on a DrayTek Vigor router. VLANs are the easy part, but one trunked link to another switch is doing my head in. Hence I'm watching videos on UA-cam lol
Most are good. But I've had really good luck with the TP-Link models, for example: 8-Port: amzn.to/42ntM6h 8-Port with PoE: amzn.to/3JRb5R6 24-Port: amzn.to/40lWgv9
BEWARE of those small TP-Link and Netgear switches: the TP-Link "Smart" line is ok, the "Easy Smart" line is not ok; the Netgear Plus line (GSxxxE) is not ok, the Pro line (GSxxxT) is ok. They allow access to the web interface from any VLAN you create on them. Not fun if you want to create a separate network for your guests or clients and they can access your web panel. That's why I'm returning my rp108ge and just ordered a Zyxel gs1200-8 as a replacement. Zyxels seem to allow you to set a management VLAN.
@djp_video Considering the fact that you can't enable HTTPS and also that you can only use alphanumeric characters (TP-Link; I don't know about Netgear), I don't think that changing the password to a longer one is an effective workaround. I've seen NVIDIA cards breaking even quite strong passwords in a relatively short time. Also sometimes there are those 0-day bugs which allow access without a password. Overall I think that it's better to just hide such things (web panel) from prying eyes. The mentioned Zyxel arrived and works fine, no access from VLANs except the one set in Management VID. I power it with a TP-Link TL-POE10R, so it's a perfect replacement for the rp108ge.
@djp_video (lol, yt deleted my previous comment) TP-Links (Easy Smart) don't allow special characters in passwords, so even longer ones could be broken with some NVIDIA cards in a relatively short time (have seen some charts somewhere, I'll edit the comment if I find them). But there is a second problem - lack of HTTPS. Such passwords probably could be just sniffed somehow. Overall I think that just hiding such things like login panels from prying eyes mitigates the majority of risks. But of course I just left the comment as a warning; everyone has to consider their situation and the risks involved. EDIT Oh, and the Zyxel switch arrived and works as it should - no access to the web UI from any VLAN except the one set as Management VID. I power it with a TL-POE10R switched to 5V output.
OK I did exactly that maybe these dumb TP-link Smart switches will actually talk to each other? You've at least proved that these things should work. I am fairly knowledgeable around networking but then for the past five years I've been fighting with everything networking for myself and can't get a thing of it working. I at least know now that I need to remove the tag for the default VLAN1 TP Link site does not document whether that needs to stay or go. Theoretically anything that has an untagged port should act like a dumb switch for that VLAN. And anything that's tagged will pass the native untagged traffic along with the tag traffic. And yet I've been banging my head against the wall with this for the past few hours.
Start with a really basic setup... just one VLAN per port. Write down on a sheet of paper what your VLAN IDs are going to be and the purpose/name for each, and then decide which (single) VLAN each port should be a part of. With that written down, in the web interface or app for your switches, assign each port to its designated VLAN ID by setting it as Untagged for that VLAN ID, and remove all other assignments (only that one VLAN ID as Untagged, and none set to Tagged), and set the PVID for each port to its assigned VLAN ID. That includes any links between switches... for the initial setup, use Untagged ports to relay traffic between switches (if you want to get traffic for 3 VLANs from Switch A to Switch B, use 3 separate cables at first); don't attempt Tagged ports or multiple VLANs per port just yet.

When that is configured correctly, any devices on each VLAN should be able to talk to other devices on the same VLAN, but nothing else should see each other. That usually means that you won't have Internet access on anything but your primary VLAN, and devices on non-primary VLANs won't even be able to obtain an IP address automatically.

Once you've got that working and are comfortable with that, you can move to the next level -- tagged VLANs. And keep in mind that those should only be used when connected directly to devices which support that feature. Pick which ports need to convey additional VLAN traffic (on top of the assignments you've already made), then add those VLAN IDs as Tagged for those ports (e.g. add VLANs 10, 20, 30 as Tagged to port 8, which is already assigned as Untagged for VLAN 1). If you connected any cables between switches for VLANs besides your default (e.g. to relay VLAN 10), disconnect those cables between the switches before adding those VLAN IDs as Tagged to another connected trunk/relay port. Depending on the model of switch, you might need to adjust the port/link type/VLAN mode to support some of these configurations.

ACCESS is used for ports which will only need to be on one VLAN, GENERAL is for ports that need to be on multiple VLANs but one of them will be untagged, and TRUNK is for any multiple-VLAN configuration (though usually all tagged).
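The Untagged/PVID/Tagged rules from the reply above, worked through as an added example so the reader can see why the PVID matters and what happens when an access port's PVID is forgotten. This is not the video's code or any vendor's firmware; the port layout, VLAN numbers and frames are constructed to mirror the reply's "one Untagged VLAN per port, then add Tagged VLANs to the uplink" setup, and a frame is reduced to just its VID (None for untagged) because the tag bytes themselves are not the point here. check_config encodes the reply's sanity rules for the basic setup: one Untagged VLAN per port, PVID equal to it, Tagged VLANs only added on top.

```python
"""Forwarding model of a small 802.1Q 'smart' switch: PVID, Untagged, Tagged.

Added example for this thread; not the video's code or any vendor's firmware.
Ports, VLAN IDs and the configuration are constructed to match the reply's
"one untagged VLAN per port, then add tagged VLANs to the uplink" setup.
A frame is just its VID here: None means the frame arrives/leaves untagged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged frames arriving here
    untagged: Set[int] = field(default_factory=set)  # VLANs that leave this port without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs that leave this port with a tag

    @property
    def members(self) -> Set[int]:
        return self.untagged | self.tagged


def example_config() -> Dict[int, Port]:
    """Constructed layout: VLAN 1 default, 10 and 20 access ports, port 8 is the
    uplink carrying VLAN 1 untagged plus 10/20/30 tagged (the reply's port-8 example)."""
    return {
        2: Port(pvid=10, untagged={10}),
        3: Port(pvid=10, untagged={10}),
        4: Port(pvid=20, untagged={20}),
        5: Port(pvid=20, untagged={20}),
        6: Port(pvid=1, untagged={1}),
        7: Port(pvid=1, untagged={1}),
        8: Port(pvid=1, untagged={1}, tagged={10, 20, 30}),
    }


def check_config(ports: Dict[int, Port]) -> List[str]:
    """Sanity rules from the reply: at most one Untagged VLAN per port, the PVID must
    be that Untagged VLAN, and a VLAN cannot be both Tagged and Untagged on one port."""
    problems = []
    for n, p in sorted(ports.items()):
        if len(p.untagged) > 1:
            problems.append(f"port {n}: more than one untagged VLAN {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            problems.append(f"port {n}: VLAN both tagged and untagged {sorted(p.untagged & p.tagged)}")
        if p.pvid not in p.untagged:
            problems.append(f"port {n}: PVID {p.pvid} is not the port's untagged VLAN")
    return problems


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """Classify an arriving frame. Untagged -> the port's PVID. A tagged frame for a
    VLAN this port is not a member of is dropped here (ingress filtering; as noted
    later in this thread, not every small switch actually enforces that)."""
    if vid is None:
        return port.pvid
    return vid if vid in port.members else None


def forward(ports: Dict[int, Port], in_port: int, vid: Optional[int]) -> Dict[int, Optional[int]]:
    """Flood a frame with an unknown destination to every other member port of its VLAN.
    Returns {out_port: vid_on_the_wire}; None means the frame leaves untagged."""
    v = ingress(ports[in_port], vid)
    if v is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for n, p in ports.items():
        if n == in_port:
            continue
        if v in p.untagged:
            out[n] = None
        elif v in p.tagged:
            out[n] = v
    return out


def forgotten_pvid_config() -> Dict[int, Port]:
    """Same layout, but port 2 was made Untagged for VLAN 10 while its PVID was left
    at the factory value 1, the mistake described elsewhere in this thread."""
    ports = example_config()
    ports[2] = Port(pvid=1, untagged={10})
    return ports


if __name__ == "__main__":
    good = example_config()
    print("config problems:", check_config(good))                 # []
    print("untagged in on port 2 ->", forward(good, 2, None))      # {3: None, 8: 10}
    print("VLAN 20 tagged in on port 8 ->", forward(good, 8, 20))  # {4: None, 5: None}
    bad = forgotten_pvid_config()
    print("config problems:", check_config(bad))
    print("untagged in on port 2 ->", forward(bad, 2, None))       # lands in VLAN 1 instead
```

With the PVID forgotten, a PC on port 2 sends an ordinary untagged frame, the switch files it under VLAN 1, and it is flooded to the VLAN 1 ports and out the uplink untagged; the VLAN 10 neighbour on port 3 never sees it. The Untagged membership only governs what leaves the port, the PVID governs what arrives, and both have to agree for an access port to behave.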
@djp_video I finally figured it out. Thanks for the reply. Might've been helpful two days ago, but I'm behind on my email. Well, it probably still will be helpful. What I've been doing is taking a strip of masking tape across the top of the switch and laying out what should be what. Although I've had this layout figured out for a good few years and not had time to work on things, I actually have most of my switch ports labeled with the LabelMaker. I probably have 5x 8-port and 2x 5-port units at this point. I have a text document that lists in number order my VLANs and descriptions, bold and large font. I have 4 to 6 local VLANs and 4 WAN VLANs (primary cable, cellular backup, cellular hotspot and test. That's at home, but I also wanted to mirror that onto my smaller unit which I plan to use as a super powerful travel router). And mostly everything can stay virtual except for one port for each, and not everything actually needs to come out. My original goal was that I wanted to be able to enable a VLAN interface on my laptop and get a public-facing IP to test stuff, bypassing the router entirely from within my local network. And the other goal was sometimes I need to set something up and it would really be nice if I could just plug a switch into my LAN which would break out those 4 WAN connections anywhere I would want them. I ran into 3 problems. The first one was second-guessing myself and wondering if I was actually setting the right settings in the switch, and this video was so helpful. I got so deep down into it I was thinking I have to be doing something wrong. I've watched probably a dozen videos over the last few years, but nothing has been this clear. And covered the same configuration across different vendors. The second problem is that I'm using a Netgate 3100 hardware box and I think when I originally set it up their documentation was different. It has 3 dedicated interfaces; one of them breaks out into a 4-port switch built into the unit.
And their documentation said to add the tags to each of the four ports that you wanted them on, easy. What was neglected to mention I think and the biggest part I was missing the internal 5th port is between the switch and the router and it needed to also be tagged to pass that traffic. so as soon as I did that, boom I'm getting IP addresses on 4 different interfaces. And the third problem. My management network is untagged zero and I wanted to bridge that within the router out to a VLAN. so devices could either be on the management VLAN or on the untagged LAN and get the same IP, Broadcast domain, visibility. I Could never quite get this working, then I got to a point where enabling something would break everything. Finally I got to a point where the switch I was using would tell me that there is a loop condition and what port which really helped me narrow down what was happening and where. Unfortunately I think I'm gonna have to set up another IP address range and forward through routing rules. But at least everything else is functional. Part of what was tripping me up there's no distinction between general and trunk with the TP Link Smart switches (dumb smart switches). Very helpful information though I'll be rereading it multiple times as there's always something to learn. It was a lot of I turn switch on, light should come on, why is light not coming on, check lightbulb, repeat. At least 4 of my VLANs are pretty much identical with different IP addresses it was a lot of repeat 4 times and everything should be set up and working but wasn't. The 4 WAN VLAN were also pretty much similar just going into the router rather than out. so again just repeat 4 times and that was sort of working, I was getting WAN connections with IP's but they weren't passing through the switch to another switch. And I had part of this working with my old router so I was trying to rebuild from scratch on the new router over the course of the last four years on and off. 
I was hired by a very manipulative person who hired me to do his event and some computer work, and it turned into a two-story addition, working on classic cars, cleaning the garage, working on tractors and a heavy dose of manipulation whenever I asked for a day off. Because apparently I was supposed to be there Monday through Monday 8 to 8, then go set his event up on Friday and get home at 11 (mostly by myself, but he wants TED talk / Apple event quality), then be there Saturday morning two hours before he shows up with the guest speaker, but he would never say when he was going to get there. Then in November last year he called me a liar, said I was off loafing on company time and that a month earlier there's no way I could've gotten lost in the nearby state when I took his truck and trailer and another employee to pick up a literal 2 tons of wood scrap at an auction. That's when I said if you're gonna play that card I'm gonna play my card, I'm not your employee, goodbye, a week before his event. Which put the bargaining chip back in my realm to say I'm only doing your events. And then of course that follows 3 to 4 months of catching up on 3 years' worth of lost sleep before I could be productive again. But I digress. I do live video streaming, audio, sound mixing, video, small office IT and computer support, etc., so most of my home network configuration can get mirrored to my travel router as well, a Netgate 1100, although the interfaces on this one are a little bit different, which makes setting a lot of this up easier. Which means all my segmentation can pretty much carry over. As I am planning to have hotel Internet on WAN1 and 2 cellular hotspots on WAN2/WAN3, it just makes sense to have 4 WAN connections available. On the LAN side: primary, secured guest, guest/public/IoT, test.
@djp_video TLDR I've only been half shooting myself in the foot; part of it was a router problem, part of it was a me problem. I'm finally at a point in my life where it's time to use the knowledge of VLANs, and actually having a reason to implement it makes sense, and then when I go to implement it for myself it just doesn't seem to work. But then I go over and fix somebody's computer, no problem. It's like, when did I move to the Bermuda Triangle? I finally got things talking. Most of the problem was an extra step on the router which I think the documentation missed, and then the floodgates opened, which helped me narrow down the other problems I was having.
Sadly you didn't separate the native VLAN 1 from what should be a management VLAN on any number but one, and the HOME or MAIN VLAN. It is not recommended to set up a network with VLAN 1 as our main data subnet OR the management network. The native VLAN 1 should solely exist in the background (untagged member of any trunk port and PVID of any port not used). For any access port, the PVID of that port replaces PVID 1. Best if you redo this video with that in mind. To be frank, your video is ON POINT in terms of what most internet users need to see... just the approach with VLAN 1 is not the best or optimal setup. For setup purposes and to not get locked out, this works. The second step would be to apply ingress filtering and the last step would be to add frame type limitations. At this point native VLAN 1 cannot bypass your security by being passed on trunk ports.
I think you've missed who the target audience for these two videos actually is. They aren't meant to cover all of the best practices or provide complete coverage of everything a properly trained IT department would do when setting up VLANs. They're meant as a starting point for people who might have heard of VLANs, are maybe curious about VLANs, but don't remotely have an IT background, and specifically are those using consumer-grade gear. "Here's the basic concept of a VLAN, and here are the minimum steps to get them up and working." That's all. While I do, in fact, set up my own networks as you describe with a VLAN reserved for management (I actually take things a step farther and don't even use VLAN 1 for management -- I don't put anything on VLAN 1 so traffic on an unconfigured switch can't reach anything), I wasn't about to go into that level of detail in these videos. The two videos I made needed to be as simple as possible -- covering the basic concepts and providing the easiest working setup possible. Not as definitive tomes on everything related to VLANs. These are home users watching these videos. They aren't at risk of someone trying to hack into their switches to alter their configuration. Do you have any idea how many comments I'd get and people coming to me for help if I was to recommend using a different VLAN as the default? When all of a sudden users couldn't connect to their switches any longer? At a minimum the videos would get downvoted, and I'd likely have to take these videos down due to the overwhelming number of requests for help. That setup requires either setting up routing (good luck describing that to a novice), or adding a separate NIC to any computer they want to use for administration... again, a level of detail I just don't want to get into in introductory videos. These videos take a "this is the basic concept of a VLAN, and here is what it takes to get it up and working" approach.
Nearly all of the other VLAN videos on UA-cam make things far too technical, far too difficult to understand, and leave most people more confused and scratching their heads rather than being able to get their equipment up and functional. They alienate rather than help people. I wanted to take away the intimidation factor and put it in terms that real people can understand. So, your comments, while technically correct, if implemented would just make these videos completely unapproachable for my intended audience, just like all the rest of the VLAN videos on UA-cam do. I made a very conscious choice not to do that -- to keep things as simple as possible. These two videos have been tremendously helpful for a lot of people, specifically because I didn't delve into the nitty gritty details of setting up a full corporate-style network, giving them access to a tool which is unavailable otherwise. (Also, I'd mention that switches at this level don't usually even have ingress filtering as an option. For even those that do, that feature doesn't have meaningful real-world impact anyway, as for the described setup the filtering is already happening in the connected device, and even if it wasn't, reply traffic would be discarded and not reach the target device.)
Best VLAN video so far - with demos on 3 popular home brands. Thanks a lot!
I cannot thank you enough, hands down the best VLAN explanation!
I've watched countless videos on VLANs but this is the first time everything finally clicked.... THANK YOU
The best explanation I've seen so far. And with consumer switches and examples. Congratulations
best explanation of vlans on various switches on the internet !....many thanks
Thanks so much. I finally got my VLANs working after 3 days of pulling my hair out. Your explanation helped a lot.
Short and simple, manageable, yet comprehensive tutorial. Great
Thank you for this. After going through several other UA-cam videos, your VLAN instructions finally solved my issue.
indeed!
i wish i found this video sooner. vlans can be confusing between vendors. this video cleared all the confusion i had. Thanks a lot.
The best VLAN tagged and untagged explanation on YouTube 😍😍😍
Thanks so much for this and the first Video.
Never saw one explaining VLANs so good.
All the best for you in 2023!
dude please do more educational content like a+ material/net+ you explain things PERFECTLY
Thanks a lot for explaining the Tagged and Untagged settings. I have the TP-Link switch so you showing the settings on this was extra helpful. Now my network setup is working! Thanks a lot!
After watching god knows how many videos on this topic finally I understand it after watching this one!
And managed to configure several LANs on my TP link switch, trunked from a UDM. Thank you
Very well done. Amazing how in this day and age, some places still are not able to make a simple and elegant. Then they change the interface in the next update or newer line of same switches. Very frustrating. Used some Netgear but mostly Cisco SMB like SG2xx/SG3xx and now CBS250/350. Now have a TP-Link SG3210X-M2 and learning to configure it.
Thank you very much,this is very informative and clear. Thank you from South Africa
Just watched these videos and wow, what an eye opener. Thanks for the clear and concise explanation.
That's great content. Good highlight of differences between brands but in general it is simpler after this video.
OMG this video saved me a ton of grey hairs! I'm very inexperienced with VLANs and the VID concept was totally unknown to me. Was trying to pass my WAN connection through a VLAN but it wasn't working till I assigned the VID to that untagged port. Now everything works!
Thanks!
Thank you very much for the video explaining VLANs on switches. I don't have VLANs set up on my home network yet, but after your video I do want to use that capability. I currently have a TP-Link LS-1008G switch connected to my AT&T BGW320-500 modem/router combo provided by my ISP. I also have two AT&T 4971 extenders connected via ethernet cable for a wired backhaul for a mesh network to cover some dead spots that the main gateway/router could not cover well in my house. I have connected most devices via ethernet cables to my TP-Link switch. The 4971 extenders also feed into the TP-Link switch. Then, port 8 on the TP-Link switch feeds to the connection on the back of the AT&T modem/wifi router.
I work from home and I would like to set up VLANs to separate my work computer from my personal computers as well as all my IoT devices. I don't really trust the security of IoT devices. My thoughts after watching your video would be:
VLAN 1 = work computer
VLAN 2 = personal computer and devices
VLAN 3 = IoT devices (Google hub, Samsung SmartThings hub, smart bulbs, etc.)
All three of the VLANs would need an internet connection. If I replace my TP-Link LS1008G with the TP-Link SG108E smart switch, would I be able to achieve the above VLAN setup? I have read that the router and switches all need to support VLAN capability for VLANs to work. But my AT&T modem/combo does not support VLAN capability. Would just the TP-Link SG108E smart switch be able to accomplish this? I am hoping to not have to buy a whole new wifi router that supports VLANs to put in line between the AT&T modem and smart switch due to my budget. I am hoping to continue using the AT&T mesh system provided (if possible).
Because each VLAN is a separate network, any one of them that needs Internet access also needs a way to get out to the internet, which means having a router on that network.
Consumer routers do not (as far as I have been able to determine) provide Internet access for multiple networks. But that doesn't mean that hope is lost. There are two paths you can take:
If your AT&T modem actually has a NAT router in it, you can use it to provide Internet for three additional routers for your 3 VLANs. Each router would be plugged into the AT&T modem on its WAN port, then a LAN port would then connect to a VLAN to provide Internet for that VLAN. That involves double NATting, but that isn't much of a problem these days. And in this configuration it might make sense to disable WiFi on the routers where you don't need wireless access for that network.
Alternately you could switch to a router which does support multiple networks (or VLANs). I use the Ubiquiti Edge Router X, but it's far from the only one that does. The trouble with it, and generally anything else that has this capability, is that they aren't very easy to set up to support this. The device is very capable of doing what you need, but it's not going to happen through the GUI -- it involves dropping down into the command line to set up the multiple networks, NAT, and a DHCP and DNS server for each. If you want it to natively support VLANs it can, but that, again, means more command-line commands.
The GL.iNET routers I've talked about on this channel are technically capable of supporting VLANs as well, but it, again, involves dropping into a command-line interface to set it up. And most of the guides I've found online stop short of providing step-by-step instructions for doing so.
Really visual exploration! Just what I needed!
Thx for making these. Helped to get my Dante Cert Level 2. =D
This is a very informative tutorial. I learned a lot from it and I will try it out. Thank you very much!
Thanks dude! Very well explained. Will you make a video on configuring routers as well? Routing between VLANs.
It's super easy if you know pfSense. It's an open-source firewall and router that you can install on any PC hardware. ua-cam.com/video/rHE6MCL4Gz8/v-deo.html
Thank you great explanation and visuals
Awesome videos! Thank you so much, this helped tremendously.
Best explanation on Vlan
you did a great job man . well done
Great job!
I really liked your video
Thanks for the explanation
I have reinforced my knowledge of switching
great upload - subbed
Excellent tutorial!
Thank you! Subscribed
Great Video!
Thanks a lot for explaining how to configure VLANs on the switches and what the PVIDs are actually for. There are surprisingly few videos about that, compared to the whole bunch of videos about the VLAN basics, which imho are definitely much less confusing. I almost dare to migrate my plain network now. The only thing I still don't know is what should be best practice for doing a migration. So, what are the most terrible things to do (e.g. actions that lock the computer I am using to do the migration out of the network)? And where to start the reconfiguration, and so on? What are my fallbacks? I can't find those questions sufficiently answered anywhere on YT. But if you feel able to give some advice for a reasonable migration path, why not consider making a YT video about it? I would really appreciate that.
I guess the best advice I would give would be to configure the ports on your switches that connect to your crucial devices (computer being used to do the configuration and router, for example) last, leaving them set to their default settings until you know you've configured and tested all of the other ports to make sure they're working as intended first. You can set up new ports for the required functionality and move the critical devices to the new ports temporarily to test them. Once you know everything is working as desired you can complete the configuration by copying settings from the working ports to the last ports.
But I'd advise that you always leave at least one switch port with its original configuration left alone so you can always use it to configure the switch.
@@djp_video Again full of valuable advice. Thanks a lot for your reply. Guess I'm gonna give it a try this way.
@@CarbonRacer Some switches have a feature where they don't fully save changes until you hit "save all changes". So you can configure and check if everything works; if it doesn't, you can simply reboot the switch and revert the changes, otherwise you can press the reset button and start over.
Love these videos!! They have helped a lot.
When you are going over the tagging in this video, do you have to worry about tagging VLAN 1 (default) from switch to switch, or do you leave VLAN 1 (default) with all its ports Untagged? Hope that question makes sense.
I'll summarize what is happening so this makes sense. Here are the scenarios that can happen with VLANs...
Incoming (ingress) packets:
- Untagged packet enters a switch port with PVID set to 3 -> packet is tagged as belonging to vlan 3 and is forwarded to applicable ports assigned to VLAN 3
- A packet is already tagged with VLAN ID 5 when it enters a switch port set to accept traffic for VLAN 5, the tag is preserved and packet treated like any other packets tagged as VLAN 5 and forwarded to any ports assigned to 5.
Outgoing (egress) packets: (All packets inside of a managed switch are tagged, even if you haven't configured the VLAN feature, usually defaulting to VLAN 1)
* The packet is tagged internally as VLAN 5 -> packet is routed to all applicable ports assigned to VLAN 5, where...
- If the egress port is set to Untagged for VLAN 5, the tag is removed and the packet leaves the switch with the VLAN tag removed
- If the egress port is set to Tagged for VLAN 5, the tag is preserved and the packet leaves the switch with the tag in place
There is a difference between tagged and untagged packets. Tagging a packet with a VLAN ID of 1 is not the same as not being tagged; they actually have additional data and are structured slightly differently. In fact, most devices don't even recognize tagged packets at all and will just ignore them, even if that ID is 1. So when you connect a computer or printer or whatever, you have to make sure that the port it is connecting to is set to Untagged or it won't see any incoming data.
Now to your question... if both the sending switch and receiving switch are managed switches, you can either leave the tag in place (set to Tagged on egress and ingress), or set it as Untagged on one switch and set the PVID on the other and it will have the same net effect. In one case the tag is removed at one end (Untag assignment) and re-added at the other (PVID); in the other (Tagged on both ends) the tag is left in place so it neither has to be removed nor added.
These days, in most cases when connecting managed switches I will set the primary VLAN ID for that port as Untagged, and all other VLAN IDs on that port as Tagged. That gives two advantages: (1) that port could be used for a computer or other device if needed since it includes Untagged packets that the computer can recognize, ignoring all Tagged packets, and (2) If I need to re-assign to a different VLAN ID in another switch I can do so just by setting the receiving port's PVID value to whatever I'd like.
Most switches come with all ports defaulting to Untagged for VLAN 1, and PVID of 1. So to make configuration easier, it's not at all uncommon to have VLAN 1 be the default for the majority of connected devices since those ports probably won't have to be configured manually.
Does that clear it up?
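To make the ingress and egress rules above concrete, here is an added Python model of a four-port smart switch. It is not code from the video or the channel; the port numbers, MAC addresses and the broadcast payload are constructed for the example. A frame's 802.1Q tag, or the port's PVID when there is no tag, picks the VLAN; on the way out, each port's Untagged/Tagged membership decides whether the 4-byte tag is removed or kept, and a port that is not a member of that VLAN never transmits the frame. Port 4 is deliberately made an untagged member of two VLANs to show how traffic from both ends up on one host, and the trunk port shows why a VLAN-unaware device sees EtherType 0x8100 instead of IPv4 when tags are left on.

```python
"""Toy model of 802.1Q port rules on a smart switch (added example, not code
from the video): PVID classifies untagged frames on ingress; each egress port's
Tagged/Untagged membership decides whether the tag stays on the wire."""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100   # EtherType value at offset 12 that marks a tagged frame
ETH_IPV4 = 0x0800

def build_frame(dst_mac, src_mac, ethertype, payload, vid=None):
    """Ethernet II frame; with vid, a 4-byte 802.1Q tag (TPID + TCI, PCP/DEI 0)."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def ethertype_seen_by_host(frame):
    """What a VLAN-unaware NIC reads at offset 12: 0x8100 if the tag is still on."""
    return struct.unpack("!H", frame[12:14])[0]

def tag_of(frame):
    """VLAN ID if the frame carries an 802.1Q tag, else None."""
    if ethertype_seen_by_host(frame) == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

@dataclass
class Port:
    pvid: int
    tagged: set = field(default_factory=set)     # VLANs sent with the tag kept
    untagged: set = field(default_factory=set)   # VLANs sent with the tag removed

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged

class Switch:
    def __init__(self, ports):
        self.ports = ports   # {port_number: Port}

    def ingress(self, port_no, frame):
        """Tag wins, otherwise the port's PVID; non-members are dropped.
        Returns (vid, frame with any tag removed) or (None, None)."""
        port, vid = self.ports[port_no], tag_of(frame)
        if vid is None:
            return (port.pvid, frame) if port.member_of(port.pvid) else (None, None)
        return (vid, frame[:12] + frame[16:]) if port.member_of(vid) else (None, None)

    def flood(self, in_port, frame):
        """Broadcast/unknown unicast: {out_port: frame as transmitted} on every
        other member port, re-tagged or left bare by that port's egress rule."""
        vid, bare = self.ingress(in_port, frame)
        out = {}
        for pno, port in self.ports.items():
            if vid is None or pno == in_port:
                continue
            if vid in port.tagged:
                out[pno] = bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]
            elif vid in port.untagged:
                out[pno] = bare
        return out

def check_config(ports):
    """Flag the port settings that mix VLANs together."""
    problems = []
    for pno, p in ports.items():
        if len(p.untagged) > 1:
            problems.append((pno, "untagged member of several VLANs"))
        if p.untagged and p.pvid not in p.untagged:
            problems.append((pno, "PVID does not match untagged VLAN"))
    return problems

# Constructed topology: 1 = PC on VLAN 10, 2 = printer on VLAN 20,
# 3 = trunk to another managed switch, 4 = the mistake: untagged in both VLANs.
PORTS = {
    1: Port(pvid=10, untagged={10}),
    2: Port(pvid=20, untagged={20}),
    3: Port(pvid=1, tagged={10, 20}),
    4: Port(pvid=10, untagged={10, 20}),
}
SW = Switch(PORTS)
BCAST = "ffffffffffff"
PC_FRAME = build_frame(BCAST, "02aa00000001", ETH_IPV4, b"who-has?")  # constructed

def demo():
    out = SW.flood(1, PC_FRAME)   # untagged from the PC, so classified by PVID 10
    return {
        "reaches": sorted(out),                                   # [3, 4], never 2
        "trunk_tag": tag_of(out[3]),                              # 10
        "trunk_ethertype": hex(ethertype_seen_by_host(out[3])),   # '0x8100'
        "problems": check_config(PORTS),                          # port 4 flagged
    }

if __name__ == "__main__":
    print(demo())
```

Run it directly to print the result. The `check_config` pass is the sanity check worth running against every port before moving critical devices over: one untagged VLAN per port, and the PVID equal to that VLAN.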
Wow, yes that clears it up for me! Thank you so much for your time in responding to my question. Your channel has helped me greatly in a lot of areas in A/V. @@djp_video
Thank you so much this information is very helpful, my only question is why have a dedicated internet port and a separate LAN port for your home network? Wouldn't you have internet already integrated into your home LAN?
A lot of reasons… some for purposes of organization (e.g. personal devices on one, business on another), but many are focused on security. Both networks have internet access, but are isolated from talking to one another. For example, keeping devices you can’t trust off of your primary network made up of your computers and other devices which potentially contain/process personal or sensitive data (passwords, financial/health information, etc.) Some of those I want to keep off of my LAN might include computers/phones of visiting guests, or devices designed or manufactured in countries or by companies with potentially malicious intent or are apathetic to security. I can’t trust a WiFi lightbulb made by a no-name company in China to take security seriously, or trust that the computers or phones owned by guests haven’t been compromised by malware, and would prefer that the opportunities for those to scan or infect devices on my network be kept as low as possible.
Thank you for the clarification.@@djp_video
I agree with others that this video does a better job of explaining VLANs than anything else I've found on UA-cam or elsewhere. Turns out I have the same Netgear and TP-Link smart switches as the author, but my third switch is a HPE ProCurve 1810G-24 managed switch (J9450A). Does anyone know where to find an explanation of setting up the HPE switch with the clarity and thoroughness of this video?
If you apply the same principles (setting ports to tagged or untagged, setting the PVID) you can figure it out.
A couple questions please:
1. When you configured the VLANs in your router, did you configure your MAIN as a VLAN or is it the LAN connection under which VLANs 11, 61, and 101 were created as subnets?
2. Did you create a VLAN1 in your router to link to the Default VLAN1 on the switch?
3. Curious which router did you use?
Thanks
1 Default
10 Main
11 DJP
61 Audio
101 Internet
I actually have two routers on my network... the one that is connected directly to my ISP (a Ubiquiti Edge Router X on VLAN 101) and a second (a D-Link something or other) which provides routing for my main LAN (VLAN 3). And yet another router in my trailer, and the LAN side of that is on VLAN 11.
While my Ubiquiti Edge Router X does have VLAN capability, I'm not using it. In my case it isn't even aware that I'm using VLANs on my network. It's plugged into a port which is set as Untagged for VLAN 3 and a PVID of 3.
In this demo my internet connection is on VLAN 101. My main LAN has Internet through my D-Link router on VLAN 3, and my trailer has Internet access through its own router on VLAN 11. The other networks do not have Internet access by design. My audio network (61) doesn't have any kind of router or DHCP server -- I use auto-configured IP addresses, as recommended by Audinate for Dante networks.
@@djp_video The ER-X is very flexible if you use the vlan-aware switch0. But there are some oddities when using vlan-aware, as it won't route between switch0 and the vlan subinterfaces (what EdgeOS refers to as a vif, e.g. switch0.101). So you need to have all your vlans "tagged" to the internal switch, then you can untag a specific switch-port by specifying the pvid. You can see the vlans that the ER-X reserves for itself using the unsupported /sbin/switch program. For example, sudo switch vlan dump, sudo switch pvid dump and, to see the mac address table, sudo switch dump.
Hi Doug, what router are you using with your VLANs? Your 2 videos on VLANs were great. Thanks, Russ Wagner
Ubiquiti Edge Router X
Best example of setting up a Netgear switch.
Will a GS308E allow me to have one device isolated from the WAN and other devices on the switch have access to the isolated device and the WAN?
Not using just VLANs. Think of VLANs as completely separate networks that can't see one another. So, just like separate physical networks, a router is required to 'route' data between the two networks. Some managed switches provide some basic routing capabilities, but if you're using consumer gear like the GS308 you're unlikely to find routing features built-in. And when I say 'router' I'm not referring to consumer routers -- you need something a little more sophisticated than that.
@@djp_video Any recommendations? Will an Edge Router X work?
Yes, the Edge Router series will do it. You'll separate the ethernet ports into individual VLANs, then give the device an IP address for each VLAN, and then add entries to the routing table to route the required traffic between the VLANs.
If you haven't seen my video on IP networking yet, that's a good start: ua-cam.com/video/eSaKz1MKsVM/v-deo.html
Doug, do you have a spreadsheet or table you use to map out and plan the configuration of ports on multiple switches? I'd think there would be too many variables and settings to configure your switches ad hoc without having it all worked out ahead of time. Again, great job.
I'll do a spreadsheet or Word doc indicating which VLAN I want each port to be assigned to. But that's about as complicated as I make it.
Hello,
I just watched part one and part two and found your videos very helpful, so thanks for making them.
That said, I did notice that some info was not covered, and as a total noob I still could not get my VLANs to work.
Info missing: do you need fixed IP addresses, or can dynamic IP work for devices?
Also, as a noob, having one switch connect to another switch and then one to the router.
I could not seem to keep some devices from seeing others, and with the changes I tried I then got no devices on one switch to access the internet at all.
I ended up factory resetting the switches and not touching VLANs at all.
Is there a good book on VLANs with examples?
Each VLAN is its own separate network. And if you want to use IP on each network, it either has to have its own DHCP server or all devices need to use static or auto-assign IP addresses. Which usually means that each network gets its own router, or at least some device to act as a router.
Connecting one switch to another usually involves setting all applicable VLANs as Tagged on the ports that connect them to preserve the VLAN ID information as data moves from one switch to the next.
@@djp_video Hello, Thanks for the reply and help, I really appreciate it. Will give it a try tomorrow and see if I get it working. Thanks
Hey Doug, greatest explanation of VLANs I've come across so far.
I have a question though.
In my setup I have a bunch of Dante devices, Allen and Heath AHM64 controllers, 2 IP PTZ cameras and one streaming PC, all connected to one netgear managed switch.
The PC is used for streaming and managing the network.
It makes sense to separate the Dante devices, the A&H controllers and the IP cameras on 3 separate VLANs so they don’t talk to each other.
But how do I setup the port on the switch which is connected to the streaming PC, so it can take audio from the Dante network, video from the cameras and can control the mixer settings remotely?
Bottom line is without multiple network interface devices on your computer you can't.
If Dante wasn't one of the requirements, you might be able to. Some network interfaces will support multiple VLANs through a command-line utility, but Dante (by design) will not work with a network interface device which has VLAN support turned on.
So what you can do is add a USB network interface specifically for your Dante network. And maybe another for your PTZ cameras. Or possibly look into whether your current NIC supports VLANs.
If you do elect to use a NIC with VLAN support enabled, you'll set up your switch to tag outgoing Ethernet packets with the VLAN tag so the NIC will know which VLAN the traffic comes from. And each one of those VLANs will show up as its own virtual NIC in Windows. I don't recommend this configuration though, as it tends to be fragile and get reset after driver updates and the like.
Great! I’ll just get a couple USB to Ethernet dongles then. Thanks a lot!
Great two videos. Thank you. Very Informative and quality was great. I learned so much. Great job! My situation is a bit different than your setup. My Goal: Separate my work laptop (with Wired and Wireless connections) on a different VLAN than my home where my work cannot access my home network (wired or wireless). My current ISP provides Phone, Internet and Cable and I have cellphones, tablets and WI-FI enabled devices.
Two questions regarding your network. Was the phone you mentioned in Video 1 a cellphone or a VoIP phone? And, on your main Ubiquiti Edge Router X that is plugged into your ISP, how do you handle Wi-Fi access, since I read it has to have an additional Wi-Fi access point device? Did you use Wi-Fi on one of the other VLAN routers? (I realize that I need routers for each separate VLAN.)
Thanks in advance for your help!
The phone I mentioned could be anything, but I was thinking of a VoIP phone when I created the video.
I have wireless access points that provide WiFi for the VLANs that need it. And the access points that I use (as many business-grade units do) can provide wireless connectivity for multiple VLANs simultaneously over a single trunk connection -- so each VLAN gets one or multiple SSIDs (network name) and wireless security settings. (VLAN 1 might get a name of Wireless1 where VLAN 2 might be called WiFi2, or whatever you want). Just look for a Wireless Access Point (WAP) with multiple VLAN capability.
I should mention that some routers, like the Edge Router X that I use, can provide your routing needs for multiple VLANs simultaneously. You don't necessarily have to have a separate physical router for each VLAN if you get a router that knows how to work with multiple VLANs.
@@djp_video Thank you so much. Once again that was very helpful. Have a super day!
I like both the videos and great job on those with the excellent breakdown, thank you. However, all I'm trying to do is to create VLANs using my ISP router and a single managed switch (TP-Link SG108E), all wirelessly. No multiple switches, no cables, just the ISP router connected to an 8-port switch to make multiple VLANs, all wireless, in order to segment my IoTs and my personal devices and computers. Any advice?
Well, you'd need additional equipment to do that. Your ISP router almost certainly doesn't support VLANs, either in terms of providing Internet access for them or creating multiple wireless networks.
Almost no "consumer" routers support VLANs natively. You'd need to step up to a router that does, and a separate wireless access point to create your WiFi networks.
In terms of routers, the least expensive option I know of is the Edge Router X from Ubiquiti. But it isn't easy to setup, especially if you want multiple VLANs. Another option is to use an old PC and install pfSense on it. But again, not easy to setup.
Getting multiple wireless networks from multiple VLANs is a little easier. Most dedicated access points can do this. You'd set up multiple wireless networks, and tie each one to a separate VLAN.
The closest you're going to get with a single device would be a "Guest network" which separates network data on to its own wireless network, but that's about all you can achieve using consumer equipment.
Thank you, I have purchased Netgear Orbi pro (Multiple SSID and VLANs support )and I think I finally got the missing piece :) @@djp_video
Thank you very much for taking the time to explain in a way that makes logical sense - by far the most understandable explanation of VLANs I've seen!
I'm using OPNsense with two physical NICs:
one NIC connected to the ISP as WAN,
the other is my LAN interface connected directly to port 1 on a TL-SG108E with 5 VLANs defined in addition to the default.
The VLANs are defined on ports 2-7 with the VLAN untagged on the port and tagged on ports 1 and 8.
I have one cable run from port 8 on SW1 to port 1 on a second TL-SG108E.
Everything works great on switch one.
SW2 is still giving me issues. I can get traffic flow from my main subnet or Main LAN subnet from all the ports,
but I am unable to extend the subnets to the second switch. Any thoughts?
I can share the 802.1Q config screenshots for each switch if that helps.
Thanks!!
I think I found the issue: I found a layer 2 switch in the trunk line between the two layer 3 switches.
Yes, all of the equipment has to support and be configured for the VLANs you're trying to setup. An unmanaged (or unconfigured) switch won't know what to do with the VLAN tags and they usually just ignore those packets altogether.
This cable on port 1, switch one. It's going, as you say, to your switch. My question is, what if it is going to your router? All together with a trunk? Can the router split those VLANs, or better to say, read them?
Thx
If the router supports, and is configured for, VLANs, yes. Otherwise, you’d need to use a port on your switch which is configured to untag VLAN IDs
What is the IP address of each VLAN of the Dante audio on each switch? In my case, each switch assigns different IP addresses in a different subnet (DHCP). Therefore when I connect the PC via the second switch, while all Dante devices connect to the first switch, Dante Controller shows all Dante devices in red (in a different subnet). Therefore I can't do anything, including assigning the routing.
Creating a VLAN doesn't on its own setup DHCP or assign any IP addresses to any devices. You decide on whether you want DHCP or static IP addresses, and have to add your own DHCP server to a VLAN if you want to use DHCP, or manually assign IP addresses to each device if you don't. It doesn't happen automatically.
If you're getting IP address/subnet errors in Dante Controller, you've got a different issue. What that likely means is that you've got a misconfiguration for your VLANs and you're getting network traffic from what you intend to be different VLAN(s) mixed into a single VLAN (for example, you want all Dante traffic on VLAN 20 but it's making it into VLAN 10). The most common cause of this would be assigning multiple VLANs to a single switch port. Go back and make sure that every port is only assigned to one VLAN, and that for each of those ports the PVID assignment matches the intended VLAN ID.
@@djp_video When creating a VLAN, it asks me to choose between manual IP assignment or DHCP. I have one switch at 192.168.1.1 and the second switch at 192.168.10.1. DHCP is set on the respective 192.168.1.0/24 and 192.168.10.0/24. I am positive I am communicating with the correct VLAN PVID. It's just that VLAN 2 (for example) on the first switch is in the 192.168.1.xxx subnet and VLAN 2 on the second switch is in the 192.168.10.xxx subnet. I don't know what I am doing wrong.
What device are you using? Are you using the industry standard 802.1Q VLANs? From your description it sounds like something else. What model switch are you using?
Doug, I have a question for you on the ATEM Extreme ISO.... just bought it, put it in a case and used it for the first time yesterday in a trial run. The unit will not record. Not using hardware or the software connected via ethernet. I am using a T7, brand new... I know it's not on the supported list. I could not get a T5, and the SanDisk has been reported to have its own issues. I reformatted the drive, exFAT... and it is recognized, and shows an empty drive available.... but the record buttons simply will not work. Also, the Display, Record all cameras, and Record ISO ARE checked. Any thoughts?
T7 didn’t work for me - I hooked one up to a Blackmagic video assist 12g and it would record for a half second. Switched to a Sandisk and it recorded ok. Something fishy with the T7…
What about DHCP servers for each VLAN on your router, say pfSense for example? That's my sticking point - any device I have configured (let's say from a guest SSID on a WAP) for a VLAN hang at getting an IP address from my router. Hundreds of videos later and I still haven't figured out what the problem is yet.
Just remember that each VLAN is its own separate network, so if you want Internet access, it has to have a router of some kind. And that means DHCP for each VLAN as well.
You can either setup a dedicated DHCP server for each network, or configure a managed switch with DHCP relaying to send those requests to a DHCP server which supports it (hint: consumer routers don't do that). One inexpensive, easy way to provide DHCP to each network is to add a dedicated consumer router to each.
In my case, I use a Ubiquiti Edge Router X, and have it setup to provide Internet connections for up to 4 separate VLANs. (It can do more than that though.) Each of its Ethernet ports can be setup to be on its own network, and those connected into a separate VLAN, or with a little time and patience one or more of its ports can be setup with VLAN support as well, so you can serve DHCP and routing to multiple networks with a single cable. That's starting to get into some complicated configuration, though, so if you aren't up for that the simplest solution is just to pick up a few consumer routers and put one one each VLAN that needs Internet, and then connect the WAN side of those to a single master router which provides Internet for everything.
pfSense can be made to do it too -- you'll either need separate NICs for each network, or to configure a supported NIC for separate VLANs and make sure that packets are tagged properly in both directions. Again, it can be done, but it can be a little tedious to get it all setup and working.
@@djp_video One thing: if I need to physically isolate the networks from each other, it kind of defeats the whole 'virtual' aspect of a VLAN. Physical isolation is easy, I wouldn't need any help with that. I could use a Raspberry Pi to act as a DHCP server on the isolated network, but I thought you could 'virtually' isolate the traffic using VLANs. Am I wrong to assume that?
You are virtually isolating the LANs. They behave as if they are completely separate and have no connection to one another, unless you explicitly have some kind of router on the networks to relay data between them. Because they are separate networks, even though they are on a single switch, each one needs its own DHCP and routing. The VLANs can't talk to one another without routing between them.
The advantage of VLANs is that you can (1) manage and troubleshoot multiple networks on a single network switch, and (2) combine traffic from multiple VLANs on to a single cable, provided that the devices on both ends of that cable know how to handle VLAN tagging. VLANs also limit the size of the broadcast domain, which essentially means that you get a reduction in "broadcast" network traffic since broadcasts don't cross VLANs, and the broadcast traffic increases almost in an n^2 relationship with the number of devices on the network. But that's beyond the scope of this discussion.
Let me back up just a little bit to help this make sense.
VLANs are a function of Layer 2 of Ethernet -- basically managing network traffic based on device MAC addresses and the switch ports they are connected to. IP, TCP/IP, etc. are Layer 3 protocols -- they happen above layer 2 -- in other words, on top of, but independent from Ethernet and MAC addresses and the like. (That essentially means that IP can also travel over other types of networks, like WiFi, dial-up, VPNs, etc. and doesn't require Ethernet to function, and Ethernet is independent of IP). VLANs segment a network and normally devices on different VLANs cannot see or talk to each other without a device configured to route data between them, hence the term 'router.'
Managed switches come in a few varieties... A classic 'Layer 2' Managed switch lets you isolate different networks into VLANs by having the switch 'tag' packets with a VLAN ID. And they have rules internally which tell them how to distribute that traffic. That's what the video you watched is about-- setting the rules for the switches on how they tag incoming packets (PVID), where to send them based on those tags, and whether or not to remove the tags when sending out to a device (Tag/Untag rules). All of that happens in Layer 2, which means that it is unaware of IP, TCP/IP, DHCP, DNS, all of that. So a strictly Layer 2 Managed switch can't help with IP routing. It doesn't even know that IP exists.
Layer 3 managed switches do everything a Layer 2 switch does, but are also aware of IP, and can route traffic based on IP addresses, routing tables, etc. They usually provide some basic services to make that happen, like DHCP, DNS, routing tables, ARP, etc. So if a switch is a Layer 3 switch, it can handle the routing between VLANs if you configure it to do so. Layer 3 switches can be classified as routers. But most routers are not layer 3 switches. But, that said, if a L3 switch doesn't support Network Address Translation, you STILL need another device (router) that does.
So if you have a strictly Layer 2 switch, you have to have something on your network to provide IP-based services. The switch can't do that for you, because it just doesn't have the software to handle things happening at layer 3. DHCP and DNS and everything else related to connecting to the internet are IP-based protocols, so they happen in layer 3... which means that devices which are layer 2-only can't provide services related to those protocols/functions.
Many consumer switches labeled as "managed" or "smart" provide some subset of the functionality of a full layer 2 managed switch. But usually enough to do the kinds of things we're talking about. They almost never provide any layer 3 services.
There is also a bit of a gray area -- we'll call it Layer 2.5 Managed Switches for the sake of discussion -- where a Layer 2 switch does have some limited Layer 3 functionality. For example, the TP-Link switches I use in my home, video production trailer, and on location at client venues, can do really basic routing ("Take traffic from the 10.1.1.0 network destined for 10.2.2.0 and send it over to that network") and provide DHCP relay, where a device on one of the VLANs can make a DHCP request and these switches will take it from that particular VLAN and send it to a DHCP server on another VLAN which has been configured to know how to respond to a relayed request, and then send the response back through the switch so devices on that network can get an IP address. That said, most of those types of devices do not support NAT routing, so even in those cases you still need a separate router with NAT functionality if you want Internet access.
In terms of connections to pfSense, it can provide all of the Layer 3 functionality you need and then some -- routing, DNS, etc. If you happen to have a NIC which supports VLAN tagging (not all do), and the driver for that NIC supports VLAN tagging, you can run a single cable from a managed switch to your pfSense router, and set up the connected switch port and PC to preserve the VLAN tags, then you can have pfSense perform any routing between VLANs and/or the Internet as you'd like. (Sharing traffic from multiple VLANs on a single cable is called trunking, FYI). But if your NIC or its driver don't support VLANs, or you'd prefer not to take the time to set that up, you do need to have separate NICs in that computer for each VLAN for them to talk to each other or the Internet. Once pfSense is set up to talk to the VLANs, you can assign unique IP address ranges for each VLAN, then add a DHCP server for each VLAN, and add some routing rules to tell it how to route data between them.
If you'd like a primer on IP and how it works (and how it relates to layer 2), I have a video about that specifically: ua-cam.com/video/eSaKz1MKsVM/v-deo.html. While I don't explicitly cover the layers of the OSI model, conceptually I do cover a lot of what is happening under the covers and it might clarify some things for you.
I have the TP Link switch. Does it need something upstream to establish the VLAN?
My Asus router doesn't do VLAN so not sure if my switch can look after that function itself.
As mentioned in my last reply, you either have to have a router which supports routing across multiple VLANs, or use multiple routers -- one for each VLAN/subnet, plus one additional to combine traffic from the various VLANs.
Layer 3 switches can do routing for you as well, but those get expensive quickly.
TY for this video.
Hello Sir!
I have faced a huge problem. My scenario is: I want to receive the TV_Production feed (which is encoded by an encoder) in default VLAN 1 and my internet is in VLAN 30. But when I connect the feed cable to VLAN 1 my internet is disconnected and at the same time I do not have the TV_feed. I have used Netgear and Cisco switches for this scenario.
As you've probably figured out, each VLAN is completely separate from one another and having internet access on one VLAN does not grant internet access on another VLAN. It is just like having two completely separate networks, and some device needs to provide an Internet connection for each VLAN.
The way to solve this is to use a router for each VLAN. And if you do have multiple VLANs with multiple routers, you may also need another router in front of the VLAN routers to provide Internet access for each of those. Or, if your switch has routing capability and supports NAT, you can have your switch perform that function for you. Or use a router that can support multiple subnets. I use the Edge Router X from Ubiquiti, which can provide Internet access for multiple separate networks.
@@djp_video Thank you for your prompt response. However, I would like to mention that my scenario differs slightly from what you gathered from my initial comment. Allow me to explain it clearly. I have three Netgear managed switches, each of which has been configured with two VLANs (1 and 30). In SW1, the SFP 25 port is set to T for VLAN 30. In SW2, both the SFP 25 and Gig18 ports are set to T for VLAN 30. In SW3, the Gig18 port is set to T and connected to the Gig18 T port in SW2. These connections are for my internet connection and are functioning without any issues.
VLAN 1 is dedicated to my TV feed, which is encoded by an encoder. I want to transmit this feed over IP using Cat 6 and then transfer it via fiber to another building where it will be decoded. In VLAN 1, the SFP 26 ports in SW1 and SW2 are set to T. However, in SW3 with VLAN 1, I do not have a T port. Whenever I connect the TV feed Out (from the encoder) to the U port in SW3, my internet connection in VLAN 30 gets disconnected, and simultaneously, I am unable to receive the TV feed.
Question (maybe someone can answer): having a Proxmox, with many VMs/container, there is 1 LAN card from it, and it carries multiple VLANs, depending on the VM in use: what should be the configuration for the port where Proxmox is connected: Tagged (because it carries all)? or which one? thx.
If the Proxmox has VLAN support enabled, you'll want to set the port up the same way as it is in Proxmox... which would likely mean that everything would be Tagged.
@@djp_video Thank you, I was thinking the same way: vlan aware Proxmox vmbr and then ports on switch ( I use multiple as redundancy) as Tagged for all VLANs that are supposed to be visible by VMs/CTs. Thank you again.
If an unmanaged switch or a managed switch with NO VLAN IDs set, in your example the 2nd switch, just passes whatever comes into device "A" to device "C" based on the router MAC info, why would one need to set up VLANs on the 2nd and 3rd router?
While it might reduce some network traffic and add some security and Isolation, is not the 1st Managed switch doing all that heavy lifting?
Why do the other two switches need to also have the exact same VLAN's setup on them?
This is a simple low level question, as I am new to VLAN setup.
I appreciate your videos, just not sure if this was a demo and not a requirement of having 3 switches set up exactly the same.
Before I answer that question, I'll provide a little bit of context. When an Ethernet frame (similar to a packet) receives a VLAN tag, the structure of that frame is actually altered... four additional bytes are added to the header, in such a way that devices which are not capable of recognizing VLAN tags will not know how to decode it (the entire frame)... it looks like a malformed frame and is discarded. That's why we have the Untagged option -- in order to remove that tag portion of the frame so the data being carried is recognizable to those devices once again.
Unmanaged switches are *usually* not aware of the existence of a VLAN tag and will *usually* just ignore the VLAN tag and forward those tagged Ethernet frames on to the intended devices (unchanged) based on the destination MAC address. That may or may not be what you want. If it is forwarded to another device, the receiving device will still need to be VLAN aware, as the VLAN tag is still intact. If it is not, the entire frame will not be recognized by devices that aren't capable of dealing with the tag and they'll just ignore it. But I wouldn't for a second be surprised if there are switches out there that just discard tagged packets. I haven't personally done any testing in that regard to know how specific devices behave.
Managed or smart switches which support 802.1Q behave differently based on how they are configured. Many models will let you determine the behavior... whether it accepts those frames and forwards them on or discards them.
@@djp_video thanks for taking time to reply with a very detailed explanation.
Four of the five switches I have in my house are smart managed switches, and the only unmanaged switch is in the back bedroom which would give wired connections to my TV and Roku device.
I've been watching a lot of videos lately on proxmox and I'm setting up pfSense on an older computer with proxmox as the hypervisor.
The thing that I find frustrating of the hundreds of videos that I've watched on computers network setup VM setup etc., they all do a pretty good job of what to do.
What very few of them do is why they make the choices they make in configuring and setting things up.
I realize that often that is part of personal preference but how can I have a preference if I don't know why option one that they chose is better than option two or option 3 or option 4.
Knowing why they configured things the way they did lets me decide which choice is best for me, rather than just blindly following their step by step instructions.
By the way your new studio looks good.
There are some big time UA-cam content creators I don't like what they have in the background.
Some have a right light bulb in the background or LEDs constantly spinning and changing colors. Jeff has his Pac-Man or Donkey Kong running in the background all the time.
Then there is this German guy who has great explanations but it is filmed in a room with clutter in the background I spend too much time thinking about. 🥴
Awesome!
Brilliant !!
Hey, just trying to figure this out as well. Do you have the VLANs set on your router as well? Or just the switches?
I personally don't have any VLANs setup on my routers. Though many models do support it.
@@djp_video Ok, thanks for the reply. Are all devices other than the network ones with static IPs then? Or does the router still give devices on other VLANs IPs as well?
Even with static IPs you still have to have routers to move traffic from one network to another. In the case of getting out to the Internet, this usually means routers with NAT routing, which all consumer routers do. But when you have multiple VLANs which need Internet access and you're using consumer routers, this usually means multiple routers -- one for each VLAN, and all of those behind another router which combines the signals from the others.
There are routers out there which will support multiple VLANs simultaneously, but they are generally more complicated than the consumer routers that you'll find at your local big box store. I use the Ubiquiti Edge Router X in my trailer to accomplish this -- you can set up as many separate networks as you like, each with its own subnet, getting its own unique IP address range, and being able to route traffic between the various networks. But there are many other models that can do this as well... they just tend to be much harder to configure than consumer products.
@@djp_video Ok, so if I understand it correctly, if I want to let different VLANs have internet it needs to be configured in the router, and if I just want to split up the network, like Dante, I can do it on the switches?
Also could do a video on how you set up the router in your trailer? how does that work if you connect to a venues system that already has a router in it?
Is Port 7 Internet where you plug in from your router?
So from router LAN to Switch port 7?
My router Lan connects to port 8 of my switch.
It seems that it has to be part of my vlan1.
Does that sound correct?
When I made it 101 like your internet, I lost the network connection.
I'm assuming your "internet 101" is going out to your other switch...
thanks for any input you have...
In these examples, port 1 on the switches shown connects to the upstream switch, which is then connected to my router. The network created by my ISP router is on my VLAN 101. That's something I setup, not something that came from the provider.
Did you watch part 1 of these videos?
Very good!
How does the Vlan know what IPs range it has available?
The VLAN itself doesn't. Segmenting a network into VLANs means that each one of those VLANs, for all intents and purposes, is a completely separate network, just as if you were using two separate, un-connected switches.
For IP networking to work, you'd need to add that on top of the VLAN, just like you would for any Ethernet network. In most cases that means adding a router with DHCP to provide IP addresses and/or Internet access for that VLAN.
Where's the DHCP server at? I'm guessing your router?
For networks that need it, yes, it is provided by my Ubiquiti Edge Router X.
For my Dante network, I don't use DHCP. I let my devices use auto-configured IP addresses unless I'm integrating into a Dante network at a client venue, at which point I use their DHCP.
@@djp_video I used to do all this with Cisco command line. Never liked the GUI. It's been over 10 years now since I last worked with tagged and/or trunked VLANs/ports. Trying to figure out how to do this (trunk) on a DrayTek Vigor router. VLANs are the easy part but one trunked link to another switch is doing my head in. Hence I'm watching videos on UA-cam lol
What cheap managed switches do you recommend??
Most are good. But I've had really good luck with the TP-Link models, for example:
8-Port: amzn.to/42ntM6h
8-Port with PoE: amzn.to/3JRb5R6
24-Port: amzn.to/40lWgv9
@@djp_video 🙏 thank you !!!
a network topology diagram would have been helpful
Thank you sir
BEWARE of those small TP-Link ("Smart" line ok, "Easy Smart" line not ok) and Netgear ("Plus" line - GSxxxE - not ok, "Pro" line - GSxxxT - ok) switches. They allow access to the web interface from any VLAN you create on them. Not fun if you want to create a separate network for your guests or clients and they can access your web panel. That's why I'm returning my RP108GE and just ordered a Zyxel GS1200-8 as a replacement. Zyxels seem to allow setting a management VLAN.
Easily mitigated by assigning a strong password
@@djp_video Considering the fact that you can't enable HTTPS and also that you can only use alphanumeric characters (TP-Link, I don't know about Netgear), I don't think that changing the password to a longer one is an effective workaround. I've seen NVIDIA cards breaking even quite strong passwords in relatively short time. Also sometimes there are those 0day bugs which allow access without a password. Overall I think that it's better to just hide such things (web panel) from prying eyes. The mentioned Zyxel arrived and works fine, no access from VLANs except the one set in Management VID. I power it with a TP-Link TL-POE10R so it's a perfect replacement for the RP108GE.
@@djp_video (lol, YT deleted my previous comment) TP-Links (Easy Smart) don't allow special characters in passwords, so even longer ones could be broken with some NVIDIA cards in relatively short time (have seen some charts somewhere, I'll edit the comment if I find them). But there is a second problem - lack of HTTPS. Such passwords probably could just be sniffed somehow. Overall I think that just hiding things like login panels from prying eyes mitigates the majority of risks. But of course I just left the comment as a warning, everyone has to consider their situation and the risks involved. EDIT Oh and the Zyxel switch arrived and works as it should - no access to the web UI from any VLAN except the one set as Management VID. I power it with a TL-POE10R switched to 5V output.
OK I did exactly that maybe these dumb TP-link Smart switches will actually talk to each other?
You've at least proved that these things should work. I am fairly knowledgeable around networking but then for the past five years I've been fighting with everything networking for myself and can't get a thing of it working. I at least know now that I need to remove the tag for the default VLAN1 TP Link site does not document whether that needs to stay or go. Theoretically anything that has an untagged port should act like a dumb switch for that VLAN. And anything that's tagged will pass the native untagged traffic along with the tag traffic. And yet I've been banging my head against the wall with this for the past few hours.
Start with a really basic setup... just one VLAN per port. Write down on a sheet of paper what your VLAN IDs are going to be and the purpose/name for each, and then decide which (single) VLAN each port should be a part of. With that written down, in the web interface or app for your switches, assign each port to its designated VLAN ID by setting it as Untagged for that VLAN ID, and remove all other assignments (only that one VLAN ID as Untagged, and none set to Tagged), and set the PVID for each port to its assigned VLAN ID. That includes any links between switches... for the initial setup, use Untagged ports to relay traffic between switches (if you want to get traffic for 3 VLANs from Switch A to Switch B, use 3 separate cables at first); don't attempt Tagged ports or multiple VLANs per port just yet. When that is configured correctly, any devices on each VLAN should be able to talk to other devices on the same VLAN, but nothing else should see each other. That usually means that you won't have Internet access on anything but your primary VLAN, and devices on non-primary VLANs won't even be able to obtain an IP address automatically.
Once you've got that working and are comfortable with that, you can move to the next level -- tagged VLANs. And keep in mind that those should only be used when connected directly to devices which support that feature. Pick which ports need to convey additional VLAN traffic (on top of the assignments you've already made), then add those VLAN IDs as Tagged for those ports (e.g. Add VLANS 10, 20, 30 as Tagged to port 8, which is already assigned as Untagged for VLAN 1). If you connected any cables between switches for VLANs besides your default (e.g. to relay VLAN 10), disconnect those cables between the switches before adding those VLAN IDs as tagged to another connected trunk/relay port.
Depending on the model of switch, you might need to adjust the port/link type/VLAN mode to support some of these configurations. ACCESS is used for ports which will only need to be on one VLAN, GENERAL is for ports that need to be on multiple VLANs but one of them will be untagged, and TRUNK is for any multiple VLAN configuration (though usually all tagged).
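The two replies above describe the 4 extra bytes an 802.1Q tag adds to a frame, and the Untagged/Tagged/PVID rules a smart switch applies to each port. Below is an added worked example (not code from the video or from any switch vendor) that models both in Python: it builds and parses tagged frames, then simulates a small switch configured as the reply suggests (ports 1-3 as single-VLAN access ports, port 8 as the uplink with VLAN 1 untagged plus 10/20/30 tagged). The MAC addresses, port numbers and payloads are constructed for the demo; real switches differ in details such as whether ingress filtering is on.

```python
"""Toy model of 802.1Q tagging and Untagged/Tagged/PVID port behaviour (constructed example)."""
import struct

TPID_8021Q = 0x8100      # EtherType that announces the 4-byte VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Return an Ethernet frame; if vid is given, insert the 4-byte 802.1Q tag after src."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)           # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)  # these 4 bytes are "the tag"
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:                           # tagged: skip TPID+TCI
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def retag(frame, vid):
    """Rebuild a frame with exactly the tag wanted on egress (None = send untagged)."""
    dst, src, _, _, payload = parse_frame(frame)
    return build_frame(dst, src, payload, vid)


class Port:
    def __init__(self, pvid, untagged, tagged=()):
        self.pvid = pvid                 # VLAN given to frames that arrive without a tag
        self.untagged = set(untagged)    # VLANs that leave this port with the tag removed
        self.tagged = set(tagged)        # VLANs that leave this port with the tag kept


class Switch:
    def __init__(self, ports, ingress_filtering=True):
        self.ports = ports
        self.ingress_filtering = ingress_filtering
        self.mac_table = {}              # (vid, mac) -> port number, learned on ingress

    def receive(self, in_port, frame):
        """Process one frame; return {out_port: frame_as_sent} ({} means dropped)."""
        dst, src, vid, _, _ = parse_frame(frame)
        port = self.ports[in_port]
        if vid is None:
            vid = port.pvid              # untagged ingress is classified by PVID
        elif self.ingress_filtering and vid not in (port.untagged | port.tagged):
            return {}                    # tagged frame for a VLAN this port is not on
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        candidates = [known] if known is not None else list(self.ports)
        out = {}
        for p in candidates:
            if p == in_port:
                continue
            egress = self.ports[p]
            if vid in egress.untagged:
                out[p] = retag(frame, None)
            elif vid in egress.tagged:
                out[p] = retag(frame, vid)
            # a port that is neither Untagged nor Tagged for vid never sees the frame
        return out


def demo():
    """Run the scenario from the reply above and return the observable results."""
    sw = Switch({
        1: Port(pvid=1, untagged={1}),                     # access, VLAN 1
        2: Port(pvid=10, untagged={10}),                   # access, VLAN 10
        3: Port(pvid=20, untagged={20}),                   # access, VLAN 20
        8: Port(pvid=1, untagged={1}, tagged={10, 20, 30}),  # uplink: native 1, trunk 10/20/30
    })
    bcast = b"\xff" * 6
    host_a = bytes.fromhex("020000000001")   # constructed MACs
    host_b = bytes.fromhex("020000000002")
    host_c = bytes.fromhex("020000000003")
    uplink = bytes.fromhex("020000000008")
    # 1) Untagged broadcast from a VLAN 10 access port: only the uplink gets it, tagged 10.
    out1 = sw.receive(2, build_frame(bcast, host_b, b"hello"))
    # 2) A frame already tagged 30 arriving on an access port is dropped by ingress filtering.
    out2 = sw.receive(3, build_frame(bcast, host_c, b"x", vid=30))
    # 3) Tagged 10 reply from the uplink to the learned host: delivered untagged on port 2.
    out3 = sw.receive(8, build_frame(host_b, uplink, b"reply", vid=10))
    # 4) Native VLAN: VLAN 1 traffic crosses the uplink with no tag at all.
    out4 = sw.receive(1, build_frame(bcast, host_a, b"mgmt"))
    return {
        "vlan10_out_ports": sorted(out1), "vlan10_uplink_vid": parse_frame(out1[8])[2],
        "foreign_tag_dropped": out2 == {},
        "reply_out_ports": sorted(out3), "reply_vid_on_access": parse_frame(out3[2])[2],
        "native_out_ports": sorted(out4), "native_uplink_vid": parse_frame(out4[8])[2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Case 4 is the situation the later comment about VLAN 1 refers to: whatever VLAN is Untagged on the uplink travels between switches with no tag, so the next switch classifies it by its own PVID on that port. Set `ingress_filtering=False` to model switches that accept any tag on any port.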
@@djp_video I finally figured it out. Thanks for the reply. Might've been helpful two days ago but behind on my email. Well probably still will be helpful.
What I've been doing is taking a strip of masking tape across the top of the switch and laying out what should be what.
Although I've had this layout figured out for a good few years and not had time to work on things, I have actually most of my switch ports labeled with the LabelMaker. I probably have 5x 8 ports and 2x 5 port units at this point.
I have a text document that lists in number order my VLANs and descriptions, bold and large font.
I have 4 to 6 local VLANs and 4 WAN VLANs (primary Cable, cellular backup, Cellular hotspot and Test. That's at Home but I also wanted to mirror that onto my smaller unit which I plan to use as a super powerful travel router). And mostly everything can stay virtual except for one port for each and not everything actually needs to come out. My original goal was that I wanted to be able to enable a VLAN Interface on my laptop and get a public facing IP to test stuff bypassing the router entirely from within my local network. And the other goal was sometimes I need to set something up and it would really be nice if I could just plug a switch into My LAN which would break out those 4 WAN connections anywhere I would want them.
I ran into 3 problems. The first one was second-guessing myself and wondering if I was actually setting the right settings in the switch and this video was so helpful. I got so deep down into it I was thinking I have to be doing something wrong. I've watched probably a dozen videos over the last few years, but nothing has been this clear. And covered the same configuration across different vendors.
The second problem is that I'm using a NetGate 3100 hardware box and I think when I originally set it up their documentation was different. It has 3 dedicated interfaces one of them breaks out into a 4 port switch built into the unit. And their documentation said to add the tags to each of the four ports that you wanted them on, easy.
What they neglected to mention, I think, and the biggest part I was missing: the internal 5th port is between the switch and the router and it needed to also be tagged to pass that traffic. So as soon as I did that, boom, I'm getting IP addresses on 4 different interfaces.
And the third problem. My management network is untagged zero and I wanted to bridge that within the router out to a VLAN. so devices could either be on the management VLAN or on the untagged LAN and get the same IP, Broadcast domain, visibility.
I Could never quite get this working, then I got to a point where enabling something would break everything.
Finally I got to a point where the switch I was using would tell me that there is a loop condition and what port which really helped me narrow down what was happening and where. Unfortunately I think I'm gonna have to set up another IP address range and forward through routing rules. But at least everything else is functional.
Part of what was tripping me up there's no distinction between general and trunk with the TP Link Smart switches (dumb smart switches).
Very helpful information though I'll be rereading it multiple times as there's always something to learn.
It was a lot of I turn switch on, light should come on, why is light not coming on, check lightbulb, repeat.
At least 4 of my VLANs are pretty much identical with different IP addresses it was a lot of repeat 4 times and everything should be set up and working but wasn't. The 4 WAN VLAN were also pretty much similar just going into the router rather than out. so again just repeat 4 times and that was sort of working, I was getting WAN connections with IP's but they weren't passing through the switch to another switch.
And I had part of this working with my old router so I was trying to rebuild from scratch on the new router over the course of the last four years on and off.
I was Hired by a very manipulative person who hired me to do his event and some computer work. and it turned into a two-story addition working on classic cars cleaning the garage working on tractors and a heavy dose of manipulation whenever I asked for a day off. because apparently I was supposed to be there Monday through Monday 8 to 8 then go set his event up on Friday and get home at 11 (mostly by myself, but he wants TED talk Apple event quality) then be there Saturday morning two hours before he shows up with the guest speaker but he would never say when he was going to get there. Then in November last year he called me a liar said I was off loafing on company time and a month earlier there's no way I could've gotten lost in the nearby state when I took his truck and trailer and other employee to pick a literal 2 tons of wood scrap up at an auction. that's when I said if you're gonna play that card I'm gonna play my card, I'm not your employee, goodbye a week before his event. Which put the bargaining chip back in my realm to say I'm only doing your events. And then of course that follows 3 to 4 months of catching up on 3 years worth of lost sleep before I could be productive again. But I digress.
I do live video streaming, audio, sound mixing, video, small Office IT and computer support etc. so most of my home network configuration can get mirrored to my travel router as well NetGate 1100, although the interfaces on this one are a little bit different which makes setting a lot of this up easier. Which means all my segmentation can pretty much carry over. As I am planning to have hotel Internet on WAN1, 2 Cellular hotspots on WAN2/WAN3 so it just makes sense to have 4 WAN connections available. On the LAN Side primary, secured guest, guest/public/IOT, Test.
@@djp_video TLDR I've only been half shooting myself in the foot; part of it was a router problem, part of it was a me problem. Finally at a point in my life where it's time to use the knowledge of the VLANs and actually having a reason to implement it makes sense, and then when I go to implement it for myself it just doesn't seem to work. But then I go over and fix somebody's computer no problem. It's like when did I move to the Bermuda triangle?
I finally got things talking. Most of the problem was an extra step on the router which I think the documentation missed and then the floodgates opened, which helped me narrow down the other problems I was having.
I learned in other videos, that VLAN 1 should never be used as admin VLAN.
I don’t buy that. For virtually every managed switch out there #1 is the default admin VLAN
Sadly you didn't separate the native VLAN 1 from what should be a management VLAN on any number but one and the HOME or MAIN VLAN. It is not recommended to set up a network with VLAN 1 as our main data subnet OR the management network. The native VLAN 1 should solely exist in the background (untagged member of any trunk port and PVID of any port not used). For any access port, the PVID of that port replaces PVID=1. Best if you redo this video with that in mind. To be frank your video is ON POINT in terms of what most internet users need to see......just the approach with VLAN 1 is not the best or optimal setup. For setup purposes and to not get locked out, this works. The second step would be to apply ingress filtering and the last step would be to add frame type limitations. At this point native VLAN 1 cannot bypass your security by being passed on trunk ports.
I think you've missed who the target audience for these two videos actually is. They aren't meant to cover all of the best practices or provide complete coverage of everything a properly trained IT department would do when setting up VLANs. They're meant as a starting point for people who might have heard of VLANs, are maybe curious about VLANs, but don't remotely have an IT background, and specifically are those using consumer-grade gear. "Here's the basic concept of a VLAN, and here are the minimum steps to get them up and working." That's all.
While I do, in fact, set up my own networks as you describe with a VLAN reserved for management (I actually take things a step farther and don't even use VLAN 1 for management -- I don't put anything on VLAN 1 so traffic on an unconfigured switch can't reach anything), I wasn't about to go into that level of detail in these videos. The two videos I made needed to be as simple as possible -- covering the basic concepts and providing the easiest working setup possible. Not as definitive tomes on everything related to VLANs.
These are home users watching these videos. They aren't at risk of someone trying to hack into their switches to alter their configuration.
Do you have any idea how many comments I'd get and people coming to me for help if I was to recommend using a different VLAN as the default? When all of a sudden users couldn't connect to their switches any longer? At a minimum the videos would get downvoted, and I'd likely have to take these videos down due to the overwhelming number of requests for help. That setup requires either setting up routing (good luck describing that to a novice), or adding a separate NIC to any computer they want to use for administration... again, a level of detail I just don't want to get into in introductory videos.
These videos take a "this is the basic concept of a VLAN, and here is what it takes to get it up and working" approach. Nearly all of the other VLAN videos on UA-cam make things far too technical, far too difficult to understand, and leave most people more confused and scratching their heads rather than being able to get their equipment up and functional. They alienate rather than help people. I wanted to take away the intimidation factor and put it in terms that real people can understand.
So, your comments, while technically correct, if implemented would just make these videos completely unapproachable for my intended audience, just like all the rest of the VLAN videos on UA-cam do. I made a very conscious choice not to do that -- to keep things as simple as possible. These two videos have been tremendously helpful for a lot of people, specifically because I didn't delve into the nitty gritty details of setting up a full corporate-style network, giving them access to a tool which is unavailable otherwise.
(Also, I'd mention that switches at this level don't usually even have ingress filtering as an option. For even those that do, that feature doesn't have meaningful real-world impact anyway, as for the described setup the filtering is already happening in the connected device, and even if it wasn't, reply traffic would be discarded and not reach the target device.)
@@djp_video Fair enough. As I said your video is the best I've seen for consumer managed smart switch assistance............
DJ doesn't use wizards #thatsthetweet
Wish video was a better quality
What do you mean? It's high quality 4K.
I thought the video and audio quality were great. No problems viewing on my end.