EdgeSwitch - VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology

Overview


In this article, readers will learn how to configure the EdgeSwitch to support Virtual LANs (VLANs). 

Implementing VLANs requires a managed switch, such as EdgeSwitch. Per IEEE 802.1Q, layer-2 frame headers are tagged with VLAN information so that VLAN-aware devices (e.g., switches, access points) can forward the packet (frame) accordingly.

Before deploying VLANs in your network, commit the following ideas to memory:

  1. Although VLANs are typically paired with a unique subnet (layer-3 IP), VLANs are inherently a layer-2 concept, since VLAN information is contained in the header of frames (the PDU that encapsulates the IP packet).
  2. Inter-VLAN routing requires a router (or routing on a multi-layer switch). Google "Router-on-a-Stick" to learn more.
  3. Access ports connect to hosts (which are unaware of VLAN tagging). The VLAN header is always removed as the frame passes from the switch to the host.
  4. Trunk ports receive and carry traffic between multiple VLANs, like when two switches are connected (or a switch and an access point). The VLAN configuration on both sides of the trunk should be identical in such cases.

Table of Contents


  1. Topology
  2. EdgeSwitch Configuration
    1. sw1 Configuration
    2. sw2 Configuration
  3. Restore Configuration
  4. EdgeRouter & UniFi Integration
  5. Related Articles

 

Topology


The following topology is an example of a network with several different VLANs:

  1. Management (VLAN1-default, untagged, black)
  2. Video (VLAN2, tagged, red)
  3. VoIP (VLAN3, tagged, yellow)
  4. Corporate (VLAN4, tagged, green)
  5. Guest (VLAN5, tagged, blue)

 

Device Information (Addresses, SSIDs, Description)

Router 1 (r1, ERLite-3)

  • eth0: 192.168.1.1
  • eth0.2: 192.168.2.1
  • eth0.3: 192.168.3.1
  • eth0.4: 192.168.4.1
  • eth0.5: 192.168.5.1

Switch 1 (sw1, ES-24-500W)

  • 192.168.1.2

Switch 2 (sw2, ES-48, 750W)

  • 192.168.1.3

Access Point 1 (ap1, UAP-PRO)

  • 192.168.1.4
  • WLAN-Corporate (VLAN4)
  • WLAN-Guest (VLAN5)

Note: Trunks carry VLANs 1-5 from r1 to sw1 to sw2, and VLANs 1, 4, & 5 to ap1. ap1 receives management traffic on VLAN1 while broadcasting WLANs associated with VLAN4 and VLAN5. 

Admin Computer (MBA 13")

  • 192.168.1.10

Note: We assume that this computer is responsible for centrally managing all equipment (e.g., controllers) while also configuring equipment per this walkthrough, and running ping tests for connectivity.

Camera 1 (UVC-Dome)

  • 192.168.2.23

Camera 2 (UVC)

  • 192.168.2.24

IP Phone (UVP)

  • 192.168.3.33

Wi-Fi Client 1 (iPhone)

  • 192.168.4.11

Wi-Fi Client 2 (iPod)

  • 192.168.5.11

Note: It is recommended that you configure the equipment from the topology in the following order:

  1. EdgeSwitch (but only Static IPs, Device Name and PoE Configuration to power devices)
  2. Cameras, Phones, etc. (but only with Static IPs & Gateway for testing)
  3. EdgeRouter (e.g., DHCP servers, virtual interfaces to allow inter-VLAN routing for testing)
  4. UniFiAP (e.g., Static IP for AP and VLAN tags to match created WLANs)
  5. EdgeSwitch (VLANs, see next section)

EdgeSwitch Configuration


We will first configure sw1, then sw2, to pass VLAN traffic according to our topology, assuming that the EdgeRouter and UniFi equipment have already been configured.

 

Note: The following configuration presumes the switches are set to factory default, having only had changes made to the following:

  1. System Name (to identify the device)
  2. System IP (to avoid IP conflict between multiple EdgeSwitches)
  3. PoE Configuration settings (to power devices to begin managing)

sw1 Configuration

Note: In case a configuration change causes you to lose access to the EdgeSwitch during configuration, simply power cycle the switch and the previous configuration will be restored.

  1. Connect the Admin Computer to Port 10 of sw1, then navigate to 192.168.1.2 in your web browser.

    Note: Make sure that PoE is disabled on this port prior to connecting your device.

  2. Under Switching > VLAN > Status, click Add to add 2-5 to the range of VLANs on the EdgeSwitch.



    Note: The VLAN IDs associated with sw1 now include 1-5, where:
    1. Management (VLAN1-default, untagged)
    2. Video (VLAN2, tagged)
    3. VoIP (VLAN3, tagged)
    4. Corporate (VLAN4, tagged)
    5. Guest (VLAN5, tagged)



  3. Next, navigate to Switching > VLAN > Port Configuration and make sure that VLAN ID 1 is selected from the dropdown menu. Then select All from the Display rows dropdown menu to begin configuring VLAN1 across all ports on sw1.



  4. Select all ports except Interfaces 0/1, 0/10, and 0/24, then click Edit at the bottom of the GUI. Ports 0/1 and 0/24 are trunk ports, while Port 0/10 exists as a management port (belonging to the default VLAN1).

    Note: The purpose of this step is to prevent access to the default Management VLAN by unauthorized users (e.g., a user plugs into a random switch port).

    Note: Although you may be tempted to click Edit All, this will, in fact, edit all ports including the trunk and management ports, which could lock you out of the device. Via the GUI, you must select each port individually to be configured.



  5. Ensure the correct ports are listed, then select Exclude, then click Submit.



    Note: Normal, untagged packets arriving on any port except 0/1, 0/10, or 0/24 will now be rejected.

    Note: If you lose access, you have likely locked yourself out of the switch and will need to follow the steps in the later section of this walkthrough entitled, "Restore Configuration".

  6. While still under Switching > VLAN > Port Configuration, select 2 from the dropdown menu for VLAN ID.



  7. Then select Ports 0/1 and 0/24 (the trunk ports) and apply the following configuration:



    Then select Port 0/23 (the access port for UVC belonging to Video VLAN2) and apply the following configuration:



    Note: Ports 0/1 and 0/24 (trunk ports) for sw1 are now marked to participate in VLAN2, meaning they will pass traffic tagged with VLAN2 in the header. The access port (0/23) for sw1 also participates in VLAN2 and will 1) tag packets (frames) as they are passed upstream (away from the UVC), or 2) untag packets (frames) as they are passed downstream (toward the UVC).

  8. Next, navigate to Switching > VLAN > Port Summary, select All from the Display rows dropdown menu. Then select Port 0/23, click Edit, then apply the following configuration:



    Note: The VLAN ID identifies the VLAN that receives untagged or priority-tagged frames on this port. This value is also known as the Port VLAN ID (PVID). In a tagged frame, the VLAN is identified by the VLAN ID in the tag.

    Note: Access port 0/23 will now accept and receive tagged and untagged frames belonging to VLAN2. Assuming that Inter-VLAN routing has been correctly configured on r1, you can ping 192.168.2.23 (the UVC in Video VLAN2 connected to sw1) to test that the VLAN configuration on sw1 is working correctly.



  9. Return to Switching > VLAN > Port Configuration and select VLAN ID 3 from the dropdown menu.



  10. Select Ports 0/1 and 0/24 (the trunk ports), click Edit, then click Submit after applying the following configuration:



  11. Repeat steps 9 and 10 for both VLAN ID 4 and 5 (again on Ports 0/1 and 0/24, the trunk ports).





    Note: sw1 is now configured to pass all traffic on trunk ports 0/1 and 0/24, Management traffic on port 0/10 and Video (VLAN2) traffic on Port 0/23.

  12. Finally, click the Save Configuration button at the top-right of the screen to apply the active configuration to the boot configuration, then follow the prompts that appear.



    Note: The active configuration is updated after the Submit button is clicked following a configuration change, but is not permanent. To make permanent changes, the active configuration must be saved to the boot configuration.



 

sw2 Configuration

 

Note: sw2 will be configured similarly to sw1: trunk ports carry all desired traffic, while access ports pass only traffic for their PVID. Trunk port 0/1 will carry all VLAN traffic and trunk port 0/48 will pass only select (VLAN1, 4, and 5) traffic; access port 0/24 will pass Video (VLAN2) traffic and access port 0/33 will pass VoIP (VLAN3) traffic.

 

  1. Leave the Admin Computer connected to Port 0/10 of sw1 and connect Port 0/24 of sw1 to Port 0/1 of sw2, then navigate to 192.168.1.3 in your web browser.

    Note: Make sure that Passive PoE is disabled on both ports prior to connecting the switches.

    Note: If all the steps were correctly followed in the previous configuration, you should have access to sw2 on 192.168.1.3, despite being connected to 0/10 of sw1. If you cannot access sw2, check your VLAN configuration, then directly connect to sw2 to check its configuration.

  2. Under Switching > VLAN > Status, click Add to add 2-5 to the range of VLANs on the EdgeSwitch.



    Note: Like with sw1, the VLAN IDs associated with sw2 now include 1-5, where:
    1. Management (VLAN1-default, untagged)
    2. Video (VLAN2, tagged)
    3. VoIP (VLAN3, tagged)
    4. Corporate (VLAN4, tagged)
    5. Guest (VLAN5, tagged)



  3. Next, navigate to Switching > VLAN > Port Configuration and make sure that VLAN ID 1 is selected from the dropdown menu. Then select All from the Display rows dropdown menu to begin configuring VLAN1 across all ports on sw2.



  4. Select all ports except Interfaces 0/1 and 0/48, then click Edit at the bottom of the GUI. Ports 0/1 and 0/48 are trunk ports designed to carry all desired VLAN traffic.



  5. Ensure the correct ports are listed, then select Exclude, then click Submit.



    Note: Normal, untagged packets arriving on any port except 0/1 and 0/48 will now be rejected.

  6. While still under Switching > VLAN > Port Configuration, select 2 from the dropdown menu for VLAN ID.



  7. Then select Port 0/1 (the trunk port back to r1) and apply the following configuration:



    Then select Port 0/24 (the access port for UVC belonging to Video VLAN2) and apply the following configuration:



    Note: Only Port 0/1 for sw2 is marked to participate in VLAN2 since Port 0/48 connects to ap1, which is not desired to pass Video (VLAN2) traffic. The access port (0/24) for sw2 also participates in VLAN2 and will untag packets (frames) as they are passed downstream (to the airCam).

  8. Next, navigate to Switching > VLAN > Port Summary, then select Port 0/24, click Edit, then apply the following configuration:



    Note: Access port 0/24 will now accept and receive tagged and untagged frames belonging to VLAN2. Assuming that Inter-VLAN routing has been correctly configured on r1, you can ping 192.168.2.24 (the airCam in Video VLAN2 connected to sw2) to test that the VLAN configuration on sw1 and sw2 is working correctly.



  9. Return to Switching > VLAN > Port Configuration and select VLAN ID 3 from the dropdown menu.



  10. Then select Port 0/33 (the access port for UVP belonging to VoIP VLAN3) and apply the following configuration:



  11. Next, navigate to Switching > VLAN > Port Summary, then select Port 0/33, click Edit, then apply the following configuration:



    Note: Access port 0/33 will now accept and receive tagged and untagged frames belonging to VLAN3. Assuming that Inter-VLAN routing has been correctly configured on r1, you can ping 192.168.3.33 (the UVP in VoIP VLAN3 connected to sw2) to test that the VLAN configuration on sw1 and sw2 is working correctly.



  12. Return to Switching > VLAN > Port Configuration and select VLAN ID 4 from the dropdown menu.
  13. Then select Ports 0/1 and 0/48 (the trunk ports) and apply the following configuration:



  14. Repeat steps 11 and 12 for VLAN ID 5:



    Note: sw1 is now configured to pass all traffic on trunk ports 0/1, video (VLAN2) traffic on port 0/24, VoIP (VLAN3) traffic on port 0/33 and all desired (VLAN1, 4, and 5) traffic on trunk port 0/48. Assuming that r1, ap1, sw2, and sw1 are properly configured, wireless clients joining WLANs associated with Corporate VLAN4 and Guest VLAN5 will receive DHCP address information, confirming that VLANs are properly configured from end-to-end.



  15. Finally, click the Save Configuration button at the top-right of the screen to apply the active configuration to the boot configuration, then follow the prompts that appear.



    Note: The active configuration is updated after the Submit button is clicked following a configuration change, but is not permanent. To make permanent changes, the active configuration must be saved to the boot configuration.
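
The end state that the sw1 and sw2 sections build can be checked mechanically. The following is an added example, not Ubiquiti code or an EdgeSwitch API: the data model and function names are hypothetical, and it assumes trunks carry VLAN1 untagged with the other VLANs tagged, and that ports not listed were excluded from every VLAN. It flags ports that still reach the Management VLAN, access ports whose PVID was never set, and trunk ends that disagree.

```python
# Added example: audit a VLAN port table against the walkthrough's intended end state.
# The data model and function names are hypothetical, not an EdgeSwitch API.
MGMT_VLAN = 1

def trunk(tagged):
    # Trunk as described on the page: VLAN1 untagged, the other VLANs tagged.
    return {"pvid": MGMT_VLAN, "untagged": {MGMT_VLAN}, "tagged": set(tagged)}

def access(vlan):
    # Access port: one untagged VLAN, with the PVID set to match (steps 7 and 8).
    return {"pvid": vlan, "untagged": {vlan}, "tagged": set()}

# Constructed tables; ports not listed participate in no VLAN (excluded in steps 4-5).
SW1 = {"0/1": trunk({2, 3, 4, 5}), "0/10": access(1),
       "0/23": access(2), "0/24": trunk({2, 3, 4, 5})}
SW2 = {"0/1": trunk({2, 3, 4, 5}), "0/24": access(2),
       "0/33": access(3), "0/48": trunk({4, 5})}

def audit_switch(name, ports, mgmt_allowed):
    """Return findings for one switch; mgmt_allowed lists ports that may carry VLAN1."""
    findings = []
    for pid, p in sorted(ports.items()):
        if MGMT_VLAN in (p["untagged"] | p["tagged"]) and pid not in mgmt_allowed:
            findings.append(f"{name} {pid}: management VLAN reachable on non-allowlisted port")
        if p["untagged"] & p["tagged"]:
            findings.append(f"{name} {pid}: VLAN listed as both tagged and untagged")
        if p["pvid"] not in p["untagged"]:
            findings.append(f"{name} {pid}: PVID {p['pvid']} does not match an untagged VLAN")
    return findings

def audit_trunk(label, a, b):
    """Both ends of a trunk link should carry the same VLANs with the same tagging."""
    findings = []
    for kind in ("untagged", "tagged"):
        diff = sorted(a[kind] ^ b[kind])
        if diff:
            findings.append(f"{label}: {kind} VLANs differ on {diff}")
    return findings

if __name__ == "__main__":
    # Constructed faults: a spare port left in VLAN1, and the PVID never set on 0/33.
    bad_sw2 = dict(SW2, **{"0/12": access(1),
                           "0/33": {"pvid": 1, "untagged": {3}, "tagged": set()}})
    for line in (audit_switch("sw1", SW1, {"0/1", "0/10", "0/24"})
                 + audit_switch("sw2", bad_sw2, {"0/1", "0/48"})
                 + audit_trunk("sw1 0/24 <-> sw2 0/1", SW1["0/24"], SW2["0/1"])):
        print(line)
```

To use it against a real switch, fill the tables from the values shown under Switching > VLAN > Port Summary and Port Configuration.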



 

Restore Configuration


If the VLAN Configuration is configured incorrectly, you can take a number of actions to restore the default configuration:

 

  1. If you still have access to the EdgeSwitch Web GUI, you can reset the VLAN Configuration without losing other configuration changes (e.g., System IP, Device Name). Navigate to Switching > VLAN > Reset and follow the prompts to exercise the Reset VLAN Configuration function.





    Note: The VLAN Configuration will return to its factory default state (only default VLAN1 untagged enabled across all ports).

  2. If you no longer have access to the EdgeSwitch (e.g., locked out), and the configuration was not yet saved (per Step 11 in the sw1 Configuration section), you can power cycle the EdgeSwitch to restore the previous configuration (which existed prior to when changes were made).

    Note: Any other configuration changes made will also be lost.

  3. If you no longer have access to the EdgeSwitch and the configuration changes were saved, you will need to perform a hard-reset by pressing and holding the reset button until the LED cycles (15+ seconds).

 

EdgeRouter & UniFi Integration


To see how the EdgeRouter is configured, visit this KB article.

To see how VLANs are used with UniFi devices, take a look at this KB article.


Related Articles

