    Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)

    IT Discussion
• dave247

      Hi guys, I'm an idiot trying to wrap my head around VLANs, specifically with one particular configuration I have set up. First thing, this has been set up for a while now and it's working fine, as I had help from Dell support. I'm just not 100% clear on how this works.

      Overview: I set up two VLANs, one for corporate wifi and the other for guest. Two SonicPoints (wifi access points) connect directly to specifically configured ports on the switch, then a third port connects to X3 on the SonicWall. I then can further apply rules to each wifi zone from the SonicWall.

      SonicWall firewall (which has these zones of interest):

      LAN: X1
      WLAN: X3
      WLAN-Guest: X3:V200

      PowerConnect N3048P:

      VLAN 0: Default data VLAN (not tagged)
      VLAN 2: Corp wifi
      VLAN 200: Guest wifi

      Here are the port configurations on the switch. The first two connect to SonicPoint access point units, and the third connects to X3 of the SonicWall:

      interface Gi5/0/25
      switchport mode general
      switchport general pvid 2
      switchport general allowed vlan add 2
      switchport general allowed vlan add 200 tagged
      exit
      !
      interface Gi5/0/27
      switchport mode general
      switchport general pvid 2
      switchport general allowed vlan add 2
      switchport general allowed vlan add 200 tagged
      exit
      !
      interface Gi5/0/29
      switchport mode general
      switchport general pvid 2
      switchport general allowed vlan add 2
      switchport general allowed vlan add 200 tagged
      exit

      My confusion:

      • In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
      • I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
      • I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
      • I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
      • Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
      • Dashrender @dave247

        @dave247 said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):

        My confusion:

        • In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?

        Not sure

        • I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated

        VLANs aren't always tagged. The port that traffic is on can dictate what VLAN that traffic is on, just the same as the default VLAN.

        • I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs

        In your case, you don't have two different pieces of traffic untagged. Untagged traffic from the connected device on those ports is tagged by the switch with VLAN 2 tags via the switchport general pvid 2 command.

        • I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.

        Correct. VLAN 2 is handled purely inside the switch.

        • Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?

        Correct. The switch is adding tags to VLAN 2 packets.

        • dave247 @Dashrender

          So it's kinda like a VLAN within a VLAN, or a sub-VLAN?.. ugh idk why this is so hard to comprehend for me 😢

          • Dashrender @dave247

            @dave247 said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):

            So it's kinda like a VLAN within a VLAN, or a sub-VLAN?.. ugh idk why this is so hard to comprehend for me 😢

            No, there's no sub anything here.

            The VLANing simply takes place 100% inside the switch instead of going all the way out to the end points.

            • dbeato @dave247

              @dave247 said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):

              In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
              I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
              I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
              I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
              Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?

              1- Because VLAN 2 is set up as the default for that port and the PVID is set to 2, so any device connected to that port will use VLAN 2. VLAN 200 is just tagged.
              2- VLANs are not always tagged. That is what the PVID is for, if you want a different VLAN as the untagged default for a port.
              3- Nope, both VLANs are tagged on the SonicWall; the switch is deciding to have VLAN 2 as the default on the switch port.
              4- Nope, refer to above (3).

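The following is an added illustration of what the replies above describe, not code from the thread, from Dell or from SonicWall. It models one Dell "general"-mode port in Python: an untagged frame arriving on the port is classified into the PVID (VLAN 2), a frame that already carries an 802.1Q tag keeps its VID, and on the way out the frame is sent untagged for VLANs in the plain `allowed vlan add` list and tagged for VLANs added with `tagged`. It also builds and parses real 802.1Q headers (TPID 0x8100 plus a 16-bit TCI) so "tagged" and "untagged" can be seen at the byte level. The MAC addresses and payload are constructed; the port numbers and VLAN IDs are the ones from the original post. One assumption is labelled in the code: the model drops a frame classified into a VLAN the port is not a member of, which is the usual ingress-filtering behaviour but should be confirmed on the real switch with `show interfaces switchport`.

```python
"""Toy model of a Dell general-mode port and the 802.1Q tag format.
Added example for this thread; not Dell or SonicWall code."""
from __future__ import annotations

import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (broadcast dst, locally administered src).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")


def build_frame(dst: bytes, src: bytes, vid: int | None, payload: bytes) -> bytes:
    """Ethernet frame; when vid is given, insert a 4-byte 802.1Q tag after the MACs."""
    hdr = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, VID
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame: bytes) -> int | None:
    """VLAN ID carried by the frame, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if parse_vid(frame) is not None else frame


def add_tag(frame: bytes, vid: int) -> bytes:
    bare = strip_tag(frame)
    return bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]


@dataclass
class GeneralPort:
    name: str
    pvid: int            # switchport general pvid N
    untagged: set[int]   # switchport general allowed vlan add N
    tagged: set[int]     # switchport general allowed vlan add N tagged

    def ingress(self, frame: bytes) -> int | None:
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        vid = parse_vid(frame)
        if vid is None:
            vid = self.pvid  # untagged frame -> PVID; this is all 'pvid 2' does
        # ASSUMPTION: ingress filtering drops frames for VLANs the port is not a member of.
        if vid not in self.untagged | self.tagged:
            return None
        return vid

    def egress(self, frame: bytes, vid: int) -> bytes | None:
        """Untagged member: send without a tag. Tagged member: send with the tag."""
        if vid in self.untagged:
            return strip_tag(frame)
        if vid in self.tagged:
            return add_tag(frame, vid)
        return None


def thread_ports() -> dict[str, GeneralPort]:
    """The three ports from the post: pvid 2, VLAN 2 untagged, VLAN 200 tagged."""
    return {n: GeneralPort(n, pvid=2, untagged={2}, tagged={200})
            for n in ("Gi5/0/25", "Gi5/0/27", "Gi5/0/29")}


def trace(vid_on_wire: int | None) -> tuple[int | None, int | None]:
    """One frame from the SonicPoint on Gi5/0/25 toward the SonicWall on Gi5/0/29.
    Returns (VLAN the switch assigned, VID the SonicWall sees on X3).
    None in the second slot means the frame left untagged, i.e. it lands on X3 itself."""
    ports = thread_ports()
    frame = build_frame(DST, SRC, vid_on_wire, b"\x45" + b"\x00" * 19)
    vid = ports["Gi5/0/25"].ingress(frame)
    if vid is None:
        return None, None
    return vid, parse_vid(ports["Gi5/0/29"].egress(frame, vid))


if __name__ == "__main__":
    for wire in (None, 2, 200, 1):
        print(f"frame with VID {wire!s:>4} on Gi5/0/25 -> {trace(wire)}")
```

Running it shows the whole picture in four lines: an untagged frame from the access point becomes VLAN 2 inside the switch and reaches X3 untagged (the WLAN zone), a frame the SonicPoint tags 200 stays 200 and reaches X3:V200 (WLAN-Guest), and a frame tagged for the data VLAN is dropped at the AP port because that port is not a member of it, which is what keeps wifi clients off the wired LAN at layer 2 and forces them through the firewall rules on X3.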
              • Dashrender

                @dbeato

                Would VLAN 2 fail if switchport general allowed vlan add 2 wasn't there? I.e., would non-tagged traffic simply fail?

                • dbeato @Dashrender

                  @dashrender said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):


                  Would VLAN 2 fail if switchport general allowed vlan add 2 wasn't there? IE non tagged traffic would simply fail?

                  No, it will just be VLAN 2 sending untagged on that port.
                  http://www.dell.com/support/article/us/en/19/how10261/how-to-use-general-switchport-mode-on-dell-networking-powerconnect-switches?lang=en
