Vlan tagging

[mnemonicj]

Good day people.

I'm newb at vlan's, so I'm here for help. I currently have a setup of different vlans. I managed to add them to my Macbook's ethernet port through tagging. I can perfectly communicate with all the vlan's i added but there are some problems I am still having.

What do i do with the configuration of my ethernet port? Does it have to have an ip, subnet, and gateway assigned? I currently left it blank since all the networks I want to communicate with are on the vlan tags.

Also, i only need to assign 1 gateway to one of the vlans, and it currently works, but i can't assign a different gateway to another vlan, it just won't work. I know i shouldn't assign two gateways at the same time.

Best regards.

 

[seniorstinky]

You state that you can communicate with all the vlans but don't quite explain the problems that you are still having.

Once your tagging is in place and your switch is configured correctly, you are clear for Layer 3 communications. You should be able to change route information if needed or add a second gateway, albeit likely from route commands on the cli.

More details would make it easier to help you.

 

[jtara]

I'm a little confused. What are you using the VLAN tags for? I'm guessing with all these VLAN tags, your computer is at a large company. So, why don't you ask the IT Guy to fix it?

If you're using VLAN tags at home, why? You want the kids to have a separate network? Each one of them? And the dog?

Yes, of course you need IP, subnet, gateway. VLANs work at a layer below IP, they only involve Ethernet. Your computers CAN'T talk to each other without IP, so if you haven't assigned IP, subnet, gateway, and are not using DHCP, then they could be talking using local-link address scheme if they are all Apples. But you're not going to get to the outside world like this. If you're using local-link address, you DO have an IP assigned - it's just that it was self-assigned.

 

[mnemonicj]

You state that you can communicate with all the vlans but don't quite explain the problems that you are still having.

Once your tagging is in place and your switch is configured correctly, you are clear for Layer 3 communications. You should be able to change route information if needed or add a second gateway, albeit likely from route commands on the cli.

More details would make it easier to help you.

thanks for your response. my question is, does my ethernet card have to have an ip assigned?

so far, i've used the gui to assign all the ip configurations on my vlans. do i need to use the cli to add a gateway to one of my vlans?

 

[mnemonicj]

Hello people. I'm reviving this thread back from a few months because I'm still with this issue. I'll try to break down everything as detailed as possible.

I have a switch that allows vlans. I also have a dell PC which its ethernet card allows vlan tagging. The process of adding vlans is fairly simple, I just add the Vlan ID's I need on the card and assign an ip and subnet to each one and they work perfectly great. I also add a gateway and dns server to which ever vlan i need internet access with and so far so good.

Now, I know my macbook aluminum also supports vlan tagging. I do basically exactly the same thing but some vlans actually work and some don't. I add the same Vlan Id's, the same ip configuration, same subnet, etc. but when i try to assign a gateway or dns server to a different vlan, i do not get any internet access. Sometimes I communicate with some vlans but sometimes I can't. This is all done on the same port switch so it should work like it does on my dell pc.

Also, something i've noticed is that the ethernet port on my dell pc no longer shows up under network preferences once I start adding vlan ID's, I can only see the vlan ID's which I can assign ip's to. On my macbook the ethernet port is still available and I just leave it as dhcp for it to grab any ip since all I care about are my vlan's.

Any help?

 

[belvdr]

Two views on this:

1. Obviously security is not a concern, so why not use one VLAN and route between them?
2. If security is a concern, you shouldn't be doing this anyway. You should still route and use an ACL.

 

[jasonvp]

On my macbook the ethernet port is still available and I just leave it as dhcp for it to grab any ip since all I care about are my vlan's.

OK, you have a couple of challenges here, I think:

• You don't want your raw Ethernet port DHCP'ing out for an IP if you're running VLANs as well. The VLAN interfaces on the Mac (I think they're en0.<vlanid>) do need IP addresses, but the main Ethernet port (en0) does not.
• You only want one default route, of course. That's why it's called a default route. That means only one of the VLAN interfaces will align with your default route. The rest of them will need static routes if you intend to send packets from them to other LANs.

What's the second bullet mean? Let's say your Mac is connecting to 3 VLANs:

• VLAN 100: 10.0.100.0/24
• VLAN 200: 10.0.200.0/24
• VLAN 300: 10.0.300.0/24

Each of those VLANs also has a router on it, numbered .1. Now, you'll need to figure out which of those 3 VLANs you want as your default route, and set it accordingly. So assuming you want VLAN 100 as your default, in your network configuration for that interface, set the Router to 10.0.100.1.

Disable DHCP configuration for the Ethernet interface. Set it to Manually and ignore it from there. That way it'll be link up (L1/L2) but you won't have to worry about it taking an IP and setting its own default route (L3).

If you want your other VLAN interfaces to contact things outside of their respective VLANs, then you need to set up static routes. Let's say, for instance, you have another VLAN somewhere else with IP block 10.0.400.0/24, and you want your VLAN 300 interface to communicate with that. I'm not sure if OS X has a way to do that via the GUI, because I just generally use the BSD command line for that.

sudo route add -net 10.0.400.0/24 10.0.300.1

After all is said and done, verify your work from the CLI. What does your routing table look like?

netstat -nr

Hopefully you only see one default route and not N of them.

jas

 

[jswade]

VLAN Tagging

To expand on the original question, if all of your traffic is over tagged VLANs and you have no need for an untagged network connection, you can set the base Ethernet port to "Off". The tagged VLAN interfaces will continue to operate properly.