Stupid question - can I plug in two uplinks to a single 48-port GbE switch?
Background:
I have two network layers - one that runs through a VPN and one that doesn’t.
Right now, they are physically separated.
I have a system that handles the VPN side of the network and a system that handles the non-VPN side of the network.
They are on different subnets.
I have a Netgear 48-port Managed GbE switch (Netgear GSM7248) and I was wondering if I would be able to plug both of the systems that’s doing the routing to the uplink ports of said GSM7248, and then be able to use VLAN tagging to separate out the traffic?
Yes, however:
You need to tell the switch (and the device on the other end) that those two cables lead to the same device, else one link gets blocked by spanning tree (or you get a lot of fast blinking lights because you got a loop).
No idea how Netgear calls Link Aggregation, but that is probably what you are describing.
So…to clarify – I am not trying to aggregate both links, i.e. the two “paths” are and should remain independent of each other.
My thought process that got me thinking down this path was that I was interpreting VLANs as being something like where you can take multiple, physical switches, and roll it into one, but then use VLAN tagging to still keep the traffic separated.
Most of the examples I’ve seen really only deal with one uplink path.
In my case, I have two separate and independent uplink paths.
Examples that I’ve seen of that usually refer to like dual internet connections (for HA/fail over), which also isn’t my use case neither.
Thus, my stupid question where I want to consolidate my two switches down to one, but then still maintain that “separation of traffic” where VLAN A isn’t behind a VPN whilst VLAN B is (behind a VPN).
You can do that, but you do not need two separate links for that. One link would be enough. You could tell your switch VLAN 10 and 20 will go over that one wire and then you tell your client it should create virtual network cards (on Linux in NetworkManager you can create VLAN interfaces) and tell the one to tag traffic with 10 and the other to tag traffic with 20. I mentioned Linux here because I know that Linux can create an arbitrary amount of virtual network interfaces for different VLANs while I do not know if Windows can do the same.
Point is you can have different VLANs on the same wire as long as you make sure the traffic gets separated on both ends of the wire. But your idea would work as well, you can also use two different wires. Two wires gives you double up to double the bandwidth so that might be of consideration for you as well.
If I don’t have separate links for that – how would I be able to tell it to go to system/router A (no VPN) vs. system/router B (w/ VPN)?
I appreciate you bringing this up.
Actually – this raises an interesting point because would mobile devices be able to handle VLAN tagged traffic?
I am not 100% sure of that given that 1/2 goes to a part of the network that is behind a VPN whilst the other 1/2 doesn’t.
For the downstream, client traffic - yes.
For the system A vs. system B connection to the switch – that I am not as sure about, hence my stupid question.
I might have to play with this to see how the Netgear L2 managed switch deals with this.
Thank you.
My understanding is that IF my Netgear GSM7248 can do trunk ports, and then tag the traffic with a VLAN tag, as long as my router/clients can deal with said VLAN tagged traffic, then it shouldn’t be an issue, correct?
mostly correct.
clients devices do not need to be VLAN aware. it is an invisible bridge to them. only the network knows what vlans go where. and on that note, switches can handle vlans and trunks, routers aggregate that data and connect it to IP addresses.
there is more that is possible, but the problem is a lot of people make this stuff harder than it needs to be. a VLAN does not need an IP address, a subnet does not need a VLAN, a CISCO trained person should not be anywhere near a config file.
On Linux the same way you would tell it to go to a different NIC. When you create a new interface for a VLAN it acts as a virtual network adapter, only sending traffic with the VLAN tag you specified on the interface. On the other end the managed switch will forward the packet only to other interfaces that are in the same VLAN, thus creating isolation.
So you could set the default route 0.0.0.0/0 to vlan-interface-1 and send 192.168.1.1/24 to vlan-interface-2. This way all traffic would go to the first interface with the exception of traffic going to this one subnet which would be routed through interface two.
This is a de-facto standard. The PVID specifies which VLAN the traffic will go to if you send it untagged into the wire and on top of that you can send as much tagged traffic over the wire for how many different VLANs as the switch supports. You can set the PVID to 10 and tell it to accept tagged traffic for 10, and that would mean that both untagged traffic on the wire as well as traffic tagged with ID 10 will both go into VLAN10! Hope this makes it clear, switches usually adhere to this.
You can have tagged and untagged traffic. When you send a package and tell your NIC or network interface to send it to a specific VLAN it adds a tag to a packet. Basically like a little number with the VLAN ID the packet is supposed to belong to. Normally, on a regular switch, and networks without VLANs traffic is untagged, it does not have a number to know where it belongs to because there are not different VLANs. When you send untagged traffic to the switch while you use VLANs the switch needs to know where this untagged packets are supposed to go to. So for each port on the switch you can specify the PVID, which is the ID of the VLAN the untagged traffic will be routed to. For all intents and purposes the switch will add the little number, the ID of the PVID, to the packet of the untagged traffic and with that continue to assign and route the packet in this VLAN.
But if a router is both getting tagged and untagged traffic, whereas it is supposed to be only receiving or processing VLAN tagged traffic – from some of my prior reading – I thought that the router wasn’t supposed to be getting said untagged traffic in the first place, no?
yes, are you building a router? what OS? what are you going to use to route?
are you using this arrangement now? or it is planned to move to this?
if we know what you have and want to do, it is easier to make recommendations. realistically you may not need VLANS if you are doing subnets. unless you want VLANS for some other reason also.
Currently - one side is using a Netgear router and the other side is using Eero.
I haven’t delve deep enough to plan to make the switch to VyOS or OPNsense/pfsense or anything like that (yet - though that might be another project for another day).
So…subnets was my “dummy” way of being able to separate out the different traffic “layers” (so to speak).
Again, that is driven because one side of my network isn’t behind a VPN whilst the other is.
So, to your question - my current thinking is that it is likely going to stay separated by subnet (and possibly VLAN) as well, but in the future, if the VLAN works well, then I might end up collapsing the subnets from two down to one.
Haven’t exactly decided on that yet mostly because I am working with what I can see and touch (where I have two 16-port GbE switches, and two separate routers).
But if I can consolidate it down from two separate switches to a single, managed L2 switch, that’d be a start.
So my original plan of having different subnets, with a VLAN each, is the best practice?
I’m not sure that I follow what this means.
Do you have additional reference or resource material that I would be able to read (or preferably, pictures of what this means) that you would be able to share?