VLAN questions

Hello fellow nerds, I am on a quest for knowledge!

Optional Context

My dad’s business recently decided it was time to upgrade their networking gear and I am taking the opportunity to learn a thing or two about VLANs. Here is the scenario:

  • 10.0.0.1/24: All computers, wifi, printers, whatever.
  • 10.0.1.1/24: Separate network for payment terminals.
  • 10.0.2.1/24: Phone system.

To keep the payment terminals protected from whatever other nonsense is happening on the network, I would like to put each subnet into a VLAN. I can do this easily enough.

My problem is that there are two offices on either side of the factory/warehouse, connected by a single cat6 cable. The secondary office has no payment terminals so it only needs the two VLANs. I was getting ready to run another cat6 cable over for the second VLAN that would need set up, but then I thought “there must be a better way” than having two cables plugged into each switch on either end.

So my questions:

  1. Can a single port be assigned multiple VLANs, without traffic being able to “bleed over?”
  2. If I assign a switch port to a VLAN, what happens to untagged traffic to the port? Say I were to just plug a laptop or printer in that isn’t specifically configured to go to the VLAN, where does it go?

Yep, you can tag as many VLANs as you want to a single port so long as whatever is on the other end can understand VLANs.

Untagged traffic will be on whatever VLAN is assigned to the port.

1 Like

Fantastic. I figured as much but thought I should ask first before creating a model testing setting up a staging network deploying straight to production.

1 Like

The trick with VLANs is that it seems like every brand uses different terminology which can make it a pain to figure out.

On my TP-link switches for example you can set a port as access, general or trunk: access lets you assign that port to a VLAN, and then whatever you connect to that port will be on that VLAN; general lets you tag VLANs, which essentially splits the port, and whatever you connect to it can tag traffic so it ends up on the right VLAN; and trunk is basically the same except it is tagged as all VLANs. Most switches will have functionality similar to this but the names and configuration can vary.

And if the other end does do VLAN, like pretty much any Linux machine with an Ethernet card (I guess some Ethernet doesn’t do VLAN but I have not seen one in a while?) you may need some switch port security.

Without any security settings I know that at least some switches will let a device send traffic with any VLAN tag and will allow it through. But if you have your secure admin network on VLAN 666 you may not want random switch ports to be allowed on that.

Although, thinking about it, that might have been a switch misconfiguration.

But at any rate, be sure to test that your network works. But also be sure to test that your network does NOT work for traffic it should block.

2 Likes

If you have 2 switches on each end, you can put the 2 VLANs on the ports connected by that cat6 cable. In Cisco terminology it’s called a trunk port, in HPE it’s called a tagged port. Nomenclature should be similar on other vendors. VLAN is designed to not “bleed over” traffic, but there can be misconfigurations, like plugging a port from the PC LAN into a port from the Voice LAN (and oh god, if you ever manage a network where you offer ethernet ports freely accessible on walls, this will happen - and sometimes it might create a loop).

From a security standpoint, you should disable all the ports you don’t use and configure all end-device ports in mode access / untagged on the VLAN you want. If you are super crazy about security, you also limit access to the port by MAC address (but then it gets kinda hard to manage, especially if you plug and unplug different devices constantly). But until then, make sure your network is working and an end-device from the 2nd building can communicate with devices from the main one. There is plenty of info on the web on how to do this for each OEM and in case you get stuck, feel free to ask here for more help.

and don’t call us nerds, it hurts our fee fees

1 Like
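To make the access/trunk and tagged/untagged behaviour discussed in this thread concrete, here is a small added example (not from any poster or vendor) that parses 802.1Q frames and models a switch port's ingress decision. VLAN IDs 10 (PCs), 20 (payment terminals) and 30 (phones) are assumed, as is the inter-office trunk carrying only 10 and 30; the `strict` flag stands in for the port-security setting that decides whether an access port drops tagged frames a device sends on its own.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (vlan_id or None, payload_ethertype); VID 0 means priority-tagged = untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci = struct.unpack("!H", frame[14:16])[0]          # PCP(3) | DEI(1) | VID(12)
    vid = tci & 0x0FFF
    return (vid or None), struct.unpack("!H", frame[16:18])[0]

@dataclass(frozen=True)
class Port:
    mode: str              # "access" (end device) or "trunk" (switch-to-switch link)
    pvid: int              # VLAN given to untagged frames: access VLAN or trunk native VLAN
    allowed: frozenset     # VLANs a trunk accepts tagged; unused on access ports
    strict: bool = True    # True: access port drops tagged frames; False: the "bleed" case

def ingress_vlan(port: Port, frame: bytes):
    """VLAN the frame is forwarded in, or None if the switch should drop it at ingress."""
    vid, _ = parse_frame(frame)
    if vid is None:                      # untagged laptop/printer: lands on the port's VLAN
        return port.pvid
    if port.mode == "trunk":             # tagged frame from the far switch
        return vid if vid in port.allowed else None
    return None if port.strict else vid  # tagged frame arriving on an access port

def make_frame(vid=None) -> bytes:
    """Constructed sample frame: broadcast dst, locally administered src, IPv4 payload."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vid is None:
        return hdr + struct.pack("!H", 0x0800) + b"payload"
    return hdr + struct.pack("!HHH", TPID_8021Q, vid, 0x0800) + b"payload"

# Assumed layout: office desk port on VLAN 10, inter-office cable carrying only 10 and 30.
DESK_PORT = Port("access", pvid=10, allowed=frozenset())
LAX_DESK_PORT = Port("access", pvid=10, allowed=frozenset(), strict=False)
OFFICE_LINK = Port("trunk", pvid=10, allowed=frozenset({10, 30}))

def scenario():
    return {
        "laptop_untagged": ingress_vlan(DESK_PORT, make_frame()),        # -> 10
        "tagged_20_on_access": ingress_vlan(DESK_PORT, make_frame(20)),  # -> None (dropped)
        "tagged_20_lax_access": ingress_vlan(LAX_DESK_PORT, make_frame(20)),  # -> 20 (bleed)
        "phones_over_link": ingress_vlan(OFFICE_LINK, make_frame(30)),   # -> 30
        "payment_over_link": ingress_vlan(OFFICE_LINK, make_frame(20)),  # -> None (not allowed)
        "untagged_over_link": ingress_vlan(OFFICE_LINK, make_frame()),   # -> 10 (native VLAN)
    }
```

The `payment_over_link` case is the check worth repeating on real gear: a frame tagged for the payment VLAN should never be forwarded across the inter-office trunk, and a tagged frame from a device on an access port should be dropped rather than honoured.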