There is a lot of information out there about VLANs, so I won’t spend too much time on what VLANs are and what they do. Instead I’ll dive deeper into how VLANs are configured in our Web Smart switches. In this example I’ll reference our EasySmart series, specifically the DGS-1100-05. Consider the topology below:
- VLAN 1 – Faculty/Staff Network. This VLAN consists of PCs and/or tablets that are used for company productivity.
- VLAN 2 – Guest Network. This VLAN is dedicated for guest devices on the WiFi access point.
- VLAN 3 – Credit Processing Network. This VLAN is for credit card readers or swipers that perform CC transactions.
- VLAN 4 – IP Surveillance Network. This VLAN is dedicated for IP cameras and the NVR.
In the Front Office, the challenge is to put each device into the right VLAN to ensure that the correct VLAN-tagged traffic makes it back to the gateway, thus giving access to the correct DHCP server and IP subnet. Assume all devices are VLAN un-aware and need to be tagged at the port. Also assume Port 5 is connected to a VLAN aware device (DSR VPN Router), that it will accept tags and that it will keep tags on traffic back to the switch. Here is the summary for the port memberships:
U = Untagged, T = Tagged
Static VLAN Entry
- VID 1 – Port 1U, 2U, 3U, 5T
- VID 3 – Port 4U, 5T
PVID
- Port 1 = 1
- Port 2 = 1
- Port 3 = 1
- Port 4 = 3
- Port 5 = 1 (this is not as important as we will turn this port into a VLAN trunk)
So let's break down why these settings are important. The PVID tells the switch to tag traffic as it enters the port, since the connected devices do not tag the traffic themselves. Take Port 1 for example: if the PVID is 1, the switch will tag any untagged traffic with VLAN ID 1. The same goes for Port 4: any untagged traffic going into the port (ingress) will be tagged with VLAN ID 3. Then, when the traffic leaves the switch (egress), the switch first has to check the Static VLAN Entries to see whether it is allowed. Take Port 1 as an example again, which has a PC connected to VLAN 1, the faculty network.
Step 1 is the untagged traffic from the PC. Step 2 is where the PVID is applied and the traffic is tagged with VLAN ID 1. Then, when the traffic tries to exit Port 5, the switch will check the Static VLAN Entries and find that Port 5 is indeed a part of that VLAN. Since Port 5 is Tagged, it will preserve the tag and forward the traffic out towards the DSR. This helps the DSR because it understands VLANs and knows that VLAN 1 is part of the 192.168.10.x network. The PC will get an IP address in that same subnet/network, allowing communication with other devices in the same subnet, like a printer.
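The ingress and egress checks described above, modelled in Python as an added example (not D-Link code and not part of the original article): it encodes the port table from this post, applies the PVID on ingress and the Static VLAN Entry check on egress, and audits that each untagged port's PVID matches its VLAN membership. The function names and dictionary layout are assumptions made for illustration.

```python
# Constructed model of the port table in this post (DGS-1100-05 example).
# vid -> {port: "U" (untagged member) or "T" (tagged member)}
STATIC_VLANS = {1: {1: "U", 2: "U", 3: "U", 5: "T"}, 3: {4: "U", 5: "T"}}
PVID = {1: 1, 2: 1, 3: 1, 4: 3, 5: 1}


def classify(port, tag=None, pvid=PVID):
    """Ingress: an untagged frame gets the port's PVID, a tagged frame keeps its VID."""
    return pvid[port] if tag is None else tag


def forward(in_port, out_port, tag=None, vlans=STATIC_VLANS, pvid=PVID):
    """Return ('drop', None) or ('forward', vid_on_wire); None on the wire means untagged."""
    vid = classify(in_port, tag, pvid)
    mode = vlans.get(vid, {}).get(out_port)  # egress check against Static VLAN Entries
    if mode is None:
        return ("drop", None)                # out_port is not a member of this VLAN
    return ("forward", vid if mode == "T" else None)


def audit(vlans=STATIC_VLANS, pvid=PVID):
    """Flag ports whose PVID disagrees with the VLAN they are an untagged member of."""
    findings = []
    for port, p in sorted(pvid.items()):
        untagged = sorted(v for v, m in vlans.items() if m.get(port) == "U")
        if len(untagged) > 1:
            findings.append(f"port {port}: untagged in several VLANs {untagged}")
        elif untagged and untagged != [p]:
            findings.append(f"port {port}: PVID {p} but untagged member of VLAN {untagged[0]}")
    return findings


if __name__ == "__main__":
    print(forward(1, 5))         # staff PC to the trunk: tag 1 is kept
    print(forward(4, 5))         # card reader to the trunk: tag 3 is kept
    print(forward(4, 1))         # card reader to a staff port: dropped
    print(forward(5, 4, tag=3))  # reply from the router: tag stripped on Port 4
    print(audit())               # the table in this post is consistent
    # Misconfiguration: Port 4 left at PVID 1 lands the card reader in VLAN 1.
    print(audit(pvid={**PVID, 4: 1}))
```

Running the audit after every change to the port table catches the case where a port is an untagged member of one VLAN but its PVID still points at another, which silently places the device in the wrong network.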
Hopefully this scenario gives you insight into why you would implement VLANs in your network. The design can be as simple or as complicated as your requirements are, but my advice is to keep it as simple as possible. Identify the key groups or services you want to separate from each other and choose a switch that can support enough Static VLAN entries plus some extra for future growth. The DGS-1100-05 supports up to 32 Static VLAN Groups, so that should be plenty for a small business network.