jk's blog

Netgear GS108T VLANs

When you reset the 108T, the system creates three default VLANs.

This isn’t some kind of industry standard – it’s a Netgear non-feature, and we have to live with it. So going forward, I’m not going to make any vlans for 2 and 3. We may end up using these for VoIP, anyway. There’s a lot to be said for built-in features that are supported, and so far, my experience with Netgear VoIP support has been okay.

To create a new vlan, you fill in the form in the purple line, and press “Add” at the bottom of the page. We will create:

4 "Guest" Static
5 "Call Center" Static

Static is the only type available.

Next, we need to set up each vlan. Click on “Advanced” in the navigation on the left. Then click “VLAN Membership”. Then, look for the little arrow in the first orange line – it doesn’t have a label. Click it and “Port” will appear.

Click on the boxes to toggle them through “U”, “T”, and blank.
U means Untagged.
T means Tagged.
Blank means that port is not part of the vlan.

Untagged means that the switch expects traffic at the port to lack 802.1q tagging, aka, vlan tagging. The traffic looks like ethernet frames without a vlan. When traffic enters the switch here, a tag will be added. When it exits the switch, the tag will be removed. (But this won’t happen immediately – we need to change the PVIDs too.)

Tagged means that the switch expects traffic to have tags. Thus, port 8 is expecting traffic entering and exiting to have tags, and won’t mess with them.

If the box is blank, the port is not part of the vlan.

This configuration puts ports 1 and 2 on vlan1, and uses port 8 as the uplink port.

After the ports are set up, click on “Apply” in the lower right to save the settings.

Next we need to set the PVID, the port vlan id. The PVID assigns a vlan to a port, so that ingressing traffic (going into the switch) is either tagged or filtered.

The basic idea here is that we want devices on port 1 and 2 to be on vlan1. This configuration actually puts ALL the ports except 8 on vlan1, but later on this will change.

Port 8, g8, is on vlan 16, which is a nonexistent vlan. This is a convention, to use an unused vlan for the uplink and downlink ports. My convention is to use the last two ports for downlinks and uplinks. In this specific configuration, only port 8 is used as the uplink.

Remember that in the previous screen, port 8 was set to “T”agged, meaning that the port expects vlan tagged traffic. It’ll pass all traffic.

Also, there’s a little variation between ports 1 and 2 on the ingress filtering. The two settings “acceptable frame types” and “ingress filtering” are used to filter out non-matching frames.

Acceptable frame types filters traffic going into the switch. Ingress filtering filters traffic exiting the switch. I think it’s called “ingress” because the traffic is entering the network.

Since most of our devices don’t do vlan, we set the acceptable frame type to “Admit All” – this will cause the switch to add the 802.1q tag for the vlan.

We then enable ingress filtering so that traffic that doesn’t match vlan1 is not sent to the connected device. If traffic matches the vlan, it’s allowed, and if it matches the PVID, then the tag is removed. (A port can participate in more than one vlan, via tagging. It can have only one PVID, though.)

Port 1 is set to disable ingress filtering because, in our convention, port 1 is an administrative port. I want to be able to see other vlans’ traffic on there.

I then set up vlan4 and vlan5. Instead of screenshots, here’s a textual representation of the ports and their U/T states.

port   1 2 3 4 5 6 7 8
vlan1  U U _ _ _ _ _ T
vlan4  _ _ U U _ _ _ T
vlan5  _ _ _ _ U U _ T

The final settings for the PVIDs are:

We just changed the id numbers on ports 3, 4, 5, and 6. To do this, select the ports, enter the new value in the box above them, and click “Apply” in the lower right of the page.
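
As an added example (not part of the original post and not a Netgear tool), this Python script parses the U/T table above and checks every port's PVID against its vlan membership. The function names are hypothetical, and both PVID maps are assumptions inferred from the text, since the final PVID screen is not reproduced here.

```python
# Added example: audit the U/T table from the post against per-port PVIDs.
MEMBERSHIP = """\
port   1 2 3 4 5 6 7 8
vlan1  U U _ _ _ _ _ T
vlan4  _ _ U U _ _ _ T
vlan5  _ _ _ _ U U _ T
"""

def parse_membership(text):
    """Return {port: {vlan_id: 'U' or 'T'}} from the textual table."""
    rows = [line.split() for line in text.strip().splitlines()]
    ports = [int(p) for p in rows[0][1:]]
    table = {p: {} for p in ports}
    for row in rows[1:]:
        vlan = int(row[0][len("vlan"):])
        for port, state in zip(ports, row[1:]):
            if state in ("U", "T"):
                table[port][vlan] = state
            elif state != "_":
                raise ValueError(f"bad state {state!r} for port {port}")
    return table

def audit(table, pvids):
    """Return [(port, finding)] for PVID/membership mismatches, ordered by port."""
    defined = {v for members in table.values() for v in members}
    findings = []
    for port, members in sorted(table.items()):
        untagged = [v for v, s in members.items() if s == "U"]
        pvid = pvids[port]
        if len(untagged) > 1:
            findings.append((port, f"untagged in several vlans {untagged}"))
        elif untagged and pvid != untagged[0]:
            findings.append((port, f"untagged in vlan {untagged[0]} but PVID is {pvid}"))
        elif not untagged and members and pvid in defined:
            findings.append((port, f"tagged-only port has PVID {pvid}, a vlan in use"))
        elif not members and pvid in defined:
            findings.append((port, f"no membership but PVID {pvid} is a vlan in use"))
    return findings

TABLE = parse_membership(MEMBERSHIP)
# Assumed PVIDs right after the membership step: every port still 1, uplink 16.
BEFORE = {1: 1, 2: 1, 3: 1, 4: 1, 5: 1, 6: 1, 7: 1, 8: 16}
# Assumed final PVIDs: ports 3-4 -> 4, ports 5-6 -> 5, port 7 left untouched.
AFTER = {**BEFORE, 3: 4, 4: 4, 5: 5, 6: 5}

if __name__ == "__main__":
    for name, pvids in (("before", BEFORE), ("after", AFTER)):
        for port, finding in audit(TABLE, pvids):
            print(f"{name}: port {port}: {finding}")
```

With these assumed values, the "before" state flags ports 3 to 6 (untagged members whose PVID is still 1), and the "after" state flags only port 7, which belongs to no vlan but still carries PVID 1.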