Every time I think I’ve got my head round VLANs something else crops up and I feel like I’m right back to square one :( Can anyone help to explain this please!

I have a Netgear FS726T switch at the core of my network. I’m confused about the behaviour of 2 ports;

VLAN 10 is my main LAN, 1001 is my “dud” VLAN (so I don’t have the default of 1 left everywhere). This is the initial setup

Port 11 (live server attached) - PVID 10, tagged 1001, untagged 10

Port 12 (no system) - PVID 1001, Tagged 1001

I need to add a system to port 12, so set that to untagged in 10 but didn’t update the PVID (forgot), so what I had was;

Port 11 - PVID 10, tagged 1001, untagged 10

Port 12 - PVID 1001 , tagged 1001, untagged 10

What I see now is that the new system can ping the server on port 12, but nothing else. Once I set the PVID to 10 on port 12 then everything works fine and it can access the rest of the network.

What I don’t understand is how when the PVID is set to 1001 the system on port 12 can ping the system on port 11.

Surely the packet is entering port 12 and the PVID adds 1001 to the packet, but then because port 11 is tagged as 1001 it should send the packet out with 1001 still attached, and the server shouldn’t recognise it as there is no VLAN configured on the NIC?

I’ve added a laptop to port 13 and set port to - PVID 10, tagged 1001, untagged 10 and I see the same, I can ping ports 11 and 13, but nothing else unless I change the PVID on port 11 to be 10. So that rules out the server responding to all VLANs.

Any ideas guys?

Thanks in advance!!

Jason

3 Spice ups

From an IBM site:

A Port VLAN ID (pvid) is a default VLAN ID that is assigned to an access port to designate the virtual LAN segment to which this port is connected. The pvid places the port into the set of ports that are connected under the designated VLAN ID. Also, if a trunk port has not been configured with any VLAN memberships, the virtual switch’s Port VLAN ID (pvid) becomes the default VLAN ID for the ports connection.

I think using the PVID is putting frames from one vlan on the segment you’ve associated with a different vlan.

1 Spice up

A vlan is just a lan - a separate segment of wire. If you want the server to respond to requests on a different lan, you’ll need to route the packets there, just as you would with different wire segments.

I haven’t used Netgear for VLANs, but on our switches PVID is used for “General” ports - so it tags that VLAN ID to the packets. If you are setting an ID by “tagged” that is the ID it will get, rather than the PVID.

UNTAGGED is a regular Ethernet data packet

TAGGED is an Ethernet data packet with an addition which contains a VLAN ID

A PVID (Port VLAN ID) is used when an UNTAGGED packet enters a switch port: the PVID is attached to the untagged packet and it is forwarded to a VLAN specified by the ID part of the PVID

1 Spice up
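Added example, not part of any post in this thread: a small Python model of 802.1Q ingress classification (untagged frame takes the PVID) and egress tagging, applied to the port 11, 12 and 13 settings posted above. It shows that a frame entering port 12 is eligible to leave port 11 tagged 1001 while the reply returns untagged on VLAN 10. Assumptions: frames are treated as flooded (no MAC learning), tagged ingress is filtered by membership, and whether the attached host accepts a tagged frame is not modelled; none of this is documented FS726T behaviour.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Port:
    pvid: int
    tagged: frozenset = frozenset()
    untagged: frozenset = frozenset()


# Port table as posted in the thread, with port 12 in its misconfigured state.
PORTS = {
    11: Port(pvid=10, tagged=frozenset({1001}), untagged=frozenset({10})),
    12: Port(pvid=1001, tagged=frozenset({1001}), untagged=frozenset({10})),
    13: Port(pvid=10, tagged=frozenset({1001}), untagged=frozenset({10})),
}


def classify(ports, in_port, tag=None):
    """Ingress: an untagged frame is assigned the port's PVID."""
    port = ports[in_port]
    if tag is None:
        return port.pvid
    # Assumed ingress filtering: drop tagged frames for non-member VLANs.
    return tag if tag in (port.tagged | port.untagged) else None


def egress(ports, in_port, tag=None):
    """Return {out_port: tag_on_wire}; None means the frame leaves untagged."""
    vid = classify(ports, in_port, tag)
    out = {}
    if vid is None:
        return out
    for number, port in ports.items():
        if number == in_port:
            continue
        if vid in port.tagged:
            out[number] = vid      # leaves with the 802.1Q tag intact
        elif vid in port.untagged:
            out[number] = None     # tag stripped on the way out
    return out


def audit(ports):
    """Ports whose PVID is not a VLAN they are an untagged member of."""
    return sorted(n for n, p in ports.items() if p.pvid not in p.untagged)


# Port 12 after the PVID is corrected to 10, as described in the thread.
FIXED = {**PORTS, 12: replace(PORTS[12], pvid=10)}
```

`audit(PORTS)` flags port 12, the only port where ingress and egress use different VLANs; on `FIXED` both directions stay in VLAN 10.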

That’s a very old Netgear switch. Hopefully, it’s at least a FS726T v2.

I would start by checking for firmware updates to the switch. I would caution you, however, to be sure you have a spare on hand before applying a firmware update to it, as Netgear switches are REALLY bad about bricking on firmware updates (I’ve bricked 4-5 over the last few years out of about 25 I manage). They do have a lifetime warranty, so you can get it replaced if it bricks (only applies to switches you bought new, and you have to register them). Expect 2 week plus turn around for warranty replacements from them…

Hi guys,

@Robert5205

“I think using the PVID is putting frames from one vlan on the segment you've associated with a different vlan.”

That’s what it looks like to me, see below.

“If you want the server to respond to requests on a different lan, you'll need to route the packets there”

I don’t want to route the packets to 1001, that’s a dud VLAN that I intend on assigning all unused ports to so that they can’t be used if someone just plugs into them.

@Gerry McHugh. My understanding is that the PVID is the same as a “native” VLAN, so that any packets that arrive without a tag will have the VLAN of the PVID attached. The packet from the laptop leaves with no tag, hits port 12 at which point the PVID sticks 1001 into the packet.

Because port 11 is tagged as 1001 that means it can carry VLAN 1001, but as the server doesn’t have 1001 set on the NIC it shouldn’t respond surely? Especially since it will also respond when the PVID on 12 is set to VLAN 10 as well.

It seems to respond to both VLAN 10 and 1001 traffic.

@CharlesHTN It is very old, and it’s a V1 I’m afraid. Do you agree that this is odd behaviour and possibly a bug then? Or am I missing something?

Hi Jason,

A PVID is not exactly the same as a native VLAN, well at least not on Cisco and Dell switches, but some switches do things a little differently (HP for example almost seem to use reverse logic for their port setup!) - see “whats difference between native vlan and pvid” on Cisco Community.

A native VLAN does not carry a VLAN tag, the traffic goes to other members of the same VLAN.

Without being familiar with Netgear managed switches, what port options do you have? (for example, Access / General / Trunk). There is an interesting thread on it here, but it’s Cisco specific - https://learningnetwork.cisco.com/thread/51854

I see your point, and that is indeed strange behaviour. What are the port settings for the rest of the systems that communicate with the server?

There is very little consistency with regards to terminology between vendors. For example with my HP switches there is no PVID setting, the PVID is automatically set to whichever VLAN you mark as “untagged” on a port. Which makes sense really, why would I untag and PVID on separate VLANs? You can only mark one VLAN as untagged on a port.

As for config on the rest of the switch I have port 25 (the uplink) set as;

PVID = 1, untagged VLAN 1, Tagged VLAN 111, 40, 50, 500.

Ports 1 and 2 are then all tagged with;

Port 1 - 10, 1001, 11

Port 2 - 50, 500, 1001, 11

And on the switches these are connected to, the uplink ports do not have tags/untags for VLAN 1001, but are tagged for the other VLANs.

No other ports are tagged/untagged as VLAN 1, so my thinking is that any untagged packets on the cable in port 25 (which there shouldn’t be as it’s a trunk) get added to VLAN 1, and then can’t go anywhere so get dropped. 1001 is not tagged or untagged on 25, so if someone does plug into another port with PVID of 1001 there is no path for it to go up to another switch.

I hope I’m making sense with this and you can follow it all! I’ve attached a screenshot of the Excel sheet I use to keep track of the tags/untags, hopefully that will help!