emsed

Configure new dlink dgs-1248 switch

We currently have many unmanaged switches. I'm adding a 48 port dlink and configuring multiple vlans. I have created vid 01 for port one and assigned it pvid 01. I have created vid 02 for dmz servers, port 2-16 and made pvid 02. Ports 17-34 are for internal systems, vid 03 and pvid 03. Ports 35-48 are for a dedicated backup network, vid 04 and pvid 04. All vids are configured as untagged, other than backup vid 04 which I have marked as tagged.

My confusion is from the vid, pvid, and tagging, what effect my current setup will have on traffic. My goal is to segment dmz, internal and backup traffic. I would like only backup traffic on ports 35-48 and all others dropped there. A firewall, already configured, will be connected to the individual vlans 02 and 03, one each for dmz and internal vlans. Is this the correct setup for what I want to do? How do the pvid settings affect traffic on these switches? What about tagging?
from_exp

hi!
let us clarify some terms:
vlan (Virtual Lan) is represented by vlan id and in most cases each vlan has its own IP subnet.
switch port can belong to one or several vlans
if it belongs to a single vlan, then the port has pvid (Port Vlan ID) because the switch has to understand to which virtual lan unmarked packets should be sent
if a port belongs to multiple vlans, then it is tagged and pvid is used for traffic without vlan markings, tagged packets are sent to a particular vlan (if that vlan is allowed on a particular port)

I would try to create a configuration in d-link commands (suitable for des-3526 and others, but I know that syntax can be different in some models)
configure vlan default del 2-48 --- removes all ports except 1st from vlan default (vid=1)
create vlan dmz tag 2
conf vlan dmz add untagged 2-16 -- we create vlan 2 and assign ports 2-16 to it as untagged
create vlan internal tag 3
conf vlan internal add untagged 17-34
create vlan backup_systems tag 4
conf vlan backup_systems add untagged 35-48 -- please note, that you don't need these ports to be tagged, because they belong to a single vlan only

so what to do next? I expect you to take a router (firewall) with 4 interfaces and connect it to your switch in the following way:
switch port 2 - with let's say dmz interface and address 192.168.2.1/24
port 17 - to internal interface with address 192.168.3.1/24
port 35 - to a second internal interface for a backup network with address of let's say 192.168.4.1/24
wan port - to the ISP's router with an ip provided by your ISP.

so your firewall effectively routes traffic between vlans and internet.
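
The PVID and tagged/untagged behaviour discussed in the question and answer above can be checked with a small model. This is an added example, not part of either poster's text and not D-Link code; `Switch`, `flood`, `build` and `plain_host_accepts` are hypothetical names, and it assumes ingress filtering is on and that ordinary hosts ignore 802.1Q-tagged frames.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    pvid: dict = field(default_factory=dict)      # port -> VLAN assigned to untagged ingress
    untagged: dict = field(default_factory=dict)  # vid -> ports that send the VLAN untagged
    tagged: dict = field(default_factory=dict)    # vid -> ports that send the VLAN with a tag

    def add_vlan(self, vid, ports, tag_egress=False):
        """Make ports members of vid and set their PVID to vid."""
        table = self.tagged if tag_egress else self.untagged
        table.setdefault(vid, set()).update(ports)
        self.pvid.update({p: vid for p in ports})

    def flood(self, in_port, frame_tag=None):
        """Return {egress_port: tag or None} for a broadcast entering in_port."""
        vid = frame_tag if frame_tag is not None else self.pvid[in_port]
        tagged = self.tagged.get(vid, set())
        members = self.untagged.get(vid, set()) | tagged
        if in_port not in members:  # ingress filtering (assumed on): port not in that VLAN
            return {}
        return {p: (vid if p in tagged else None) for p in sorted(members - {in_port})}

def plain_host_accepts(tag):
    """Assumption: an end host with no VLAN sub-interface ignores tagged frames."""
    return tag is None

def build(backup_tagged):
    """Port layout from the thread; backup_tagged=True is the asker's original setup."""
    sw = Switch()
    sw.add_vlan(1, [1])
    sw.add_vlan(2, range(2, 17))    # dmz
    sw.add_vlan(3, range(17, 35))   # internal
    sw.add_vlan(4, range(35, 49), tag_egress=backup_tagged)  # backup
    return sw

if __name__ == "__main__":
    for label, sw in (("vid 4 tagged", build(True)), ("vid 4 untagged", build(False))):
        out = sw.flood(35)  # untagged broadcast from a backup host on port 35
        print(label, "-> port 36 gets tag", out[36], "accepted:", plain_host_accepts(out[36]))
    print("dmz port 2 reaches ports:", sorted(build(False).flood(2)))
```

With vid 4 marked tagged, frames leave ports 36-48 carrying tag 4, which a plain backup host would not accept; with untagged membership they leave untagged, and in both layouts dmz traffic stays on ports 2-16.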


emsed

ASKER

Thank you very much! Your explanation was very clear and confirmed in a way what I was thinking. So I'm really going to leave everything untagged? Should I just turn off Asymmetric VLANs? Would that remove the PVID option? Could you explain the difference, if so?

Furthermore, I believe I am going to use a dedicated unmanaged switch for backup traffic and keep it separate from the DLink and the rest of the network. So, I will just not add the backup_systems vlan and use 17-46 for internal connections. conf vlan internal add untagged 17-46

I will need to connect a separate unmanaged switch to this DLink, for the remainder of our clients internally. Should I have a special port configured for the link from unmanaged switch to DLink? Maybe consider Trunking for additional BW? I have (2) ports open 47-48.
I also want to make sure I have this setup to monitor our network connections and possibly do QoS. I have enabled SNMP and given unique public and private strings.
Thanks again
ASKER CERTIFIED SOLUTION
from_exp
This solution is only available to members.
emsed

ASKER

Thank you. I will disable the asymmetric vlan option. The switch will be configured like you said and nothing special will be configured to add the unmanaged switch. Thank you for helping me get this straight.
always welcome and good luck with your network!