Switches, Hubs, and Modems
VLAN configuration on 1810G-24

MultiNet_1
Occasional Visitor

I need to configure two new 1810G-24 switches in our network but I am confused about the VLAN setup.

There are two switches in this scenario. The idea is to have one connected to the firewall on the untrusted network port and the other switch on the trusted firewall port. As not all ports are in use on any of the two switches, in case of failure, one switch should be able to replace both. I hope to do this by defining VLANs on the switch.

VLAN2 = Untrusted
VLAN3 = Trusted
VLAN4 = Special1
VLAN5 = Special2
...

To be able to physically replace the switches, both have exactly the same configuration and port assignments. Port 23 is assigned to VLAN2 and port 24 is assigned to VLAN3.

First problem I faced is that the firewall is VLAN aware, but I can not change the configuration, and it currently does not have VLANs configured. To what VLAN tagging mode do I assign port 23 of the switch which is connected to the untrusted port of the firewall? I would say Tagged to VLAN2 and Excluded for VLAN3 and VLAN4/VLAN5/.... Tagged because in that case the switch tags the packages. But will this work? I know that if your device is not VLAN aware or configured, that it will ignore the tagging information. So normally I would think it works fine. I then do exactly the same for port 24, connecting it on the trusted firewall port, assign it as Tagged to VLAN3 and Excluded for VLAN2 and VLAN4/VLAN5/....

The goal is that when I connect devices on this same physical switch, with the above configuration, that the trusted servers will use port 24 to talk to the firewall and untrusted servers to port 23 on the untrusted side of the firewall. On each port of the switch I will configure the port as Tagged for the correct VLAN and Excluded to the other.

- will this work?
- will the firewall, unaware of the VLANs, be able to handle the traffic flow correctly?
- will this prevent having untrusted traffic on the trusted network and trusted on the untrusted if one physical switch is used?

The second problem. VLAN4, VLAN5, ... are in some way a sub-network on the trusted side. They are split off in VLANs having extra control and security. They should be able to talk to some infrastructure servers, like the DNS and SQL server, which are on VLAN3. They should NOT be able to connect with the other servers on VLAN3.
I hoped to do this by setting the following tagging in place. Set the port of the SQL and DNS as Tagged for VLAN3, Tagged for VLAN4 & VLAN5 and Excluded for VLAN2 (untrusted). For the device on VLAN 4 I set: Tagged for VLAN 4, excluded for VLAN 5 and VLAN 2 (untrusted), and UNtagged for VLAN3 (trusted). For all other servers on VLAN2 I set VLAN2 as tagged, and all other VLANs as Excluded.

Note: It can be that new 'special' VLANs, like 4 and 5, are added in the future. They should act exactly the same.

- will the system on VLAN4 or VLAN5 be able to connect to the infra server on VLAN3? And the other way (from VLAN2 to VLAN4/5)?
- how will the firewall handle this traffic (unaware of the VLANs)?
- is there, in general, an easier scenario, with the same hardware?
- should I assign the VLANs on the NICs of the servers too? Or is this not needed? I think I allow the switch to handle it correctly, especially because some ports are untagged.
- I am not sure how the firewall will handle the traffic; knowing that the switch ports are tagged, but the firewall is not VLAN aware.
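The following is an added example, not part of the post and not HP code: a small model of the 802.1Q membership modes the post uses (Tagged, Untagged, Excluded) applied to the port assignments it describes, so you can trace which ports a frame reaches and which attached devices would process it. Port names, the single-untagged-VLAN PVID rule, and which devices are VLAN-unaware are assumptions.

```python
"""Trace 802.1Q membership (Tagged / Untagged / Excluded) across the port
assignments described in the post.  Constructed model, not HP switch code."""
TAGGED, UNTAGGED, EXCLUDED = "T", "U", "E"

# Constructed port table: port -> {vlan: mode}.  Names are assumptions; the
# memberships follow the post (23 = firewall untrusted, 24 = firewall trusted).
PORTS = {
    "p23_fw_untrusted": {2: TAGGED},
    "p24_fw_trusted": {3: TAGGED},
    "dns_sql": {3: TAGGED, 4: TAGGED, 5: TAGGED},
    "special_vlan4": {4: TAGGED, 3: UNTAGGED},
    "untrusted_srv": {2: TAGGED},
}
# Ports whose attached device is assumed NOT to understand 802.1Q tags.
VLAN_UNAWARE = {"p23_fw_untrusted", "p24_fw_trusted"}

def pvid(port):
    """Untagged ingress is classified into the port's single Untagged VLAN."""
    return next((v for v, m in PORTS[port].items() if m == UNTAGGED), None)

def classify(port, tag):
    """VLAN the switch assigns to a frame arriving on port, or None if dropped."""
    if tag is None:
        return pvid(port)
    return tag if PORTS[port].get(tag) == TAGGED else None

def forward(src, tag):
    """Egress map {port: tag_on_wire} for a frame entering src with given tag."""
    vid = classify(src, tag)
    if vid is None:
        return {}
    out = {}
    for port, members in PORTS.items():
        mode = members.get(vid, EXCLUDED)
        if port == src or mode == EXCLUDED:
            continue
        out[port] = vid if mode == TAGGED else None  # Untagged egress strips the tag
    return out

def accepted(src, tag):
    """Ports whose attached device will actually process the frame: a
    VLAN-unaware device drops anything still carrying an 802.1Q tag."""
    return sorted(p for p, t in forward(src, tag).items()
                  if t is None or p not in VLAN_UNAWARE)

if __name__ == "__main__":
    for src, tag in [("special_vlan4", None), ("special_vlan4", 4),
                     ("dns_sql", 3), ("untrusted_srv", 2)]:
        print(src, tag, "->", forward(src, tag), "accepted:", accepted(src, tag))
```

Change a membership mode in PORTS (for example Tagged to Untagged on the firewall ports) and rerun to see how the delivered and accepted sets move.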