• October 31, 2024, 09:28:40 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Sharing an internet access (gateway) between two VLANs  (Read 5750 times)

Second Dragon

  • Level 1 Member
  • *
  • Posts: 1
Sharing an internet access (gateway) between two VLANs
« on: January 16, 2018, 01:44:06 PM »

Good Evening. I need some help with a simple network configuration:

I actually have one physical LAN including a shared printer, a shared gateway/firewall (Cisco) for internet access, two Access Points all connected via a D-LINK DGS 1210 24 ports.

I'd like to create two VLANs, as two different companies are using the same LAN and pcs of each company can see the other company ones, but they need to both have access to the printer, the gateway/dhcp (192.168.2.1) and one access point each.

I was thinking about this setup:

VLAN 1: ports of Company 1 + printer port + router port + access point 1 port untagged - ports of company 2 not member

VLAN 2: ports of Company 2 + printer port + router port + access point 2 port untagged - ports of company 1 not member

Is it a correct configuration?

Step 2: PVID: how do I configure PVID of the shared ports (printer and Router)?

I mean, e.g., if port 3 belongs to company 1 it will be PVID=1, but what about PVID for shared ports, e.g. number 16 (the router port)? If i set PVID= 2 company 2 (VLAN 2) will be able to access the internet via the router but not company 1...

Thanks in advance for the support.

Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: Sharing an internet access (gateway) between two VLANs
« Reply #1 on: January 17, 2018, 04:42:29 PM »

Hi,

to solve this problem you have to activate the "asymmetric VLAN" feature and configure the following:

.--------+----+----+----+----+----+----+----+----+----+----+-------------.
|  Port  | 01 | 02 | .. | 16 | 17 | 18 | 19 | 20 | .. | 24 | VLAN Name   |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 3 |    |    |    |  X |  X |  X |  X |  X |  X |  X | company2    |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 2 |  X |  X |  X |  X |  X |    |    |    |    |    | company1    |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 1 |  X |  X |  X |  X |  X |  X |  X |  X |  X |  X | default     |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  PVID  |  2 |  2 |  2 |  1 |  1 |  3 |  3 |  3 |  3 |  3 |             |
`--------+----+----+----+----+----+----+----+----+----+----+-------------´
            |    |    |    |    |    |    |    |    |    |
            A    P    P    R    P    P    P    P    P    A
            P    C    C    O    R    C    C    C    C    P
            1    1    x    U    I    1    2    3    x    2
            -    -    -    T    N    -    -    -    -    -
            C    C    C    E    T    C    C    C    C    C
            1    1    1    R    E    2    2    2    2    2
                                R


(For a general discussion of the basics of "asymmetric VLANs" see e.g. here and the links embedded there. If you know Cisco's private VLAN (PVLAN) implementation, then D-Link's "asymmetric VLANs" can be seen as a proprietary implementation of the PVLAN idea as described and standardized via RFC5517, where the "shared VLAN" corresponds to the "primary VLAN" and any "access VLAN" corresponds to a secondary "community VLAN". The drawback of D-Link's implementation is that it lacks "isolated PVLANs")

Here an 'X' means: The switch port denominated by the column's title is an untagged member of the VLAN denominated by the row's title.

This perfectly reflects the asymmetric VLAN descriptions and examples given elsewhere, where
  • VLAN 1 (default) is the shared VLAN and ports 16 (router) and 17 (printer assumed) span the shared port group.
  • VLAN 2 (company1) is the first access VLAN with ports 1-15 spanning the corresponding access port group (AP1-C1, PC1-C1, PCx-C1, ...)
  • VLAN 3 (company2) is the second access VLAN with ports 18-24 spanning the corresponding access port group (AP2-C2, PC1-C2, PCx-C2, ...)

Of course you have to adapt the port assignments to devices to your real conditions (you only told your router being plugged to port 16)

<EDIT>
One important remark: Leave the port where you connect your Admin PC for switch management unchanged (default: PVID=1, untagged member of VLAN 1 ),  otherwise you might lose the connection to the switch management interface. Leave this port reserved/free for temporal management access. You can't access the switch  management interface from any of the access VLANs 2 or 3.
</EDIT>

PT
« Last Edit: January 18, 2018, 05:53:55 AM by PacketTracer »
Logged