OMG!OMG!OMG! A 10 minutes video which would surely have saved me 3 sleepless nights!! Nobody could have explained it better! A simple network design, for the home use (start of a home lab, maybe?) in which the main focus is to clarify important networking terminology (so useful for future reference!!!) which nobody does anymore....not even excellent technical youtubers like Lawrence Systems, David Bombal, Network Chuck...Great job! spent as a new comer in the networking field 3 nights trying to configure a vlan on a cisco switch, reading documentation, watching videos and still failing. Trunk or access that is pretty straight forward to understand but tagged or untagged that was a whole another story for me..
As a total beginner to networking who is better with visuals, your explanation along with your diagrams has helped out so much! Vlans now make significantly more sense than they did before. thank you!
THANK YOU. I couldn't find any TP link config guides that could explain this to me. Your video helped this click after a couple hours screwing with it.
Just wanted to give a shout out to you on this video because I simply did not understand tagged/untagged on the TP switch. Now I do. I was able to FINALLY connect my pfsense vlan to the switch and have two separate networks. Thanks.
OMG, Gathering Fooling around for a few day's and Never Connected the PVID setting to be mandatory to untag ports. I'm Trying to get a simple OPNsense to use port 1,2,3,4 as "LAN" ports, and port 8 as WAN port of my TP-Link switch. Exactly at the moment you pointed out to the PVID section. I hit my keyboard with my face... Untagged the ports and the WAN ports are working LoL Thank you very very much 🙂this is what i needed for a low-budget project....
@@klarotech8885 Yeah i need to switch providers they joined. But the new one uses Zyxell routers and those really S*ck bad power supply crappy firmware. Back in the days i had 7 new routers in about 3-5 years. After i got a Fritz Box running for about 10 years now.. And i had a donation of ( not joking about 30 DELL ThinClients (AMD G-T48E Processor 2 cores, 2 threads) with 4GB memory and 16Gb Flash (SSD) TP-Link TL-SG108E 8-poorts just costs about 30 euro's on Amazon and they come with life time warranty I'm planning to make it with OPNsense router on VLANś so if there would be any failures in the future i can fix it myself. Maybe a idea for you to make a tutorial about that. Not found a single one that completed the tasks.
Thanks for this. I totally failed to see the PVID section and i couldn't figure out why my untagged VLAN wasn't working properly. Why they didn't just combine the 2 sections into one I'll never know.
Best guidance I've found is this: If it's untagged the switch will add the tag (Switch requires both 802.1Q VLAN and 802.1Q PVID to be completed) If it's tagged the switch expects the VM/hypervisor/firewall to have already tagged it (Switch requires ONLY 802.1Q VLAN to be completed)
For my two access points, they both have 'staff' SSID, and 'guest' SSID. I have enabled VLANs for both 'staff' and 'guest' , where 'staff' VLAN = 1, 'guest' VLAN = 20. Therefore, for the ports of the access points on the switch, I have enabled 'tagged' for both VLAN = 1 and 20. This seems to work but its not the way you did it? Also, if I make the switch port which my router is connected to, 'tagged' VLAN = 1, then i lose all connection and internet on my laptop
I will try to clarify what you are saying. You have created two VLANs in your router with VLAN ID of 1 and 20. On these two VLANs you have assigned a IP range that will be served to your staff SSID and guest SSID. The line from your router to your switch port, you have tagged VLAN 1 and 20, then you also tagged the ports that are going to your AP with the VLAN you desired. So, the tagged VLAN which is created in your router will go all the way to your AP where you configure your AP with the desired VLAN. This will work, except you can not use VLAN 1, that is the default untagged traffic. I mean by that , VLAN ID 1, not what you name the VLAN. I used a tagged and untagged line just to show the different scenarios, that is why mine is different. If you used VLAN ID 1, change that and it should work. So you could do VLAN 20 and VLAN 30, then tag it all the way through to your AP, that is it, Hope that helps, if I have understood your situation correctly.
4:14 What if my router doesn't support VLAN? Can I connect this switch to my non-VLAN router and then all my equipments to the switch? Will I be able to use only the VLAN on the switch? Thanks!
The router is really the brains of the operation when it comes to Vlans, usually the switch is just a carrier of the Vlan. How do you plan to use the Vlan?
@@klarotech8885 I was planning on buying this switch since it's much cheaper than a router, and for routers the VLAN capabilities are not advertised often. Just to learn about VLAN and eventually to have separate VLANs in my mini Proxmox server. Thanks for the reply, maybe the port based VLAN if this router might help me, I read somewhere that it's used when routers don't have VLAN, but not sure... Thanks!
Many thanks for the clear and concise presentation. One point of confusion for me is that in TP-link's user manual for another switch model: TL-SG1016PE, it shows a configuration use example where both the untagged and tagged ports are assigned PVID settings. I couldn't link it here, but it is on page 38 of the TP-Link TL-SG1016PE manual. I don't know if this is a mistake on their part or if I misunderstood the config example. Are there any situations where a tagged port would also have a PVID setting?
Some switches support ports for both tagged and untagged packets. If a packet comes without vlan tag, the pvid is applied. If packet comes in with vlan tag, it is allowed to continue. I cant say for sure if that is what is going on with this model, but I have seen other tp-link switches with different configuration methods, so I wouldn't be surprised. It is kind of confusing. There should be more of a standard. Here is a link that discusses the PVID. community.spiceworks.com/topic/994968-understanding-pvid
Hello, you helped me understand. I have a question, how would it be if I need the data to go to a port on my local network (not the data from the vlan) I understood that. tagged all data goes through (local network + vlan) untagged (only vlan) and if I want a port to receive a local IP. Is it possible in this same switch model?
Your trunk line from your router will be carrying you default IP range and your vlan, the ports you do not configure for either tagged or untagged will carry your default IP range from router. Just make sure you tag the port coming from your router with the vlan, then you have the option for the rest of the ports to either 1) tagged 2) untagged 3) or default.
More or less. On a smaller network you might just go from router to managed switch to Access Point. VLANs have their place, I would not consider them my first option if I had a choice.
Yes, you can create multiple VLANs in your router, sends those through a switch by tagging them, and at the end point, in your case a AP, you would assign the VLANs to multiple SSID's. The end result would be network segregation where you could have each SSID on a different IP range for manipulation. But this all starts with proper planning and configuration in your router, hope that helps.
@@klarotech8885 Thank you for your reply, appreciate it alot. I have 2 more questions. 1. When I create multiple Vlans on the switch, can I assign the same port to all the VLAns and tag them? since I will be connecting the AP on that port with an ethernet cable 2. I don't have a router that supports VLANS, that's why I got a switch to segment the network. Why do I need a router that supports VLANS if I have a switch to segment the netowrk.
yes, you can tag multiple VLANS on one port. So one cat5/6 going from a port on the switch going to the AP can have multiple VLAN's, as long as it's configured in the switch. As far as the router, that is really where VLANs are useful. Switches primarily carry the VLANS through, all the real manipulation takes place in the router. For example, if you have Untangle or Pfsense you can do all kinds of things once your network is segregated, like applying different captive portals to different SSID’s and routing through the firewall, just to name a few. What are trying to do with the VLANs?
Vlan 1 is the default vlan and is a system setting. The newly assigned vlan overrides the default vlan. If the assigned vlan is deleted, the default vlan is valid again.
Yes, the second switch was used to provide more examples. You could go from router, to switch, to end-point devices (AP, Computer etc.). Thank you for your question!
Is it possible to plug unmanaged or ordinary 16 port hub to untagged port on vlan switch and then connect all the computers on that ordinary 16 port hub? Does it still control the traffic on all the computers plug on that ordinary hub? Set up is like the 16 port ordinary hub connected to the 1 port of untagged vlan port, then all computers connect to the ordinary hub.
You can connect an unmanaged or ordinary switch to the untagged port. You just can’t carry the tagged vlan through them. The untagged port becomes the same as a physical port, carrying just the IP range that you have assigned to the vlan. In your case, the 16 port ordinary switch and everything connected to it will just have to IP range assigned to the vlan. Hope that helps.
Some models of TP-Link switches and access points don't handle VLANs and multicasts properly. They allow the main LAN multicasts to leak into the VLAN. As a result, I could not run IPv6 on my guest WiFi VLAN. Later versions of the firmware may have fixed this, but I don't know for certain. I replaced the TP-Link AP with another make, which runs fine with IPv6.
@@klarotech8885 I have both a TP-Link TL--S105E switch and TL-WA901ND access point. Both have the problem and neither have an update available. Both have been superseded by newer versions. I don't know if the newer versions have the problem or not. Also, I called TP-Link support and the person I was talking to insisted that was correct behaviour. Apparently he wasn't aware that VLANs are supposed to be logically separate. I later was speaking to someone from 2nd level support and he agreed that was a fault, but there was no software update for my AP. I replaced the AP with a Unifi AC-Lite, which works properly and I use the switch where 802.1Q VLANs are not needed, though I do use port specific VLANs with it.
Hey man, great video. thanks for the help. In my case I am still a bit confused, not by this, since I got this working with your help. My issue is that now that everything in the vlan is working I am confused as to how to access it from my main network. In this case I have all my IoT devices in vlan 107, whille the guest network is in vlan 50 and the TVs are in vlan 78. I have a NAS used as a server in the main LAN used for backups and as a plex server. I want to be able to access some of the IoT devices from my PCs, as well as being able to access the Plex server from the TVs. Could you help me out as to how to do this on a TPlink switch please? I have an asus RT-AX88U router.
What you are dealing with concerns network segregation. You have used VLANs to segregate your network. This means that each VLAN has a different subnetwork ( IP address range). For example, you might have VLAN 50 with the range of 192.168.50.1 to 192.168.50.254 and VLAN 78 with a range of 192.168.78.1 to 192.168.78.254. Your network has been segregated, and by design, the devices on one IP range cannot communicate with devices on another range (unless you configure your firewall in the router to allow cross-range communication). One way to communicate with a device in a different IP range than the PC you are using is to manually change the IP address on the PC to be in the same range as the device. This would, however, be a temporary solution for configuring purposes only. The best way would be to configure your firewall to allow different subnets to communicate with each other. I would need to know more about why you segregated your network in the first place to advise further. If you don’t configure your firewall correctly, you could defeat the purpose of the network segregation in the first place.
@Klaro Tech, Question for you: My home is pre-wired with ETH ports on the wall of my rooms and my Living room is going to have an AP power over ETH 2.5G port. My Main switch is an M2 switch doing L2/L2+ functionality and has 8 PoE ports. At my Onq panel (which has my controller/router/switch) all my ETH terminates at the 8 port poe switch. Now, if i connect my AP from the wall port then I dont have any other ports to wire my Iptv and PS4. If i want to also have them wired, can i use a dumb switch (switch 2 per your diagram) with Poe capability and has 2.5G, and use port 2 to connect to my AP and Port 3 & 4 (untagged in same VLAN) to my iptv & PS4? will my ipv4 and PS4 be part of VLAN as untagged but will still get wired connectivity?
Sorry I missed your reply. The untagged VLAN can not be manipulated again. If you want your AP and IPTV and PS4 segregated you must use a Tagged VLAN. I am not totally sure I understand your network layout and what your trying to do though. Sometime its helpful to draw out what your trying to do.
Thx for a insightful video. Not using Omada software controller as not compatible with TL-R470T+ at this time but want to secure IOT devices. Using 3 EAP235 AP's whose ports are hardwired to TVs and gaming consoles along with standard wifi access for multiple IOT devices. Can those AP wired ports have VLAN assignments( thinking yes )? Is that done via the AP interface or would using the Omada software controller be a better approach?
You can use the AP interface and the Omada controller to relay the VLAN to the end point. But you need a router to create the VLAN where you could manipulate it. Most of the time VLANs are used for network segregation by IP ranges. Once you segregate your network by IP range you can manipulate your network how you want, but all this needs to happen at your source, the router.
I am not very good at networking but I can follow directions very well. I have tplink Archer_A9 acting as a WiFi router and a couple of ASUS old routers acting as AP and repeater. I also have this switch that’s in the video and would like to put my ioT devices in a vlan network. Can I do it with these devices in mind? If so would you be willing to make a video showing how to do it using the switch you showed in the video?
The switch carries the vlan to its destination, but you need a router that can create the vlan and segregate your network how you want it. The Archer A9 does not have those capabilities. You need to move from a home router to a business or enterprise router. You have a few different options 1) Buy a business class router 2) Flash a router with dd-wrt 3) get a small factor computer (or even an old desktop with 2 lans) and install pfsense or untangle. Finding a router that is the right version to flash dd-wrt can sometimes be a hassle. If you take the dd-wrt route, your best bet is probably to look on ebay for a Linksys router that you can flash dd-wrt , just make sure you check the dd-wrt database for a router that you can flash, the version has to be the same also. I think I will try to make a video on how to setup a network using vlans with option 3. The other older routers you mentioned most likely don’t have vlan capabilities. You would have to find access point that have vlan capabilities, or ones you can flash with dd-wrt. I would recommend option 3 at the end of the day. Pfsense or Untangle with give you lots of options for setting up your network how you want.
Thanks for the video, very useful. I have found a lot of unmanaged switches do allow tagged data through, all TP-Link switches have 802.1Q pass through. If I set PVID to 5 on all ports, can I assume the default VLAN 1 for untagged ports is overridden? I dont want anyone who plugs in to the switch to automatically be allowed onto the Management Lan. If I did that I assume the switch itself would have a tag of 5 when it communicates to the next switch?
Yes, you are correct, changing the PVID with override the default of 1. If you did that for all ports then there would be no default ports. As far as the 5 tag going to the next switch, it will not because it is untagged. Think of the untagged port acting exactly like a physical port. The untagged port will receive the 5 tag and push out that IP range assigned in the router, but it will not continue, you would need a tagged port for that. It is like the untagged port acts virtually on the input (for the lack of better way to describe it, switches don’t really have inputs or outputs per se), but physically on the output. Another reminder, network segregation has to happen in the router correctly, in the firewall. Make sure to test by pinging the networks you wish to segregate.
@@klarotech8885 thanks for the reply! So if I have two managed switches and switch one connects to switch two, and everything has pvid 5, does switch one get tagged with 5 or does the switch never send the info it just passes it on? I assumed since it has an ip address the switch itself would be given a tag?
Once you make a port untagged, the tag is stripped away. The untagged port then pushes from your DHCP server the IP range assigned to that VLAN. Once untagged you can no longer use the VLAN 5 tag, only the IP range is pushed out. I provided a diagram that might help also. drive.google.com/file/d/1NNFdiySe3VvhCIRgLeYPJVwD9spsiHXg/view?usp=drive_link
How do you setup the switch, so that one can access the switch over a TRUNK PORT, like all my other switches. For example I have the TPLINK behind another switch. On the trunk port from this other switch, goes into PORT on the TPLINK and carries vlans 10 and 50. We assigned an IP address on the vlan10 subnet (trusted). Ports 1-4 are going to dumb devices on vlan50. Ports 5-7 are going to dumb devices on vlan10. My setup. PVID: ports 1-4 =50, ports 5-7 =10 port 8 = 1 ( no change, default of 1 kept). My setup. Membership vlan 50, Ports 1-4 Untagged / port 8 tagged ............ vlan10, ports 5-7 tagged / 8 tagged My setup. Membership vlan1, port - untagged. Thus port 8 is a classic trunk port with two vlans coming in and 7 ports are access ports 1-4 members of vlan50 and 5-7 members of vlan 10 From another computer attached to the main router on vlan10, I cannot reach or ping the TPlink switch, with IP address on the same vlan. I can confirm that traffic to the switch prior to the TPLINK gets all the vlans correctly from the MAIN router. Baffled!! Just to compare, I have four vlans going to Main Switch from Router (trunk port to trunk port all tagged vlans). From the main switch two vlans go from main switch to tplink on a trunk port 2 tagged vlans on both sides. Please explain on the MAIN switch how you reach the Main switch, From a PC connected to the router on vlan10?? Same with second switch, how do you access the switch to configure it, if the pc connected to your router is on vlan10?? Note. When you assign a PVID to an access port going to a dumb device, you should be untagging vlanid=1 from that port as well.
What IP range are the switches in? The easiest would be to set the switch to dynamic and set the IP address in the DHCP server on the router in the default IP range of the router. Then, any PC on your network set within the default router IP range should be able to hit the switch. I usually start from the source and work my way out. Hook the switch to the router, if your are able to hit the switch move it out to the switch and so on. Sometimes all that does not work and you have to reset the switch and start over.
@@klarotech8885 All good, the chap I was helping out via TeamV, had his cables mixed up in the attic and thus the reason I could not get it to work. Once done, it was trunk from one switch to the TP LINK carrying all the vlans and setup properly on TP Link. As expected the only untagged ports for vlan1, were the trunk ports, and NOT a member of any access ports either.
It is tagged with the vlan. It’s like tagging the data with little stickers identifying it as belonging to the vlan you are assigning it as. With these tags (stickers) data can be segregated. With untagged, no tags are given and all data is seen as the vlan assigned.
I segragatex the IoT, due to their inheent security risks. The tvs was done because my cable provider gives me android boxes with who know what software is in it, so that is the reason. The only issue I am having is when I try to access plex thru my tvs locally, I am getting sent to the internet and back and with only a 100 mb service I get choppy video all the time.
I have an asus gt-ax11000 router with 2 ax aimesh node. The main router has a 2.5 GbE ethernet port with a QNAP 2.5 GbE managed switch connected to it, and another 2 1 GbE cables from the router are LAGged into a 2 GbE connection to my TP-Link Jetstream 48 port Gigabit Smart PoE+ switch. VLANs are assigned in the router. The tp-link jetstream has all the tag/untags in it. Ignore the 2.5 GbE switch, since it has no bearing in this problem.
So the tvs are not reaching the plex server at all? Can you ping the plex server ? 100 mbps should play anything you have without any problems as far as the internet goes.
VLANs can go through dumb switches. I've done it. A dumb switch doesn't have the intelligence to filter out VLANs, so it will pass the tagged frames, but will not affect them.
Some will, some will not , it usually says on it , in my experience, thank you for pointing this out! Sometimes it will “work” , but you might have intermittent problems. Another good reminder to always do your own research on your specific hardware.
This is really annoying. Never have i seen having to pvid a port and not just select it as untagged on 802.1q. I've wasted in total probably 12h on issues caused by this as they are located in different buildings.
I lose internet connection when I do the PVID for lets say port 1 and port 5 untagged. why? trying to setup cameras and router , separate the traffic but i have a testing systems PC on port 1 and 5 and when i PVID , port 5 loses internet , 1 still has
I would first check if a device on port 5 is getting the right IP address. The VLAN is created by the router and the VLAN is assigned IP range. The line coming from the router to the switch port needs tagged. Then port that is untagged on the switch needs to have PVID setup. Start with the source and test at each step, for sure you will not have internet if you do not have right IP range, so that is the first thing to check.
After a lot of research on the internet, it seems that this video clearly and concisely explains the concepts of tagging and untagging. Thanks!
Glad to help!
OMG!OMG!OMG! A 10 minutes video which would surely have saved me 3 sleepless nights!! Nobody could have explained it better! A simple network design, for the home use (start of a home lab, maybe?) in which the main focus is to clarify important networking terminology (so useful for future reference!!!) which nobody does anymore....not even excellent technical youtubers like Lawrence Systems, David Bombal, Network Chuck...Great job! spent as a new comer in the networking field 3 nights trying to configure a vlan on a cisco switch, reading documentation, watching videos and still failing. Trunk or access that is pretty straight forward to understand but tagged or untagged that was a whole another story for me..
Thank you for taking the time to write that comment! Helping someone else is why I made the video :)
As a total beginner to networking who is better with visuals, your explanation along with your diagrams has helped out so much! Vlans now make significantly more sense than they did before. thank you!
Thank you for your comment, glad to help:)
THANK YOU. I couldn't find any TP link config guides that could explain this to me. Your video helped this click after a couple hours screwing with it.
Your welcome, thank you for taking the time to let us know how the video helped!
Before buying the switches I wanted to confirm if I could use VLANs and tagged & untagged ports.
Thanks for the video!
Glad to help , they work great for vlans using tagged/untagged ports!
Nicely done! I’ve been struggling with this for months and now - thanks to you - I finally get it!!!
You’re welcome, glad to help!
Just wanted to give a shout out to you on this video because I simply did not understand tagged/untagged on the TP switch. Now I do. I was able to FINALLY connect my pfsense vlan to the switch and have two separate networks. Thanks.
Thank you for taking the time to leave that comment, glad to hear the video saved you some time!
I was banging my head against the wall with this - and this video cleared it up for me. Thank you!
Glad we could help!
Thanks for the very clear video on how to do the VLAN on this TP-Link Switch. Now fully understand
Happy to help :)
Thank you for this video! I've been hitting my head against a brick wall... I had no idea about the 802.1Q VLAN PVID Setting
Glad to help! Thank you!
The best work I saw after watching many videos around this topic! Hat's off!
Thank you, your welcome!
Thank you for this vid, I was trying to wrap my head around how tp-link vlans work, but coming from unifi, i wasn't getting very far!
Glad it helped!
OMG, Gathering Fooling around for a few day's and Never Connected the PVID setting to be mandatory to untag ports.
I'm Trying to get a simple OPNsense to use port 1,2,3,4 as "LAN" ports, and port 8 as WAN port of my TP-Link switch.
Exactly at the moment you pointed out to the PVID section. I hit my keyboard with my face... Untagged the ports and the WAN ports are working LoL
Thank you very very much 🙂this is what i needed for a low-budget project....
Glad to help! Low-budget projects is what inspired me make video and hopefully more!
@@klarotech8885 Yeah i need to switch providers they joined. But the new one uses Zyxell routers and those really S*ck bad power supply crappy firmware.
Back in the days i had 7 new routers in about 3-5 years. After i got a Fritz Box running for about 10 years now..
And i had a donation of ( not joking about 30 DELL ThinClients (AMD G-T48E Processor 2 cores, 2 threads) with 4GB memory and 16Gb Flash (SSD)
TP-Link TL-SG108E 8-poorts just costs about 30 euro's on Amazon and they come with life time warranty
I'm planning to make it with OPNsense router on VLANś so if there would be any failures in the future i can fix it myself.
Maybe a idea for you to make a tutorial about that. Not found a single one that completed the tasks.
Thanks for this. I totally failed to see the PVID section and i couldn't figure out why my untagged VLAN wasn't working properly.
Why they didn't just combine the 2 sections into one I'll never know.
I wonder that too, it’s not very intuitive for sure.
Amazing. This exactly what I was looking for. Big thank you!
Glad it helped!
Best guidance I've found is this:
If it's untagged the switch will add the tag (Switch requires both 802.1Q VLAN and 802.1Q PVID to be completed)
If it's tagged the switch expects the VM/hypervisor/firewall to have already tagged it (Switch requires ONLY 802.1Q VLAN to be completed)
Yes, the switch is only carrying the VLAN, not creating it.
ive tried to learn this for some time now. and finally now i get it! :)
I know the feeling :), it’s not very intuitive the way they have it set up
For my two access points, they both have 'staff' SSID, and 'guest' SSID.
I have enabled VLANs for both 'staff' and 'guest' , where 'staff' VLAN = 1, 'guest' VLAN = 20.
Therefore, for the ports of the access points on the switch, I have enabled 'tagged' for both VLAN = 1 and 20.
This seems to work but its not the way you did it?
Also, if I make the switch port which my router is connected to, 'tagged' VLAN = 1, then i lose all connection and internet on my laptop
I will try to clarify what you are saying. You have created two VLANs in your router with VLAN ID of 1 and 20. On these two VLANs you have assigned a IP range that will be served to your staff SSID and guest SSID. The line from your router to your switch port, you have tagged VLAN 1 and 20, then you also tagged the ports that are going to your AP with the VLAN you desired. So, the tagged VLAN which is created in your router will go all the way to your AP where you configure your AP with the desired VLAN. This will work, except you can not use VLAN 1, that is the default untagged traffic. I mean by that , VLAN ID 1, not what you name the VLAN. I used a tagged and untagged line just to show the different scenarios, that is why mine is different.
If you used VLAN ID 1, change that and it should work. So you could do VLAN 20 and VLAN 30, then tag it all the way through to your AP, that is it, Hope that helps, if I have understood your situation correctly.
When you say vlan on router does that mean i need to be able to configure it there too? i use an all in one router with no capability of vlans.
Yes, the router is where you can take full advantage of vlans, that’s where they are created and manipulated. What are you going to do with the vlans?
4:14 What if my router doesn't support VLAN? Can I connect this switch to my non-VLAN router and then all my equipments to the switch? Will I be able to use only the VLAN on the switch? Thanks!
The router is really the brains of the operation when it comes to Vlans, usually the switch is just a carrier of the Vlan. How do you plan to use the Vlan?
@@klarotech8885 I was planning on buying this switch since it's much cheaper than a router, and for routers the VLAN capabilities are not advertised often. Just to learn about VLAN and eventually to have separate VLANs in my mini Proxmox server. Thanks for the reply, maybe the port based VLAN if this router might help me, I read somewhere that it's used when routers don't have VLAN, but not sure... Thanks!
At 6:00, what is VLAN 10 on router? and what kind of tp-link router?
I was using Untangle. VLAN 10 was the VLAN I created in the router, in my case I was using Untangle.
Many thanks for the clear and concise presentation. One point of confusion for me is that in TP-link's user manual for another switch model: TL-SG1016PE, it shows a configuration use example where both the untagged and tagged ports are assigned PVID settings. I couldn't link it here, but it is on page 38 of the TP-Link TL-SG1016PE manual. I don't know if this is a mistake on their part or if I misunderstood the config example. Are there any situations where a tagged port would also have a PVID setting?
Some switches support ports for both tagged and untagged packets. If a packet comes without vlan tag, the pvid is applied. If packet comes in with vlan tag, it is allowed to continue. I cant say for sure if that is what is going on with this model, but I have seen other tp-link switches with different configuration methods, so I wouldn't be surprised. It is kind of confusing. There should be more of a standard. Here is a link that discusses the PVID. community.spiceworks.com/topic/994968-understanding-pvid
Hello, you helped me understand. I have a question, how would it be if I need the data to go to a port on my local network (not the data from the vlan) I understood that. tagged all data goes through (local network + vlan) untagged (only vlan) and if I want a port to receive a local IP. Is it possible in this same switch model?
Your trunk line from your router will be carrying you default IP range and your vlan, the ports you do not configure for either tagged or untagged will carry your default IP range from router. Just make sure you tag the port coming from your router with the vlan, then you have the option for the rest of the ports to either 1) tagged 2) untagged 3) or default.
@@klarotech8885 Thank you very much. Greetings from Argentina. You cleared my mind.
So in order to use vlan .. Two managed switches are required ?
More or less. On a smaller network you might just go from router to managed switch to Access Point. VLANs have their place, I would not consider them my first option if I had a choice.
Hi, I have a question. Can I create multiple Vlans on one switch and connect it to an Access point with multi SSID?
Yes, you can create multiple VLANs in your router, sends those through a switch by tagging them, and at the end point, in your case a AP, you would assign the VLANs to multiple SSID's. The end result would be network segregation where you could have each SSID on a different IP range for manipulation. But this all starts with proper planning and configuration in your router, hope that helps.
@@klarotech8885 Thank you for your reply, appreciate it alot. I have 2 more questions. 1. When I create multiple Vlans on the switch, can I assign the same port to all the VLAns and tag them? since I will be connecting the AP on that port with an ethernet cable 2. I don't have a router that supports VLANS, that's why I got a switch to segment the network. Why do I need a router that supports VLANS if I have a switch to segment the netowrk.
yes, you can tag multiple VLANS on one port. So one cat5/6 going from a port on the switch going to the AP can have multiple VLAN's, as long as it's configured in the switch. As far as the router, that is really where VLANs are useful. Switches primarily carry the VLANS through, all the real manipulation takes place in the router. For example, if you have Untangle or Pfsense you can do all kinds of things once your network is segregated, like applying different captive portals to different SSID’s and routing through the firewall, just to name a few. What are trying to do with the VLANs?
since you have VLAN 1 untagged on ports 1-8 wouldn't there be a conflict on port 3 with also having VLAN 10 untagged?
Vlan 1 is the default vlan and is a system setting. The newly assigned vlan overrides the default vlan. If the assigned vlan is deleted, the default vlan is valid again.
Thank you for the video. Would it have been possible to make the modifications on the main switch and avoid having a secondary switch?
Yes, the second switch was used to provide more examples. You could go from router, to switch, to end-point devices (AP, Computer etc.). Thank you for your question!
Exactly what I was looking for.
Glad to help, thank you!
Is it possible to plug unmanaged or ordinary 16 port hub to untagged port on vlan switch and then connect all the computers on that ordinary 16 port hub? Does it still control the traffic on all the computers plug on that ordinary hub? Set up is like the 16 port ordinary hub connected to the 1 port of untagged vlan port, then all computers connect to the ordinary hub.
You can connect an unmanaged or ordinary switch to the untagged port. You just can’t carry the tagged vlan through them. The untagged port becomes the same as a physical port, carrying just the IP range that you have assigned to the vlan. In your case, the 16 port ordinary switch and everything connected to it will just have to IP range assigned to the vlan. Hope that helps.
Some models of TP-Link switches and access points don't handle VLANs and multicasts properly. They allow the main LAN multicasts to leak into the VLAN. As a result, I could not run IPv6 on my guest WiFi VLAN. Later versions of the firmware may have fixed this, but I don't know for certain. I replaced the TP-Link AP with another make, which runs fine with IPv6.
Thank you for sharing this! Another reminder to keep firmware updated, then decide whether to upgrade.
@@klarotech8885 I have both a TP-Link TL--S105E switch and TL-WA901ND access point. Both have the problem and neither have an update available. Both have been superseded by newer versions. I don't know if the newer versions have the problem or not.
Also, I called TP-Link support and the person I was talking to insisted that was correct behaviour. Apparently he wasn't aware that VLANs are supposed to be logically separate. I later was speaking to someone from 2nd level support and he agreed that was a fault, but there was no software update for my AP. I replaced the AP with a Unifi AC-Lite, which works properly and I use the switch where 802.1Q VLANs are not needed, though I do use port specific VLANs with it.
Tagged for all data passthrough while untagged for VLAN only. My understanding is reverse. Thank you for the information coming from the Philippines.
yeah, it is kind of confusing, not very intuitive, glad we could help :)
Hey man, great video. thanks for the help. In my case I am still a bit confused, not by this, since I got this working with your help. My issue is that now that everything in the vlan is working I am confused as to how to access it from my main network. In this case I have all my IoT devices in vlan 107, whille the guest network is in vlan 50 and the TVs are in vlan 78. I have a NAS used as a server in the main LAN used for backups and as a plex server. I want to be able to access some of the IoT devices from my PCs, as well as being able to access the Plex server from the TVs. Could you help me out as to how to do this on a TPlink switch please? I have an asus RT-AX88U router.
What you are dealing with concerns network segregation. You have used VLANs to segregate your network. This means that each VLAN has a different subnetwork ( IP address range). For example, you might have VLAN 50 with the range of 192.168.50.1 to 192.168.50.254 and VLAN 78 with a range of 192.168.78.1 to 192.168.78.254. Your network has been segregated, and by design, the devices on one IP range cannot communicate with devices on another range (unless you configure your firewall in the router to allow cross-range communication). One way to communicate with a device in a different IP range than the PC you are using is to manually change the IP address on the PC to be in the same range as the device. This would, however, be a temporary solution for configuring purposes only. The best way would be to configure your firewall to allow different subnets to communicate with each other. I would need to know more about why you segregated your network in the first place to advise further. If you don’t configure your firewall correctly, you could defeat the purpose of the network segregation in the first place.
@Klaro Tech, Question for you: My home is pre-wired with ETH ports on the wall of my rooms and my Living room is going to have an AP power over ETH 2.5G port. My Main switch is an M2 switch doing L2/L2+ functionality and has 8 PoE ports. At my Onq panel (which has my controller/router/switch) all my ETH terminates at the 8 port poe switch. Now, if i connect my AP from the wall port then I dont have any other ports to wire my Iptv and PS4. If i want to also have them wired, can i use a dumb switch (switch 2 per your diagram) with Poe capability and has 2.5G, and use port 2 to connect to my AP and Port 3 & 4 (untagged in same VLAN) to my iptv & PS4? will my ipv4 and PS4 be part of VLAN as untagged but will still get wired connectivity?
Which device are you trying to put on a vlan ?
@@klarotech8885 my iptv and PS4
Sorry I missed your reply. The untagged VLAN can not be manipulated again. If you want your AP and IPTV and PS4 segregated you must use a Tagged VLAN. I am not totally sure I understand your network layout and what your trying to do though. Sometime its helpful to draw out what your trying to do.
Much better explanation how to create vlan.. i thought tagged port is the vlan.
glad it was helpful!
Thx for a insightful video. Not using Omada software controller as not compatible with TL-R470T+ at this time but want to secure IOT devices. Using 3 EAP235 AP's whose ports are hardwired to TVs and gaming consoles along with standard wifi access for multiple IOT devices. Can those AP wired ports have VLAN assignments( thinking yes )? Is that done via the AP interface or would using the Omada software controller be a better approach?
You can use the AP interface and the Omada controller to relay the VLAN to the end point. But you need a router to create the VLAN where you could manipulate it. Most of the time VLANs are used for network segregation by IP ranges. Once you segregate your network by IP range you can manipulate your network how you want, but all this needs to happen at your source, the router.
I am not very good at networking but I can follow directions very well. I have tplink Archer_A9 acting as a WiFi router and a couple of ASUS old routers acting as AP and repeater. I also have this switch that’s in the video and would like to put my ioT devices in a vlan network. Can I do it with these devices in mind? If so would you be willing to make a video showing how to do it using the switch you showed in the video?
The switch carries the vlan to its destination, but you need a router that can create the vlan and segregate your network how you want it. The Archer A9 does not have those capabilities. You need to move from a home router to a business or enterprise router. You have a few different options 1) Buy a business class router 2) Flash a router with dd-wrt 3) get a small factor computer (or even an old desktop with 2 lans) and install pfsense or untangle. Finding a router that is the right version to flash dd-wrt can sometimes be a hassle. If you take the dd-wrt route, your best bet is probably to look on ebay for a Linksys router that you can flash dd-wrt , just make sure you check the dd-wrt database for a router that you can flash, the version has to be the same also. I think I will try to make a video on how to setup a network using vlans with option 3. The other older routers you mentioned most likely don’t have vlan capabilities. You would have to find access point that have vlan capabilities, or ones you can flash with dd-wrt. I would recommend option 3 at the end of the day. Pfsense or Untangle with give you lots of options for setting up your network how you want.
@@klarotech8885 thank you so much for the detailed reply. I would love an option 3 video
Thanks for the video, very useful. I have found a lot of unmanaged switches do allow tagged data through, all TP-Link switches have 802.1Q pass through. If I set PVID to 5 on all ports, can I assume the default VLAN 1 for untagged ports is overridden? I dont want anyone who plugs in to the switch to automatically be allowed onto the Management Lan. If I did that I assume the switch itself would have a tag of 5 when it communicates to the next switch?
Yes, you are correct, changing the PVID with override the default of 1. If you did that for all ports then there would be no default ports. As far as the 5 tag going to the next switch, it will not because it is untagged. Think of the untagged port acting exactly like a physical port. The untagged port will receive the 5 tag and push out that IP range assigned in the router, but it will not continue, you would need a tagged port for that. It is like the untagged port acts virtually on the input (for the lack of better way to describe it, switches don’t really have inputs or outputs per se), but physically on the output.
Another reminder, network segregation has to happen in the router correctly, in the firewall. Make sure to test by pinging the networks you wish to segregate.
@@klarotech8885 thanks for the reply! So if I have two managed switches and switch one connects to switch two, and everything has pvid 5, does switch one get tagged with 5 or does the switch never send the info it just passes it on? I assumed since it has an ip address the switch itself would be given a tag?
Once you make a port untagged, the tag is stripped away. The untagged port then pushes from your DHCP server the IP range assigned to that VLAN. Once untagged you can no longer use the VLAN 5 tag, only the IP range is pushed out. I provided a diagram that might help also.
drive.google.com/file/d/1NNFdiySe3VvhCIRgLeYPJVwD9spsiHXg/view?usp=drive_link
How do you setup the switch, so that one can access the switch over a TRUNK PORT, like all my other switches. For example I have the TPLINK behind another switch. On the trunk port from this other switch, goes into PORT on the TPLINK and carries vlans 10 and 50. We assigned an IP address on the vlan10 subnet (trusted). Ports 1-4 are going to dumb devices on vlan50.
Ports 5-7 are going to dumb devices on vlan10.
My setup. PVID: ports 1-4 =50, ports 5-7 =10 port 8 = 1 ( no change, default of 1 kept).
My setup. Membership vlan 50, Ports 1-4 Untagged / port 8 tagged ............ vlan10, ports 5-7 tagged / 8 tagged
My setup. Membership vlan1, port - untagged.
Thus port 8 is a classic trunk port with two vlans coming in and 7 ports are access ports 1-4 members of vlan50 and 5-7 members of vlan 10
From another computer attached to the main router on vlan10, I cannot reach or ping the TPlink switch, with IP address on the same vlan.
I can confirm that traffic to the switch prior to the TPLINK gets all the vlans correctly from the MAIN router.
Baffled!!
Just to compare, I have four vlans going to Main Switch from Router (trunk port to trunk port all tagged vlans). From the main switch two vlans go from main switch to tplink on a trunk port 2 tagged vlans on both sides.
Please explain on the MAIN switch how you reach the Main switch, From a PC connected to the router on vlan10??
Same with second switch, how do you access the switch to configure it, if the pc connected to your router is on vlan10??
Note. When you assign a PVID to an access port going to a dumb device, you should be untagging vlanid=1 from that port as well.
What IP range are the switches in? The easiest would be to set the switch to dynamic and set the IP address in the DHCP server on the router in the default IP range of the router. Then, any PC on your network set within the default router IP range should be able to hit the switch. I usually start from the source and work my way out. Hook the switch to the router, if your are able to hit the switch move it out to the switch and so on. Sometimes all that does not work and you have to reset the switch and start over.
@@klarotech8885 All good, the chap I was helping out via TeamV, had his cables mixed up in the attic and thus the reason I could not get it to work. Once done, it was trunk from one switch to the TP LINK carrying all the vlans and setup properly on TP Link. As expected the only untagged ports for vlan1, were the trunk ports, and NOT a member of any access ports either.
I think we all get our wires crossed from time to time :) , glad it’s working now!
Tagged, what's it tagged with ?
It is tagged with the vlan. It’s like tagging the data with little stickers identifying it as belonging to the vlan you are assigning it as. With these tags (stickers) data can be segregated. With untagged, no tags are given and all data is seen as the vlan assigned.
Всё чётко и понятно. очень помог. Спасибо!!!
your welcome!
I segragatex the IoT, due to their inheent security risks. The tvs was done because my cable provider gives me android boxes with who know what software is in it, so that is the reason.
The only issue I am having is when I try to access plex thru my tvs locally, I am getting sent to the internet and back and with only a 100 mb service I get choppy video all the time.
Is the switch a 10/100/1000 switch ? Not sure why you would have lag.
I have an asus gt-ax11000 router with 2 ax aimesh node. The main router has a 2.5 GbE ethernet port with a QNAP 2.5 GbE managed switch connected to it, and another 2 1 GbE cables from the router are LAGged into a 2 GbE connection to my TP-Link Jetstream 48 port Gigabit Smart PoE+ switch.
VLANs are assigned in the router. The tp-link jetstream has all the tag/untags in it. Ignore the 2.5 GbE switch, since it has no bearing in this problem.
So the tvs are not reaching the plex server at all? Can you ping the plex server ? 100 mbps should play anything you have without any problems as far as the internet goes.
thanks!
Welcome!
Thanks
Your welcome, glad to help!
VLANs can go through dumb switches. I've done it. A dumb switch doesn't have the intelligence to filter out VLANs, so it will pass the tagged frames, but will not affect them.
Some will, some will not , it usually says on it , in my experience, thank you for pointing this out! Sometimes it will “work” , but you might have intermittent problems. Another good reminder to always do your own research on your specific hardware.
This is really annoying. Never have i seen having to pvid a port and not just select it as untagged on 802.1q.
I've wasted in total probably 12h on issues caused by this as they are located in different buildings.
Yeah, it’s not a intuitive design, other than that the switch works good, especially for the price.
7:32 incoming and outgoing. This is not god terminology to use when teaching this because things can come in and out of every port.
I think your right , I should rephrase it, thank you.
Your video title is in SPANISH? Really? Please dont doit... I need content in my lenguaje, not english.
not sure what you mean
I lose internet connection when I do the PVID for lets say port 1 and port 5 untagged.
why?
trying to setup cameras and router , separate the traffic but i have a testing systems PC
on port 1 and 5 and when i PVID , port 5 loses internet , 1 still has
I would first check if a device on port 5 is getting the right IP address. The VLAN is created by the router and the VLAN is assigned IP range. The line coming from the router to the switch port needs tagged. Then port that is untagged on the switch needs to have PVID setup. Start with the source and test at each step, for sure you will not have internet if you do not have right IP range, so that is the first thing to check.
@@klarotech8885 ohhh
Do I set my switch to DHCP or set a ip and subnet mask
DHCP is set in the router. The router is where your network segregation takes place. The switch just manages the traffic. What router are you using?
@@klarotech8885 Netgear ax3000