Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)
-
Hi guys, I'm an idiot trying to wrap my head around VLANs, specifically with one particular configuration I have set up. First thing, this has been set up for a while now and it's working fine, as I had help from Dell support. I'm just not 100% clear on how this works.
Overview: I set up two VLANs, one for corporate wifi and the other for guest. Two SonicPoints (wifi access points) connect directly to specifically configured ports on the switch, then a third port connects to X3 on the SonicWall. I then can further apply rules to each wifi zone from the SonicWall.
SonicWall firewall (which has these zones of interest):
LAN: X1
WLAN: X3
WLAN-Guest: X3:V200
PowerConnect N3048P:
VLAN 0: Default data VLAN (not tagged)
VLAN 2: Corp wifi
VLAN 200: Guest wifi
Here are the port configurations on the switch. The first two connect to SonicPoint access point units, and the third connects to X3 of the SonicWall:
interface Gi5/0/25
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2
switchport general allowed vlan add 200 tagged
exit
!
interface Gi5/0/27
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2
switchport general allowed vlan add 200 tagged
exit
!
interface Gi5/0/29
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2
switchport general allowed vlan add 200 tagged
exit
My confusion:
- In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
- I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
- I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
- I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
- Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
-
@dave247 said in [Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)](/post/366783):
My confusion:
- In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
Not sure
- I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
VLANs aren't always tagged. The port that traffic is on can dictate what VLAN that traffic is on, just the same as the default VLAN.
- I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
In your case, you don't have two different pieces of traffic untagged. Untagged traffic from the connected device on those ports is tagged by the switch with VLAN 2 tags via the switchport general pvid 2 command.
- I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
Correct. VLAN 2 is handled purely inside the switch.
- Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
Correct. The switch is adding tags to VLAN 2 packets.
-
@dashrender said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):
@dave247 said in [Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)](/post/366783):
My confusion:
- In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
Not sure
- I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
VLANs aren't always tagged. The port that traffic is on can dictate what VLAN that traffic is on, just the same as the default VLAN.
- I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
In your case, you don't have two different pieces of traffic untagged. Untagged traffic from the connected device on those ports is tagged by the switch with VLAN 2 tags via the switchport general pvid 2 command.
- I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
Correct. VLAN 2 is handled purely inside the switch.
- Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
Correct. The switch is adding tags to VLAN 2 packets.
So it's kinda like a VLAN within a VLAN, or a sub-VLAN?.. ugh idk why this is so hard to comprehend for me
-
@dave247 said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):
@dashrender said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):
@dave247 said in [Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)](/post/366783):
My confusion:
- In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
Not sure
- I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
VLANs aren't always tagged. The port that traffic is on can dictate what VLAN that traffic is on, just the same as the default VLAN.
- I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
In your case, you don't have two different pieces of traffic untagged. Untagged traffic from the connected device on those ports is tagged by the switch with VLAN 2 tags via the switchport general pvid 2 command.
- I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
Correct. VLAN 2 is handled purely inside the switch.
- Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
Correct. The switch is adding tags to VLAN 2 packets.
So it's kinda like a VLAN within a VLAN, or a sub-VLAN?.. ugh idk why this is so hard to comprehend for me
No, there's no sub anything here.
The VLANing simply takes place 100% inside the switch instead of going all the way out to the end points.
-
@dave247 said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):
In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
1- Because VLAN 2 is set up as the default for that PORT and PVID is set to 2, so any device connected to that port will use VLAN 2. VLAN 200 is just tagged.
2- VLANs are not always tagged. That is what the PVID is for if you want a different VLAN as the default for a port untagged.
3- Nope, both VLANs are tagged on the Sonicwall; the switch is deciding to have VLAN 2 as the default on the switch port.
4- Nope, refer to above (3).
-
Would VLAN 2 fail if switchport general allowed vlan add 2 wasn't there? I.e. non-tagged traffic would simply fail?
-
@dashrender said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):
Would VLAN 2 fail if switchport general allowed vlan add 2 wasn't there? I.e. non-tagged traffic would simply fail?
No, it will just be VLAN 2 sending untagged on that port.
http://www.dell.com/support/article/us/en/19/how10261/how-to-use-general-switchport-mode-on-dell-networking-powerconnect-switches?lang=en
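To make the PVID / tagged / untagged behaviour discussed in this thread concrete, here is an added example (not from the thread or from Dell) that parses one of the port stanzas quoted in the question and models how a standard 802.1Q "general" mode port treats frames on ingress and egress. The `GeneralPort`, `parse_port`, `ingress` and `egress` names are hypothetical; the modelled rule is the generic one: untagged frames entering a port are assigned the PVID, tagged frames are accepted only for member VLANs, and on the way out a frame is tagged only if the VLAN is in the tagged set.

```python
# Added example, not the switch's own code: a toy model of an 802.1Q
# general-mode port built from the port config quoted in the thread.
from dataclasses import dataclass, field

# Constructed copy of one of the port stanzas shown in the question.
PORT_CONFIG = """
interface Gi5/0/25
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2
switchport general allowed vlan add 200 tagged
exit
"""

@dataclass
class GeneralPort:
    name: str = ""
    pvid: int = 1                                # assumed default if unset
    untagged: set = field(default_factory=set)   # member VLANs sent without a tag
    tagged: set = field(default_factory=set)     # member VLANs sent with a tag

def parse_port(config: str) -> GeneralPort:
    """Parse only the four command forms that appear in the quoted config."""
    port = GeneralPort()
    for line in config.strip().splitlines():
        words = line.split()
        if words[0] == "interface":
            port.name = words[1]
        elif words[:3] == ["switchport", "general", "pvid"]:
            port.pvid = int(words[3])
        elif words[:5] == ["switchport", "general", "allowed", "vlan", "add"]:
            vid = int(words[5])
            (port.tagged if "tagged" in words[6:] else port.untagged).add(vid)
    return port

def ingress(port: GeneralPort, tag):
    """Frame arrives on the port. tag=None means it carried no 802.1Q tag.
    Returns the VLAN the switch assigns it to, or None if it is dropped."""
    if tag is None:
        return port.pvid                           # untagged -> PVID (VLAN 2 here)
    return tag if tag in port.untagged | port.tagged else None

def egress(port: GeneralPort, vlan: int) -> str:
    """Frame leaves the port on `vlan`: 'tagged', 'untagged', or 'drop'
    if the port is not a member of that VLAN at all."""
    if vlan in port.tagged:
        return "tagged"                            # VLAN 200 leaves with a tag
    if vlan in port.untagged:
        return "untagged"                          # VLAN 2 leaves with no tag
    return "drop"
```

Run against the quoted stanza, an untagged frame from the SonicPoint lands in VLAN 2 and leaves the port untagged, while a VLAN 200 frame is carried with its tag in both directions, which is exactly why only 200 is visible as a tagged VLAN on the SonicWall side.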