
My scenario: I have many endpoints currently connected to an unmanaged switch. I want to add a Layer 3 switch and segment the network into VLANs, but I'd like to avoid the manual work of tracing which endpoint connects to which port. Is there a way to do this without rewiring everything?

Example: ADMIN VLAN10 SVI:192.168.10.1

GUEST VLAN20 SVI:192.168.20.1

GOAL is that I'll be able to ping the other VLAN, from VLAN 10 to VLAN 20 in this example, if it's doable.

What I've figured out so far: I've been digging into this for days now, and from what I can tell, this just isn't gonna work unless I either:

  • Swap out the L2 switch for a managed one that can actually handle VLANs, OR
  • Run multiple cables from the L3 switch to the unmanaged switch - basically one cable per VLAN

I'm pretty new to networking and definitely not an expert here. I just need someone to confirm I'm not crazy and that I'm understanding this right, so I don't stay stuck trying to make something impossible happen. Am I on the right track?


I did some more testing and figured out a way to get inter-VLAN routing working even with an L2 unmanaged switch. I don't know if this is the best but it works.

I also tested it on the actual hardware and in Packet Tracer, which worked.

Any thoughts on this are much appreciated.

Packet Tracer: [image]

2 Answers


Can I perform inter-VLAN routing on a Layer 3 switch using a single trunk cable ...

Yes.

... connected to an unmanaged Layer 2 switch?

No. An unmanaged switch doesn't know about VLANs. Port-based VLANs are impossible and tagged VLANs are not limited by membership - any device connected to the switch can join and leave tagged VLANs as it pleases.

Practically, running tagged VLANs across an unmanaged switch does work most often, but there is no security added by doing so, and each end node needs to use tagging as desired. Also, there is only a single broadcast domain.

I'd like to avoid the manual work of tracing which endpoint connects to which port.

On a managed switch, just check the MAC/VLAN table. On an unmanaged switch, each end node controls its VLAN connectivity itself. I fail to see the point for VLANs in that setup.

Is there a way to do this without rewiring everything?

Use a managed switch and set up VLANs on it. There's no need to rewire anything.

Run multiple cables from the L3 switch to the unmanaged switch - basically one cable per VLAN

That won't work since the unmanaged switch just bridges all VLANs together.

The only alternative to a managed switch is using one unmanaged switch per VLAN and uplink each to an access port (a single untagged VLAN) on the L3 switch.

To your added diagram: of course that setup works in that both IP subnets can talk to each other. The point is that the VLANs are entirely useless since you bridge them together on the unmanaged switch. You'd get the exact same result with a single VLAN and binding of both IP addresses to that on the L3 switch. The problem is that any end node can change its IP address to the other subnet and simply use that. Or use both at the same time, bypassing the L3 switch and any ACLs you might have set up there. Any security added by VLAN separation is just an illusion.

In a nutshell: you need a managed access switch for VLANs to make sense here, or alternatively two unmanaged switches, one for each VLAN.

  • And the frames will be too large - by 4 bytes. Commented Nov 19 at 19:00
  • @Ricky many unmanaged switches don't care and are happy with a slightly oversized frame. Commented Nov 19 at 19:04
  • I added my discoveries on what I should do; what are your thoughts on this? Commented Nov 21 at 12:00
  • If the unmanaged switch doesn't drop the VLAN tags from the frames it forwards, the VLANs would still be separate as far as the devices actually supporting VLAN tags see them, so it wouldn't exactly be the same as just using one VLAN. The devices would still get garbage traffic from VLANs they're not interested in, but that's not usually very visible if they filter based on VLAN tags on ingress. And of course the switch itself wouldn't help in filtering of which VLAN tags are allowed on which ports, so any device connected to it could choose to send whatever tags it desires. Commented Nov 21 at 14:56
  • @ilkkachu It very much depends on why you'd want VLAN separation. Security segregation/zoning? Split broadcast domain? Address-based access control? None of the above works with an unmanaged switch. Commented Nov 21 at 15:08

I suppose it's plausible that an unmanaged switch would forward frames based on just the MAC addresses, without regard for the VLAN tags any more than switches usually care about Ethertypes.

That is, a broadcast frame tagged for VLAN A would be flooded to every port with a tag for VLAN A. Similarly for unknown unicast. Regular unicast traffic should still work normally. The switch should keep each VLAN "intact", so to say, and not mix frames from VLAN A to VLAN B, but of course it wouldn't provide any control for which VLAN goes where, and any VLAN pruning would need to be done downstream.

In effect, it should be quite similar to taking a managed VLAN-aware switch and configuring all VLANs to all ports (*). Doable, for a sort of a hub switch where all connected devices are other switches under your control, so they can do VLAN pruning, and put each end-user device in the VLAN it belongs in. Not the prettiest thing to do since the downstream switches would receive stray frames from VLANs they won't need, but at least you have one place less to configure...

(* Well except that a proper VLAN aware switch should give separate MAC tables for each VLAN, which matters in case some particular MAC address appears in different ports in different VLANs, but that should be rare.)

Then again, it's also plausible that a dumb switch would just drop VLAN-tagged frames. (Perhaps if the switch chip is actually VLAN-aware, just configured with a static single-VLAN all-untagged configuration.) But even a dumb switch would seem quite unlikely to go swapping VLAN tags for other VLAN tags. Not that you can be sure without testing, and you likely won't have any guarantees.


But, in your image, you have what seems to be workstations, with labels like "admin" and "guest", no less. Here, using an all-VLANs-open configuration (with a managed or an unmanaged switch) would be an extremely bad idea, as there wouldn't be anything to prevent the "guest" workstation from sending and receiving frames on the "admin" VLAN.

If this was a homelab where the workstations are also only used by you, you could play with this, but NE.SE is supposed to be for "professionally managed networks" so just go get proper hardware. Switches aren't that expensive, and figuring out what goes and needs to go where in the network is pretty much part of the job description anyway.
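As an added example, not from either answer or the commenters, the following Python models the two points made above: the 4-byte 802.1Q tag is written by the end host itself (so the frame grows by exactly 4 bytes, as the first comment notes, and nothing stops a host from choosing any VID), and a tag-ignorant learning bridge floods a broadcast that the "guest" host crafted with the "admin" VID to every other port, whereas a VLAN-aware switch with per-port membership drops it at ingress. The port numbers, MAC address and VLAN layout (trunk uplink on port 1, admin on VLAN 10 at port 2, guest on VLAN 20 at port 3) are constructed for the example, and the two switch classes are simplified models of the forwarding behaviour discussed, not any real device's logic.

```python
import struct

# 802.1Q tag = TPID 0x8100 + 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID): 4 bytes
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame without FCS. With vid set, a 4-byte 802.1Q tag is
    inserted after the source MAC, which is all a host's VLAN sub-interface does."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vid          # DEI bit left clear
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid (None if untagged), inner ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (etype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": etype, "payload": frame[offset:]}


class UnmanagedSwitch:
    """Learning bridge that never looks at the tag: a single MAC table, and
    broadcast or unknown-unicast frames flooded to every other port."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}                  # mac -> port

    def forward(self, in_port, frame):
        f = parse_frame(frame)
        self.table[f["src"]] = in_port
        if f["dst"] == BROADCAST or f["dst"] not in self.table:
            return sorted(self.ports - {in_port})
        out = self.table[f["dst"]]
        return [] if out == in_port else [out]


class ManagedSwitch:
    """VLAN-aware bridge: per-port membership (PVID for untagged frames plus a
    set of tagged VLANs), ingress filtering, and a MAC table keyed by VLAN."""

    def __init__(self, port_config):
        self.port_config = port_config   # port -> {"pvid": int, "tagged": set}
        self.table = {}                  # (vid, mac) -> port

    def _member(self, port, vid):
        cfg = self.port_config[port]
        return vid == cfg["pvid"] or vid in cfg["tagged"]

    def forward(self, in_port, frame):
        f = parse_frame(frame)
        vid = f["vid"] if f["vid"] is not None else self.port_config[in_port]["pvid"]
        if not self._member(in_port, vid):
            return []                    # VID not allowed on this port: dropped
        self.table[(vid, f["src"])] = in_port
        if f["dst"] == BROADCAST or (vid, f["dst"]) not in self.table:
            return sorted(p for p in self.port_config
                          if p != in_port and self._member(p, vid))
        out = self.table[(vid, f["dst"])]
        return [] if out == in_port else [out]


# Constructed topology: port 1 = uplink to the L3 switch (trunk carrying VLANs 10
# and 20), port 2 = admin workstation (VLAN 10), port 3 = guest workstation (VLAN 20).
PORT_CONFIG = {
    1: {"pvid": 1, "tagged": {10, 20}},
    2: {"pvid": 10, "tagged": set()},
    3: {"pvid": 20, "tagged": set()},
}
GUEST_MAC = mac("02:00:00:00:00:20")   # constructed, locally administered address


def guest_hop_into_admin_vlan():
    """Guest host crafts a broadcast tagged VID 10 and sends it on port 3."""
    crafted = build_frame(BROADCAST, GUEST_MAC, ETHERTYPE_IPV4, b"\x00" * 46, vid=10)
    return {"unmanaged": UnmanagedSwitch([1, 2, 3]).forward(3, crafted),
            "managed": ManagedSwitch(PORT_CONFIG).forward(3, crafted)}


def guest_normal_broadcast():
    """Same guest sends an ordinary untagged broadcast on port 3."""
    plain = build_frame(BROADCAST, GUEST_MAC, ETHERTYPE_IPV4, b"\x00" * 46)
    return {"unmanaged": UnmanagedSwitch([1, 2, 3]).forward(3, plain),
            "managed": ManagedSwitch(PORT_CONFIG).forward(3, plain)}


if __name__ == "__main__":
    print("crafted VID 10 from guest port:", guest_hop_into_admin_vlan())
    print("untagged broadcast from guest port:", guest_normal_broadcast())
```

Two things to notice when running it: the crafted frame reaches the admin port (2) and the uplink (1) through the unmanaged model, and is dropped outright by the managed one; and even the guest's ordinary untagged broadcast lands on the admin port through the unmanaged model, which is the "stray frames from VLANs they won't need" the second answer describes. The managed model keys its MAC table by (VID, MAC), the per-VLAN table the footnote refers to; the unmanaged model has one table for everything.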
