Access lost to Switch following VLAN setup changes
Hello everyone, I recently got a Netgear GS108Ev3 Managed Switch and started exploring VLANs. After some research, I managed to set it up with two VLANs on my network—VLAN 1 and VLAN 3 in my OpenWRT Router. Ports 1, 2, and 3 are untagged for VLAN 1, which handles the main LAN using the 10.230.0.x range, while port 4 is tagged for VLAN 1, 3, and 4. Since port 4 connects to the switch, I tagged it in all VLANs. VLAN 1 and 3 are active, but I also included VLAN 4 for future flexibility.
On the switch side, I configured the ports similarly: port 1 (connected to the router) is tagged in all VLANs, and I used the same VLAN IDs as on the router. This setup helps the router identify traffic from each VLAN correctly.
My question is, why can’t I access the Switch web interface anymore? OpenWRT DHCP consistently assigns the same IP to all devices, and the switch’s IP hasn’t changed even after several resets during my setup process. I’m confident it shouldn’t change, but I’m having trouble getting there. Can you help clarify this?
Management traffic is usually not labeled by default. Vendors generally restrict access to the untagged VLAN, often setting it as the only accessible VLAN, typically ID 1. It would be logical to keep management traffic isolated from data traffic. Some providers let you tag specific traffic on ports. To enable management access, you may need to apply tags so untagged management packets are properly labeled before exiting the switch. A dedicated port for management is recommended and can remain untagged for better security.
I repeated the process, swapped VLANs 1 and 3 to 10 and 11, removed VLAN 4 since it wasn't needed, and then reset the switch. I kept VLAN 1 as the default with all ports untagged and set up VLANs 10 and 11. Everything functioned properly, but I still couldn’t connect to the switch after configuration. The only access method was through the LAN2 port of the router, which is now part of VLAN 10 and untagged.
Management traffic usually doesn't have tags on the native VLAN. You can assign it to a particular VLAN and enable that VLAN on the ports you need access for management. You'll need to verify if this is feasible by checking the documentation at the provided link.
Use port 1 for management. Tag port 2 to VLAN 10. Tag port 3 to VLAN 11. Keep port 2 for both VLAN 10 and 11. Note that access to management is restricted on port 2 (or 3 if set). For more details, refer to the NetScaler guide or the Citrix support article.
It depends on how your access control lists are set up. Many devices come with a basic ACL that only lets traffic through from specific networks, and without inter-VLAN routing or DHCP scopes per subnet, things can get tricky. You'd likely need to configure each VLAN individually with proper gateways, usually a static address like .1, to connect to the internet and reach the correct subnet gateways.
In the router, I set LAN 4 untagged in VLAN 10 and kept the same port tagged in VLAN 11. On the switch, I cleared all ports from VLAN 1 that couldn’t be removed, and since both VLANs had Port 1 tagged (connected to the switch), I marked it untagged in VLAN 10. This seems to match your approach.
It's possible to achieve this by configuring the router and switch to use a shared interface. You can direct packets lacking a VLAN ID header into VLAN 10, while assigning VLAN 11 to other traffic. This approach is often called 'native VLAN' on a trunk, allowing untagged data to pass through without modification.
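The native-VLAN arrangement described in the last two posts, as an added example that is not part of the thread: a simplified 802.1Q model of the router-to-switch link that reports which VLAN a frame ends up in on the far side. The port names, the PVID values and the mismatched variant are assumptions constructed for illustration, not settings read from the poster's devices.

```python
# Added example: simplified 802.1Q model of one link between two VLAN-aware ports.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent without a tag
    tagged: set = field(default_factory=set)    # VLANs sent with an 802.1Q tag

    def egress(self, vlan):
        """Return what goes on the wire: None (untagged), a VLAN ID, or 'drop'."""
        if vlan in self.untagged:
            return None
        if vlan in self.tagged:
            return vlan
        return "drop"                           # port is not a member of this VLAN

    def ingress(self, wire):
        """Return the VLAN the receiver classifies the frame into, or 'drop'."""
        if wire == "drop":
            return "drop"
        vlan = self.pvid if wire is None else wire
        return vlan if vlan in (self.untagged | self.tagged) else "drop"

def cross_link(sender, receiver, vlan):
    """Follow one frame of `vlan` from sender to receiver."""
    return receiver.ingress(sender.egress(vlan))

def audit(a, b, vlans):
    """Map each VLAN to (result a->b, result b->a); both should equal the VLAN."""
    return {v: (cross_link(a, b, v), cross_link(b, a, v)) for v in vlans}

# Constructed configs (assumed PVIDs): VLAN 10 untagged, VLAN 11 tagged on both ends.
router_lan4 = Port(pvid=10, untagged={10}, tagged={11})
switch_p1_native = Port(pvid=10, untagged={10}, tagged={11})
# Constructed mismatch: switch uplink tags VLAN 10 and its PVID is still 1.
switch_p1_mismatch = Port(pvid=1, untagged={1}, tagged={10, 11})

if __name__ == "__main__":
    print("matched :", audit(router_lan4, switch_p1_native, [10, 11]))
    print("mismatch:", audit(router_lan4, switch_p1_mismatch, [10, 11]))
```

In the mismatched case the router's untagged VLAN 10 frames are classified into VLAN 1 on the switch while the return path still works, so the link is one-way for that VLAN and anything reachable only over it, such as a management interface, stops responding.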