
Wednesday, 24 August 2011

My first 802.1Q VLAN

The other day I had to create my first 802.1Q VLAN. Why? To stop 2 customers potentially seeing each other's networks!! At our radio mast site we have a Draytek Vigor 3300 router which our customers connect to via IPsec VPNs. We have a VPN tunnel that we use ourselves to link our Nottingham radio trunk with our Mansfield radio trunk, and we share the local IP subnet (192.168.1.x) with one customer, which is fine.

However we don't want our next customer to also be on that subnet. This is where the VLAN comes into play! On the Draytek 3300, go to Advanced and then LAN VLAN setting. Select 802.1Q VLAN as in the picture below:

Make sure that all ports are ticked as active (you could lock yourself out otherwise!!!) and make sure all frames are 'untagged'. Equally important is to make sure 'enable management port for P4' is still ticked, or again you could lock yourself out (not good if you already have customers' VPNs set up on there!!!).

You will then have to reboot the router as you've re-configured the LAN subnet for the router.
When the router has rebooted, click on Network and then LAN and you will now be presented with the following window:


You can now assign each of the 4 LAN ports their own unique subnet, therefore keeping them separate from the other ports!



You may need to adjust any existing VPN settings to include the new subnet created on the other LAN ports.



I've whipped up a couple of Visio diagrams as a before and after which I hope better illustrates what I wanted to and have achieved.

Before:

After:

If at all possible it's worth forward planning the subnets of the other LAN ports. As I said earlier, making a change to the local LAN address requires a reboot of the router (the more customers you have on it, the less desirable this is!!!).
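One way to do that forward planning on paper before touching the router, as an added example that is not part of the original post: the script checks that the four port subnets do not overlap, that every VPN's local network sits inside a port subnet, and that no tunnel shares a subnet unless explicitly allowed. Only 192.168.1.x comes from the post; the other subnets, the /24 masks, the tunnel names and the `MAY_SHARE` set are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed plan: only 192.168.1.x appears in the post; the other subnets,
# the /24 masks and the tunnel names are assumptions for illustration.
PORT_SUBNETS = {"P1": "192.168.1.0/24", "P2": "192.168.2.0/24",
                "P3": "192.168.3.0/24", "P4": "192.168.4.0/24"}
# Local network each VPN profile exposes to the far end (constructed).
VPN_LOCAL = {"own-trunk-link": "192.168.1.0/24",
             "customer-a": "192.168.1.0/24",
             "customer-b": "192.168.2.0/24"}
# Tunnels that are allowed to share a port subnet (the post's shared 192.168.1.x).
MAY_SHARE = {"own-trunk-link", "customer-a"}


def tunnels_by_port(ports, vpn_local):
    """Map each port to the tunnels whose local network lies inside its subnet."""
    nets = {p: ipaddress.ip_network(s) for p, s in ports.items()}
    placed = {p: [] for p in nets}
    for name, local in vpn_local.items():
        local_net = ipaddress.ip_network(local)
        for port, net in nets.items():
            if local_net.subnet_of(net):
                placed[port].append(name)
    return placed


def check_plan(ports, vpn_local, may_share):
    """Return a list of problems; an empty list means the plan keeps tunnels apart."""
    problems = []
    nets = {p: ipaddress.ip_network(s) for p, s in ports.items()}
    for (pa, na), (pb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{pa} {na} overlaps {pb} {nb}")
    placed = tunnels_by_port(ports, vpn_local)
    for name in vpn_local:
        if not any(name in names for names in placed.values()):
            problems.append(f"{name}: local network matches no port subnet")
    for port, names in placed.items():
        unexpected = [n for n in names if n not in may_share]
        if len(names) > 1 and unexpected:
            problems.append(f"{port}: {', '.join(unexpected)} shares a subnet with other tunnels")
    return problems


if __name__ == "__main__":
    for port, names in tunnels_by_port(PORT_SUBNETS, VPN_LOCAL).items():
        print(port, PORT_SUBNETS[port], names or "-")
    print(check_plan(PORT_SUBNETS, VPN_LOCAL, MAY_SHARE) or "plan OK")
```

This only validates the addressing plan; the port and VLAN settings on the router itself still have to match it.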
