Vlan – Adding VLANs to existing infrastructure


At the moment my company has two gigabit switches (Zyxel Dimension GS1116) and one 24-port 100M Linksys switch. None of them is managed. In the server room there are 2 switches: one gigabit switch and the Linksys. The second gigabit switch is located on the building's 4th floor. There are also a few basic 8-port Edimax switches (2 or 3) somewhere.
Now we have bought an HP V1910-48G, which is a 48-port gigabit switch. I will remove the two switches in the server room and put the HP there. The new switch is being installed because we need to separate the public WiFi from the company's network, and also move the cash registers into a separate network.
I created two VLANs: VLAN ID 2 is the company network and VLAN ID 3 is for guest wireless access.
VLANs 2 and 3 have been assigned the port range 1 to 32. Both VLANs' port membership is tagged.
And the question is: if I connect all the cables to the new switch, will everything work? Or could I get into trouble?
Of course I will replace the switches after working hours and test connectivity. I am asking because I want to know whether I need to make some changes to the router too. And can basic switches handle VLANs? Or don't they care?
Firewall: the firewall is a basic computer running iptables (Shorewall). I know that I must reconfigure the firewall to forward the guest WiFi packets to the gateway interface only.

VLAN ID 1 (default) I leave unchanged (all ports are assigned as untagged).

I imagined a second scenario: the company network uses untagged ports and only the public WiFi traffic is tagged?

The public WiFi is planned to be tagged via a separate SSID.

Best Answer

If you assign switch ports to specific VLANs, the switch treats them as if they were all in their own little Ethernet network, and the end stations are usually unaware that they're connected to a VLAN-based switch.

If a switch port is tagged, that means that all of the frames that aren't in the default VLAN (usually 1, which you're right to leave alone) have a 4-byte 802.1q header attached that says what VLAN they go with (as well as basic QoS information). A device attached to a tagged port needs to be aware of the VLAN setup if it's going to properly process such packets, but these are typically other switches (either traditional switches or software switches inside a VM hypervisor).

You should usually force end-user ports to untagged to ensure that someone can't insert a custom VLAN tag and get access to a different VLAN (known as VLAN hopping). On your switch, all of the ports should be untagged unless the WiFi APs are capable of talking on multiple VLANs so that they can have a management address on a different VLAN from the one they're sending client traffic over, or so that single APs can connect multiple SSIDs to different VLANs.

Whether a "basic" switch "handles" VLANs depends on what each term means. Most unmanaged switches will simply pass 802.1q-tagged frames along as-is, with no attempt to direct them anywhere in particular, so plugging an unmanaged switch into an untagged port is simply the same as not using VLANs at all, while plugging one into a tagged port is like having a shared tagged segment among the different equipment that knows about the VLANs.
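The answer's rules (untagged frames belong to the port's default VLAN, tagged frames carry a 4-byte 802.1Q header with the VID and PCP, and a tagged frame on an end-user port must not be able to hop into another VLAN) can be checked in a few lines. The following Python is an added example written for this page; it is not code from the question, the answer, or the HP switch. It assumes a simplified port model: each port has one untagged PVID plus a set of VLANs it carries tagged, and any tagged frame whose VID the port is not a tagged member of is dropped. The port names, MAC addresses and the AP/firewall trunk layout are constructed; only VLAN 2 (company) and VLAN 3 (guest) come from the question.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame. With vlan set, the 4-byte 802.1Q tag (TPID + TCI) is
    inserted between the source MAC and the original EtherType."""
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        tci = (pcp << 13) | vlan  # bits 15-13 PCP, bit 12 DEI (left 0), bits 11-0 VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into its fields; vlan and pcp are None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}


class Port:
    """pvid: VLAN that untagged frames belong to (and is sent untagged on egress);
    tagged: VLANs this port carries with an 802.1Q tag (empty for an end-user port)."""
    def __init__(self, name, pvid, tagged=()):
        self.name, self.pvid, self.tagged = name, pvid, frozenset(tagged)


def ingress_vlan(port, frame):
    """Classify an arriving frame, or return None if the port must drop it.
    A tagged frame is accepted only for a VID the port carries tagged, so a
    crafted tag on an untagged end-user port (VLAN hopping) goes nowhere."""
    vid = parse_frame(frame)["vlan"]
    if vid is None:
        return port.pvid
    return vid if vid in port.tagged else None


def egress_frame(port, vlan, frame):
    """Re-encode a frame for one port: untagged on the PVID, tagged for tagged
    members, None if the port is not in that VLAN at all."""
    f = parse_frame(frame)
    if vlan == port.pvid:
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
    if vlan in port.tagged:
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                           vlan=vlan, pcp=f["pcp"] or 0)
    return None


def forward(ports, in_port, frame):
    """Flood a frame from in_port to every other port in its VLAN; returns
    {port name: bytes put on the wire}. Flooding keeps the model small; a real
    switch would also learn source MACs per VLAN."""
    vlan = ingress_vlan(in_port, frame)
    out = {}
    if vlan is None:
        return out
    for port in ports:
        if port is in_port:
            continue
        encoded = egress_frame(port, vlan, frame)
        if encoded is not None:
            out[port.name] = encoded
    return out


# Constructed topology using the question's VLAN numbers: 2 = company, 3 = guest WiFi.
DESK = Port("desk", pvid=2)                         # end-user port, untagged only
AP = Port("ap_trunk", pvid=1, tagged={2, 3})        # AP with one SSID per VLAN
FIREWALL = Port("firewall", pvid=1, tagged={2, 3})  # Linux router seeing both VLANs tagged
PORTS = [DESK, AP, FIREWALL]

PC = mac("02:00:00:00:00:01")      # constructed MACs
GUEST = mac("02:00:00:00:00:02")
BCAST = mac("ff:ff:ff:ff:ff:ff")


def demo():
    """Three cases: normal company traffic, guest traffic from the AP, and a
    desk PC trying to tag itself into the guest VLAN."""
    company = forward(PORTS, DESK, build_frame(BCAST, PC, 0x0806, b"arp"))
    guest = forward(PORTS, AP, build_frame(BCAST, GUEST, 0x0806, b"arp", vlan=3, pcp=5))
    hop = forward(PORTS, DESK, build_frame(BCAST, PC, 0x0806, b"arp", vlan=3))
    return {
        "company": {n: parse_frame(b)["vlan"] for n, b in company.items()},
        "guest": {n: parse_frame(b)["vlan"] for n, b in guest.items()},
        "hop": sorted(hop),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the company broadcast leaving the two trunk ports tagged with VID 2, the guest broadcast reaching only the firewall (tagged VID 3, PCP preserved) and never the desk port, and the desk PC's self-tagged VID 3 frame being dropped on ingress. Real switches differ in how they treat a tagged frame whose VID equals the port's own PVID; this model drops it, which is the safe default the answer argues for on end-user ports.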
