To separate guest and production networks, administrators need to segment a network and create two Layer 3 networks to achieve complete separation between them, while both networks have full access to the Internet.
As the administrator, when you create VLANs, be sure to use numbers and names that clearly identify each VLAN and its purpose. The scenario described throughout this example uses these VLAN names and network IPs:
- Existing default VLAN 1: 192.168.1.1/255.255.255.0
- Example VLAN5 as Guest: 192.168.5.1/255.255.255.0
To set up multiple VLANs, follow these high-level steps:
- Gather the required equipment.
- Set up the ProSAFE firewall.
- Set up the Smart Managed Switch.
- Assign the ports and set the port VLAN IDs.
- Test that the VLANS are online and segregated.
These high-level steps are explained in detail in the following sections.
Required Equipment
Gather the required equipment before you attempt to configure your VLANs. Ensure that the equipment is in factory default mode to prevent configuration conflicts. For more information, visit the related link at the end of this article.
- Router that supports VLANs
- Layer 2 switch that supports VLANs
- Modem with an Internet connection
- Four Ethernet patch cables
- Two computers
To set up the ProSAFE firewall:
This example uses NETGEAR router SRX5308, but you can use any router that supports VLANs. The web interface might differ slightly for different models. If you are not using a NETGEAR product, check the documentation for that device for instructions.
- Log in to your NETGEAR ProSAFE firewall as admin.
The LAN Setup screen displays the VLAN ID 1 subnet IP as: 192.168.1.1/255.255.255.0, the ProSAFE Firewall’s default IP.
- Create a new VLAN.
In the LAN Setup section, click the Add button and enter your settings.
Note: This scenario creates one VLAN but you can create more.
Example settings to create VLAN 5:
- Profile Name. Guest
- VLAN ID. 5
- Port 1. Select the check box.
- IP Address. 168.5.1
- Subnet Mask. 255.255.0
- Start IP. 168.5.20
- End IP. 168.5.100
- Enable Inter VLAN Routing. Clear the check box to disable inter VLAN routing.
Important: If inter VLAN routing is enabled, the VLAN is accessible from other existing VLANs. When you create additional VLANS, enable and disable inter VLAN routing according to the purpose of each VLAN.
- Click Apply to save.
To set up the smart managed switch:
This example uses NETGEAR model M4100-D12G, but you can use any NETGEAR switch that supports VLAN configuration. The NETGEAR web interface might differ slightly for different models. If you are not using a NETGEAR switch, check the documentation for that device for instructions.
- Connect the switch to the router and plug the computer into a spare port, such as port 6.
- Log in to your switch’s configuration utility.
- Click Discover to discover the Switch Management IP. In this example, it is 192.168.1.110.
- Enter the IP address in to your web browser.
The login page displays.
- Log in to the switch.
- Select Switching > VLAN > Basic > VLAN Configuration.
The VLAN Membership window displays.
- In the VLAN Configuration section, enter the VLAN 5 settings and click Add to save.
- VLAN ID. VLAN 5.
- VLAN Name. Guest.
- Make Static. Disable.

To assign the ports and set the port VLAN IDs:
This example assigns port 11 to the guest VLAN. Ports 1-10 and port 12 remain on the existing default VLAN 1.
- Connect router port 1 to switch port 1 with an Ethernet cable.
Port 1 on the switch is labeled as the trunk port (T) because it carries traffic for more than one VLAN.
- From the switch web interface, select Switching > VLANS > Advanced > VLAN Membership.
The VLAN Membership window displays.
- In the VLAN Membership section, assign port 11 as an untagged (U) member of VLAN 5 by clicking the grey box under port 11, as shown in this image:

- In the VLAN Membership section, confirm that default VLAN 1 now displays that ports 1-10 and port 12 are untagged (U), as shown in this image:

To test that the both VLANS are on line and segregated:
- Connect the Ethernet patch cables as described here:
- Cable 1. From switch port 6 to the PC that will manage the switch in VLAN 1.
- Cable 2. From switch port 11 to the PC in Guest VLAN 5.
- Cable 3. From the firewall (router) WAN port to your modem.
- Confirm that the computers are connected to the Internet by navigating to any website or pinging the two remote computers. If they are not connected, double-check that each step was followed correctly and that the cables are in the correct ports.
- Confirm that the VLANS are segregated by using a command prompt or terminal to send a ping packet from the computer connected to ports in default VLAN 1 to the PC connected to port 11 in the guest VLAN. From the computer on default VLAN 1 connected to port 6, ping the IP address of the PC in Guest VLAN 5 that received the 192.168.5.20 IP address from the ProSAFE firewall as shown in this image:

For more information, visit:
How do I reset a smart switch to factory default settings?
Last Updated:11/28/2016
|
Article ID: 8898