VLANs - Can I safely connect an unmanaged switch to a managed switch?

Captain Jack Sparrow

Anti-cryptominer
Joined
Jul 1, 2007
Messages
561
Reaction score
118
First of all, I'm not sure why we don't yet have a networking sub-forum. I don't know where else to post this, so I'm posting it here anyway.

I need to expand our home network as I am planning to wire more ethernet sockets, and install another Ubiquiti UAP (enterprise-grade wireless access point).
As Ubiquiti UAPs are expensive, I want to do this as quickly, cheaply and dirty as possible.

We have a managed 8 port gigabit switch. Ports 1-6 are configured for a PC only VLAN. I'll call this VLAN 1. Port 7 is configured for a hotspot VLAN. I'll call this VLAN 2. Port 8 is a tagged port which can send traffic to VLAN 2 if it's tagged, otherwise it'll send the traffic to VLAN 1. Here's a really bad diagram.

diagram1.png

Now I have a problem, as I am about to run out of ports on this managed switch. I still have an old Cisco 8 port gigabit switch, but it's unmanaged. What I am thinking of doing is to downsize VLAN 1, and use the unmanaged switch to scale up VLAN 1. I don't know if this will work, but logic tells me that I should be able to plug an unmanaged switch into a port which has been assigned to VLAN 1. In this scenario, theoretically the entire unmanaged switch should only be able to communicate with VLAN 1. This is the behavior that I'm looking for. I can then move most of the devices consuming VLAN 1 ports to the unmanaged switch, and free up ports on the managed switch.

That means that I can make VLAN 2 bigger, and assign another port to an AP, just like how port 8 has been set up. Here's another really bad diagram of what I'm trying to achieve.

diagram2.png

If I downsized VLAN 1 to ports 1-3, then I could connect the unmanaged switch to port 1, and a server to port 3. Port 2 will remain unused for now. Devices connected to the unmanaged switch should be able to reach the server on port 3, but they should not be able to reach VLAN 2. I can also add ethernet sockets to the unmanaged switch. These should remain on VLAN 1.

With VLAN 2 scaled up to ports 4-6, a pfSense box will be connected to port 4. This will be the only device on VLAN 2 so far. I may add more devices to VLAN 2, but this VLAN is primarily for tablets, smartphones and similar devices.
On ports 7 and 8, I should be able to connect these to Ubiquiti UAPs. Untagged traffic should go to VLAN 1, and tagged traffic should go to VLAN 2.

I have a couple of questions.
Firstly, is it okay to use an unmanaged switch on a VLAN? Would this even work, and if so, would the two VLANs remain isolated from each other?

Secondly, is this an acceptable practice? Remember, this is only a home network, and we're not trying to be more secure than MI6 :lol:.

I hope someone here can help me, I actually have very little idea of what I'm doing, networking isn't my area of expertise.
I've tried my best to make this situation as easy to understand as possible. Please let me know if you'd like me to clarify anything further.

- Capt. Jack Sparrow.
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,873
Reaction score
1,499
I think what you are suggesting will work, I have a very basic VLAN setup and do something similar with my managed switch leading to an unmanaged switch... However I've never tested my setup heavily, as it's just isolated for convenience rather than security. It does seem to work as I expect though.

Give it a whirl and see what happens :).

> First of all, I'm not sure why we don't yet have a networking sub-forum. I don't know where else to post this, so I'm posting it here anyway.

We did have one until the forum re-arrangement a few weeks ago, there were so many sub-sections that we simplified them into fewer areas (some had threads dating back from years ago on the first page, so needed a bit of a re-jig).
 

Captain Jack Sparrow

> I think what you are suggesting will work, I have a very basic VLAN setup and do something similar with my managed switch leading to an unmanaged switch... However I've never tested my setup heavily, as it's just isolated for convenience rather than security. It does seem to work as I expect though.
>
> Give it a whirl and see what happens :).

> We did have one until the forum re-arrangement a few weeks ago, there were so many sub-sections that we simplified them into fewer areas (some had threads dating back from years ago on the first page, so needed a bit of a re-jig).

Damn, I've just realized, the power supply for the unmanaged switch is missing! :wall:
Looks like I'll be spending today searching for it.

But thanks for your feedback, this sounds like it will work. As long as it can prevent communication between the two VLANs, it's good enough for me. The only way that VLAN 2 should be able to reach VLAN 1, is by going through the pfSense box. I can then use firewall rules to govern this.

With regards to a networking sub-forum, as networking is such a broad topic, I still think that this would be a good idea. If there were threads going back years on the front page of some sub-forums, then I think we might have a bigger problem: we simply don't have enough active members! :eek:

- Capt. Jack Sparrow.
 

Captain Jack Sparrow

Good luck finding it :D.
I just ended up using an old car battery to power it while I look for the AC adapter. This should keep the unmanaged switch going for a few days, and then we'll toss the car battery when it falls below 11 volts. It's knackered anyway. Hopefully I will have found the AC adapter (or an equivalent) by then.

But yes, I've made the changes to the managed switch and it seems to be working well. My existing Ubiquiti UAP-AC-Pro is working happily, regardless of whether it's plugged into port 7 or 8, and both VLANs are also working correctly on both ports.

I did have to fiddle with the 802.1Q PVID settings on the ports, to make this reliable. It now seems stable enough for production use. Here, I was relying on trial and error to make this work. :user:

I have not yet tested whether the two VLANs can directly communicate with each other (this shouldn't be possible), but this is definitely something which I will look into within the next few days.

- Capt. Jack Sparrow.
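
The port layout discussed in this thread, as a small model (an added example, not part of any post and not vendor code): it shows why untagged devices behind an unmanaged switch on a VLAN 1 port stay in VLAN 1, and what a wrong PVID on an AP port does. VLAN IDs 1 and 2 are the thread's own labels; the ingress-filtering behaviour and every function name are assumptions of the model.

```python
# Constructed model of the 8-port layout described in the thread.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out with an 802.1Q tag

def build_switch():
    """Ports 1-3: VLAN 1 access, 4-6: VLAN 2 access, 7-8: untagged VLAN 1 + tagged VLAN 2."""
    ports = {n: Port(1, {1}) for n in (1, 2, 3)}
    ports.update({n: Port(2, {2}) for n in (4, 5, 6)})
    ports.update({n: Port(1, {1}, {2}) for n in (7, 8)})
    return ports

def classify(port, tag):
    """Return the VLAN a frame lands in, or None if the port drops it.
    Assumes ingress filtering is on: a frame for a non-member VLAN is discarded."""
    vlan = port.pvid if tag is None else tag
    return vlan if vlan in port.untagged | port.tagged else None

def flood(ports, in_port, tag=None):
    """Map each egress port to the tag the frame leaves with (None = untagged)."""
    vlan = classify(ports[in_port], tag)
    out = {}
    for n, p in ports.items():
        if vlan is None or n == in_port:
            continue
        if vlan in p.untagged:
            out[n] = None
        elif vlan in p.tagged:
            out[n] = vlan
    return out

def pvid_problems(ports):
    """Ports whose PVID is not one of their untagged VLANs: untagged frames in and
    out then use different VLANs, giving one-way or dropped traffic."""
    return sorted(n for n, p in ports.items() if p.pvid not in p.untagged)

if __name__ == "__main__":
    sw = build_switch()
    print("host behind unmanaged switch on port 1:", flood(sw, 1))
    print("tagged VLAN 2 frame from AP on port 7: ", flood(sw, 7, tag=2))
    print("PVID mismatches:", pvid_problems(sw))
```

The model only covers the switch itself; traffic that is routed between the VLANs by the pfSense box is governed by its firewall rules, not by the port settings.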
 