VLAN Configuration, Set-up and understanding.

[RodneyMcSnow]

Looking for some input/suggestions for project.
Two companies will be sharing a single Internet connection and two (2) 24-port dell 2824 switches. The computers from each Company (data, no voice) will connect to each switch, both switches will connect together via copper cat6 and share internet connection.

The following site layout/configuration.
Two companies will share office space and will have only data (computer traffic) running on the switches. No VOIP Phones, yet. Maybe in the future however, it is not important now.
Suite 100 is on West end of building and will have tenants from both companies A and B connected to it.
Suite 200 is on East end of building and will have tenants from both companies A and B connected to it. Switches connected via copper cat6.
A single Internet connection will exist in West end of Building and connect to the switch located in Suite 100.
I am able to setup the vlans in each of the dell switches. VLAN 1 for Company A and VLAN 2 for Company B.
My questions are as follows:
1) VLAN 1 is the default VLAN. Can ports be moved from VLAN 1?
2) Can I setup ports 1-8 to be vlan 1, ports 9-14 to be vlan 2?
3) What does tagged and untag represent?
4) What is PVID and why is it needed?
5) Can these vlans be restricted and unestriced at same time? In other words, vlans 1 & 2 share printers only and no other network shares, etc. are seen by each computer on each seperate vlan.
6) Are there any changes to be made in the clients computers/server?

I have listed below the printout of the switch programming.

VLAN PORT SETTINGS:
Interface PVID Frame Type Ingress Filtering
Port 1 1 Admit All Enable
Port 2 1 Admit All Enable
Port 3 1 Admit All Enable
Port 4 1 Admit All Enable
Port 5 1 Admit All Enable
Port 6 1 Admit All Enable
Port 7 1 Admit All Enable
Port 8 1 Admit All Enable
Port 9 1 Admit All Enable
Port 10 1 Admit All Enable
Port 11 1 Admit All Enable
Port 12 1 Admit All Enable
Port 13 1 Admit All Enable
Port 14 1 Admit All Enable
Port 15 1 Admit All Enable
Port 16 1 Admit All Enable
Port 17 1 Admit All Enable
Port 18 1 Admit All Enable
Port 19 1 Admit All Enable
Port 20 1 Admit All Enable
Port 21 1 Admit All Enable
Port 22 1 Admit All Enable
Port 23 1 Admit All Enable
Port 24 1 Admit All Enable
Lag 1 1 Admit All Enable
Lag 2 1 Admit All Enable
Lag 3 1 Admit All Enable
Lag 4 1 Admit All Enable
Lag 5 1 Admit All Enable
Lag 6 1 Admit All Enable


VLAN MEMBERSHIP:
Interface
Port 1 U = untagged (Only options are untagged/tagged)
Port 2 U
Port 3 U
Port 4 U
Port 5 U
Port 6 U
Port 7 U
Port 8 U
Port 9 U
Port 10 U
Port 11 U
Port 12 U
Port 13 U
Port 14 U
Port 15 U
Port 16 U
Port 17 U
Port 18 U
Port 19 U
Port 20 U
Port 21 U
Port 22 U
Port 23 U
Port 24 U

Any insight is appreciated.

 

[cajuntank]

My questions are as follows:
1) VLAN 1 is the default VLAN. Can ports be moved from VLAN 1?"
Yes this is what untagging ports do. All ports are by default untagged in VLAN 1. If you create another VLAN, say VLAN 2, then you can choose which ports to untagged for that VLAN.

"2) Can I setup ports 1-8 to be vlan 1, ports 9-14 to be vlan 2?"
Yes, this is normally how it's done. Also, VLANs operate at layer 2 which means they are logically separate from each other and until you introduce a layer 3 device to route between those VLANs, they will not talk to each other. A lot of switches today offer layer 3 functionaly which you can turn on by issuing a "ip routing" command at the switch which will then cause all VLANs to talk to each other (also called inter-vlan routing)

"3) What does tagged and untag represent?"
Tagged ports are those that you want to pass (in Cisco world it's known as a trunked port) VLANs down to other switches or devices that understand VLAN tags. So for example, if you had two switches that you wanted to to know about VLAN 1 and VLAN 2, then of course by default, they already know about VLAN 1. You will create VLAN 2 on both switches and the port that you connect both switches to each other by, you will have a statement under the VLAN 2 interface "tagged 24" (assuming your using port 24 as your uplink port to the other switch).
Untagged, again, are the ports yout specify under that VLAN interface that you want in that VLAN. So for example... under VLAN 1 you might untagged 1-10 and under VLAN 2 you might untagged
11-23.

"4) What is PVID and why is it needed?"
PVID just means Port VLAN ID. See link for discussion on this.

http://www.tek-tips.com/viewthread.cfm?qid=959402&page=72

"5) Can these vlans be restricted and unestriced at same time? In other words, vlans 1 & 2 share printers only and no other network shares, etc. are seen by each computer on each seperate vlan."
For VLANs to even talk to each other, there needs to be some layer 3 device that can route between them. See answer 2 for more info. If inter-vlan routing is turned on then there are no restrictions of them communicating with each other. If you need to restrict certain aspects of communication between the VLANs, you will need to implement what's call ACLs (Access Control Lists). I would suggest you google ACL examples as that can be a long discussion all on it's own as ACLs can permit or deny on several variables including tcp and udp ports, icmp, host ip address, ip address ranges, protocols, etc...

"6) Are there any changes to be made in the clients computers/server?"
Just depends on what port (and corresponding VLAN) on the switch you connect them to. Each VLAN will be on it's own subnet (ie... VLAN 1 might be on the 192.168.1.0/24 subnet while VLAN 2 might be on the 192.168.2.0/24 subnet). If you only have one DHCP server handing out addresses for both subnets, then you will have to have a command under the other VLAN interface called ip helper-address "the ip address of your DHCP server" (no, the ip address would not be in quotes, I just use those to show a general remark instead of an actual command).
So if the DHCP is on VLAN 1, then under VLAN 2 interface, you'll have to have the ip address-helper statement.

Hope that helps.