Set Up VLANs with Tomato and a Cisco Small Business Switch

Mark Berry January 6, 2017

I blogged five years ago about setting up guest wireless with Tomato. For that, I just plugged a separate switch into a router port dedicated to the wireless VLAN. Worked great. But now I need separate VLANs for access points, phones, and cameras connected to one 24-port PoE switch, i.e. one router port must pass traffic for multiple VLANs. Here’s how I set that up.

I’m running a Shibby build, Tomato Firmware 1.28.0000 MIPSR2-132 K26 Max, on a Linksys E3000. This build allows up to 15 VLANs but only four LANs, and since I want a separate IP address range for each VLAN, four was the limit, exactly what I needed.

I’m using a Cisco SF200-24FP Smart Switch. Nice as a PoE switch since all ports support PoE for a total of 180 watts. I would think these instructions should work on any Cisco 200 Series Smart Switch, but I haven’t tried others.

I used this article and this one for reference.

Set Up Tomato for VLANs

Under Basic > Network, set up the LANs you need with a separate IP range for each (assuming you are using Tomato as your DHCP server):

Tomato Cisco VLAN 1

I’m going to use router port 3 for the “combined” VLANs. I had trouble with custom VLAN numbers, and in the end I put WAN on VLAN 15 and used VLANs 1-4 for my VLANs, with VLAN 1 as the default. Set this up under Advanced > VLAN:

Tomato Cisco VLAN 2

Apparently the “Cisco way” to create a trunk is for the default VLAN to be untagged. However, the Tomato GUI will not let you do this, so you need to log in to your router using SSH and use these commands:

nvram show | grep vlan1ports

This returns “vlan1ports=2t 3 4 8*”. Copy that line into a set command, removing the “t”, then check that the value took:

nvram set vlan1ports="2 3 4 8*"
nvram show | grep vlan1ports

This now returns “vlan1ports=2 3 4 8*”. Finally, write the change to NVRAM so it survives a reboot:

nvram commit

After that, you should see that VLAN 1 is included in port 3 but not tagged:

Tomato Cisco VLAN 3

Note: it was this article and its link back to this article that tipped me off about untagging the port.

By default VLANs can’t see each other. If you want to be able to access your PoE devices from your (trusted, secure) main LAN, you can go to Advanced > LAN Access to set that up:

Tomato Cisco VLAN 4

You can also set up access the other way, optionally restricting by IP address, e.g. if a DVR computer on the camera VLAN needs to be able to send backups to a server on the main LAN.

Set Up the Cisco Switch

Under VLAN Management > VLAN Settings, define the three new VLANs:

Tomato Cisco VLAN 5

Plan out (write down) which ports should be on which VLAN. This switch has 24 10/100 ports and two gigabit ports. I want ports 1-7 on VLAN 2, ports 8-14 on VLAN 3, ports 15-24 and GE1 on VLAN 4, and port GE2 to be the trunk that plugs into the router. Note that I’m not using this switch for any access by VLAN 1 other than the trunk, but you could certainly set up a switch to also have some VLAN 1 ports. Also, as an aside, I’m using gigabit port GE1 on the camera VLAN for the DVR computer, since it receives streams from several cameras at once.

Use the VLAN Management > Interface Settings screen to set VLAN Mode on ports 1-24 and GE1 to Access. Set port GE2 to Trunk. Use the Copy Settings button to copy settings from one port to a range of ports.

Use the VLAN Management > Port to VLAN screen to set up each VLAN one by one, identifying which ports are Untagged, which are Tagged (only VLANs 2, 3, and 4 on the trunk in my case), and which are Excluded.

When you’re done, you can see a summary of all settings under VLAN Management > Port VLAN Membership. On this screen, U = Untagged, T = Tagged, P = Port VLAN ID (PVID):

Tomato Cisco VLAN 6

Note that the trunk setup matches the router: default VLAN 1 is untagged; VLANs 2, 3, and 4 are tagged.
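The router side of that check can be done from the nvram values described in the SSH section above, instead of by eyeballing two screenshots. The following is an added example, not code from the post or from Tomato: it parses constructed “vlanNports” lines in the same format as the “nvram show” output (a trailing “t” means tagged, “*” marks the CPU port), builds a per-port U/T table like the switch’s Port VLAN Membership screen, and verifies that the trunk port carries exactly one untagged VLAN (the default) plus the expected tagged ones. It assumes the nvram port number of the trunk is 2, since on this router the “t” that had to be removed was on nvram port 2 even though the GUI shows it as port 3.

```python
import re

# Constructed sample of "nvram show | grep ports" output after the untagging
# step above (assumed values, nvram port numbering, port 8* = CPU port).
SAMPLE_NVRAM = """\
vlan1ports=2 3 4 8*
vlan2ports=2t 8
vlan3ports=2t 8
vlan4ports=2t 8
"""

PORTS_RE = re.compile(r"^vlan(\d+)ports=(.*)$")

def parse_vlan_ports(text):
    """Return {vlan_id: {port: 'T' | 'U'}} from vlanNports lines."""
    table = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line.strip())
        if not m:
            continue
        members = {}
        for tok in m.group(2).split():
            port = int(tok.rstrip("t*"))           # strip tag and CPU markers
            members[port] = "T" if tok.endswith("t") else "U"
        table[int(m.group(1))] = members
    return table

def port_membership(table, port):
    """Membership of one port across all VLANs (U = untagged, T = tagged)."""
    return {vid: m[port] for vid, m in sorted(table.items()) if port in m}

def check_trunk(table, port, native, tagged):
    """List what is wrong with the trunk port; an empty list means it
    matches the 'Cisco way': native VLAN untagged, others tagged."""
    seen = port_membership(table, port)
    problems = []
    if seen.get(native) != "U":
        problems.append(f"VLAN {native} must be untagged on port {port}, got {seen.get(native)}")
    for vid in tagged:
        if seen.get(vid) != "T":
            problems.append(f"VLAN {vid} must be tagged on port {port}, got {seen.get(vid)}")
    untagged = [v for v, s in seen.items() if s == "U"]
    if len(untagged) != 1:
        problems.append(f"port {port} has {len(untagged)} untagged VLANs; a trunk needs exactly one (the PVID)")
    return problems

if __name__ == "__main__":
    table = parse_vlan_ports(SAMPLE_NVRAM)
    print(port_membership(table, 2))                  # {1: 'U', 2: 'T', 3: 'T', 4: 'T'}
    print(check_trunk(table, 2, native=1, tagged=[2, 3, 4]) or "trunk OK")
```

Feed it the real output of “nvram show | grep ports” from the router and compare the resulting table against the switch’s Port VLAN Membership screen for GE2.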

Plug port 3 of the router into port GE2 of the switch. You should now be able to plug a laptop into various ports on the switch and confirm that you are getting IPs in the correct range. Also test that access from the main LAN to the VLANs works but not vice-versa.
