
I have a router that doesn't support VLANs. I want to connect a managed switch to one of its ports and create 2 VLANs; will it work? Must I use untagged VLANs in order for it to work?

The router has other PCs connected to its other ports, I assume they will not be able to communicate with either VLAN, am I right?

                                                  |-->VLAN1
 Internet->Router(VLAN unaware)->Managed switch->|
                                                  |-->VLAN2
Clonimus74

2 Answers


VLAN 1 is usually the "default" VLAN that all ports are in before you configure them otherwise. So when you create two new VLANs, they would be e.g. VLAN 2 and VLAN 3.

Must I use untagged VLANs in order for it to work?

Yes... but that won't make it work.

If the device (router) doesn't support VLANs, that usually means it won't understand any 802.1Q tagged packets, therefore its switch port must have one untagged VLAN (and the port's PVID must match).

However, you cannot put multiple untagged VLANs on the same port. When the router sends untagged packets, the switch will not know which VLAN they should belong to. All it can do is tag all packets with the same VLAN (PVID), and you don't gain anything. (Some switches allow configuring this anyway, and it appears to work when only one VLAN is used in practice, but falls apart when you actually try to mix two.)

The router has other PCs connected to its other ports, I assume they will not be able to communicate with either VLAN, am I right?

Yes.

  • Devices in one VLAN – the one that you've set as "untagged" on the router-facing port – will be able to communicate with the router and will have Internet access.

    (The router only sees what's on the packets themselves, it doesn't know what happens inside the switch. If it sees untagged packets, it doesn't know and doesn't care which VLAN number they were originally from.)

  • Devices in all other VLANs – the ones that you've set as "tagged" on the router port – will not be able to communicate with the router at all (and therefore will not be able to communicate with any other VLAN either), because as you've said, the router does not support (tagged) VLANs.

  • Devices within the same VLAN will be able to communicate, because that doesn't involve the router anyway.


Final note: Some switches have what they call "IP VLANs" or "subnet VLANs", where the switch can tag incoming packets based on their IPv4 header – so from the router's perspective you could have two subnets on the same LAN, but the switch would magically divide them into two VLANs. This might work in your situation (if your switch actually supports it), but it's just... dirty.

grawity
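To make the untagged/tagged behaviour described in this answer concrete, here is an added example (not code from the answer or from any switch vendor) that simulates the 802.1Q ingress and egress rules of a VLAN-aware switch for the question's topology. The port names, VLAN numbers 2 and 3 and the four attached hosts are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out of this port untagged
    tagged: set = field(default_factory=set)    # VLANs sent out with an 802.1Q tag
    vlan_aware: bool = True                     # can the attached device parse 802.1Q tags?

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged

@dataclass
class Frame:
    src_port: str
    vid: int = None   # 802.1Q VID seen on the wire at ingress, None = untagged

def classify(port, frame):
    """Ingress rule: an untagged frame takes the port's PVID; a tagged frame is
    accepted only if the port carries that VLAN tagged. None means 'drop'."""
    if frame.vid is None:
        return port.pvid
    return frame.vid if frame.vid in port.tagged else None

def forward(switch, frame):
    """Flood the frame to every other member port of its VLAN.
    Returns {port_name: VID on the wire}, where None means 'sent untagged'."""
    vid = classify(switch[frame.src_port], frame)
    if vid is None:
        return {}
    return {name: (None if vid in p.untagged else vid)
            for name, p in switch.items()
            if name != frame.src_port and p.member_of(vid)}

def delivered(switch, frame):
    """Ports whose attached device actually accepts the frame: a VLAN-unaware
    device (the router here) silently discards anything that arrives tagged."""
    return sorted(n for n, tag in forward(switch, frame).items()
                  if tag is None or switch[n].vlan_aware)

# Constructed topology (assumption): VLAN-unaware router on port "r",
# VLAN 2 untagged there (PVID 2), VLAN 3 present on that port only as tagged.
SWITCH = {
    "r":  Port(pvid=2, untagged={2}, tagged={3}, vlan_aware=False),
    "a1": Port(pvid=2, untagged={2}),   # PC in VLAN 2
    "b1": Port(pvid=3, untagged={3}),   # PC in VLAN 3
    "b2": Port(pvid=3, untagged={3}),   # another PC in VLAN 3
}
```

Running `delivered(SWITCH, Frame("b1"))` shows the VLAN 3 host reaching only `b2`: the switch does send a copy to the router port, but tagged with VID 3, so the router drops it. Making the router port untagged for both VLANs (the "appears to work" configuration mentioned above) lets VLAN 3 frames reach the router, yet the router's untagged replies are still classified into PVID 2 only, which is the asymmetry that breaks it.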

Several years later, and this question, and the answer, need more clarification.

Can you connect a VLAN-unaware router to a VLAN-aware switch?

YES. The router will belong to the untagged VLAN at the port you connect it to.

Will it work out of the box?

Yes, the VLAN-aware switch will have a "default untagged VLAN" assigned to all ports.

Will the router be able to talk to devices on both VLANs?

Not without a router. Out of the box, it will only talk to the devices that are on the default VLAN. If you configure the port to be an access port to a different VLAN, then that would be the VLAN that you have access to. You would need a VLAN-aware router on the VLAN side of the equation to route traffic from the "internet's VLAN" to the other VLAN.

Can the PCs and the router be assigned to different VLANs?

Yes, but with work. Their traffic will be assigned a default VLAN based on the access port (untagged VLAN port) the router is connected to. However, there are ways to assign VLANs based on your MAC address. I know of the Cisco VMPS (VLAN membership policy service), which VMPS-compliant devices can use to ask the VMPS (server) for a VLAN based on the MAC. Perhaps it has other ways, such as based on the IP. Switches might have a setup where MACs are explicitly set up via a table to be assigned to a VLAN.

This setup can be configured to only accept one VLAN (rejecting the others), accept multiple (if the MAC is registered with a VLAN, then there is no confusion, as there is when there is no knowledge of the MAC at all), or accept unknown MACs but have a default VLAN they'll be assigned to... I think there's one more.

Keep in mind that just because each machine is accepted to different VLANs, they can only talk to each other when on the same VLAN (the previous point).


"Thank you, so I understand there's no way around it and I must buy a new router. I didn't buy a switch yet, I was sure the switch divides the VLAN based on IP rather than ports"

The initial concept of a VLAN allowed using multiple ports on a switch for different LANs, creating virtual switches. The virtual switches switch virtual LANs. But which VLAN a particular port is on can be decided by IP, or by MAC address. As mentioned, a particular port on a switch can be assigned to a VLAN by a lookup table or service.