GS1900-24E and have a question about VLANs

itpp21 Posts: 8
Hello, I've got a GS1900-24E and have a question about VLANs.
On ports 2 and 3 I am aggregating as LAN (coming from the pfSense LAN, aggregated).
Ports 4 and 5 run hypervisors with DHCP for ports 7 to 24.
Ports 7 to 24 (except 6) need to see and use ports 2+3+4+5.
The (web) management interface must work on all ports except port 6.
Port 6 (fixed IP) needs to be in its own VLAN but be able to use ports 2+3.

Is this possible? Do I need PVID?
Do I need to configure the aggregated ports 2+3 as upstream anywhere?
Can I assign more than one VLAN to ports 2+3?

Assumptions:
Port 2-3 VLAN 10+20 and PVID 10+20
Port 6 VLAN 10 and PVID 10
Port 4-24 (except 6) VLAN 20 and PVID 20

Or am I missing something?


All Replies

  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    Hi @itpp21,

    Welcome to Zyxel Community.
    I will answer your question one by one.
    > port 4 and 5 run hypervisors with dhcp for ports 7 to 24

    Do ports 4 and 5 connect to the same device? If so, it should be configured as link aggregation as well.

    > Port 2-3 VLAN 10+20 and PVID 10+20

    It's doable, but a port is only allowed one PVID. You may only tag VLAN 10 & 20 on ports 2-3 (LAG), and the
    pfSense LAN ports should also tag VLAN 10 & 20 on the LAG.

    > Port 6 VLAN 10 and PVID 10
    > (Port 6 (fixed ip) needs to be in his own VLAN but be able to use port 2+3)

    It's doable; you may use guest VLAN for VLAN 6 to fulfill this demand.

    > Port 4-24 (except 6) VLAN 20 and PVID 20

    Yes, doable.

    Please let us know if you have any concern.
    Adam
  • itpp21
    itpp21 Posts: 8
    Hi Adam,

    > Do ports 4 and 5 connect to the same device? If so, it should be configured as link aggregation as well.

    No, ports 4 and 5 serve different purposes.

    > but a port is only allowed one PVID

    Using PVID next to VLAN assignments is based on a remark that VLAN (tagging) unaware devices need a PVID set on the port.
    If such devices cannot break out of a VLAN, the PVID is not needed.

    It would then become:
    Ports 2+3 (LAG) tagged VLAN 10+20 (mirrored on the pfSense LAG side)
    Port 6 tagged VLAN 10 (can see and use ports 2+3 via VLAN 10)
    Ports 4-24 (except 6) tagged VLAN 20 (can see and use ports 4-24 except 6 via VLAN 20)

    Some questions remain:
    > The (web) management interface must work on all ports except port 6
    I am assuming this is the case; if not, please inform me how this can be done (I have read the manual but can't find this).

    > Do I need to configure the aggregated ports 2+3 as upstream anywhere?
    I am assuming that if the configured gateway is presented on 2+3 (LAG), the switch will mark these LAG ports as upstream.
  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    @itpp21,

    Thanks for your update.

    Regarding your question:
    > The (web) management interface must work on all ports except port 6
    > I am assuming this is the case; if not, please inform me how this can be done (I have read the manual but can't find this).
    Since you will configure VLAN 20 for ports 2-24 (except 6), configuring a management IP in VLAN 20 should be no problem for your need.

    > Do I need to configure the aggregated ports 2+3 as upstream anywhere?
    > I am assuming that if the configured gateway is presented on 2+3 (LAG), the switch will mark these LAG ports as upstream.
    You may need to configure the default gateway of the GS1900 switch to the IP address of pfSense.
    Adam
  • itpp21
    itpp21 Posts: 8
    This works, though it might not be as it should be configured; here it does the job (isolating port 6).

    VLAN config ->
    Go to Ports ->
    Set port 6 to a different VLAN

    (ports 2 and 3 are LAG1)

    Go to VLAN Port ->

    Untag LAG1 for VLAN 10 (allow port 6 on VLAN 10 to access the LAN2WAN gateway)

    This works, but I am open to improvements.
  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    @itpp21,

    > Ports 2+3 (LAG) tagged VLAN 10+20 (mirrored on the pfSense LAG side)
    If you would like to reach this, you should change LAG1 (ports 2&3) to tagged VLAN 10 and VLAN 20.
    (You are using untagged for VLAN 10 only.)

    Adam
  • itpp21
    itpp21 Posts: 8
    That's because you can't change VLAN 1 en masse to anything else, as there are two places that need changing, and when one or the other is changed you lose (web) access (they need to be changed at the same time), so in my case VLAN 1 remained 1 instead of 20. Other segments will use 20 and higher after the 1900 is put into production.
  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    @itpp21

    Thanks for the update.

    May I know if there is any question regarding the VLAN settings?
    Adam
  • itpp21
    itpp21 Posts: 8
    The way I've done it sounds like untagging multiple VLANs on multiple ports instead of assigning multiple tagged VLANs to a port, which seems to work as intended (block traffic between VLANs and allow one VLAN to be shared), where one question remains: does this make sense?
  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    @itpp21

    I would say there is no reason to determine if your configuration or topology makes sense or not when the settings are workable for you. It all depends on how you are going to configure devices to fulfill your demands.

    My question for you is: is your pfSense a firewall? If so, I suggest you change LAG1 to tagged and also allow VLAN 10 on pfSense. Your LAG1 (ports 2&3) is untagged now, so it only allows VLAN 10 to your pfSense. However, if you are not planning to put another switch behind this GS1900-24E, which may assign different VLANs such as 20 or 30, you will not have to change it.

    Let me know if you have any concern.

    Adam
  • itpp21
    itpp21 Posts: 8
    pfSense is indeed a firewall.
    I took the 1900 into production early yesterday, and so far all good.

    For LAG1 it defaults to VLAN 1 and has 10 added, so it is serving 2 VLANs.

    There are no other switches in use. Services are clustered to a port on the 1900 and then assigned a VLAN when required; this VLAN is then added as allowed on LAG1 if internet is needed, and if not, it is added as allowed on a port for inter-service communication. This works fine from an isolation point of view.

    Next month I'll switch on (plug in the second cable) LA on LAG1 and the sg-5100; in testing this worked as designed.
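Added example, not code from the thread or from Zyxel: a small Python model of the IEEE 802.1Q port rules (untagged frames land in the port's single PVID; a frame leaves a port tagged or untagged according to membership) applied to the two layouts discussed above, the tagged-LAG1 plan from itpp21's second post and the untagged-LAG1 setup from the final posts. The port names LAG1/p6/p7 and the PVID values are constructed assumptions; "reply untag" shows where an untagged frame from the uplink ends up, which is the one-PVID-per-port rule Adam raises.

```python
# Added example (not Zyxel's or itpp21's code): a minimal model of IEEE 802.1Q
# port rules to check the VLAN plans from this thread. Constructed topology:
# LAG1 = uplink to pfSense, p6 = the isolated host, p7 = one of ports 7-24.
from dataclasses import dataclass

@dataclass
class Port:
    pvid: int          # one PVID per port: where untagged ingress frames land
    members: dict      # vid -> "tagged" | "untagged" (egress treatment)

def ingress(port, vid):
    """Classify an arriving frame; vid=None means it arrived untagged."""
    if vid is None:
        return port.pvid                            # untagged -> PVID, always
    return vid if vid in port.members else None     # tagged, not a member: drop

def forward(ports, src, dst, vid=None):
    """Send one frame src -> dst. Returns (vlan, egress_mode) or None if dropped."""
    vlan = ingress(ports[src], vid)
    if vlan is None or vlan not in ports[dst].members:
        return None
    return (vlan, ports[dst].members[vlan])

# Plan from itpp21's second post: LAG1 tagged 10+20, port 6 untagged VLAN 10,
# ports 7-24 untagged VLAN 20 (PVID follows the untagged VLAN on access ports).
TAGGED_LAG = {
    "LAG1": Port(pvid=1, members={10: "tagged", 20: "tagged"}),
    "p6":   Port(pvid=10, members={10: "untagged"}),
    "p7":   Port(pvid=20, members={20: "untagged"}),
}

# Final setup from the thread: LAG1 left in VLAN 1 (its PVID) with VLAN 10
# also untagged, so it carries two VLANs without tags.
UNTAGGED_LAG = {
    "LAG1": Port(pvid=1, members={1: "untagged", 10: "untagged"}),
    "p6":   Port(pvid=10, members={10: "untagged"}),
    "p7":   Port(pvid=1, members={1: "untagged"}),
}

def report(ports):
    """Host-to-uplink paths, the return paths, and the port-6 isolation check."""
    return {
        "p6->pfsense": forward(ports, "p6", "LAG1"),
        "p7->pfsense": forward(ports, "p7", "LAG1"),
        "p6->p7":      forward(ports, "p6", "p7"),          # isolation: None
        "reply tag10": forward(ports, "LAG1", "p6", vid=10),
        "reply untag": forward(ports, "LAG1", "p6"),        # lands in LAG1's PVID
    }
```

Call `report(TAGGED_LAG)` and `report(UNTAGGED_LAG)` to compare the two layouts; in both, port 6 never reaches port 7, and an untagged frame from the uplink can only reach members of VLAN 1.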