USG200 ethernet and vlan in same subnet


Could someone help please with an issue I am having with the USG200, I have never used Zyxel stuff before, having come from a Cisco background.
I have this working on a Cisco ASA5505 in the lab, trying to get it working on the USG200 but at the point of giving up.

I have configured the OPT interface with 3 vlans, vlan 10,200,204, the OPT port then connects to a Cisco C3560-G switch, all vlans work perfectly when devices are plugged into the switch ports mapped to specific vlans.

Now, on Vlan 10 ( I wish to plug an additional device into one of the other ports on the USG and it to be accessible from devices in VLAN10.
So, I configure a laptop with as its IP address, plug it into Lan2 port (IP  on the USG, it can ping the vlan ( as can devices on the switch in VLAN10.
But, I cannot ping from devices on the switch in VLAN 10 to the device plugged into the LAN 2 port on the USG.
It is as if the two 192.168.10.xx networks both exist, can both access the USG, but not each other.
I have disabled the firewall, but that made no difference.
Reason for wanting to do this, is the USG is located in a fairly inhospitable place, with only a single CAT 5 running from it through a building to the Cisco switch, and I need to put a device (currently for testing using a laptop, but will eventually be a Raspberry Pi) next to it without having to run a long cable back from the switch.
The Pi needs to be on the same subnet as VLAN 10, that is the important thing.
The ASA does this perfectly, but for the life of me I cannot get it to work with the USG200, if anyone can confirm it is or isn't possible I would be grateful.

Accepted Solution

  • PeterUK
    PeterUK Posts: 1,591
    edited August 2021 Answer ✓

    Looking at this, but not fully tested at my end, this may not be possible, and the USG 200 (unless FLEX) is old and no longer updated.

    The way this might have worked is if the port role option allowed an OPT with another port; this way you have only one subnet. The way you have done it, with two of the same subnets, makes them isolated.

    The way round this is to get a VLAN switch, connect the OPT port to it and switch to Cisco C3560-G with the VLANs, and the laptop to an untagged port to VLAN 10 on the switch so that the laptop sees all of subnet.

All Replies

  • gb5102
    gb5102 Posts: 25
    You should be able to create a bridge interface on USG200 to bridge lan2 and vlan10 interfaces.
    You would remove the IP ('layer 3') settings from lan2 and bridge interfaces. Then you should be able to access vlan10 devices/subnet via any ports assigned to lan2 interface.
  • PeterUK
    PeterUK Posts: 1,591
    ^...As long as the laptop is VLAN tagged to 10, yes.

  • tsteele
    tsteele Posts: 2
    Thank you for coming back to me, I also raised a case with Zyxel support, they have also just replied.
    It seems that you are correct, it isn't possible to do what I want with the USG.
    Unfortunately, putting another switch in the cabinet next to the USG is not really possible, there is no 240v power, nor any physical space really.

    I guess my only real option is to ditch the Zyxel, and replace it with the ASA5505, which I have several 'spares', and already have the identical setup in several other locations which works perfectly.

    I was just trying to make life easier by re-using the existing Zyxel USG200 (customer provided).

    Thanks again,
    Kind Regards
