Problem with Tagged VLANs on GS1900-10HP Switch

Options
RonAllen
RonAllen Posts: 9
First Anniversary Friend Collector First Comment
edited August 2022 in Switch

I am having a problem with tagged VLANs between a Zyxel GS1900-10HP switch and a Zyxel USG20W-VPN firewall/router.  Appreciate any advice on how to resolve this.

Hardware Information
Zyxel USG20W-VPN, Firmware v5.30(AVAR.0) / 2022-04-20 / 2022-04-20 01:43:59
Zyxel GS1900-10HP, Firmware v2.70(AAZI.1) | 01/11/2022

Firewall/Router Configuration – Zyxel USG20W-VPN
On the firewall side I have created a VLAN 10 with following settings

·        Interface:  LAN1
·        Zone:  VLAN_10
·        VLAN type:  Internal
·        VLAN ID:  10
·        VLAN Address:  192.168.10.10
·        VLAN Mask:  255.255.255.0
·        VLAN DHCP Server Address Pool:  192.168.10.101-199
·        VLAN Gateway Address:  vlan ip

Tagged VLAN Setup – Zyxel GS1900-HP
The following was configured for a “tagged” setup on the switch where port 8 is the trunk between the router/switch and port 7 is connected to a PC with VLAN ID 10:

·        VLAN:  10
·        Port:  Port 8, PVID 1, Ingress Disabled, Trunk enabled
·        VLAN Port:  VLAN 10, Ports 7/8 tagged

With the above configuration, the PC connected on port 7 and configured with VLAN 10, I am able to obtain a DHCP address but unable to ping the default gateway or another address besides itself.

Untagged VLAN Setup – Zyxel GS1900-HP
The following was configured for a “untagged” setup on the switch where port 8 is the trunk between the router/switch and port 7 is connected to a PC with no VLAN specified:

·        VLAN:  10
·        Port:  Port 8, PVID 10, Ingress Disabled, Trunk enabled
·        VLAN Port:  VLAN 10, Ports 7/8 untagged

With the above configuration, the PC connected on port 7 and no VLAN specifed, I am able to obtain a DHCP address and able to ping the default gateway and other addresses addresses defined on the router (including the router address).

My question is why does the “tagged” configuration above not working.  I have tried different combinations and unable to get this to work.

Thank you!


«1

All Replies

  • PeterUK
    PeterUK Posts: 2,763  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Have you made a firewall rule from VLAN_10 to WAN ?
  • RonAllen
    RonAllen Posts: 9
    First Anniversary Friend Collector First Comment
    Options

    Thanks for your reply.

    Here's what i have done on the firewall side:
    • Created a Zone called VLAN10_ZONE with the VLAN10 as a member
    • On the VLAN config, I specified VLAN10_ZONE for the Zone parameter.
    • Created a Security Policy rule as follows:
      From:  VLAN_ZONE to Zywall
      Source:  Any
      Dest:  Any
    The fact that everything works fine when I have the ports "untagged" and the PVID set to 10 on the switch indicates to me the issue is not on the firewall side.

    Here are images of my "tagged" port config on the switch:


    Here is the result of connecting my PC with VLAN ID of 10.  Able to get DHCP address from firewall but unable to ping gateway or any other address on firewall side.


  • PeterUK
    PeterUK Posts: 2,763  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Its odd your able to DHCP so the VLAN must be working what does:

    arp -a

    show


  • RonAllen
    RonAllen Posts: 9
    First Anniversary Friend Collector First Comment
    Options
    @PeterUK, unfortunately this switch does not have CLI.
  • PeterUK
    PeterUK Posts: 2,763  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited July 2022
    Options
    I mean in windows by CMD after DHCP 
  • RonAllen
    RonAllen Posts: 9
    First Anniversary Friend Collector First Comment
    Options
    Ahhh, sorry.  Here's the screenshot.  Does my tagging look okay to you on the switch side?  The other weird thing about this switch is that it keeps losing it's config after powering off/on.  Maybe it's defective?


  • PeterUK
    PeterUK Posts: 2,763  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited July 2022
    Options
    RonAllen said:
    The other weird thing about this switch is that it keeps losing it's config after powering off/on.  Maybe it's defective?

    You need to click the save button

    So no ARP entry for 192.168.10.10...

    do you have other interfaces not overlaping the same subnet?

    Try without the trunk enabled and vlan 1 ports 7,8 to forbidden


  • Zyxel_Chris
    Zyxel_Chris Posts: 662  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @RonAllen
    May I know if the issue still persists after deactivate the trunk port?
    On the other hand, I would like to make sure if your PC's NIC is VLAN aware?

    Chris
  • RonAllen
    RonAllen Posts: 9
    First Anniversary Friend Collector First Comment
    Options

    Same result after changing trunk to disabled and vlan1 ports 7/8 to forbidden.  The network adapter I am using on my PC allows me to specify the VLAN ID in the adapter configuration.
  • PeterUK
    PeterUK Posts: 2,763  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited July 2022
    Options

    Maybe update the NIC driver?

    I know making VLAN by Hyper-V (Intel's new driver breaks it) works so give that a try set NIC VLAN back to default.

    Control Panel\All Control Panel Items\Programs and Features

    click turn windows features on or off check enable Hyper-V but uncheck Hyper-V Hypervisor

    run Windows PowerShell in admin

    New-VMSwitch -Name "External_network" -NetAdapterName "Ethernet"

    Add-VMNetworkAdapter -ManagementOS -Name VLAN10 -SwitchName External_network

    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName VLAN10 -Access -VlanID 10


Categories

Switch Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)