I set up two VLANs on a GS1900-24, the first 16 ports on the 1st and the last 8 ports on the 2nd. Each VLAN has all member ports set to untagged and all others set to forbidden.

I have two separate subnets that communicate via routers. What I was hoping is that the two VLANs would act like two separate switches, so I would not have to use unmanaged switches.

Instead it acts more like one big switch, because with both subnets plugged in, I am pulling an IP address from the wrong router. If I put all the devices from VLAN2 in a separate 8-port switch everything works fine.

I suspect this is because I really don't know how to properly configure VLANs to isolate these two sets of ports. How do I get the two VLANs to not pass DHCP traffic across them?

    PeterUK Posts: 1,403  Guru Member
    Forbidden 17-24 for VLAN 1

    17-24 Set VLAN Port PVID to 172

    PeterUK Posts: 1,403  Guru Member
    So your router is set up with two VLAN subnets?

    Can you post your VLAN setup? Likely you have VLAN1 allowing all over all ports and have not set up the VLAN Port Setting for the given VLAN?

    What router do you have or do you have two routers each with its own subnet?
    mikekusa Posts: 5

    The MikroTik is not configured for any VLANs.

    On GS1900, VLAN1 is default (all ports untagged), VLAN172 is ports 17-24 untagged, all other ports forbidden. VLAN192 is ports 1-16 untagged, all other ports forbidden.

    I thought this would work - it would be like VLAN192 and VLAN172 are physically separate switches.

    The DHCP request from the phone is evidently showing up on port 24, and going to the MikroTik on the 172 network.

    Does the MikroTik need to be configured for VLAN on the interface that goes to port 24 on the GS1900?

    mikekusa Posts: 5
    Main router is Zyxel EMG3425.
    Zyxel_Melen Posts: 281  Zyxel Employee
    Hi @mikekusa,

    Welcome to Zyxel community!
    According to your description, it is more likely that your Wi-Fi AP is in VLAN 1 or didn't have a VLAN setting, causing the DHCP discovery packets from the iPhone to be sent to port 24, since the VLAN 1 setting of the GS1900-24 didn't forbid port 24.
    Just like @PeterUK said, setting ports 17-24 as forbidden on VLAN 1 will solve your problem.

    mikekusa Posts: 5
    This absolutely worked. Thanks - I see where taking 17-24 off VLAN1 would work; what does the PVID 172 do?
    PeterUK Posts: 1,403  Guru Member

    Currently 17-24 is set to 1 for PVID? So does 17-24 work like that? You want to set the PVID to the untagged ports for the given VLAN.
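
An added example, not part of any post in this thread: a simplified Python model of how a port-based 802.1Q switch handles an untagged broadcast such as a DHCP DISCOVER, showing why the original setup behaved like one big switch and what the PVID change contributes. It assumes generic 802.1Q behaviour rather than GS1900 firmware specifics, that every PVID started at 1, and that ports 1-16 keep PVID 1; the function and variable names are made up for the illustration.

```python
# Simplified model of port-based 802.1Q forwarding for untagged frames.
# Assumption: generic 802.1Q behaviour, not GS1900 firmware specifics.

def flood(membership, pvid, ingress_port, ingress_filter=True):
    """Ports that receive an untagged broadcast (e.g. a DHCP DISCOVER)
    entering the switch on ingress_port."""
    vlan = pvid[ingress_port]              # ingress: untagged frame is classified by PVID
    members = membership.get(vlan, set())  # egress: only member ports of that VLAN
    if ingress_filter and ingress_port not in members:
        return set()                       # port is not in its own PVID VLAN: frame dropped
    return members - {ingress_port}

def isolated(membership, pvid, group_a, group_b, ingress_filter=True):
    """True if no broadcast from either port group can reach the other group."""
    for src, dst in ((group_a, group_b), (group_b, group_a)):
        for port in src:
            if flood(membership, pvid, port, ingress_filter) & dst:
                return False
    return True

LOW = set(range(1, 17))    # ports 1-16 (192 subnet)
HIGH = set(range(17, 25))  # ports 17-24 (172 subnet)

# Setup described in the thread: VLAN 1 still contains every port.
# Assumed: every PVID is still 1.
before = {1: LOW | HIGH, 192: set(LOW), 172: set(HIGH)}
pvid_before = {p: 1 for p in LOW | HIGH}

# Suggested fix: 17-24 forbidden on VLAN 1, PVID 172 on 17-24.
# Assumed: ports 1-16 keep PVID 1.
after = {1: set(LOW), 192: set(LOW), 172: set(HIGH)}
pvid_after = {p: (172 if p in HIGH else 1) for p in LOW | HIGH}

# Half fix: membership changed, but PVID on 17-24 left at 1.
pvid_half = dict(pvid_before)

if __name__ == "__main__":
    print("before, port 3 reaches 24:", 24 in flood(before, pvid_before, 3))
    print("after, groups isolated:", isolated(after, pvid_after, LOW, HIGH))
    print("half fix, port 20 reaches:", sorted(flood(after, pvid_half, 20)))
    print("half fix, no ingress filter:",
          sorted(flood(after, pvid_half, 20, ingress_filter=False)))
```

In this model, a port whose PVID still points at VLAN 1 after being removed from VLAN 1 either has its untagged traffic dropped or, without ingress filtering, has it flooded into ports 1-16, which is why the PVID has to match the VLAN the port is an untagged member of.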