GS1200-8 - Brilliant! But can ZyXEL make it perfect?
I just received my GS1200-8 Managed Gigabit Switch today and I am very happy with its capabilities.
I ordered this switch after ordering a NETGEAR GS108E, which has been promptly returned because it was missing key security and separation features with VLANs, most notably the management interface VLAN configuration. This feature is a basic, minimum requirement for an 802.11q capable switch, yet NETGEAR employees say on their forums that it is reserved for a higher-end line of switches, which is just completely unacceptable.
I also looked at the TP-Link TL-SG108E, however looking at the reviews and comments for it, it suffers from the exact same problem as the GS108E.
The ZyXEL GS1200-8 appears to be the only switch at this price point which correctly supports this minimum requirement feature for an 802.11q switch.
This switch will suit my homelab workbench very well, and I would almost say it is perfect, but there are a few little annoyances which prevent that from being the case, some are picky but some are important.
- Important - Passwords are really limited at 15 characters with no special characters.
  - I do not expect there to be UTF-8 support, because I understand there will be ROM restrictions and multibyte characters are hard to manage in that restriction
  - I do expect full ASCII support
  - I do expect a minimum of 15 characters realistically
- Inconvenient - Web interface timeout is very annoying because it times out too quickly
  - When doing large configuration tasks, a timeout of 30 minutes would be better
  - If this could be configurable in minutes, that would be awesome, even if that's only 1-255!
  - Preferably, logging in from another client should log out the other session rather than complaining and preventing
- Picky - The LEDs are unclear for 10 megabit connections
  - NETGEAR do this really well, with the right LED being 10, left being 100, and both being 1000. With the GS1200-8, 10 and 100 look the same, and can only be differentiated from the web interface
  - Having an option to switch the LEDs to this mode would be great, especially for testing equipment on a workbench
- Picky - VLAN ports marked Egress are technically both Egress and Ingress
  - I have verified this with testing
  - A simple change which could just add some clarity to the UI
I really hope this list will be helpful to ZyXEL, and I would love to at minimum see the password and timeout fixed if possible! This is a great little switch and with a few tweaks here and there would be well rounded for a perfect enthusiast/prosumer level switch.
Thank you for your feedback on the GS1200-8 switch. We appreciate your suggestions for improving our product and service, and we would like to clarify as follows:
Regarding the password requirement on the GS1200-8 switch, we would like to clarify that the GS1200-8 is a desktop switch that is normally deployed behind a router/firewall. As such, we believe that the current password policy is appropriate for this product and that further enhancements are not necessary.
For the web interface timeout, you are automatically logged out of the web GUI after 5 minutes of inactivity; please see page 23 of the User Guide.
Regarding your comment about logging in from another client, we understand that you expected that logging in from another client should log out the other session rather than preventing it.
However, we would like to clarify that this behavior is designed with security in mind. By preventing another client from logging into the web GUI while the first client is doing configuration, we ensure that the network settings are not modified by multiple users simultaneously. This can prevent unintended changes and ensure that the configuration is consistent and reliable.
Regarding the 10M Link's LED, we would like to clarify that this switch is currently designed to show the same color (Amber) for both 10/100 Mbps connections. We appreciate your suggestion about the LED display; however, this function is related to hardware and software limitations, so we would like to create a post in the Switch Idea section to evaluate it in our future roadmap.
In terms of VLAN configuration, there are two parts to configure here which are:
- PVID => this setting is related to Ingress rule, which adds the specified PVID on incoming untagged packets.
- Maximum number of IEEE 802.1Q VLANs: 32 => this setting is related to Egress rule, which determines whether outgoing frames should carry VLAN tags or not.
We hope this information helps. If you have any further questions or concerns, please don't hesitate to ask. Thank you for being a valued member of our community.
I appreciate the expectation of the device being placed behind a firewall. I suppose that if the device is placed on a WAN for any reason, the ability to change the management interface VID would be enough to prevent web UI access from the WAN side, so this is fair enough.
The 5 minute timeout, I understand this is what is currently in place, but when using the switch for configuration (when deploying, or when using Port Mirroring, or when experimenting) this 5 minute timer is too short and I end up having to log back in 4 or 5 times to complete my work, which is very inconvenient.
In addition, it is a pain that you do not know that this timer has expired, because the page does not automatically log you out, but instead you could modify settings and click save, then you will be logged out without your settings being saved at all, they get completely lost.
The issue of another client not being allowed to ensure consistency seems to be completely invalidated by the fact this 5 minute log out timer with no warning leads to data loss. I would still like to suggest that allowing the timer to be modified is a good idea, and I would also like to still suggest that we should be able to log in from another location and have the other session log out, even if this is not enabled by default but instead an option.
I forgot in my original post to raise another really bad issue - The default 192.168.1.3 static IP is very inconvenient and requires a lot of effort to change. I have no 192.168.1.x network at home, but instead a 192.168.0.x network. I do not understand why ZyXEL decided to set a static IP instead of using DHCP. The type of person configuring a managed switch should be knowledgeable enough to log into their router and find the switch DHCP address. This issue took me 30 minutes to resolve when I first got the switch.
I understand the hardware limitations could prevent the change to the LEDs. Do you need me to raise an idea post or are you going to do that?
Lastly, the point I was making about VLANs is if you have a port set to VLAN 1 untagged only, and it receives a packet for VLAN 11, that packet is ignored, unless you turn on Egress. So, in effect, egress also affects ingress too.
I hope this is helpful, and thank you very much for the reply!
Thanks for your significant feedback.
Regarding the 5-minute timeout, we would like to clarify that this setting is not adjustable on the GS1200-8 switch now. While it is possible to adjust this setting on other switches such as Smart Managed Switches, the GS1200-8 switch is designed to be a simple and easy-to-use desktop switch, and we assume that the configuration is not so complicated for anyone to deploy this switch. However, we agree that the 5-minute timeout would be annoying if you need to observe the packet after configuration. It is a good idea to adjust the timeout by user, so we will consult our internal department on whether this function should be added on desktop switches in the future.
For VLAN, you say that “if you have a port set to VLAN 1 untagged only, and it receives a packet for VLAN 11, that packet is ignored, unless you turn on Egress”. Are you referring to the case where VLAN 11 is created but not configured for Egress (Tag or Untag member), as in the image below?
Or could you please describe your expectation for this VLAN configuration page in more detail?
The ingress filter is set to default, which means that when a VLAN is not created and configured as a tagged or untagged egress member on the Maximum number of IEEE 802.1Q VLANs part, packets for that VLAN will be ignored.
We have just created a post for your idea about the LED display; you can take a look at it in the Switch Idea section here.
Thank you for raising the LED suggestion, and for raising the timeout issue with your internal department,
I do not want to cause too much confusion with the VLAN configuration, but basically what I am saying is the following configuration:
In this configuration:
- Ports 1-8 will have untagged ingress and egress for VLAN 1
- Port 1 will have tagged egress for VLAN 11, and will also allow ingress for VLAN 11 too
- Port 2-8 will not have egress for VLAN 11, but will also not allow ingress for VLAN 11 either
Ports 2-8 ignore VLAN 11 ingress packets when egress is not enabled. This means the orange egress control also controls ingress too.
So, the current behaviour is 100% correct, but the labelling could be a bit clearer, especially because the switch is intended for ease of use,
Please let me know if this explanation can be clearer,
It is true that the egress setting of a port is also a VLAN member setting that affects the ingress rule. If the port is not a member of a particular VLAN, then any packets that arrive on that port and belong to that VLAN will be dropped by the switch.
So, if a port is not configured as an egress member of VLAN 11, whether it is orange or green, then any VLAN 11 packet that arrives on that port will be dropped by the switch.
Once a port is configured as a tagged or untagged egress member (orange or green) for a specific VLAN, the switch will forward the ingress packets for that VLAN. If a VLAN 11 tagged frame is forwarded into a port that is a member of VLAN 11, it will not be dropped.
The main difference between an orange tagged egress member and a green untagged egress member is that when a packet is transmitted from an orange tagged egress port, it carries the VLAN tag of that VLAN. However, when a packet is transmitted from a green untagged egress port, it does not carry the VLAN tag of that VLAN.
I hope this helps! Let me know if you have any further feedback.
Indeed, I do understand the implementation myself, it just might be good to note this in the web interface for additional clarity for those people who are less familiar with the concept of VLANs.
I hope you don't mind, but I do actually have a couple more things which I discovered only yesterday:
- It does not seem possible to easily link two switches together. There is no VLAN trunking available. Instead, I must configure my “trunk” port with all VLANs I would like to trunk as egress tagged manually.
- Additionally, I am able to configure the switch incorrectly like so:
In my testing, when configuring the switch incorrectly, it appears port 3's PVID takes priority for ingress and egress and ignores the other VLANs configured as untagged. Is this the expected behaviour, or is this coincidence and undefined behaviour?
Thank you very much for your continued assistance,
Thank you for your question. Unfortunately, the GS1200 series switches do not support VLAN trunking. If you need this feature, I would recommend looking into the GS1900 series switches, which do support VLAN trunking and have a variety of other advanced features that can help to improve network performance and security.
To clarify the second question, we assume that the port 3 is PVID 123, then incoming untagged packets will be assigned to VLAN 123 and forwarded to port 1. VLAN 124 on port 3 will be ignored in this situation as you mentioned.
However, if incoming packets are VLAN 124 tagged, they will not be dropped and will be forwarded to port 2, and then sent out of the switch untagged. When packets return from port 2 (PVID 124) to port 3, they will be untagged and assigned to the appropriate VLAN following the PVID of the other end switch connected to port 3.
It is possible to configure a port with multiple untagged VLANs, but this is not recommended as the switch will not know which VLAN the traffic belongs to. It's best to tag traffic to specify the VLAN it should be assigned to.
When configuring VLAN on switch, it's important to check whether the devices connected to the switch can send and receive VLAN tags. After that, you can decide how to configure the ingress and egress rules to ensure proper handling of traffic.
I hope this helps to answer your question.
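The membership and PVID rules described in this thread, modelled as an added example (not part of the original posts and not Zyxel firmware code). The `Port` class, function names and flooding behaviour are hypothetical; the model assumes untagged frames are also checked for membership in their PVID VLAN, and the port layouts are constructed from the two configurations discussed above.

```python
class Port:
    def __init__(self, pvid, member):
        self.pvid = pvid      # VLAN assigned to untagged ingress frames
        self.member = member  # {vid: "T" (orange, tagged) or "U" (green, untagged)}

def classify(port, vlan_tag=None):
    """Return the VLAN a frame lands in on ingress, or None if it is dropped."""
    vid = port.pvid if vlan_tag is None else vlan_tag
    return vid if vid in port.member else None  # non-member port drops the frame

def forward(ports, in_port, vlan_tag=None):
    """Flood a frame; return {out_port: tag on the wire, or None if untagged}."""
    vid = classify(ports[in_port], vlan_tag)
    if vid is None:
        return {}
    return {n: (vid if p.member[vid] == "T" else None)
            for n, p in ports.items() if n != in_port and vid in p.member}

def workbench():
    """Ports 1-8 untagged in VLAN 1; only port 1 is a tagged member of VLAN 11."""
    ports = {n: Port(1, {1: "U"}) for n in range(1, 9)}
    ports[1].member[11] = "T"
    return ports

def misconfigured():
    """Port 3 is an untagged member of both VLAN 123 and 124, with PVID 123."""
    return {
        1: Port(123, {123: "U"}),
        2: Port(124, {124: "U"}),
        3: Port(123, {123: "U", 124: "U"}),
    }

if __name__ == "__main__":
    wb = workbench()
    print("VLAN 11 tag on port 1:", classify(wb[1], 11))  # accepted
    print("VLAN 11 tag on port 2:", classify(wb[2], 11))  # dropped
    m = misconfigured()
    print("untagged into port 3 ->", forward(m, 3))       # VLAN 123, port 1
    print("tag 124 into port 3  ->", forward(m, 3, 124))  # port 2, untagged
    print("untagged into port 2 ->", forward(m, 2))       # leaves port 3 untagged
    print("untagged into port 1 ->", forward(m, 1))       # also leaves port 3 untagged
```

In the misconfigured layout, port 3 transmits both VLAN 123 and VLAN 124 traffic untagged, so the device on the far end cannot tell the two apart and classifies everything by its own PVID.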
It is a shame the 1200 will not support VLAN Trunk. Is it something the team would ever consider? Even the 8 port 1900 series is bigger than I need on my workbench as it has a bigger footprint than the 1200, and the only reason I would find trunking useful would be to get another 1200 and trunk all VLANs from my workbench over to my desk on the other side of the room.
Thank you for the more detailed explanation around the rules for the VLAN when more than one is set to untagged. It is of course not something that should be done, but it is good to know how the device would respond if it is done accidentally or intentionally,
Thank you for your feedback regarding the lack of VLAN trunking support on the Zyxel GS1200 switch. We understand your disappointment, and we appreciate your suggestion.
However, please note that the GS1200 switch is positioned for home users and is designed to meet the basic networking needs of home users, which typically involve connecting a few devices to the network. In home user scenarios, there are usually not many Switch devices, and there are not many VLANs configured.
We value your feedback and take it seriously in our future product development. Thank you for your understanding.