Management VLAN for Zyxel Switches

NEP
NEP Posts: 72  Ally Member

Hello,

I'm looking into adding a management VLAN to our setup. At the moment, all of our networking hardware is on the same subnet (VLAN1) as our user devices. From what I've read, making the change from VLAN1 is a bit complicated.

Other networks have already been moved to separate VLANs such as Wi-Fi (both guest and internal), security cameras, and various equipment used in-house. The Wi-Fi was quite easy. There is an option per access point to set the management VLAN. I made sure that each trunk port and applicable access port was tagged for the VLAN and then toggled the setting.

For switches, I've read that some devices can't be moved from VLAN1. I've also read that not being on VLAN1 can cause issues with STP/RSTP. The recommendations seem to be quite varied but nothing with a lot of detail.

We mainly have a bunch of XGS2210-52HP switches. After some research, I added the management VLAN to "IP Setup", however, it's not working as expected. Only devices on the management VLAN can access the switch. The docs say, "with the 'Management IP addresses' option you can give the switch an IP address for every configured VLAN." This appears to be the issue. The plan was to limit access to the devices with routing rules in our Zyxel ATP firewall. With the Wi-Fi, I can access the APs (VLAN120) from my PC (VLAN1). However, like the docs mentioned above, I am unable to access the switches (VLAN120) from my PC. Not sure that I understand why that is. I thought that traffic from my PC would be tagged once it hits the firewall. This is how it seems to work for Wi-Fi, so why not the switch?

Anyway, I'm wondering if anyone knows of some good resources or other posts on the matter? Tried looking around here a bit but didn't find anything that really helped with my question. Maybe I'm going about this all wrong, in which case I'd appreciate the correction.

Thanks!

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,403  Zyxel Employee
    Answer ✓

    Hi @NEP,

    This problem is related to each VLAN interface of your switch having its IP address, and your PC's default gateway is ATP. When your PC tries to access the VLAN 120 web GUI of your switch, the switch will directly reply TCP to your PC since it knows the PC's MAC address. This is also known as the asymmetrical route.

    To solve the asymmetrical route problem, please remove the VLAN 1's IP address of your switches.
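
The accepted answer explains the failure as an asymmetric route: the request from the PC goes through the ATP firewall to the switch's VLAN 120 address, but the switch answers straight out of its VLAN 1 interface because the PC's subnet is directly connected there. The example below is an added illustration of that forwarding decision and is not Zyxel code or anything from this thread; the addresses, VLAN numbers and the `pick_egress`, `reply_path` and `bypass_interfaces` functions are all constructed for the example. It models the switch's egress choice as longest-prefix match over its own VLAN interfaces with a fallback to the default gateway, shows why the reply bypasses the firewall while VLAN 1 still has an IP, and shows the path becoming symmetric once that address is removed. The audit helper generalizes the check slightly: it flags every switch VLAN interface that sits inside a user subnet, because each one lets replies sidestep whatever management-access rules the firewall enforces.

```python
import ipaddress

# Constructed topology (assumption, not taken from the thread): one switch with an IP on
# VLAN 1 and on VLAN 120, a PC in VLAN 1, and the ATP firewall as everyone's default gateway.
SWITCH_INTERFACES = {1: "192.168.1.10/24", 120: "192.168.120.10/24"}
SWITCH_DEFAULT_GATEWAY = "192.168.120.1"   # firewall's VLAN 120 address (assumed)
PC_IP = "192.168.1.50"                     # management workstation in VLAN 1 (assumed)
USER_SUBNETS = ["192.168.1.0/24"]          # subnets whose hosts should only reach the switch via the firewall


def pick_egress(interfaces, default_gateway, dst_ip):
    """Return (vlan, next_hop) for a packet the switch sends to dst_ip.

    A host-routing stack prefers a directly connected interface (longest prefix match);
    only when no interface covers the destination does the default gateway get used.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for vlan, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (vlan, net)
    if best is not None:
        return best[0], str(dst)        # directly connected: the reply never touches a router
    return None, default_gateway        # routed: the reply goes back through the firewall


def reply_path(interfaces, default_gateway, client_ip):
    """Describe how the switch's reply to client_ip travels and whether it mirrors the request."""
    vlan, next_hop = pick_egress(interfaces, default_gateway, client_ip)
    return {
        "egress_vlan": vlan,
        "next_hop": next_hop,
        # The request arrived via the firewall, so the path is symmetric only if the
        # reply is handed to the firewall (the default gateway) as well.
        "symmetric": next_hop == default_gateway,
    }


def bypass_interfaces(interfaces, user_subnets):
    """List VLAN ids whose switch interface lies inside a user subnet.

    Any such interface lets the switch answer user hosts directly, so the firewall's
    management-access rules are not enforced on the return path.
    """
    nets = [ipaddress.ip_network(s) for s in user_subnets]
    flagged = []
    for vlan, cidr in interfaces.items():
        addr = ipaddress.ip_interface(cidr).ip
        if any(addr in n for n in nets):
            flagged.append(vlan)
    return sorted(flagged)


def without_vlan(interfaces, vlan):
    """Return a copy of the interface table with one VLAN's IP removed (the accepted fix)."""
    return {v: cidr for v, cidr in interfaces.items() if v != vlan}


if __name__ == "__main__":
    before = reply_path(SWITCH_INTERFACES, SWITCH_DEFAULT_GATEWAY, PC_IP)
    print("with VLAN 1 IP   :", before)       # egress via VLAN 1, symmetric False
    print("bypass VLANs     :", bypass_interfaces(SWITCH_INTERFACES, USER_SUBNETS))  # [1]
    fixed = without_vlan(SWITCH_INTERFACES, 1)
    after = reply_path(fixed, SWITCH_DEFAULT_GATEWAY, PC_IP)
    print("VLAN 1 IP removed:", after)        # next hop is the firewall, symmetric True
```

Running the script prints the reply path in both states; the interesting line is `bypass_interfaces`, which is the check to run against every switch's "IP Setup" table after a migration: if it returns anything, the firewall is not the only path between user devices and the switch's management plane.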

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,403  Zyxel Employee

    Hi @NEP

    I can access the APs (VLAN120) from my PC (VLAN1). However, like the docs mentioned above, I am unable to access the switches (VLAN120) from my PC (VLAN1).

    » Can you ping the switch IP address on VLAN 120 but cannot access the web GUI from your PC (VLAN1)?

  • NEP
    NEP Posts: 72  Ally Member

    Didn't think to check that before, but to answer your question: yes. I can ping the switch from my PC but can't access the web interface via the same IP. Only one entry is Active in "Remote Management" and the value is "0.0.0.0". Seems like you're onto something; what do you think is causing the block? Also, since there is a block, do you think that I shouldn't be trying to circumvent it?
