VLANs not working - GS1920-48HP and USG Flex 200.

Weazel

Hello

I've added some VLANs to a Flex 200 and GS1920-48HP switches. Unfortunately I cannot get the VLANs to work.

To explain, the VLANs (vlan20 and 21) have been added to the firewall, zones added and firewall rules made. I've used LAN1 as the base port and have set the downlink from the firewall (port 47) as a trunk port as per various guides I've read. The downlinks to the other three switches have been configured in the same way.

I have a port in vlan20 and another in vlan21 with the PVIDs to match. The ports do not get a DHCP IP address from the firewall, nor can I ping the firewall with a manual static IP config. I have tagged the traffic on the respective access ports and marked vlan1/native as forbidden. Setting them to untagged makes no difference.

I understand the uplink to the firewall and downlinks the other switches don't need tagged traffic, just trunk enabled.

I have 2 x Unifi APs on ports 25+26…same thing, no DHCP offerings or connectivity. They however need to see native VLAN, 20 and 30.

Some screenshots of the config are below. could you let me know what I need to do please? Any assistance would be appreciated! Thanks.

Zyxel_Melen

Hi @Weazel,

I understand the uplink to the firewall and downlinks the other switches don't need tagged traffic, just trunk enabled.
> Trunk enables mainly means the packet will be tagged out. So, the uplink to the firewall and downlinks to the other switches should be tagged. In addition, the port connected to end devices should be untagged.

Please reference the configure example below:
Static VLAN configuration:

VLAN port setup:

The VLAN status will be like:

You may also reference this FAQ for VLAN setup.

In addition, VLAN trunking means the switch will forward the packets without VLAN settings. In other words, the switch will forward unknown VLAN packets when enabling VLAN trunking.
For more information, please reference this FAQ.

PeterUK

Have VLAN1 untag on ports 1 and 47 all others forbidden you can access the switch by port 1

Have VLAN20 with PVID20 on port 23 tag and fixed on port 47 and untag on port 23 others forbidden

Have VLAN21 with PVID21 on port 24 tag and fixed on port 47 and untag on port 24 others forbidden

A PC in ports 23 and 24 should now connect to the USG VLANs

Weazel

Thanks Peter - i will give it a try. I still need to be able to access VLAN1 on all other ports, as well as VLANS 20 and 30 on the APs. Would the changes suggested to the trunk port (port 47) allow that?

Zyxel_Melen

Hi @Weazel,

I understand the uplink to the firewall and downlinks the other switches don't need tagged traffic, just trunk enabled.
> Trunk enables mainly means the packet will be tagged out. So, the uplink to the firewall and downlinks to the other switches should be tagged. In addition, the port connected to end devices should be untagged.

Please reference the configure example below:
Static VLAN configuration:

VLAN port setup:

The VLAN status will be like:

You may also reference this FAQ for VLAN setup.

In addition, VLAN trunking means the switch will forward the packets without VLAN settings. In other words, the switch will forward unknown VLAN packets when enabling VLAN trunking.
For more information, please reference this FAQ.

Weazel

Thanks for the info - it was the ‘fixed’ association to the port per VLAN that I was missing. Working fine now

interestingly enough, on the GS1900-10HP I haven’t had to do any more then enable the trunking for it to pass VLANs which is what initially confused me here. It seems different models do different things

thanks again!

Zyxel_Melen

Hi @Weazel,

May I know if you mean the "VLAN trunk" on GS1900? If yes, the "VLAN trunk" will allow the switch to forward unknown VLAN packets. But if you create a static VLAN, the switch will follow the VLAN table to forward the packets.