Is my VLAN configuration correct?
Hello,
This is my first attempt to configure VLANs on my home office network.
I have a GS1900-8HP as my primary switch and a couple of Ubiquiti minis (that will be configured later).
I need to setup 4 VLANs on the network:
- VLAN 1 is the untagged PVID VLAN that will be used for all network traffic from Wi-Fi and other PCs on the network
- VLAN 10 is a network that will be used for the Guest network
- VLAN 120 is a network that will be used for the home lab servers/devices
- VLAN 121 is the storage network
What I need is:
Ports 1, 5 and 8 on the switch should allow traffic from all the above networks/VLANs. Port 1 is connected to the main router.
All other ports should only allow traffic from VLAN/PVID 1.
My current configuration is:
And:
And (the following is identical for VLANs 10, 120 and 121):
My questions are:
1. Is this configuration the correct one?
2. Is traffic isolated? I am asking because I don't fully understand the meaning of the "Ingress Check" and VLAN Trunk options on the first picture. Do I have to enable them for all ports, or just the ports that have the VLANs assigned?
3. Do I need to enable VLAN Trunk on ports 1,5,8? I have it enabled, but I think it's not needed since those ports are not used as an uplink to another switch.
4. Regarding the isolation, will my current setup ensure that if I set up a machine that sends tagged traffic (let's say 121) on port 3, the traffic will be blocked?
Best Answers
Hi @Peter Tselios,
1. Is this configuration the correct one?
The configuration is correct if ports 5 and 8 are connected to other switches. If not, what device are you going to connect? In addition, you may reference this FAQ to set up VLANs.
2. Is traffic isolated? I am asking because I don't fully understand the meaning of the "Ingress Check" and VLAN Trunk options on the first picture. Do I have to enable them for all ports, or just the ports that have the VLANs assigned?
VLAN is used to separate the different broadcast domains, so the traffic is isolated. But if you have a router/firewall, different VLANs can communicate with each other via routing. (When you have set VLAN interfaces on it.) You need to set policy rules on the router/firewall to isolate different VLANs.
"Ingress Check" and "VLAN trunk" are not used to isolate traffic.
"Ingress Check" is used to check whether the VLAN tag of an incoming packet belongs to a VLAN the port is a member of. If not, the packet will be dropped.
"VLAN trunk" is used to forward unknown VLAN packets. Since you have designed your VLANs, you don't need to enable the VLAN trunk. By the way, you may reference this FAQ for the VLAN trunk.
3. Do I need to enable VLAN Trunk on ports 1,5,8? I have it enabled, but I think it's not needed since those ports are not used as an uplink to another switch.
Please reference the above reply.
4. Regarding the isolation, will my current setup ensure that if I setup a machine that will send tagged traffic (let's say 121) on port 3, the traffic will be blocked?
If you mean the TCP traffic, the traffic will be blocked since port 3 is not a member of VLAN 121. Additionally, if you want to be more secure, you can enable the ingress check. This will drop all packets, like broadcast packets and UDP packets, from this machine.
Zyxel Melen
OK, here is a setup to isolate a LAN:
- Port 1 is the uplink, VLAN 3
- Port 2, PC A, VLAN 1
- Port 3, PC B, VLAN 2
To add another isolated port, say port 4, make a new VLAN, say 10, untagged on ports 1 and 4 with PVID 10 on port 4, all other ports Forbidden, and on VLAN 3 set port 4 to Fixed (untagged).
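The membership, PVID and "Ingress Check" behaviour described in the first best answer, and the isolated-LAN layout sketched in the second one, as a constructed Python model. This is an added example, not code from the thread and not anything Zyxel ships: it maps the GS1900 UI terms onto standard 802.1Q ingress filtering and flooding, and the "VLAN Trunk" handling of unknown VIDs, the reading of the second answer's layout, and the port tables themselves are assumptions, marked as such in the code.

```python
# Added example (not from the original thread or Zyxel): a small model of how an
# 802.1Q switch decides where a frame goes, used to check the questions above.
# Assumptions are marked; the Zyxel GS1900 UI names (PVID, Ingress Check,
# VLAN Trunk) are mapped onto standard 802.1Q concepts.
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port emits untagged
    tagged: set = field(default_factory=set)    # VLANs this port emits tagged
    ingress_check: bool = True                  # 802.1Q ingress filtering ("Ingress Check")
    vlan_trunk: bool = False                    # Zyxel "VLAN Trunk": pass unknown VIDs (assumption)

    @property
    def members(self):
        return self.untagged | self.tagged


def forward(ports, known_vlans, in_port, frame_vid=None):
    """Flood one frame entering `in_port` (frame_vid=None means untagged).

    Returns {out_port: egress_vid}, where egress_vid is None for untagged
    egress, or {} when the frame is dropped at ingress. Unknown unicast and
    broadcast are modelled as flooding to every other member port; MAC
    learning is left out because it does not change the isolation question.
    """
    p = ports[in_port]
    vid = p.pvid if frame_vid is None else frame_vid
    if vid not in known_vlans:
        # Assumption: with VLAN Trunk on, frames carrying a VID the switch has
        # not been configured with are passed only between trunk-enabled ports.
        if not p.vlan_trunk:
            return {}
        return {n: vid for n, q in ports.items() if n != in_port and q.vlan_trunk}
    if p.ingress_check and vid not in p.members:
        return {}  # tagged frame for a VLAN this port is not a member of
    out = {}
    for n, q in ports.items():
        if n == in_port:
            continue
        if vid in q.untagged:
            out[n] = None
        elif vid in q.tagged:
            out[n] = vid
    return out


def op_config():
    """The poster's layout: ports 1, 5, 8 carry every VLAN, others are VLAN 1 only."""
    known = {1, 10, 120, 121}
    ports = {}
    for n in range(1, 9):
        if n in (1, 5, 8):
            ports[n] = Port(pvid=1, untagged={1}, tagged={10, 120, 121})
        else:
            ports[n] = Port(pvid=1, untagged={1})
    return ports, known


def isolated_lan_config():
    """One reading of the second answer (assumption): VLAN 3 is the uplink VLAN and
    each PC port gets a private PVID VLAN that only the uplink port also joins."""
    known = {1, 2, 3}
    ports = {
        1: Port(pvid=3, untagged={1, 2, 3}),  # uplink
        2: Port(pvid=1, untagged={1, 3}),     # PC A
        3: Port(pvid=2, untagged={2, 3}),     # PC B
    }
    return ports, known


if __name__ == "__main__":
    ports, known = op_config()
    print("untagged PC on port 3        ->", forward(ports, known, 3))
    print("VID 121 on port 3, check on  ->", forward(ports, known, 3, 121))
    ports[3].ingress_check = False
    print("VID 121 on port 3, check off ->", forward(ports, known, 3, 121))
    print("VID 200 (unknown) on port 1  ->", forward(ports, known, 1, 200))
    lan, known2 = isolated_lan_config()
    print("PC A (port 2) ->", forward(lan, known2, 2))
    print("uplink (port 1) ->", forward(lan, known2, 1))
```

In this model a frame tagged 121 arriving on port 3 is dropped only while Ingress Check is on; with it off the same frame reaches the storage VLAN on ports 1, 5 and 8, which is the reason to leave the box ticked on the access ports rather than only on the VLAN-carrying ones. The page does not state what the GS1900 itself does with the box unticked, so treat that branch as the generic 802.1Q behaviour and verify it on the switch. In the second layout PC A and PC B each reach only the uplink, because neither PC port is a member of the other's PVID VLAN.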
All Replies
VLANs work when you have a router that supports VLANs by subnets.
Right now VLAN 1 is used for everything, with no isolation. A port-based VLAN (which your switch doesn't support) might be what you need if you aren't looking at getting a router.
Here is what a port-based VLAN would look like:
- port 8 is the uplink to the router
- ports 1, 9 and 10 are isolated from the other ports
- ports 2-4 can see each other but not ports 5-7
- ports 5-7 can see each other but not ports 2-4
I don't need port-based VLANs, or at least I haven't planned to segregate the switch ports like this.
I still don't understand points 2,3.
What router do you have? How is it set up?
Many thanks to both of you.
If anyone is interested, ports 1 and 5 are connected to the main router and another OpenWrt-based AP, and they are VLAN aware.
Port 8 is another switch I plan to integrate; that's why I asked about the storage VLAN.
Since ports 5 and 8 are connected with VLAN-aware devices, your configuration is correct.
Zyxel Melen