Switch XMG1915 isolate port

switcher
switcher Posts: 8  Freshman Member
First Comment Friend Collector

I have a Zyxel XMG1915 8-port managed switch. I need to isolate one of the ports so that it cannot access the intranet but can still access the internet. How can I achieve this?

The switch is connected to a GT-AX11000 Pro router, which has two guest networks. One of these networks, VLAN51, does not allow intranet access.


All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 1

    The switch you have has no ACL.

    What are you trying to do? Not have this device access the LAN?

  • switcher
    switcher Posts: 8  Freshman Member
    First Comment Friend Collector

    Yes! I would like to prevent the device, or specific port, from accessing any device on the LAN while still allowing internet access for this device. So far, I have managed to block the device from accessing the LAN, but it loses internet connectivity. Here are screenshots of the configuration:

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 1

    If your GT-AX11000 Pro router is doing the isolation for VLAN51 for this given device, then:

    Set the uplink port to the router on the switch for VLAN51 to fixed and tagged, set the port to the device to fixed and untagged, and set the PVID of the port the device is on to 51.

    On VLAN1, set the port the device is on to forbidden.

  • switcher
    switcher Posts: 8  Freshman Member
    First Comment Friend Collector

    Thank you, Peter! I appreciate your help. However, I'm not familiar with the router configuration. Could you please specify where I can make these changes? I attempted to follow your instructions, but I ended up with a configuration nearly identical to the one in the screenshots, with the only difference being that port 3 on VLAN 1 is now set to "forbidden."

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 1

    What port links the switch to your router?

    What port links the device you want to go on VLAN 51 on the switch?

    Your router is Asus; it looks to be set up correctly.

  • switcher
    switcher Posts: 8  Freshman Member
    First Comment Friend Collector

    What port links the switch to your router?

    Port 2

    What port links the device you want to go on VLAN 51 on the switch?

    Port 3

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 1

    So on the switch

    VLAN51 port 2 fixed and tag

    VLAN51 port 3 fixed and not tag with PVID for port 3 set to 51

    You can also set ports 1, 4-10 as forbidden for VLAN 51.

    Your device on port 3 likely has no tag; its traffic will go into port 3 on VLAN51 and out port 2, tagged, to your router.
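
The port settings described in the reply above, modelled as an added example (not part of the original posts and not Zyxel code). It assumes VLAN 1 is the default VLAN with every other port an untagged member, and that the switch drops frames arriving on a port that is not a member of the frame's VLAN; the function names are hypothetical.

```python
# Minimal model of 802.1Q port VLAN handling on a 10-port switch.
# Constructed for illustration; port states mirror the settings in the thread.
PORTS = range(1, 11)

# Per-VLAN egress state for member ports: "T" = fixed/tagged, "U" = fixed/untagged.
# Ports absent from a VLAN's map are forbidden (not members).
VLANS = {
    1:  {p: "U" for p in PORTS if p != 3},  # assumed default VLAN, port 3 forbidden
    51: {2: "T", 3: "U"},                   # uplink tagged, device port untagged
}
PVID = {p: 1 for p in PORTS}
PVID[3] = 51  # untagged frames entering port 3 are classified into VLAN 51


def forward(ingress_port, tag=None):
    """Flood one frame; return {egress_port: tag, or None for untagged}."""
    vid = tag if tag is not None else PVID[ingress_port]
    members = VLANS.get(vid, {})
    if ingress_port not in members:  # assumed ingress filtering: non-member drops
        return {}
    return {
        port: (vid if mode == "T" else None)
        for port, mode in members.items()
        if port != ingress_port
    }


def reachable_ports(ingress_port, tag=None):
    """Sorted list of ports a flooded frame would leave on."""
    return sorted(forward(ingress_port, tag))


if __name__ == "__main__":
    print("device (port 3, untagged) ->", forward(3))
    print("router (port 2, tag 51)   ->", forward(2, 51))
    print("router (port 2, untagged) ->", reachable_ports(2))
    print("LAN host (port 1)         ->", reachable_ports(1))
```

In this model a frame that arrives on port 2 without a tag is classified into VLAN 1 and never reaches port 3, which is why the question of whether the router tags VLAN 51 on its LAN port matters.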

  • switcher
    switcher Posts: 8  Freshman Member
    First Comment Friend Collector

    I applied the configuration you specified. The device is not on the LAN, but it still does not have internet access. Here are the screenshots. Please let me know if I missed anything:

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    That should work, but I'm not sure about the router GT-AX11000 doing VLAN as tagged.

    Does the device use a tag? If it's a PC, it's likely untagged unless you set a tag.

    You can test that the router accepts untagged traffic by setting PVID 51 on both ports 2 and 3 with port 2 untagged, but that's not what you want.

  • switcher
    switcher Posts: 8  Freshman Member
    First Comment Friend Collector
    edited August 2

    Do I have to rely on the router's VLAN? Can the switch create a new isolated subnet or VLAN but allow the port to reach the internet?