VLAN Separation
At this moment I have a GS1900 which I use between the router and the ISP (WAN).
Port 1 is connected to the WAN, which carries Ethernet traffic as well as VLAN 4 for IPTV. Port 2 is connected to my router.
What I want is that the ISP comes in on P1, is distributed to P2 (router), and all VLAN 4 traffic is sent to ports 2 to 8.
The other ports, 9 to 24, are in use for the local LAN (VLAN 100).
But somehow I see DHCP traffic coming in from a MAC address (which is inside the local LAN), which I'm not expecting.
Port 1 is from the ISP; port 2 is going to the router (WAN side).
From the router back to the LAN segment on port 21:
VLAN 100: local LAN segment
What is wrong? I would not expect to see any DHCP (broadcasts) from my local LAN devices.
As you can see in the Wireshark capture, IP address 192.168.0.3 is in my local LAN, but I still receive this on port 1 (I mirrored ports 1 and 2 to port 10).
What am I doing wrong?
Johan
Accepted Solution
I think the issue is solved: PVID 1 was still connected to port 10, which causes local LAN traffic to also arrive at port 10.
All Replies
So what if you set the accept frame type on ports 1 and 2 to tagged only?
Because VLAN 4 has ports 0-8 tagged and untagged, you will see broadcast traffic.
If you can't do the above, you need two more ports in a VLAN to only allow a given MAC out to your ISP.
Or maybe you need to set VLAN 4 port 1 to forbidden? Not sure what VLAN 2 is doing. Or maybe you only need to untag ports 1 and 2 and forbid the rest?
A drawing of your setup might help.
I want to have routed IPTV as well as separate ports specially for IPTV. IPTV uses VLAN ID 4 in my case.
So, the ISP comes in on P1 (P2 should get everything from P1); P3 to P8 carry only VLAN ID 4 for the IPTV set-top box.
Ports 9 to 23 are for my local LAN.
So the router is hooked up twice to the switch, but in separate VLANs, so they should not interfere with each other. Now the case is that I see a DHCP request from a PC (let's say on port 8) coming in on port 1, which should not be allowed. Vigor is my router. Port 2 of the switch is connected to the WAN port of the router.
So is VLAN 4 on the base WAN port of your router? Is your ISP tagged or untagged?
Sorry, forgot to mention.
From the ISP I'm getting untagged Internet and tagged VLAN ID 4 for IPTV (2 streams: 1 Internet, the other IPTV).
On my router I have configured a virtual WAN with VLAN ID 4.
If I look at the MAC table of port 2, I do see 2 MAC addresses, which I would expect: one for Internet and the other for IPTV with VLAN ID 4.
On port 1 I see 3: 2 for VLAN ID 4, which I also expect, and one for the router.
What I do not understand is why I see a DHCP request coming from a MAC address which is a device on the LAN network (VLAN ID 100).
I hope it's clear how my setup works?
So does it happen on port 2 (not port 1) that you see the DHCP requests from VLAN 100 going out the WAN?
I see the request coming in on port 2 (WAN side of the router). I would also expect to see a request being sent out via port 1 (Internet), which would be a duplicate, right? Because I mirror ports 1 and 2.
The source MAC is from the router.
I'm getting the ACK from the ISP coming from port 1.
All of this looks okay, only on the GS1900 I see that the LAN segment uses VLAN ID 1 and not 100, but still: VLAN 1 and VLAN 100 are not part of ports 1 to 8.
I'm using Wireshark on a USB Gigabit Ethernet adapter with a 169.254.168.254 IP address (default) and I see that a device on the LAN segment is sending a request and the router (192.168.0.1) sends an offer (see the two pictures below). I would not expect this.
Any explanation?
From what I can tell the switch is not at fault; it looks to be the router you are using. Not sure why it's doing this.
You could see if removing VLAN 4 on the router stops it.
I have removed VLAN ID 4 on port 2 (forbidden) and rebooted the router after the change. But I still see a DHCP request coming from a LAN device, which should not be possible.
That's because it's coming from your router.
If you were to mirror port 2 for ingress only, you'd see it's from your router. At least that's what I think is happening.
Hi @VCS,
"All of this looks okay, only on the GS1900 I see that the LAN segment uses VLAN ID 1 and not 100, but still: VLAN 1 and VLAN 100 are not part of ports 1 to 8."
This is because the PVID you set is 1, not 100. Since the clients' packets are untagged, the switch port VLAN ID is needed to classify which VLAN the clients belong to.
Could you check the MAC table on the GS1900 for this MAC address "70:26:05:67:d2:43" to locate which port this client belongs to?
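The accepted solution (the mirror target, port 10, was still a member of VLAN 1 via PVID 1) and the two replies above about PVID classification and the "tagged only" accept frame type come down to the generic 802.1Q ingress/egress rules. The model below is an added example for this thread, not code from the poster or from Zyxel, and does not model the GS1900 specifically. The port layout is reconstructed from the thread (ports 1 and 2 mirrored to port 10, ports 3-8 IPTV, ports 9-24 LAN with PVID 1); VLAN 2 as the untagged WAN VLAN, the mirror copy being independent of VLAN filtering, and all MAC addresses are assumptions.

```python
"""Toy 802.1Q forwarding model. Added example, not code from the thread or
Zyxel. Port layout is constructed from the thread; VLAN 2 for the untagged
WAN and the MAC addresses are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int             # VLAN given to untagged frames arriving on this port
    untagged: Set[int]    # VLANs this port sends out without a tag
    tagged: Set[int]      # VLANs this port sends out with an 802.1Q tag
    accept: str = "all"   # accept-frame-type: "all" or "tagged"

    def members(self) -> Set[int]:
        return self.untagged | self.tagged


@dataclass
class Frame:
    src_mac: str
    vid: Optional[int] = None   # None means the frame arrives untagged


class Switch:
    def __init__(self, ports: Dict[int, Port], mirror_src=(), mirror_dst=None):
        self.ports = ports
        self.mirror_src = set(mirror_src)   # ports whose ingress is mirrored
        self.mirror_dst = mirror_dst        # port that receives the copies

    def classify(self, ingress: int, frame: Frame) -> Optional[int]:
        """Untagged frames get the PVID (or are dropped when the port accepts
        tagged only); tagged frames keep their VID if the port is a member."""
        port = self.ports[ingress]
        if frame.vid is None:
            return None if port.accept == "tagged" else port.pvid
        return frame.vid if frame.vid in port.members() else None

    def deliver(self, ingress: int, frame: Frame) -> List[Tuple[int, str]]:
        """Ports that see a broadcast entering `ingress`, as (port, reason):
        'flood-untagged' / 'flood-tagged' for VLAN flooding, 'mirror' for the
        monitoring copy (assumed to be a copy of whatever arrived)."""
        out: List[Tuple[int, str]] = []
        vid = self.classify(ingress, frame)
        if vid is not None:
            for num, port in self.ports.items():
                if num == ingress:
                    continue
                if vid in port.untagged:
                    out.append((num, "flood-untagged"))
                elif vid in port.tagged:
                    out.append((num, "flood-tagged"))
        if ingress in self.mirror_src and self.mirror_dst is not None:
            out.append((self.mirror_dst, "mirror"))
        return out


def build_switch(mirror_port_in_lan: bool, wan_tagged_only: bool = False) -> Switch:
    """Constructed layout: ports 1 (ISP) and 2 (router WAN) carry the untagged
    WAN (assumed VLAN 2) plus tagged VLAN 4 (IPTV); ports 3-8 untagged IPTV;
    ports 9-24 LAN with PVID 1; ports 1 and 2 mirrored to port 10."""
    accept = "tagged" if wan_tagged_only else "all"
    ports: Dict[int, Port] = {}
    for p in (1, 2):
        ports[p] = Port(pvid=2, untagged={2}, tagged={4}, accept=accept)
    for p in range(3, 9):
        ports[p] = Port(pvid=4, untagged={4}, tagged=set())
    for p in range(9, 25):
        ports[p] = Port(pvid=1, untagged={1}, tagged=set())
    if not mirror_port_in_lan:
        # The fix from the accepted answer: take the mirror target out of VLAN 1.
        # PVID only classifies frames *entering* port 10; membership is what
        # makes LAN broadcasts egress there on top of the mirrored copies.
        ports[10] = Port(pvid=1, untagged=set(), tagged=set())
    return Switch(ports, mirror_src=(1, 2), mirror_dst=10)


def mirror_port_sees_lan_broadcast(mirror_port_in_lan: bool) -> List[str]:
    """Why port 10 receives an untagged DHCP Discover from a LAN PC on port 21."""
    sw = build_switch(mirror_port_in_lan)
    discover = Frame(src_mac="02:00:00:00:00:21")  # constructed LAN MAC, untagged
    return sorted(r for p, r in sw.deliver(21, discover) if p == 10)


def isp_distribution(vid: Optional[int], wan_tagged_only: bool = False) -> List[int]:
    """Ports (mirror copy excluded) that a broadcast from the ISP on port 1 reaches."""
    sw = build_switch(mirror_port_in_lan=False, wan_tagged_only=wan_tagged_only)
    frame = Frame(src_mac="02:00:00:00:00:01", vid=vid)  # constructed ISP-side MAC
    return sorted(p for p, r in sw.deliver(1, frame) if r != "mirror")


if __name__ == "__main__":
    print("port 10 in VLAN 1:", mirror_port_sees_lan_broadcast(True))          # ['flood-untagged']
    print("port 10 removed  :", mirror_port_sees_lan_broadcast(False))         # []
    print("WAN untagged     :", isp_distribution(None))                         # [2]
    print("IPTV VLAN 4      :", isp_distribution(4))                            # [2, 3, 4, 5, 6, 7, 8]
    print("tagged-only WAN  :", isp_distribution(None, wan_tagged_only=True))   # []
```

The first two lines of output are the thread's symptom and fix: while port 10 is a VLAN 1 member, LAN broadcasts flood to it by ordinary VLAN forwarding, indistinguishable in Wireshark from mirrored WAN frames; once it has no VLAN membership, only the mirror copies arrive. The last line shows the earlier "tagged only" suggestion: it would also silence untagged WAN traffic on port 1, which is the Internet service itself, so it is not a fix for this layout.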