Vlan1 On Primary LAN Interface
All Replies
-
There is no such thing as a packet that identifies as being untagged under a given VLAN; that's just not a thing.
There is nothing Zyxel can do to change that. They could give you a fake option to say this interface is untagged VLAN 10, but really it's just how it's always been.
0 -
Yes there is such a thing. I guess you lack the knowledge of the fake interface in the world of switching. The fake thing you are referring to is called "Unmanaged / Untagged Traffic". There is tagged and untagged traffic, and Zyxel requires you to tag any interface on the physical device. Talk to your counterparts in America. That is what they told me. Your argument is NOT valid. Where is your test data? Zyxel America has the test data to prove it. Bottom line, you are having an issue accepting it.
What I find so interesting is I have explained my points and provided articles along with evidence, and you still challenge it. I guess you are perfect in every sense of the manner.
0 -
@PeterUK Since you know everything. Read this article below:
This is the excerpt from the article. See below:
Yes
Does Cisco Support sending tagged and untagged traffic through a Vlan?
0 -
Maybe Cisco are doing their own protocol thing that only their stuff will work with.
So if you knew, you should have gone all Cisco.
0 -
@PeterUK The problem is not me or Cisco; it is how Zyxel handles the traffic. It is not good, bad, or indifferent, but given the security recommendations along with the flexibility, I would think Zyxel would want to evolve and grow. This device is limited in what it can do in that case.
All I wanted to do was make a case for maybe enabling the feature and giving customers like me the flexibility, instead of your response of "You should have gone all Cisco". All I am trying to do is help the community and not make it more difficult, like you have made this whole experience. You could have replied in a humble manner. So thanks, no thanks!
0 -
Well, I'm beginning to think you're an AI, personally, on a wild goose chase.
0 -
Well, I also think you are unreasonable too, but that is based on my experience, and you just like tormenting and egging situations on. This is the reason why I will NOT buy any more Zyxel products. So, way to be a good salesman too and treat your customers like dirt.
-1 -
The firewall, not only Zyxel's but other vendors' as well, does not have a concept similar to a switch's native VLAN.
If we create a VLAN interface on the firewall, for example VLAN 99 on ge3, that VLAN interface will only carry or recognize tagged traffic. If you capture packets on the VLAN 99 interface, you will only see tagged frames coming into the firewall.
As you may know, the VLAN interface is based on a physical Ethernet (GE) interface. If the downstream switch sends untagged traffic to our firewall, that traffic will land directly on the GE3 interface.
That's the difference between firewall and switch.
Zyxel Melen
0 -
@Zyxel_Melen I completely understand the difference between a firewall / router and the switch. The switch separates the virtual networks and provides the tagging based on the VLAN it is set to, and the firewall performs all the routing based on the traffic, untagged or tagged, and what subnet that VLAN is on. I do not think the firewall's VLAN, no matter what it is set to, should make any difference, as the switch is doing the tagging based on the port configs, and if the packet is untagged the firewall should just forward the packet to the destination and not just drop it, if that is the case. So the firewall should route that traffic based on that rule set, and the router should complement the switch and not limit it, as I feel I am limited now. I understand the VLAN interface is based on a physical port, but it has multiple logical networks passing traffic through it.
Now, how it pertains to me. I use the Zyxel firewall for all my routing needs, and only for routing between each VLAN that contains a different subnet, for all tagged and untagged traffic. All my devices need internet access as well. The four concerns I have are below:
- You say that the Flex 500H has a VLAN1 as the default. I see no reference to that in the CLI so there is no way to manage it. Where is it in the CLI?
- VLAN1 is a security vulnerability and is not recommended to use, and that is documented all over the internet; well, Cisco recommends not using it either and using a different VLAN (example: VLAN10). All hackers know about VLAN1, and that is a gateway for them to exploit the network quicker.
- I want to eliminate the use of VLAN1 in my environment, and with the current limitations of this firewall I am stuck using an interface that IMO is unmanaged in order to perform routing functions for tagged and untagged traffic. I understand the firewall needs to be aware of the VLAN it is on for that network, as in my opinion it should care based on the subnet it is set to, but it should just be aware, not totally reject the switch config and the traffic that it is trying to pass.
- I just think more flexibility should be built into the firewall to give engineers / users more options when they set up their network or evolve and grow their network, and as of today the capability is not there.
These are just my concerns and my experiences in trying to secure my network. Thank you.
0 -
This post can be officially closed out now. The issue lies within the limitation of the Zyxel Firewall not supporting a Native VLAN / PVID on a trunked interface port. Once I removed the native VLAN switchport from the trunked interface, I could then move to the VLAN10 interface / profile within the configuration on the firewall. Now it is working as expected. Thank you @Zyxel_Cooldia for all your support and assistance with this.
0
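An added illustration, not code from the thread or from Zyxel, of the behaviour Zyxel_Melen describes and of why removing the native VLAN from the trunk resolved the issue: a trunk port emits its native VLAN untagged, and a firewall with no native-VLAN concept lands untagged frames on the physical GE interface rather than on any VLAN sub-interface. Interface names (ge3, vlan10, vlan99), MAC addresses and the payload are constructed for the example.

```python
# Added example (not from the thread): models a switch trunk with a native VLAN
# and a firewall that only maps 802.1Q-tagged frames to VLAN sub-interfaces.
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = b"\x08\x00"

def build_frame(dst, src, vid, payload):
    """Constructed Ethernet frame; vid=None means untagged (native VLAN on a trunk)."""
    if vid is None:
        return dst + src + ETH_P_IP + payload
    tci = vid & 0x0FFF                      # PCP/DEI left at zero
    return dst + src + struct.pack("!HH", ETH_P_8021Q, tci) + ETH_P_IP + payload

def parse_vid(frame):
    """Return the 802.1Q VID, or None if the frame carries no tag."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != ETH_P_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def switch_trunk_egress(vid, native_vid, dst, src, payload):
    """A trunk port sends the native VLAN untagged and every other VLAN tagged."""
    return build_frame(dst, src, None if vid == native_vid else vid, payload)

def firewall_ingress(frame, base_if="ge3", vlan_ifs=(10, 99)):
    """Tagged frames land on the matching VLAN sub-interface; untagged ones on the GE itself."""
    vid = parse_vid(frame)
    if vid is None:
        return base_if                      # no native-VLAN concept: stays on ge3
    return f"vlan{vid}" if vid in vlan_ifs else "dropped"

DST = bytes.fromhex("001122334455")          # constructed MACs
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19             # constructed stub IPv4 header

def landing_interface(vid, native_vid):
    """Which firewall interface receives traffic from VLAN `vid` over the trunk."""
    return firewall_ingress(switch_trunk_egress(vid, native_vid, DST, SRC, PAYLOAD))

if __name__ == "__main__":
    # Trunk native VLAN 10: VLAN 10 hosts arrive untagged and never reach vlan10.
    print(landing_interface(10, native_vid=10))   # ge3
    # Native VLAN no longer 10 (left at the unused default 1): VLAN 10 is tagged.
    print(landing_interface(10, native_vid=1))    # vlan10
    print(landing_interface(99, native_vid=1))    # vlan99
```

Capturing on the VLAN sub-interface, as Zyxel_Melen suggests, is the quickest check: if the expected traffic shows up untagged on the GE interface instead, the trunk's native VLAN is the cause.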