VLAN trunking between GS1910-24 switches for a guest network...
This should be a relatively easy setup, but my attempts at getting this to work have failed.
I've got three GS1910-24 switches (v2 firmware). What I'm attempting to do is create a guest VLAN network across the switches using VLAN ID 20.
[SwitchA - Port 3]<------->[ Port 24 - SwitchB - Port ??]<-------->[ Port ?? - SwitchC]
(Switch C isn't part of this now, but might be in the future)
One of the switches (A) will have computers connected that will not be VLAN aware. I believe that means I can keep the default "Ingress Acceptance" of "Tagged and Untagged". It's not clear to me if I need to alter the default setting for Egress Tagging -- some of the documentation I've read suggests that these switches manage this automatically. "Allowed VLANs" for these ports were set to "20":
Switch A, Port 22: Port VLAN=20, Ingress Filtering=On, Ingress Acceptance=Tagged and Untagged, Egress Tagging=Untag Port VLAN, AllowedVLANs=20
The ports that link the switches have "Allowed VLANs" set to "1,20", and all other settings set to default:
Switch A, Port 3: Port VLAN=1, Ingress Filtering=On, Ingress Acceptance=Tagged and Untagged, Egress Tagging=Untag Port VLAN, Allowed VLANS=1,20
Switch B, Port 24: Port VLAN=1, Ingress Filtering=On, Ingress Acceptance=Tagged and Untagged, Egress Tagging=Untag Port VLAN, Allowed VLANS=1,20
On the other switch (B), I've got my gateway device on port 20. That gateway interface can be configured to tag VLAN if I want, or I could attempt to set it up similar to the computers on switch A and have the switch manage that, but trying either didn't work. This is the current setting:
Switch B, Port 20: Port VLAN=20, IngressFiltering=On, Ingress Acceptance=Tagged and Untagged, Egress Tagging=Untag Port VLAN, Allowed VLANS=20
No matter what combination I've tried, I cannot get any traffic to pass between the switches. I'm using tcpdump on the gateway and test computer. Either can see their own broadcast traffic plus their own switch's STP and LLDP broadcast traffic.
What am I doing wrong?
All Replies
-
How about changing the egress tagging to always tag for the trunk ports? In my opinion there's no need to use untagged traffic between switches.
Btw, you can examine the MAC table on switches to check the VLAN of MAC entries.
I typically don't mess with ingress / egress settings.
I also tend to set my general-purpose ports with a PVID that matches my primary VLAN, and then set those ports for untagged access to that VLAN, with all other VLANs set to "Forbidden".
That way, anything that is plugged into them, whether it is VLAN-aware or not, will get dumped onto my primary VLAN.
Then, I set my more "tailored" ports up afterwards.
I'll use my office setup as an example, paring it down a bit for clarity -
We have multiple VLANs on our network, and a few managed switches.
VLAN10 Printers, dedicated PCs, other in-house network gear
VLAN20 IP phones with built-in ethernet port to support PCs
VLAN30 Public / Guest internet access
Port settings for printers and dedicated PCs -
Untagged access to VLAN10
All other VLANs set to "Forbidden" for these ports
PVID 10
This essentially defines it as an "access port".
Only VLAN10 is allowed on that port, and anything plugged into it that isn't VLAN-aware will be assumed to be (tagged as) VLAN10 traffic.
Port settings for IP phones (with attached PCs) can be done two different ways -
VLAN10 set to UNTAGGED
PVID 10
VLAN20 set to TAGGED
All other VLANs set to "Forbidden" for these ports
- or -
VLAN10 set to UNTAGGED
PVID 10
VLAN20 set to "EXCLUDED"
All other VLANs set to "Forbidden" for these ports
Auto-voice VLAN configured for these ports.
These are essentially "General" ports, which can have one or more VLANs assigned to them either manually or dynamically.
Either of these will allow every-day PC/Printer access on these ports, but, if there is an IP phone present, it can communicate on VLAN20.
Ports that are used to link one or more VLAN-aware switches, ports that are used for wireless access points that support multiple SSID's, and ports that are connected to your router are all set up essentially the same -
VLAN10 set to UNTAGGED
PVID 10
All other VLANs set to TAGGED
These are generally referred to as "Trunk" ports.
Note that if you are connecting two switches together, then you must configure the inter-link port(s) that you are using on each switch exactly the same.
If they are set differently, then you'll probably start running into trouble.
Let me know if you need clarification on anything, or if I made any glaring mistakes in my explanation. ;-)
-
I typically don't mess with ingress / egress settings.
I usually set up the majority of my ports as "access" ports.
i.e., each port is set to VLAN10, PVID10, Untagged,
with all other VLANS set to forbidden.
Then, I go back in, and tailor other ports for my specific needs.
I'll use my office setup as an example, paring it down a bit for clarity -
We have multiple VLANs on our network, and a few managed switches.
VLAN10 PC's and printers
VLAN20 IP phones with attached PCs
VLAN30 Public internet access
Port settings for printers and dedicated PCs -
Untagged access to VLAN10
All other VLANs set to "Forbidden" for these ports
PVID 10
That essentially defines it as an "access port".
Only VLAN10 is allowed on that port, and anything plugged into it
that isn't VLAN-aware will move as tagged VLAN10 traffic.
Port settings for IP phones can be done two different ways -
VLAN10 set to UNTAGGED
PVID 10
VLAN20 set to TAGGED
All other VLANs set to "Forbidden" for these ports
- or -
VLAN10 set to UNTAGGED
PVID 10
VLAN20 set to "EXCLUDED"
All other VLANs set to "Forbidden" for these ports
Auto-voice VLAN configured for these ports.
These are essentially "General" ports, which can have one or more
VLANs assigned to them either manually or automatically.
Either of these will allow every-day PC/Printer access on these ports,
but, if there is an IP phone present, it can communicate on VLAN20.
Linking two switches together,
or, connecting an access point that supports multiple SSID's / VLANs,
or, connecting the switch to your router -
VLAN10 set to UNTAGGED
PVID 10
VLAN20 set to TAGGED
VLAN30 set to TAGGED
This is generally referred to as a "trunk" port.
When connecting two switches, the port(s) that you
are using to connect the switches together MUST be set identically.
Otherwise, you may start running into trouble.
Let me know if I can clarify anything further,
or if you noticed any glaring mistakes. ;-)
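
Added example, not part of the thread and not GS1910 firmware behaviour: a simplified model of 802.1Q port rules (PVID, allowed VLANs, egress tagging) that traces an untagged frame across the inter-switch link, using the port settings quoted in the question, and shows why the two ends of a trunk need matching settings on a guest network. The `Port` class, the mode labels `untag_pvid` / `tag_all`, the `OFFICE` port and the mismatched `B24_BAD` port are assumptions made for the illustration.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Port:
    pvid: int
    allowed: frozenset
    egress: str = "untag_pvid"   # labels assumed here: "untag_pvid" or "tag_all"
    ingress_filtering: bool = True

def ingress(port, tag):
    """Classify a received frame (tag=None means untagged); None means dropped."""
    vlan = port.pvid if tag is None else tag
    if port.ingress_filtering and vlan not in port.allowed:
        return None
    return vlan

def egress(port, vlan):
    """Return (tag state, tag) for a frame leaving the port, or ('drop', None)."""
    if vlan is None or vlan not in port.allowed:
        return "drop", None
    if port.egress == "untag_pvid" and vlan == port.pvid:
        return "untagged", None
    return "tagged", vlan

def cross_link(src, trunk_a, trunk_b, dst):
    """Send an untagged frame into src; return (state on wire, VLAN on far switch, state at dst)."""
    wire, tag = egress(trunk_a, ingress(src, None))
    if wire == "drop":
        return wire, None, "drop"
    far_vlan = ingress(trunk_b, tag)
    return wire, far_vlan, egress(dst, far_vlan)[0]

def trunk_mismatches(a, b):
    """List the settings that differ between the two ends of an inter-switch link."""
    return [f.name for f in fields(Port) if getattr(a, f.name) != getattr(b, f.name)]

# Settings quoted in the question, written as Port objects
A22 = Port(20, frozenset({20}))      # Switch A, Port 22 (guest PC)
A3 = Port(1, frozenset({1, 20}))     # Switch A, Port 3 (link to B)
B24 = Port(1, frozenset({1, 20}))    # Switch B, Port 24 (link to A)
B20 = Port(20, frozenset({20}))      # Switch B, Port 20 (gateway)
# Constructed for illustration: far trunk end given PVID 20, and a VLAN 1 access port
B24_BAD = Port(20, frozenset({1, 20}))
OFFICE = Port(1, frozenset({1}))

if __name__ == "__main__":
    print(cross_link(A22, A3, B24, B20))        # guest frame over the matched trunk
    print(trunk_mismatches(A3, B24_BAD))        # which setting differs
    print(cross_link(OFFICE, A3, B24_BAD, B20)) # VLAN 1 frame over the mismatched trunk
```

The model covers tagging rules only; it says nothing about whether VLAN 20 exists in each switch's VLAN table or about spanning tree state, which is where the MAC-table check suggested in the first reply helps.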