GS1200-8 and vLAN configuration

Stexxe
Stexxe Posts: 2
edited August 2022 in Switch
Hi all, I have a very classic home configuration, but it seems that there is something I'm missing in the GS1200-8 VLAN configuration. Here is the story...
I would like to separate and segregate two sets of devices so that the first set is not able to see the other and vice versa, but both of them shall be able to reach the internet.

The only working configuration that I was able to set up was the following, with 2 VLANs, 20 and 30, and the router (which does not support VLAN tags) on port 1.



but I have the following questions:
1. Why shall I put ALL the devices on the VLAN ID 1 in order to reach internet even if I have, on vLAN 20 the port 1 configured with TAG EGRESS MEMBER?
2. What does it mean, exactly, TAG EGRESS MEMBER?  :)
3. Is there any better (or most secure) solution that could be implemented?

Thanks in advance,
Stefano


All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited March 2022

    A port-based VLAN is what you really need if you don't have a router that supports VLANs and tags for given subnets.

    You can see if the following works but it might not.

    Have VLAN1 for port 1 and PVID 1 for port 1, ports 2-8 Non-member, as backup

    port 8 is the uplink

    VLAN40 for port 8 tag and PVID40 port 8 ports 2-7 untag port 1 Non-member

    VLAN20 for ports 2-4 tag and PVID 20 port 2-4 port 8 untag with ports 5-7 Non-member port 1 Non-member

    VLAN30 for ports 5-7 tag and PVID 30 ports 5-7 port 8 untag with ports 2-4 Non-member port 1 Non-member


  • D_Shadow
    D_Shadow Posts: 18  Freshman Member
    @Stexxe,

    3. Is there any better (or most secure) solution that could be implemented?
    Port isolation might be an option for your requirement. However, this feature will block all ports of communication except for the uplink port.

    As for "TAG EGRESS MEMBER", it means that this port will send out the VLAN tag.

    D,
  • Stexxe
    Stexxe Posts: 2
    PeterUK said:

    A port-based VLAN is what you really need if you don't have a router that supports VLANs and tags for given subnets.

    You can see if the following works but it might not.

    Have VLAN1 for port 1 and PVID 1 for port 1, ports 2-8 Non-member, as backup

    port 8 is the uplink

    VLAN40 for port 8 tag and PVID40 port 8 ports 2-7 untag port 1 Non-member

    VLAN20 for ports 2-4 tag and PVID 20 port 2-4 port 8 untag with ports 5-7 Non-member port 1 Non-member

    VLAN30 for ports 5-7 tag and PVID 30 ports 5-7 port 8 untag with ports 2-4 Non-member port 1 Non-member


    @PeterUK and first of all thanks for your reply. I tried your configuration as depicted in the following image:


    Did I understand your suggestion correctly?
    If yes, the configuration does not seem to be working... a PC connected to port 2 is not able to reach the internet (uplink configured on port 8).
    If no, could you please help me see what I missed?

    Thanks in advance,
    Stefano
  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    I tested here with another switch and it worked. Did you reboot the switch? Was the PC untagged, as the setup should work without tags?



  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited March 2022

    After checking again, the setup will work but in an unexpected way: you could get internet, but, like, ports 2-4 can't connect to each other.

    So really, for people who have a router that can do VLANs you want 802.1Q, but if you have a simple router you want Port Based.

    Here is a Zyxel switch with Port Based.
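
The PVID and tagged/untagged egress settings PeterUK lists earlier in the thread can be traced with a small model. The following Python sketch is an added illustration, not code posted by anyone in the thread or taken from Zyxel. It assumes a flood-only switch (no MAC learning) and that PCs and the router ignore frames that arrive tagged; the function names are made up for this example.

```python
# Flood-only model of an 802.1Q switch (no MAC learning): an untagged frame is
# classified into the ingress port's PVID VLAN and copied to every other member
# port of that VLAN, tagged or untagged according to that port's egress setting.
T, U = "tagged", "untagged"

def ports(first, last, value):
    """Map every port in an inclusive range to the same value."""
    return {p: value for p in range(first, last + 1)}

# PeterUK's layout as written in the thread (port 8 = uplink to the router).
PVID = {1: 1, **ports(2, 4, 20), **ports(5, 7, 30), 8: 40}
VLANS = {
    1:  {1: U},                      # backup VLAN, port 1 only
    20: {**ports(2, 4, T), 8: U},    # group A towards the uplink
    30: {**ports(5, 7, T), 8: U},    # group B towards the uplink
    40: {**ports(2, 7, U), 8: T},    # uplink back towards both groups
}

def egress(in_port, pvid=PVID, vlans=VLANS):
    """Ports an untagged frame from in_port leaves on, with the egress mode."""
    members = vlans.get(pvid[in_port], {})
    return {p: mode for p, mode in members.items() if p != in_port}

def delivers(src, dst, pvid=PVID, vlans=VLANS):
    """True if the device on dst gets an untagged copy of a frame sent from src.
    Assumption: end devices discard frames that arrive with a VLAN tag."""
    return egress(src, pvid, vlans).get(dst) == U

def matrix():
    """Reachability for every ordered port pair, as {(src, dst): bool}."""
    return {(s, d): delivers(s, d) for s in PVID for d in PVID if s != d}

if __name__ == "__main__":
    for src in sorted(PVID):
        row = " ".join("Y" if delivers(src, d) else "." for d in sorted(PVID) if d != src)
        print(f"port {src} -> {row}")
```

In this model ports 2-7 exchange traffic only with port 8: the two groups never see each other's frames, and frames between ports of the same group leave tagged, which corresponds to the behaviour reported in the last post.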