VLAN tagged frame handling on the XGS1210-12
With the XGS1210-12, you can create VLANs and select them as either tagged or untagged for egress on a particular port. It's a bit weird to have multiple VLANs coming out a port as untagged traffic, but OK, just Don't Do That Then. You can also create a VLAN that is to be associated with incoming untagged frames.
All good so far.
However, there appears to be no ingress filtering of tagged traffic! If I create a VLAN2 and set it as untagged on port 2, a non-member everywhere else, and then send VLAN2 tagged broadcast frames into port 1, they'll come out of port 2. This is really not what you want to happen. There's not even any way as far as I can tell to disable this behavior - every port is a full trunking port on the ingress side with no limitations.
So while there's technically isolation between VLANs, you're only one client misconfiguration away from a mess. Is there really no way to have VLAN ingress filtering, or at the very least be able to drop VLAN-tagged frames on a particular port?
Accepted Solution
-
The latest firmware includes the ingress VLAN filtering feature (VLAN ingress checking).
Please download it via this link.
0
All Replies
-
Hi @John128,
Welcome to Zyxel community!
Thanks for bringing our attention to this scenario.
I will help to check this scenario and update you once I get further information.
0 -
Hi @John128,
Thanks for sharing this idea with us.
The feature of ingress filtering/checking which is mostly used in business network to isolate traffic between different VLAN.
For SOHO/home users, most scenario are that switch is directly connected with end-device, and most likely they do not use VLAN tag for IPCAM/PC/NAC/AP.
Can you share your scenario with us so we can further evaluate the needs for this feature? As to our understanding now, ingress filter fits better for business Switch.
0 -
Sorry melen, but this feature lack on XGS-1210-12 tell me "don't buy this switch if you're willing to use VLANs"If i cannot use vLANs for "splitting" the switch in many parts as I wish, what's the use of VLAN?0
-
Hi @mMontana,
Thanks for sharing your professional input.
Indeed for pro-users that needs to set tagged VLAN, we do recommend to set ports to the same VLAN member in order to achieve traffic segmentation for tagged traffic.
However, for SOHO/home users with AP/PC that uses untagged VLAN traffic mostly, XGS1210-12 still handles VLAN segmentation quite well.
@John128 , for the scenario you mentioned, we recommend VLAN configuration by adding port 1 to VLAN 2 member, this will solve this problem.
0 -
@Zyxel_Melen you were very kind to define my input "professional". :-)
What reported is my personal opinion and the way I use vLANS. May not fill all the other ways available, which are so many, and may not reflect a big enough part of current/potential zyxel customers.
Anyway I hope that your suggestion will fulfill @John128 needs.
0 -
The whole point is that port 1 is not supposed to participate in VLAN2.
If I have a bunch of untrusted devices (e.g. guests, IoT devices) plugged into ports 1 through 4, and the rest of my network on ports 5 through 12, I don't want any packets from ports 1 through 4 to leak into ports 5 through 12. This is not possible to achieve with the switch as it is: if I set ports 1 through 4 as untagged VLAN2, and ports 5 through 12 as untagged VLAN3, then a hostile (or misconfigured) device plugged into port 1 can trivially send data to ports 5 through 12 by adding a dot1q tag for VLAN3.
VLANs are supposed to provide isolation - that's not really happening at the moment.
From looking at various code/docs (eg: https://github.com/openwrt/openwrt/blob/master/target/linux/realtek/files-5.10/drivers/net/dsa/rtl83xx/dsa.c), it appears that the RTL9302B is quite capable of ingress filtering - it should just be a case of setting VLAN_PORT_IGR_FILTER to "enabled" instead of "always forward" on each port.0 -
Hi @John128,
Indeed there are versatile VLAN application out there. As XGS1210 is our entry-level desktop switch for home networks, the features offer on the switch address basic network environment that are presumably be more secured with less untrusted device attached. Though with proper configuration, it can still provide VLAN segmentation for basic network setup. For network that requires more advanced features, we also offers ranges of GS1900 series product to support ingress filtering check to fully secured network with untrusted devices.
Back to the multi-G products, we appreciate your sharing on potential network usages. We will enhance it in the next firmware release of XGS1210.
We apologize for the inconvenience that lack of ingress filtering has caused you.
0 -
The XGS1210 is really the perfect hardware for my home office - range of ports (1G for old stuff, 2.5G for a couple of desktop machines, 10G SFP+ for uplink to my home lab), nice and small, and, importantly, fanless. I tried to love the XS1930-10, but in a near-silent office (everything either fanless or watercooled with slow-moving and very quiet 140mm fans) it just didn't fit. If the ingress filtering can be made to work, the software side will be sorted. Openwrt looks like a possibility in the future, though isn't quite there yet.
0 -
Hi @John128,
Glad to hear that you like ZYXEL products, it encourages us to keep providing good products to meet users’ expectations. : ) Before the next XGS1210 firmware for VLAN ingress filtering releasing, we also prepare the date firmware, feel free to PM us if needed.
0 -
+1: encountering this ingress filtering issue as well.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight