Port Based VLAN is not working.

PeterUK
PeterUK Posts: 3,389  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited August 2022 in Switch

I'm guessing its the same for all ZYXEL switches with this option but I have tried to get the GS2200 to work with a Proxy ARP setup so far the only way is to use a Netgear GS105E that does Port Based VLAN correctly.

You might be thinking why not use 802.1Q VLAN and the reason for this is double packets happen with the Proxy ARP setup but not if I use Netgear GS105E Port Based VLAN.

So what do I think is wrong with the GS2200 Port Based VLAN? ARP seems to cross ports it should not cross that and the setup is not that easy to work with.

This is how the GS105E is setup with port 5 to the Proxy ARP setup ZyWALL 110 with PC1 on port 4 and PC2 on port 3. So PC1 can't get to PC2 directly and goes by the Proxy ARP ZyWALL 110.   

So how can a make the GS2200 do what the GS105E does. 

«1

Comments

  • s_k
    s_k Posts: 10  Freshman Member
    First Answer First Comment Fourth Anniversary
    edited September 2018
    Hi Peter,
    you describe how you configured the Netgear device, but not the configuration of the Zyxel switch. If the Zyxel switch is configured as described in this thread https://businessforum.zyxel.com/discussion/comment/4305, then it is not in the same mode as the Netgear, but in 802.1q mode.
    You can change the operating mode of the Zyxel under "Basic Setting -> Switch Setup".
    Regards,
    sk
  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2018

    Yes I tried 802.1q mode with the config in the link above and get this on PC1.

    I then trying doing GS2200 Port Based VLAN and could not get it to work like the Netgear GS105E with no double packets with proxy ARP.

    I understand that by Wireshark of the ZyWALL 110 WAN there is a request going in and a request going out by 1 TTL down but I'm taking about Wireshark from the PC with double packet where the Netgear GS105E does not.

    If you know of a config in 802.1q mode for port 1,2,and 3 for the setup I can give that a go.

  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 98  Zyxel Employee
    5 Answers First Comment Friend Collector Seventh Anniversary

    Based on the description, I assume that your LAB topology is like the Figure 1 below.
    In this condition, you will capture a double packet due to PCA is the one who sends ICMP packet and the mirror port at the same time.

    Figure 1.


    Solution:
    I recommend separating the mirror port and the one who send ICMP packet lke the Figure 2 below.

    Hope it helps.
  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Thats not the topology there is no mirror port and your missing proxy ARP by ZyWALL 110

    Here it is in detail by 802.1Q VLAN

    VLAN 13

    Port 1 fixed untagged

    port 2 forbidden

    port 3 fixed tagged

    VLAN 14

    Port 1 fixed untagged

    port 2 fixed tagged

    port 3 forbidden

    VLAN 15

    Port 1 fixed tagged

    port 2 fixed untagged

    port 3 fixed untagged

    PVID 15 port 1

    PVID 14 port 2

    PVID 13 port 3


  • s_k
    s_k Posts: 10  Freshman Member
    First Answer First Comment Fourth Anniversary
    Hi Peter,
    I'm sorry to have to say that, but this VLAN configuration is pretty nonsense in my opinion.
    Get rid of it and first of all describe which result you would like to achieve. Then we can work out a solution together.
    greeting
    Steffen

  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 98  Zyxel Employee
    5 Answers First Comment Friend Collector Seventh Anniversary

    Thanks for the specific information.
    Based on the topology, due to PC1 & PC2 PVIDs are configured with different VLAN which is VLAN 13 & 14. In this situation, the incoming packets from ZyWALL110 (VLAN 15) don't know where the destination is so it will flood the packet. Therefore you will see a double packet which is normal.

    Please refer to the information below for the test I made using port-based VLAN.

    Topology:

    Configuration:
    1. ZyWALL110 enabled proxy ARP on P1 (WAN port) then configured IP 192.168.10.111 (PC_A) & 192.168.10.222 (PC_B).

    2. GS2200 configure port-based VLAN, P1 can communicate to P2 & P3. And P2 & P3 are isolated.
    Advanced Application > VLAN


    3. PC_A could communicate with PC_B and without double packet.
    Wireshark result:


    Best Regards,
  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2018

    Yes I tried that GS2200 Port Based VLAN setup and it does not isolate the ARP from PC2 and PC1 it ARP who has 192.168.255.53 tell 192.168.255.55 and get the MAC of PC2 and not the Proxy ARP it then try to ping PC2 MAC and fails.

    What switch did you test on? 


  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2018

    Solved by doing a Factory Default it seems the config I had with 802.1Q VLAN and Default Management IP Address on a different VLAN seems to stop Port Based VLAN when you change from working correctly.

    And on another note if you have Telnet or SSH disabled you can't do a Factory Default!


  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 98  Zyxel Employee
    5 Answers First Comment Friend Collector Seventh Anniversary

    For confirmation, Port-Based VLAN is working properly.
    May I know your specific procedure when you are processing factory default?

    I've made a local LAB test and it works fine, please refer to the result below.

    Test result using GS2200:
    Disable Telnet & SSH > Access via Web-GUI ( Management > Maintenance > Load Factory Default) = Passed.
    Disable telnet > Access via SSH (CLI command: erase running-config) = Passed.
    Disable SSH > Access via Telnet (CLI command: erase running-config) = Passed.
  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Yes it works now.

    Telnet & SSH was disabled and the Management > Maintenance > Load Factory Default didn't do anything not sure why you could without Telnet & SSH enabled.

    I have a old config file for the GS2200 you can load if needed for testing.