Port Based VLAN is not working.
I'm guessing it's the same for all ZYXEL switches with this option, but I have tried to get the GS2200 to work with a Proxy ARP setup; so far the only way is to use a Netgear GS105E that does Port Based VLAN correctly.
You might be thinking, why not use 802.1Q VLAN? The reason for this is double packets happen with the Proxy ARP setup but not if I use Netgear GS105E Port Based VLAN.
So what do I think is wrong with the GS2200 Port Based VLAN? ARP seems to cross ports it should not cross, and the setup is not that easy to work with.
This is how the GS105E is set up: port 5 to the Proxy ARP setup ZyWALL 110, with PC1 on port 4 and PC2 on port 3. So PC1 can't get to PC2 directly and goes by the Proxy ARP ZyWALL 110.
So how can I make the GS2200 do what the GS105E does?
Comments
-
Hi Peter,

you describe how you configured the Netgear device, but not the configuration of the Zyxel switch. If the Zyxel switch is configured as described in this thread https://businessforum.zyxel.com/discussion/comment/4305, then it is not in the same mode as the Netgear, but in 802.1q mode.

You can change the operating mode of the Zyxel under "Basic Setting -> Switch Setup".

Regards,
sk0
-
Yes, I tried 802.1q mode with the config in the link above and get this on PC1.
I then tried doing GS2200 Port Based VLAN and could not get it to work like the Netgear GS105E with no double packets with proxy ARP.
I understand that by Wireshark of the ZyWALL 110 WAN there is a request going in and a request going out by 1 TTL down, but I'm talking about Wireshark from the PC with double packet where the Netgear GS105E does not.
If you know of a config in 802.1q mode for port 1, 2, and 3 for the setup, I can give that a go.
0 -
Hi @PeterUK,

Based on the description, I assume that your LAB topology is like the Figure 1 below. In this condition, you will capture a double packet due to PCA is the one who sends ICMP packet and the mirror port at the same time.

Figure 1.

Solution: I recommend separating the mirror port and the one who sends ICMP packet like the Figure 2 below.

Hope it helps.

Zyxel_Jonas
0 -
That's not the topology; there is no mirror port and you're missing proxy ARP by ZyWALL 110.
Here it is in detail by 802.1Q VLAN
VLAN 13
Port 1 fixed untagged
port 2 forbidden
port 3 fixed tagged
VLAN 14
Port 1 fixed untagged
port 2 fixed tagged
port 3 forbidden
VLAN 15
Port 1 fixed tagged
port 2 fixed untagged
port 3 fixed untagged
PVID 15 port 1
PVID 14 port 2
PVID 13 port 3
0 -
Hi Peter,
I'm sorry to have to say that, but this VLAN configuration is pretty nonsense in my opinion.
Get rid of it and first of all describe which result you would like to achieve. Then we can work out a solution together.
greeting
Steffen
0 -
Hi @PeterUK,

Thanks for the specific information.

Based on the topology, due to PC1 & PC2 PVIDs are configured with different VLAN which is VLAN 13 & 14. In this situation, the incoming packets from ZyWALL110 (VLAN 15) don't know where the destination is so it will flood the packet. Therefore you will see a double packet which is normal.

Please refer to the information below for the test I made using port-based VLAN.

Topology:

Configuration:

1. ZyWALL110 enabled proxy ARP on P1 (WAN port) then configured IP 192.168.10.111 (PC_A) & 192.168.10.222 (PC_B).
2. GS2200 configure port-based VLAN, P1 can communicate to P2 & P3. And P2 & P3 are isolated. Advanced Application > VLAN
3. PC_A could communicate with PC_B and without double packet.

Wireshark result:

Best Regards,
Zyxel_Jonas
1 -
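The flooding described in the reply above, and the contrast with the port-based setup, can be reproduced with a small model of the switch. This is an added example, not part of the thread and not Zyxel's firmware logic; it assumes per-VLAN MAC learning in 802.1Q mode, one shared MAC table in port-based mode, the ZyWALL on port 1, PC1 on port 2, PC2 on port 3, and constructed MAC addresses.

```python
# Added illustration (not from the thread): why the posted 802.1Q config floods
# the ZyWALL's replies while the port-based setup does not.
# Assumptions: per-VLAN MAC learning in 802.1Q mode, one shared MAC table in
# port-based mode, ZyWALL on port 1, PC1 on port 2, PC2 on port 3.

# 802.1Q table as posted: VID -> member ports (forbidden ports left out).
VLAN_MEMBERS = {13: {1, 3}, 14: {1, 2}, 15: {1, 2, 3}}
PVID = {1: 15, 2: 14, 3: 13}

# Port-based matrix as described: P1 reaches P2 and P3, P2 and P3 are isolated.
PORT_EGRESS = {1: {2, 3}, 2: {1}, 3: {1}}

# Constructed MAC addresses.
ZYWALL, PC1, PC2 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


class Switch:
    def __init__(self, egress, domain):
        self.egress = egress  # ingress port -> ports the frame may leave on
        self.domain = domain  # ingress port -> MAC-learning domain
        self.fdb = {}         # (domain, mac) -> port

    def receive(self, in_port, src, dst):
        """Learn the source, then return the sorted egress ports for the frame."""
        dom = self.domain[in_port]
        self.fdb[(dom, src)] = in_port
        allowed = self.egress[in_port]
        out = self.fdb.get((dom, dst))
        if out is None:  # unknown unicast in this domain: flood
            return sorted(allowed)
        return [out] if out in allowed else []


def dot1q_switch():
    egress = {p: VLAN_MEMBERS[v] - {p} for p, v in PVID.items()}
    return Switch(egress, dict(PVID))


def port_based_switch():
    return Switch(PORT_EGRESS, {p: 0 for p in PORT_EGRESS})


def reply_ports(sw, rounds=3):
    """PC1 talks to the ZyWALL repeatedly; return where the last reply goes."""
    for _ in range(rounds):
        sw.receive(2, PC1, ZYWALL)
        ports = sw.receive(1, ZYWALL, PC1)
    return ports
```

In the 802.1Q model PC1's MAC is only ever learned in VLAN 14, so every reply arriving on port 1 in VLAN 15 is an unknown unicast and also leaves on PC2's port; in the port-based model the reply leaves on port 2 only.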
Yes, I tried that GS2200 Port Based VLAN setup and it does not isolate the ARP from PC2 and PC1: it ARPs "who has 192.168.255.53 tell 192.168.255.55" and gets the MAC of PC2 and not the Proxy ARP; it then tries to ping PC2's MAC and fails.
What switch did you test on?
0 -
Solved by doing a Factory Default. It seems the config I had with 802.1Q VLAN and Default Management IP Address on a different VLAN stops Port Based VLAN from working correctly when you change.
And on another note if you have Telnet or SSH disabled you can't do a Factory Default!
0 -
Hi @PeterUK,

For confirmation, Port-Based VLAN is working properly.

May I know your specific procedure when you are processing factory default?

I've made a local LAB test and it works fine, please refer to the result below.

Test result using GS2200:

- Disable Telnet & SSH > Access via Web-GUI (Management > Maintenance > Load Factory Default) = Passed.
- Disable telnet > Access via SSH (CLI command: erase running-config) = Passed.
- Disable SSH > Access via Telnet (CLI command: erase running-config) = Passed.

Zyxel_Jonas
0 -
Yes, it works now.
Telnet & SSH were disabled and the Management > Maintenance > Load Factory Default didn't do anything; not sure why you could without Telnet & SSH enabled.
I have an old config file for the GS2200 you can load if needed for testing.
0