Is my VLAN configuration correct?

Peter Tselios
Peter Tselios Posts: 22  Freshman Member
edited December 2023 in Switch

Hello,

This is my first attempt to configure VLANs on my home office network.

I have a GS1900-8HP as my primary switch and a couple of Ubiquiti mini (that will be configured later)

I need to setup 4 VLANs on the network:

  1. VLAN 1 is the untagged, PVID that will be used for all network traffic from Wifi and other PCs on the network
  2. VLAN 10 is a network that will be used from the Guest network
  3. VLAN 120 is a network that will be used from the home lab servers/devices
  4. VLAN 121 is the storage network

What I need is:
Ports 1, 5 and 8 on the switch should allow traffic from all the above networks/VLANs. Port 1 is connected to the main router.

All other ports should only allow traffic from VLAN/PVID 1.

My current configuration is:

And:

And (the following is identical for VLANs 10, 120, 121):

My questions are:

1. Is this configuration the correct one?

2. Is traffic isolated? I am asking because I don't fully understand the meaning of the "Ingress Check" and VLAN Trunk options on the first picture. Do I have to enable them for all ports, or just the ports that have the VLANs assigned?

3. Do I need to enable VLAN Trunk on ports 1,5,8? I have it enabled, but I think it's not needed since those ports are not used as an uplink to another switch.

4. Regarding the isolation, will my current setup ensure that if I set up a machine that will send tagged traffic (let's say 121) on port 3, the traffic will be blocked?

Best Answers

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    edited January 3 Answer ✓

    Hi @Peter Tselios,

    1. Is this configuration the correct one?

    The configuration is correct if ports 5 and 8 are connecting to other switches. If not, what device are you going to connect? In addition, you may reference this FAQ to set up VLANs.

    2. Is traffic isolated? I am asking because I don't fully understand the meaning of the "Ingress Check" and VLAN Trunk options on the first picture. Do I have to enable them for all ports, or just the ports that have the VLANs assigned?

    VLAN is used to separate the different broadcast domains, so the traffic is isolated. But if you have a router/firewall, different VLANs can communicate with each other via routing. (When you have set VLAN interfaces on it.) You need to set policy rules on the router/firewall to isolate different VLANs.

    "Ingress Check" and "VLAN trunk" are not used to isolate traffic.

    "Ingress Check" is used to check the VLAN tags of incoming packets that are the VLAN members of the port. If not, the packet will be dropped.

    "VLAN trunk" is used to forward unknown VLAN packets. Since you have designed your VLANs, you don't need to enable the VLAN trunk. By the way, you may reference this FAQ for the VLAN trunk.

    3. Do I need to enable VLAN Trunk on ports 1,5,8? I have it enabled, but I think it's not needed since those ports are not used as an uplink to another switch.

    Please reference the above reply.

    4. Regarding the isolation, will my current setup ensure that if I set up a machine that will send tagged traffic (let's say 121) on port 3, the traffic will be blocked?

    If you mean the TCP traffic, the traffic will be blocked since port 3 is not VLAN 121's member. Additionally, if you want to be more secure, you can enable the ingress check. This will drop all packets, like the broadcast packets and the UDP packets, from this machine.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited January 2 Answer ✓

    Ok here is a setup to isolate to LAN

    Port 1 is uplink VLAN3

    Port 2 PC A VLAN1

    Port 3 PC B VLAN2

    To add another isolation, say port 4, make a new VLAN, say 10, untagged on ports 1 and 4 with PVID 10 on port 4, all others Forbidden, and on VLAN 3 fixed (untagged) on port 4.


All Replies

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited January 1

    VLANs work when you have a router that supports VLANs by subnets.

    Right now VLAN 1 is used for everything, no isolation. A port-based VLAN (which your switch doesn't support) might be what you need if you don't look at getting a router.

    Here is what a port-based VLAN would look like:

    port 8 is uplink to router

    ports 1,9 and 10 are isolated from other ports

    ports 2-4 can see each other but not ports 5-7

    ports 5-7 can see each other but not ports 2-4

  • Peter Tselios
    Peter Tselios Posts: 22  Freshman Member

    I don't need port-based VLANs, or at least I haven't planned to segregate the switch ports like this.

    I still don't understand points 2,3.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member

    What router do you have? how is it setup?

  • Peter Tselios
    Peter Tselios Posts: 22  Freshman Member

    Many thanks to both of you.

    If anyone is interested, ports 1 and 5 are connected to the main router and another OpenWrt-based AP, and they are VLAN-aware.

    Port 8 is another switch I plan to integrate; that's why I asked about the storage VLAN.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @Peter Tselios

    Since ports 5 and 8 are connected with VLAN-aware devices, your configuration is correct.

  • Peter Tselios
    Peter Tselios Posts: 22  Freshman Member

    I return to this topic since I have troubles with the setup.

    A brief summary:

    I use the following setup:

    OpenWrt router (VLAN aware/VLANs enabled & configured) —> Zyxel GS1900 8HP, port 1
    OpenWrt router, acting as AP, VLAN Aware, VLANs configured —> Zyxel GS1900 8HP, port 5

    All other ports in the Zyxel are connected to non-VLAN aware devices.

    The Zyxel setup is the following:

    For ports 1 & 5 I have the following setup:

    (All VLANs are configured the same).

    Both OpenWrt routers are configured to use tagged VLANs for their upstream ports, and they have untagged the rest of the Ethernet ports with PVID 1.

    My problem is that when I connect ethernet devices on the OpenWrt routers, they can communicate only with devices that are connected to the same router, nothing else. I thought that the openwrt configuration was wrong, but then I realized that PVID seems NOT to work on the Zyxel side!

    If I connect a PC on port 5, that PC cannot get an IP from the DHCP server, nor can it reach the rest of the LAN (which is on VLAN 1). Which means that port 5 accepts only tagged traffic, which is not what the PVID should do, right?

    My expectation was that the switch would pass untagged traffic with the PVID 1, am I wrong?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @Peter Tselios,

    Could you share your VLAN port setting?

    In addition:

    1. Connecting a PC to port 5 is not a good test since port 5 is tagged out for VLAN 1 and 10. Most PCs do not accept VLAN-tagged packets; they usually discard them.
    2. Tagged/Untagged is the egress behavior of the switch port. It does not mean the port only accepts tagged packets.
    3. If you want to define the ingress behavior on the VLAN tag, you need to check the VLAN port setting > Acceptable frame type.

  • Peter Tselios
    Peter Tselios Posts: 22  Freshman Member
    1. Yes, but even if DHCP is not working, if I set a static IP on my PC, I expect it to reach the other end. Because of the PVID. No?
    2. Of course. But the port is configured to accept all types of packets:
    3. As you see, Ingress is disabled. Also, I have enabled VLAN Trunk in an attempt to fix the issue.

    All in all, I need to understand how PVID works (at least on this switch). Because my understanding was that when we define a PVID, the switch will add the PVID VLAN to each packet before forwarding it to the next device. Is this assumption wrong?
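To make the PVID, Ingress Check, Acceptable Frame Type and Tagged/Untagged behaviour discussed in Zyxel_Melen's two answers and in the last two posts concrete, here is a small Python model of an 802.1Q switch port. It is an added illustration written for this page, not Zyxel's or OpenWrt's code, and the switch it builds is an assumption reconstructed from the thread's text (ports 1, 5 and 8 tagged in VLANs 1, 10, 120 and 121 with PVID 1, every other port VLAN 1 untagged with PVID 1), not read from the missing screenshots. It follows the standard 802.1Q semantics that the Ingress Check description above matches: PVID only classifies untagged frames on ingress and never adds a tag on egress; whether a frame leaves a port tagged or untagged is the per-VLAN egress setting; Acceptable Frame Type filters on ingress by tag presence; and a frame tagged 121 injected on port 3 (question 4) reaches the VLAN 121 members when Ingress Check is off and is dropped when it is on.

```python
"""Toy 802.1Q port model (added illustration, not Zyxel or OpenWrt code).

It reproduces the four settings discussed in this thread: PVID, per-VLAN
membership with tagged or untagged egress, "Ingress Check" and "Acceptable
frame type", and shows what each does to a frame arriving on a port.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port. Membership is split into the VLANs the port sends
    tagged and the ones it sends untagged (the Tagged/Untagged choice in
    the switch's per-VLAN port page)."""
    pvid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)
    ingress_check: bool = False   # "Ingress Check" in the Zyxel UI
    accept: str = "all"           # Acceptable frame type: all / tagged / untagged

    def members(self):
        return self.tagged | self.untagged


def classify(port, vid):
    """Ingress side. vid is the 802.1Q VLAN ID of the arriving frame, or None
    for an untagged frame. Returns the VLAN the frame is assigned to, or None
    if the port drops it."""
    if vid is None:                       # untagged frame
        if port.accept == "tagged":
            return None
        return port.pvid                  # PVID only ever applies here
    if port.accept == "untagged":         # tagged frame on an untagged-only port
        return None
    if port.ingress_check and vid not in port.members():
        return None                       # tag for a VLAN the port is not in
    return vid                            # tag honoured as-is


def egress_mode(port, vlan):
    """Egress side: 'tagged', 'untagged', or None when the port is not a
    member of the VLAN and therefore never sends its frames."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(switch, in_port, vid):
    """Ports (and tag state) on which a broadcast or unknown-unicast frame
    arriving on in_port would leave the switch. Empty dict means dropped."""
    vlan = classify(switch[in_port], vid)
    if vlan is None:
        return {}
    out = {}
    for num, port in switch.items():
        if num == in_port:
            continue
        mode = egress_mode(port, vlan)
        if mode is not None:
            out[num] = mode
    return out


def build_switch(ingress_check=False, port5_untags_pvid=False):
    """Constructed approximation of the GS1900-8HP configuration described
    in the thread (assumed from the text, not read from the screenshots):
    ports 1, 5 and 8 carry VLANs 1, 10, 120 and 121 tagged with PVID 1; every
    other port carries only VLAN 1 untagged with PVID 1."""
    switch = {}
    for num in range(1, 9):
        if num in (1, 5, 8):
            switch[num] = Port(pvid=1, tagged={1, 10, 120, 121},
                               ingress_check=ingress_check)
        else:
            switch[num] = Port(pvid=1, untagged={1},
                               ingress_check=ingress_check)
    if port5_untags_pvid:                 # variant: VLAN 1 untagged on port 5
        switch[5].tagged.discard(1)
        switch[5].untagged.add(1)
    return switch


if __name__ == "__main__":
    # Question 4: a host on port 3 injecting a frame tagged VLAN 121.
    print("tag 121 on port 3, Ingress Check off:", forward(build_switch(False), 3, 121))
    print("tag 121 on port 3, Ingress Check on: ", forward(build_switch(True), 3, 121))
    # The PC on port 5: its untagged frame is classified into PVID 1 ...
    print("untagged PC frame on port 5:", forward(build_switch(), 5, None))
    # ... but the router's reply arrives tagged VLAN 1 on port 1 and leaves
    # port 5 tagged, which an ordinary PC NIC discards.
    print("router reply, tag 1 on port 1:", forward(build_switch(), 1, 1))
    print("same, VLAN 1 untagged on port 5:", forward(build_switch(port5_untags_pvid=True), 1, 1))
```

Running the block prints the five cases. The port-5 case reproduces the symptom in the post above without anything being broken on the switch: the PC's untagged frame does enter VLAN 1 via the PVID, but every reply leaves port 5 with a VLAN 1 tag because VLAN 1 is set Tagged on that port, and the PC's NIC discards it. Making VLAN 1 Untagged on port 5 fixes the PC test, but the OpenWrt AP on that port would then have to expect VLAN 1 untagged on its uplink too, so the model only tells you what the switch does with each frame, not which side to change. The port-3 case is the security-relevant one: with Ingress Check off the model forwards the foreign tag to every VLAN 121 member, which is why enabling it on access ports is the cheap hardening step.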