GS1920-48HP VLANs and MAC Address binding

TuSFuh
TuSFuh Posts: 2
edited May 24 in Switch

Hello, I have a question. I have the case that I have multiple Access Points connected to a Switch and want to set up some kind of MAC filtering for these. I want to make it so that only the Access Point can connect to the Switch directly, and if you want to put your Laptop, for example, on that Switch Port, it won't allow a pass-through to the network. The problem is that I also want to allow all Clients connected over the AP to go through the network, and I don't know all the MAC addresses of these clients. Also, these are all on different VLANs: the AP is in VLAN 1 and all the Clients go to VLAN 101; that works with no problems.

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,291  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Hi @TuSFuh,

    For this requirement, you need to change your access point to NAT mode, and then set port security on GS1920.

    Here are the steps to set port security for your reference:

    1. Check which port your access point is connected to and its MAC address. Mine is connected to port 7.
    2. Navigate to Menu > Security > Port Security page. Enter the port number in the MAC Freeze port list and click the "MAC Freeze" button.
    3. You will find the Port Security has been enabled and the address learning of port 7 is disabled.
    4. Check the MAC table. You will find the AP's MAC address has been changed to static.
    5. You may edit the static MAC address in Menu > Switching > Static MAC Forwarding page.
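
A read-only way to check the state that steps 3 and 4 describe, added here as an example and not taken from the thread or from Zyxel: it compares an exported MAC table against an inventory of AP ports and reports any port where the AP entry is not static or where another MAC is present. A foreign MAC on an AP port is also what a bridging (non-NAT) AP looks like from the switch, since its wireless clients' addresses then appear on that port. The table layout, MAC addresses and the `AP_PORTS` inventory are constructed assumptions, not the GS1920's actual output format.

```python
import re
from collections import defaultdict

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE_TABLE = """\
Port  VLAN  MAC                Type
7     1     aa:bb:cc:00:00:07  Static
8     1     AA-BB-CC-00-00-08  Dynamic
9     1     aa:bb:cc:00:00:09  Static
9     101   de:ad:be:ef:00:01  Dynamic
10    1     00:11:22:33:44:55  Static
"""

# Hypothetical inventory: switch port -> MAC of the AP expected on it.
AP_PORTS = {7: "aa:bb:cc:00:00:07", 8: "aa:bb:cc:00:00:08",
            9: "aa:bb:cc:00:00:09", 10: "aa:bb:cc:00:00:10",
            11: "aa:bb:cc:00:00:11"}

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return {port: [(vlan, mac, type), ...]}, skipping the header line."""
    table = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            port, vlan, mac, kind = fields
            table[int(port)].append((int(vlan), normalize_mac(mac), kind.lower()))
    return table

def audit(table_text, ap_ports):
    """Return {port: [finding, ...]}; an empty list means the port looks frozen."""
    table = parse_table(table_text)
    report = {}
    for port, ap_mac in sorted(ap_ports.items()):
        expected, findings = normalize_mac(ap_mac), []
        entries = table.get(port, [])
        if not any(mac == expected for _, mac, _ in entries):
            findings.append("AP MAC missing")
        for vlan, mac, kind in entries:
            if mac != expected:
                findings.append(f"unexpected MAC {mac} on VLAN {vlan}")
            elif kind != "static":
                findings.append("AP MAC not static")
        report[port] = findings
    return report
```

Calling `audit(SAMPLE_TABLE, AP_PORTS)` returns one list of findings per AP port; ports with an empty list match the frozen state.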

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,291  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @TuSFuh,

    Your requirement, "Allows the switch to pass the traffic from the access point and its clients, but blocks the traffic from the clients connected to the switch directly," can be achieved with two different methods. You can refer to the information below and choose one to apply.

    1. Enable port security and disable address learning on the ports not connecting with the access points. This makes the switch not learn the MAC addresses on these ports; therefore, no traffic will be forwarded.
    2. Create an unused VLAN for these ports and change the port VLAN ID (PVID) to this VLAN. This keeps these clients in a VLAN which is isolated from your network. In addition, it is recommended that other VLANs (like VLAN 1 & 101) exclude these ports. (Change these ports from Fixed to Normal/Forbidden.)

    Hope it helps.

  • TuSFuh
    TuSFuh Posts: 2

    Hi, thanks for the reply. I think you got my question wrong, it's not about the unused switch ports.

    I will try to explain it again. Think of a hotel where you have access points on the wall. Now you disconnect the Access Point and connect your Laptop via LAN to the port used to plug in the AP. If that's happening, I want to disallow the connection of the Laptop to the management VLAN (VID 1) and want it to not have a connection at all, or to a different VLAN. I hope this helps for declaration of my needs.
