Is my VLAN configuration correct?
Hello,
This is my first attempt to configure VLANs on my home office network.
I have a GS1900-8HP as my primary switch and a couple of Ubiquiti mini (that will be configured later)
I need to setup 4 VLANs on the network:
- VLAN 1 is the untagged/PVID VLAN that will be used for all network traffic from Wi-Fi and other PCs on the network
- VLAN 10 is the network that will be used for the guest network
- VLAN 120 is the network that will be used for the home lab servers/devices
- VLAN 121 is the storage network
What I need is:
Ports 1, 5 and 8 on the switch should allow traffic from all the above networks/VLANs. Port 1 is connected to the main router.
All other ports should only allow traffic from VLAN/PVID 1.
My current configuration is:
And:
And (the following is identical for VLANs 10, 120, 121):
My questions are:
1. Is this configuration the correct one?
2. Is traffic isolated? I am asking because I don't fully understand the meaning of the "Ingress Check" and VLAN Trunk options on the first picture. Do I have to enable them for all ports, or just the ports that have the VLANs assigned?
3. Do I need to enable VLAN Trunk on ports 1,5,8? I have it enabled, but I think it's not needed since those ports are not used as an uplink to another switch.
4. Regarding the isolation, will my current setup ensure that if I set up a machine that sends tagged traffic (let's say 121) on port 3, the traffic will be blocked?
Best Answers
-
Hi @Peter Tselios,
1. Is this configuration the correct one?
The configuration is correct if ports 5 and 8 are connecting to other switches. If not, what device are you going to connect? In addition, you may reference this FAQ to set up VLANs.
2. Is traffic isolated? I am asking because I don't fully understand the meaning of the "Ingress Check" and VLAN Trunk options on the first picture. Do I have to enable them for all ports, or just the ports that have the VLANs assigned?
VLAN is used to separate the different broadcast domains, so the traffic is isolated. But if you have a router/firewall, different VLANs can communicate with each other via routing. (When you have set VLAN interfaces on it.) You need to set policy rules on the router/firewall to isolate different VLANs.
"Ingress Check" and "VLAN trunk" are not used to isolate traffic.
"Ingress Check" is used to check whether the VLAN tag of an incoming packet belongs to one of the port's member VLANs. If not, the packet is dropped.
"VLAN trunk" is used to forward unknown VLAN packets. Since you have designed your VLANs, you don't need to enable the VLAN trunk. By the way, you may reference this FAQ for the VLAN trunk.
3. Do I need to enable VLAN Trunk on ports 1,5,8? I have it enabled, but I think it's not needed since those ports are not used as an uplink to another switch.
Please reference the above reply.
4. Regarding the isolation, will my current setup ensure that if I set up a machine that sends tagged traffic (let's say 121) on port 3, the traffic will be blocked?
If you mean the TCP traffic, the traffic will be blocked since port 3 is not VLAN 121's member. Additionally, if you want to be more secure, you can enable the ingress check. This will drop all packets, like the broadcast packets and the UDP packets, from this machine.
1 -
OK, here is a setup to isolate the LAN:
Port 1 is the uplink, VLAN 3
Port 2, PC A, VLAN 1
Port 3, PC B, VLAN 2
To add another isolated port, say port 4, make a new VLAN, say 10, untagged on ports 1 and 4 with PVID 10 on port 4, all others Forbidden, and VLAN 3 fixed (untagged) on port 4.
0
All Replies
-
VLANs work when you have a router that supports VLANs by subnets.
Right now VLAN 1 is used for everything, so there is no isolation. A port-based VLAN (which your switch doesn't support) might be what you need if you don't plan on getting a router.
Here is what a port-based VLAN would look like:
Port 8 is the uplink to the router
Ports 1, 9 and 10 are isolated from other ports
Ports 2-4 can see each other but not ports 5-7
Ports 5-7 can see each other but not ports 2-4
0 -
I don't need port-based VLANs, or at least I haven't planned to segregate the switch ports like this.
I still don't understand points 2,3.
0 -
What router do you have? how is it setup?
0 -
Many thanks to both of you.
If anyone is interested, ports 1 and 5 are connected to the main router and another OpenWrt-based AP, and they are VLAN aware.
Port 8 is another switch I plan to integrate; that's why I asked about the storage VLAN.
0 -
Since ports 5 and 8 are connected with VLAN-aware devices, your configuration is correct.
0 -
I return to this topic since I have troubles with the setup.
A brief summary:
I use the following setup:
OpenWrt router (VLAN aware/VLANs enabled & configured) —> Zyxel GS1900 8HP, port 1
OpenWrt router, acting as AP, VLAN aware, VLANs configured —> Zyxel GS1900 8HP, port 5
All other ports in the Zyxel are connected to non-VLAN-aware devices.
The Zyxel setup is the following. For ports 1 & 5 I have the following setup:
(All VLANs are configured the same.)
Both OpenWrt routers are configured to use tagged VLANs for their upstream ports, and they have untagged the rest of their Ethernet ports with PVID 1.
My problem is that when I connect Ethernet devices to the OpenWrt routers, they can communicate only with devices that are connected to the same router, nothing else. I thought that the OpenWrt configuration was wrong, but then I realized that PVID seems NOT to work on the Zyxel side!
If I connect a PC on port 5, that PC cannot get an IP from the DHCP server, nor can it reach the rest of the LAN (which is on VLAN 1). Which means that port 5 accepts only tagged traffic, which is not what the PVID should do, right?
My expectation was that the switch would pass untagged traffic with the PVID 1. Am I wrong?
0 -
Hi @Peter Tselios,
Could you share your VLAN port setting?
In addition:
- Connecting a PC to port 5 is not a good test, since port 5 is tagged out for VLAN 1 and 10. Most PCs do not accept VLAN-tagged packets; they usually discard them.
- Tagged/Untagged is the egress behavior of the switch port. It does not mean the port only accepts tagged packets.
- If you want to define the ingress behavior on the VLAN tag, you need to check the VLAN port setting > Acceptable frame type.
0 -
- Yes, but even if DHCP is not working, if I set a static IP on my PC, I expect it to reach the other end. Because of the PVID. No?
- Of course. But the port is configured to accept all types of packets:
- As you see, Ingress is disabled. Also, I have enabled VLAN Trunk in an attempt to fix the issue.
All in all, I need to understand how PVID works (at least on this switch). Because my understanding was that when we define a PVID, the switch will add the PVID VLAN to each packet before forwarding it to the next device. Is this assumption wrong?
0
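The two confusions in this thread (question 4 in the opening post: what happens to a VLAN 121-tagged frame injected on access port 3, and the last exchange: why a plain PC on port 5 cannot reach VLAN 1 even though the PVID is 1) both come down to the ingress and egress rules of an IEEE 802.1Q bridge. The following Python model is an added example, not Zyxel or OpenWrt code. It uses the thread's port numbers and VLAN IDs (VLAN 1 untagged on every port with PVID 1; VLANs 10, 120 and 121 tagged on ports 1, 5 and 8); how the GS1900-8HP's "Ingress Check" and "Acceptable frame type" settings map onto the standard's ingress filtering and acceptable-frame-type rules, and the assumption that the later "VLAN 1 tagged" setup applies to all three trunk ports, are assumptions and are marked as such in the code.

```python
"""Generic IEEE 802.1Q bridge model: ingress classification and egress tagging.

Added example, not Zyxel's or OpenWrt's code. Port numbers and VLAN IDs follow
the thread. Mapping the GS1900-8HP's "Ingress Check" onto 802.1Q ingress
filtering and "Acceptable frame type" onto the standard's admit rules is an
assumption; the switch's own firmware is not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int = 1
    tagged: Set[int] = field(default_factory=set)    # VLANs leaving this port with a tag
    untagged: Set[int] = field(default_factory=set)  # VLANs leaving this port untagged
    ingress_check: bool = False                      # 802.1Q ingress filtering ("Ingress Check")
    acceptable: str = "all"                          # "all" | "tagged" | "untagged"

    def members(self) -> Set[int]:
        return self.tagged | self.untagged


Switch = Dict[int, Port]


def classify(port: Port, vid: Optional[int]) -> Optional[int]:
    """Ingress: the VLAN the frame is assigned to, or None if dropped. vid=None = untagged."""
    if vid is None:
        # PVID applies to untagged frames only
        return None if port.acceptable == "tagged" else port.pvid
    if port.acceptable == "untagged":
        return None
    if port.ingress_check and vid not in port.members():
        return None   # ingress filtering: drop VLANs this port is not a member of
    return vid        # tag honoured as-is; the PVID is never applied to a tagged frame


def flood(switch: Switch, in_port: int, vlan: int) -> Dict[int, bool]:
    """Egress: every other member port of the VLAN, mapped to whether the frame leaves tagged."""
    out: Dict[int, bool] = {}
    for num, port in switch.items():
        if num == in_port:
            continue
        if vlan in port.tagged:
            out[num] = True
        elif vlan in port.untagged:
            out[num] = False
    return out


def forward(switch: Switch, in_port: int, vid: Optional[int]) -> Tuple[Optional[int], Dict[int, bool]]:
    vlan = classify(switch[in_port], vid)
    return (None, {}) if vlan is None else (vlan, flood(switch, in_port, vlan))


def build_switch(ingress_check: bool = False, vlan1_tagged_on_trunks: bool = False) -> Switch:
    """The thread's layout: ports 1, 5, 8 carry 10/120/121 tagged; VLAN 1 untagged everywhere, PVID 1.
    vlan1_tagged_on_trunks reproduces the later post where VLAN 1 is 'tagged out' on the trunk ports
    (assumption: applied to all of 1, 5 and 8, not just 1 and 5)."""
    sw: Switch = {}
    for n in range(1, 9):
        p = Port(pvid=1, untagged={1}, ingress_check=ingress_check)
        if n in (1, 5, 8):
            p.tagged = {10, 120, 121}
            if vlan1_tagged_on_trunks:
                p.tagged.add(1)
                p.untagged.discard(1)
        sw[n] = p
    return sw


def tagged_121_from_port3(ingress_check: bool) -> Tuple[Optional[int], Dict[int, bool]]:
    """Question 4: a host on access port 3 injects a frame tagged VLAN 121."""
    return forward(build_switch(ingress_check=ingress_check), 3, 121)


def pc_on_port5_roundtrip(vlan1_tagged_on_trunks: bool) -> Tuple[Optional[int], Optional[bool]]:
    """Last post: a non-VLAN-aware PC on port 5 sends an untagged frame to a VLAN 1 host on port 2.
    Returns (VLAN the PC's frame was classified into, whether the reply leaves port 5 tagged)."""
    sw = build_switch(vlan1_tagged_on_trunks=vlan1_tagged_on_trunks)
    vlan, _ = forward(sw, 5, None)      # PC -> switch: untagged, so the PVID (1) applies
    _, reply = forward(sw, 2, None)     # host on port 2 answers, also untagged, VLAN 1
    return vlan, reply.get(5)           # True = tagged: a plain NIC silently drops it


if __name__ == "__main__":
    print("tagged 121 on port 3, ingress check off:", tagged_121_from_port3(False))
    print("tagged 121 on port 3, ingress check on: ", tagged_121_from_port3(True))
    print("PC on port 5, VLAN 1 untagged there:", pc_on_port5_roundtrip(False))
    print("PC on port 5, VLAN 1 tagged there:  ", pc_on_port5_roundtrip(True))
```

Two things the model makes visible. With ingress filtering off, the standard's rule accepts the VLAN 121-tagged frame from port 3 and floods it to the tagged members (ports 1, 5 and 8), so a host on an "access" port can inject traffic into a VLAN it was never assigned; turning the ingress check on is what drops it, which is the hardening the accepted answer hints at. And in the later setup the PC's own untagged frame is classified into VLAN 1 exactly as the PVID promises; what breaks the round trip is the egress side, because VLAN 1 leaves port 5 tagged and a non-VLAN-aware NIC discards tagged frames. The PVID only ever decides how untagged ingress is classified; it says nothing about whether frames leave the port tagged.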