XMG1915-10E, Nebula and strange VLANs behavior
Freshman Member
Hi,
I'm experiencing an issue that is starting to drive me crazy…
Expectations: traffic within VLAN A should be totally isolated from traffic within VLAN B. VLAN B ports should not see broadcast or multicast traffic originating from VLAN A ports.
Experienced behavior: VLAN B ports see broadcast and multicast traffic originated from VLAN A ports.
To bring everything down to a practical (and real) example…
I configured Port 5 of my switch via Nebula as an ACCESS port with PVID 1234 (that VLAN is not used by anything in my network. Just configured that single port to be an untagged member of that VLAN for test scopes).
Started capturing packets via Wireshark using a PC connected to port 5.
Wireshark captures all broadcast/multicast packets originated from VLAN 1.
What am I missing?
Thanks in advance
Best Answers
-
Ok, I found explanation even for that. Or at least this is what I think was happening:
Since my management VLAN is VLAN 1, but VLAN 1 is also the default VLAN for all my untagged network traffic, I set "Management control" to "Disabled" to every port of my switches (knowing that all the ports needed for management were already part of VLAN 1 as per my configuration).
But doing so, I imagine, I triggered some sort of "anti lockout" feature of Nebula that, not seeing any port with "management control" "enabled", configured EVERY port of my switches as fixed member of VLAN 1 (tagged or untagged depending on the port type ACCESS or TRUNK).
With that in mind, I tried to set "management control" to "enabled" to one port of the switch and with that now if I set any other port as ACCESS with another VLAN ID, VLAN 1 get set as NORMAL instead of FIXED for that port.
Please let me know if my analysis is wrong. But, as far, it seems coherent with what I experienced.
I definitely would have appreciated some sort of warning from Nebula, though, if that was the case .0 -
Hi @Matwolf
I recently tested a similar setup on an XMG1915 switch port with management control disabled. With this setting, the port no longer receives management VLAN packets, which aligns with the behavior I mentioned earlier.
It seems that the issue you're experiencing could be due to an outdated switch configuration. Additionally, we do not recommend disabling management control for all ports. As noted in the iNote on this feature, "To keep the connection with Nebula Control Center, the uplink port should always be enabled.”
If you encounter this issue again, please check if your switch configuration is up to date. You can view the switch status by going to Site-wide > Devices > Switches.
0
Zyxel Employee
All Replies
-
Just after writing my question maybe I found the solution…
Given that I made all my configs via Nebula and, before now, I didn't touch any config via the web interface of the switches, I tried to connect via SSH to the switch to see if I could understand the behavior described above.
From a show running-config I noticed the "fixed 1-10" on vlan 1
Just to double check, I tried to reach the vlan 1 config on the web config of the switch finding correspondance:
An then I asked myself… why should I want VLAN 1 configured as "fixed" on Port 5, where on Nebula CC I configured Port 5 as an ACCESS port for VLAN 123?
By the way, VLAN 1234 configuration (made by Nebula) from the web interface is showed as following:
So I tried changing "manually" the config of VLAN 1 via the switch web interface (by-passing Nebula) as follows:
And that worked! I achieved my target of not having broadcast/multicast traffic from VLAN 1 forwarded to port 5!
That would be it, if not for the fact that changing any configuration on Nebula rollbacks that last change that I made, bringing back the issue…
What should I do to avoid having VLAN 1 set as fixed to every port (even the ones I specifically set as ACCESS port for other VLANs?) in Nebula?
Thanks
0 -
Ok, I found explanation even for that. Or at least this is what I think was happening:
Since my management VLAN is VLAN 1, but VLAN 1 is also the default VLAN for all my untagged network traffic, I set "Management control" to "Disabled" to every port of my switches (knowing that all the ports needed for management were already part of VLAN 1 as per my configuration).
But doing so, I imagine, I triggered some sort of "anti lockout" feature of Nebula that, not seeing any port with "management control" "enabled", configured EVERY port of my switches as fixed member of VLAN 1 (tagged or untagged depending on the port type ACCESS or TRUNK).
With that in mind, I tried to set "management control" to "enabled" to one port of the switch and with that now if I set any other port as ACCESS with another VLAN ID, VLAN 1 get set as NORMAL instead of FIXED for that port.
Please let me know if my analysis is wrong. But, as far, it seems coherent with what I experienced.
I definitely would have appreciated some sort of warning from Nebula, though, if that was the case .0 -
Hi @Matwolf
The reason port 5 is still receiving the management VLAN packets could be due to the configuration of the management control settings. If you prefer not to receive management VLAN packets on this port, you may set it to "Disabled."
For more details, please refer to this post:
0 -
Hi @Zyxel_Kay,
management control mode for port 5 was already disabled (as you can see from my screenshot in the first post).
I think the issue was due to the fact that I disabled management control on all ports. As explained in my last post here:
Could you please confirm that?
Thanks
0 -
Hi @Matwolf
I recently tested a similar setup on an XMG1915 switch port with management control disabled. With this setting, the port no longer receives management VLAN packets, which aligns with the behavior I mentioned earlier.
It seems that the issue you're experiencing could be due to an outdated switch configuration. Additionally, we do not recommend disabling management control for all ports. As noted in the iNote on this feature, "To keep the connection with Nebula Control Center, the uplink port should always be enabled.”
If you encounter this issue again, please check if your switch configuration is up to date. You can view the switch status by going to Site-wide > Devices > Switches.
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
