How do I configure a new switch in Nebula with a management VLAN other than 1?
I'm unable to configure a different management VLAN (other than default VLAN 1) on a new switch in Nebula (without a lot of pain).
Note that I first updated the firmware to the latest and then restored back to factory.
I configured the switch in Nebula as follows:
- Management VLAN as 41
- Uplink Port 48 configured as PVID 41 Trunk (and management VLAN access)
- For simplicity, let's say the rest of the ports 1-47 are Access PVID 11. (No ports are on VLAN 1.)
I then turn on the switch and plug in Port 48 into the uplink.
The switch comes online and connects briefly to Nebula, then goes offline. At this point the switch is operational with the correct VLAN port assignment but is unreachable on the network and Nebula. It never changed the management VLAN as configured. The management VLAN is still set to 1 and is now unreachable on the network with the uplink port at PVID41. It seems that Nebula first changes the VLAN of the ports before changing the management VLAN, resulting in the switch going offline. (I've confirmed that it's still on management VLAN1 in the switch event logs and on the uplink device MAC table.)
How do I configure a new switch in Nebula with a VLAN other than 1?
My workaround is to temporarily configure port 47 on VLAN 1 and plug the uplink in there until after Nebula initially configures the VLANs on the ports. I then notice that, even though I had configured the management VLAN as 41, Nebula reset it back to VLAN 1. I then change the management VLAN back to 41 and plug the uplink into Port 48. I wait for it to come back online in Nebula, and then I can reconfigure Port 47 back to the desired VLAN.
But now if we ever have an issue and need to reset back to factory then we have to repeat this whole process. I don't think it should be this complicated. It makes me wonder if I'm the only one with this issue? Am I the only one changing the management VLAN from the default? Or, more likely, maybe I'm doing something wrong?
All Replies
-
I too change the management VLAN but don't use Nebula. There is no simple way, when you reset back to factory, to then apply the config from defaults.
0 -
Hi @JeffRyer,
As for the problems you just encountered, I have also reproduced a similar issue, and my result shows that when my switch's trunk port is set to PVID 41, the switch sends untagged traffic and occupies the firewall's LAN1 interface. However, my switch does not go offline; it can still access the internet via the DHCP server in LAN 1. In addition, my switch also applies the settings. That is, the switch has changed the management setting and the trunk port setting. By the way, I am wondering how you verify the management VLAN of your offline switch?
However, I have some concerns regarding your trunk port's PVID. I would recommend that you alter the trunk port's PVID setting from 41 to 1. I changed my trunk port's PVID from 41 to 1, and the result shows that my switch can successfully access the internet and occupies the VLAN 41 subnet in the firewall.
Let me know if this helps. Please feel free to update this post if you have any further concerns.
Sincerely,
Lynn
0 -
@Zyxel_Lynn , thanks for looking into this. I verified the uplink port's VLAN from the upstream switch's MAC table—it shows VLAN1 until I manage to get it working and then it shows VLAN 41. I also see this in the switch's event logs.
You recommend using VLAN1 as the management VLAN due to the complications involved in changing it?
I also opened a ticket with support. It seems there may not be a way to change the management VLAN from Nebula, that it has to be done by logging locally into the switch. Which is unfortunate for Zyxel, as I don't have any of these issues in Meraki.
0 -
Hi @JeffRyer, I need to clarify two important points about VLAN configuration:
First - PVID vs Management VLAN:
The PVID (Port VLAN ID) value of a trunk port is not the same as the switch's management VLAN. PVID defines the ingress rule for the switch - when a trunk or access port receives untagged traffic, that traffic is automatically assigned the PVID value as its VLAN tag.
Therefore, I recommend maintaining VLAN 41 as your management VLAN, while setting the PVID of the trunk port to 1 (which is typically the default VLAN).
Second - Router/Firewall Configuration:
Please ensure that your firewall or router (the device responsible for IP address assignment) also has a VLAN 41 interface configured. This management VLAN interface is necessary for proper communication with the switch's management plane.
If you have any problem, please let me know.
Best regards,
Lynn
0 -
Just to clarify. I should leave the uplink port on PVID 1, I'll change the management VLAN to 41 (in Nebula or on the switch console?). If no ports are set to PVID 41 on the switch I will still be able to access the switch? I thought I had to set a port to PVID 41 to get access?
0 -
Hi, @JeffRyer
Question (1)
I'll change the management VLAN to 41 (in Nebula or on the switch console?)
→ You can change the management VLAN to 41 in Nebula or on the switch console
Question (2)
If no ports are set to PVID 41 on the switch I will still be able to access the switch?
→ If you want to directly access the switch's web GUI from your PC, you must configure the PVID value of the access port (the port connecting your PC to the switch) to 41. This configuration will allow you to locally access the switch's web GUI interface.
Let's have a clear understanding of how the traffic passes across the switch and which interface of the firewall it arrives at from the switch, based on the following picture.
Based on the following picture, if the switch’s management VLAN (41) matches the uplink port’s PVID (41), the traffic would exit the uplink port without a tag, and then occupy the LAN 1 interface on the firewall. If the switch’s management VLAN (41) does not match the trunk port’s PVID (1), the traffic would exit the uplink port with a tag, and occupy the VLAN 41 interface on the firewall.
Hope this would help you. Thanks!
Best regards,
Lynn
0
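Added example, not part of any post in this thread and not Zyxel or Nebula code: a small Python model of the tagging rule described in the replies above, used to check which firewall interface the switch's management traffic reaches for a given management VLAN and uplink PVID. The class and function names, the `LAN1`/`VLAN41` interface labels and the trunk's allowed-VLAN set are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Uplink:
    pvid: int              # VLAN that crosses this port untagged
    allowed: frozenset     # VLANs the trunk carries (assumed setting)

@dataclass
class Firewall:
    untagged_if: str = "LAN1"                     # receives untagged frames
    vlan_ifs: dict = field(default_factory=dict)  # VLAN ID -> interface name

def wire_tag(vlan, uplink):
    """802.1Q tag a frame in `vlan` carries on the uplink; None means untagged."""
    if vlan not in uplink.allowed:
        raise LookupError(f"VLAN {vlan} is not carried on the uplink")
    return None if vlan == uplink.pvid else vlan

def firewall_interface(tag, fw):
    """Interface that accepts a frame with this tag, or None if it is dropped."""
    return fw.untagged_if if tag is None else fw.vlan_ifs.get(tag)

def management_path(mgmt_vlan, uplink, fw):
    """Where management traffic lands upstream (None = reaches no interface)."""
    try:
        return firewall_interface(wire_tag(mgmt_vlan, uplink), fw)
    except LookupError:
        return None

def audit(mgmt_vlan, uplink, fw, expected_if):
    """Return findings; an empty list means management lands where intended."""
    actual = management_path(mgmt_vlan, uplink, fw)
    if actual == expected_if:
        return []
    if actual is None:
        return [f"management VLAN {mgmt_vlan} reaches no firewall interface"]
    return [f"management VLAN {mgmt_vlan} lands on {actual}, expected {expected_if}"]

# Constructed scenarios using the VLAN IDs mentioned in the thread (1, 11, 41).
ALL = frozenset({1, 11, 41})
FW = Firewall(vlan_ifs={41: "VLAN41"})
SCENARIOS = {
    "mgmt 41, uplink PVID 41": (41, Uplink(41, ALL), FW),
    "mgmt 41, uplink PVID 1": (41, Uplink(1, ALL), FW),
    "mgmt 41, PVID 1, no VLAN 41 interface": (41, Uplink(1, ALL), Firewall()),
    "mgmt still 1, uplink PVID 41 (model only)": (1, Uplink(41, ALL), FW),
}

if __name__ == "__main__":
    for name, (vlan, up, fw) in SCENARIOS.items():
        print(f"{name:42} -> {audit(vlan, up, fw, 'VLAN41') or 'ok'}")
```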