Vlan1 On Primary LAN Interface
All Replies
-
On your switch what is your Management VLAN set to?
My Cisco switch management interface does not use VLAN1.
0 -
@PeterUK The point you're missing is you have to use VLAN1 for the outgoing tagged and untagged traffic under the LAN1 profile. I have VLAN1 on the switch as it is the default VLAN for CISCO, it is shutdown. All of my routing is being done through the firewall and the Zyxel firewall does NOT support untagged traffic through a VLAN profile, only tagged traffic. In the Cisco world tagged and untagged traffic can be sent through an interface that is either configured as a trunk or an access port but cannot be both. For Zyxel that is why you need to have VLAN1 enabled and use the native default interface LAN1 profile. You can show me all you want, but it has been tested and proven to not work and according to Zyxel that is the case. You might want to talk to your counterparts in America, because this is the answer I got and what was shown. Thank you.
0 -
If you're so sure a Cisco router does what you need, best to go with them.
VLAN1 is not the default LAN on the Zyxel USG. There are no VLANs set up on the USG when you get it; the interfaces are untagged to no VLAN. You can make VLAN1 on the USG and it will be tagged only. Maybe that will help you understand?
Or maybe another way: if a tagged VLAN packet goes into a switch and is then untagged out a given port, do you think by looking at that packet it tells you the VLAN, or is it just an untagged packet?
0 -
@PeterUK I think it is you who does not get it. VLAN1 is the default VLAN for Cisco and Cisco recommends for security best practices to not use VLAN1 for passing tagged or untagged traffic. I was told by your American counterparts that the LAN1 interface used VLAN1 as the default VLAN. Whether LAN1 profile is tied to another VLAN or not tied to anything the VLAN profiles work only if the physical devices are tagged with that VLAN profile period.
What is so hard for you to understand? I have been testing this backwards and forwards and DON'T you think I want this to work, but it does not.
For Zyxel the only devices that will work on a tagged VLAN profile HAVE TO BE TAGGED with the number on that respective VLAN in order to work and pass traffic. The VLAN profiles will NOT pass untagged traffic unless the physical device has a tagged number (Ex. VLAN10). Zyxel DOES NOT support tagging or untagged traffic through a VLAN profile unless the physical device is tagged.
I have two 48-port switches. My first switch is configured with six trunk ports. One port is using a trunk for your device to allow the respective VLANs access to the internet going out on the Zyxel untagged interface of LAN1, which is the default profile that supports tagged and untagged traffic. I have four other ports trunked for ESXi for two VLANs to route their respective traffic and one port that is configured as an uplink port to my other 48-port switch to allow traffic to pass back and forth. So that leaves 90 ports left that are all configured as Access Ports to VLAN10. They work untagged or tagged as Cisco supports that configuration and Zyxel DOES NOT.
I would talk to your team in America. If you say that VLAN1 does not exist on the Zyxel firewall you better contact your support team in America, because they say it does exist.
0 -
One last thing: you say VLAN 1 is bad, so does that mean on your switch you have VLAN 1 on all ports set to forbidden like I have?
0 -
@PeterUK By default you CAN NOT remove or delete VLAN1 on a Cisco switch. All you can do is shut the interface down. There are a bunch of articles out there on this topic about NOT using VLAN1 as your default VLAN and assigning ports to a different VLAN. I opened up a Nebula case on this as a last resort, but IMO Zyxel needs to address this.
0 -
But on all Cisco switches you can set all ports to forbidden for VLAN 1, to use another VLAN as the untagged VLAN.
I'm guessing PVID on your switch is set to 1 on all ports?
0 -
@PeterUK Peter, you cannot delete, remove or modify VLAN1; all you can do is use the command "Shutdown" to shut down the interface. It is the default VLAN on the Cisco switch PERIOD. Why do you keep telling me to set something when YOU CAN NOT? Do you not get the issue? Why are you so fixated on VLAN1? I do not have an option to use Forbidden. I use the allow, deny, shutdown commands. What concepts are you not grasping??
The issue lies within the Zyxel LAN1 interface not being able to pass tagged or untagged traffic / unmanaged traffic. Unless the physical device is tagged with that VLAN PVID like you mention it will NOT pass traffic.
Read the article below:
disable vlan 1 - Cisco Community
I looked up your switch and it is a lower level managed switch and NOT a Catalyst Enterprise Grade Switch. They are two totally different switches. You can do a lot more with the Catalyst line and it relies more heavily on the CLI than a GUI.
0 -
Do you know how the PVID works? Is it on VLAN 1 for all ports? You want PVID on VLAN 10 ports.
802.1Q for VLANs is a universal standard in the way it works.
Just shutting down the interface does not stop VLAN 1 from working; it is very likely you have been using VLAN 1 this whole time on the switch!
0 -
@PeterUK The PVID is the same as the native VLAN in the Cisco world. Cisco allows the tagged and untagged traffic to pass whether or not the PVID / Native VLAN is set. In the VMware world you can NOT set a native VLAN on the trunk. So it will NOT work for me.
The bottom line is still that Zyxel does not support sending unmanaged / untagged traffic to a physical device that does not have the associated VLAN set on it. All physical devices will need to be VLAN capable. So in order for my network to function I need to keep that LAN1 interface in an unmanaged state PERIOD. It has been tested and tested again. It does not work setting it to any VLAN ID.
0
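The PVID and tag/untag behaviour argued over in this thread, modelled as generic 802.1Q port logic in an added Python example (not code from any poster, Zyxel or Cisco). The `Port` class, the port names and the sample frame are hypothetical and constructed here; the model ignores priority bits and vendor-specific ingress filtering.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame; add the 4-byte 802.1Q tag when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def vlan_of(frame):
    """Return the VLAN ID carried in the frame, or None when it is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def strip_tag(frame):
    """Remove the 802.1Q tag if one is present."""
    return frame if vlan_of(frame) is None else frame[:12] + frame[16:]

class Port:
    """Hypothetical switch port: a PVID plus untagged/tagged VLAN membership."""
    def __init__(self, pvid, untagged=(), tagged=()):
        self.pvid, self.untagged, self.tagged = pvid, set(untagged), set(tagged)

    def ingress(self, frame):
        """Classify a received frame: its tag if present, else the port PVID."""
        vid = vlan_of(frame)
        vid = self.pvid if vid is None else vid
        return vid if vid in self.untagged | self.tagged else None  # None = drop

    def egress(self, frame, vid):
        """Send a frame of VLAN vid: untagged, tagged, or None if not a member."""
        bare = strip_tag(frame)
        if vid in self.untagged:
            return bare
        if vid in self.tagged:
            return bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]
        return None

# Constructed sample: broadcast frame from a host that knows nothing about VLANs.
HOST_FRAME = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"),
                         0x0800, b"constructed-payload")
ACCESS_10 = Port(pvid=10, untagged=[10])            # access port in VLAN 10
DEFAULT = Port(pvid=1, untagged=[1])                # port left at PVID 1
TRUNK = Port(pvid=1, untagged=[1], tagged=[10])     # uplink carrying VLAN 10 tagged

if __name__ == "__main__":
    vid = ACCESS_10.ingress(HOST_FRAME)
    on_trunk = TRUNK.egress(HOST_FRAME, vid)
    print("access ingress VLAN:", vid, "| tag on trunk:", vlan_of(on_trunk))
    print("same frame on a PVID 1 port lands in VLAN", DEFAULT.ingress(HOST_FRAME))
    print("untagged egress carries VLAN:", vlan_of(ACCESS_10.egress(on_trunk, vid)))
```

The same untagged frame is placed in VLAN 10 or VLAN 1 purely by the receiving port's PVID, and once it leaves an untagged member port it carries no VLAN ID at all.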