
GS1200-8 802.1Q VLAN: Must all ports be connected to VLAN 1?

Norbert3 Posts: 3  Junior Member
edited March 26 in Questions
I wanted to separate a PC into VLAN2, but it should also be able to connect to the same internet router as all other devices in VLAN1. I set the PVID to 2 for this PC/port and set untagged for VLAN2 and unconnected for VLAN1. Also I put the internet router as untagged in both VLANs. But with this it cannot connect to the internet router. If I also set VLAN1 untagged for this port, it works. With this config I am still not able to ping the other devices in VLAN1, as intended. It is now working, but I find it strange that the VLAN2 port must also be connected to VLAN1. Also I am not sure if I opened a backdoor that can be used by malware to reach my devices in VLAN1.
Is this how it should work, or did I do something wrong?



Answers

  • Norbert3 Posts: 3  Junior Member
    I forgot to write that the Zyxel switch is the 2nd one in the row. The internet router is connected to another switch. The first switch does the tagging for the line to the Zyxel switch. So, only the ports on both switches used for the connection between the two switches are tagged. All other ports are untagged.
  • Zyxel_Derrick Posts: 20  Zyxel Moderator
    Hi

    Based on your description, I have tried to do a simple lab.
    The topology is as below:
    L3 device P2 -------------------P1 GS1200-------------- P3 PC A in VLAN2, P5 PC B in VLAN1
    (192.168.1.1)                              (192.168.1.3)                          (192.168.2.100)    (192.168.1.200)
    (192.168.2.1)

    On GS1200, I configured VLAN2 on port 1 and 3, port 1 is tagged and port 3 is untagged with PVID 2 and it is non-member of VLAN 1.

    I also configured the default gateway to 192.168.1.1
    For L3 device, the connected ports between devices are tagged for VLAN 2.
    On PC A, I configured the default gateway to 192.168.2.1
    On PC B, I configured the default gateway to 192.168.1.1
    After finishing these configurations, PC A can ping PC B
    So, I think you don't have to configure VLAN 1 member to port 3 on GS1200 and I think the ports between router and first switch can configure tagged for VLAN2.
    Thanks

    Best regards,
    Zyxel_Derrick
  • Norbert3 Posts: 3  Junior Member
    Hi Derrick,

    Thank you for your reply. I implemented it as you suggested. I removed from my previous setup port 8 from VLAN 1 and set for port 1 VLAN 1 untagged. This is the port that connects the first switch that is connected to the router. But the device on port 8 cannot access the router, which is also the DHCP server.


    With the configuration below the device on port 8 can connect to the router. It cannot connect to other devices in VLAN1, neither on the GS1200 nor on the Netgear switch that is connected to the router. This is what I intended. But it is still strange to me that I have to specify a "green" box also for port 8 on VLAN 1.



    There are two differences to your example: I use the same IP range for VLAN 1 and VLAN 2 (192.168.1.xxx), and the first switch is also an L2 one.

    My configuration is:
    Fritzbox -> Netgear GS108e -> Zyxel GS1200-8

    Fritzbox -> Netgear switch port 8 untagged on both VLANs 1 and 2
    Netgear switch port 1 tagged both VLANs -> GS1200 port 1 tagged for both VLANs





    I have a configuration that seems to work. But I am not sure if I have introduced a security risk with this by opening a backdoor from VLAN 2 to VLAN1.


    Best regards
    Norbert








  • Zyxel_Derrick Posts: 20  Zyxel Moderator
    edited 2:36AM
    Hi Norbert

    I think the problem is on the port setting between router and first switch.
    You should configure VLAN 2 with tag instead of configuring untag on both VLANs.
    Please try to configure the port to VLAN 2 tagged and try again
    Thanks

    Best regards,
    Zyxel_Derrick
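
Added example, not part of any post in this thread and not Zyxel's code: a simplified model of 802.1Q port-based forwarding applied to the setup Norbert describes, showing which directions frames can flow when the PC port is or is not an untagged member of VLAN 1. It assumes standard PVID ingress classification and per-VLAN egress membership, assumes the router port has PVID 1 (not stated in the thread), and uses constructed port names.

```python
# Simplified 802.1Q model (assumed standard behaviour, not GS1200 firmware):
# an untagged frame is classified into the ingress port's PVID and may leave
# only through ports that are members of that VLAN. The tagged trunk keeps the
# VLAN ID, so both switches are modelled as one bridge. Port names are constructed.

def can_send(ports, src, dst):
    """True if a frame entering on src is allowed to egress on dst."""
    return src != dst and ports[src]["pvid"] in ports[dst]["member"]

def two_way(ports, a, b):
    """Ping, ARP and DHCP all need a path in both directions."""
    return can_send(ports, a, b) and can_send(ports, b, a)

def build(pc_member):
    return {
        "router": {"pvid": 1, "member": {1, 2}},  # PVID 1 is an assumption
        "pc":     {"pvid": 2, "member": set(pc_member)},
        "host":   {"pvid": 1, "member": {1}},     # any other VLAN 1 device
    }

def report(pc_member):
    ports = build(pc_member)
    return {
        "pc<->router": two_way(ports, "pc", "router"),
        "pc<->host": two_way(ports, "pc", "host"),
        "pc->host": can_send(ports, "pc", "host"),
        "host->pc": can_send(ports, "host", "pc"),
    }

if __name__ == "__main__":
    for label, member in (("PC port in VLAN 2 only", {2}),
                          ("PC port in VLAN 1 and 2", {1, 2})):
        print(label, report(member))
```

In this model the second configuration lets frames sourced in VLAN 1 (broadcasts and flooded traffic) egress on the PC port, while nothing the PC sends is classified into VLAN 1.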