patreeek (Tutor)
Feb 03, 2026
Advanced 802.1Q VLAN Doesn't Block Untagged Traffic?
I think the answer might be obvious. Lower-end Netgear switches are not managed using VLAN traffic, so they allow all untagged traffic to pass through. Is this correct?
For example, a port is configured with VLAN ID 10 for untagged traffic and its PVID is 10. It will tag the traffic correctly and all the traffic will go to the correct subnet. However, if I manually configure my IP, I can access any other device on the link that is not VLAN aware. This could be another Netgear switch or a MoCA device.
My configuration:
Devices:
- GS308EP
- GS305E
2 Replies
- schumaku (Guru - Experienced User)
patreeek wrote:
Lower-end Netgear switches are not managed using VLAN traffic
Most Easy Smart Plus switches are indeed not built around a managed switch core. The management Web UI (or, for that matter, the legacy [known vulnerable] Netgear Switch Discovery protocol that can be enabled for discovery -and- for administration) only accepts untagged traffic. That said: any untagged frames coming to the switch on an untagged network can be "abused" to discover and access the admin - select NTGR Plus Switches (newly nicknamed NTGR Easy Smart Managed Essentials Switch) might have a simple IP-based filter to "protect" the simple controls.
patreeek wrote:
they allow all untagged traffic to pass through. Is this correct?
Yes, you can configure multiple logically isolated VLANs. The traffic on the port(s) can be both [U]ntagged (with the PVID set accordingly) and [T]agged. Yes, all these frames can pass the switch.
patreeek wrote:
For example, a port is configured with VLAN ID 10 for untagged traffic and its PVID is 10. It will tag the traffic correctly and all the traffic will go to the correct subnet
To the appropriate VLAN, yes. The switch does not care about the IP subnets.
patreeek wrote:
if I manually configure my IP, I can access any other device on the link that is not VLAN aware.
From a device connected to an [U]ntagged port on the switch, to another device on an [U]ntagged port. Correct.
patreeek wrote:
This could be another Netgear switch
Any switch.
patreeek wrote:
or a MoCA device
As long as these frames are [U]ntagged, yes.
Double and triple check the MoCA devices (or any other Ethernet bridge devices, like WiFi bridges, ...) you have in mind for passing [T]agged traffic. Not all will pass 802.1q tagged frames.
Confusion complete?
Regards,
-Kurt.
- StephenB (Guru - Experienced User)
patreeek wrote:
For example, a port is configured with VLAN ID 10 for untagged traffic and its PVID is 10. It will tag the traffic correctly and all the traffic will go to the correct subnet. However, if I manually configure my IP, I can access any other device on the link that is not VLAN aware.
As schumaku says, these layer 2 switches don't care about subnets, which are layer 3.
The VLAN establishes a layer-2 broadcast domain. Protocols like ARP will only find devices on the VLAN (no matter what subnet they are on).
No idea what you mean by "any other device on the link" - are these other devices on the same VLAN? Or are they on a different VLAN?
If they are not on VLAN 10, then the router upstream of the switch is likely routing the traffic.
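
An added example, not part of any post in this thread and not Netgear firmware: a small generic model of 802.1Q ingress classification and flooding, showing that the decision uses only the ingress port, its PVID and the tag, never the sender's IP subnet. The port table, MAC address and sample frames are constructed, and the model assumes the switch drops frames for VLANs the ingress port is not a member of.

```python
import struct

TPID_8021Q = 0x8100

# Constructed port table (assumption, not the poster's configuration):
# per port the PVID and VLAN membership, 'U' = egress untagged, 'T' = tagged.
PORTS = {
    1: {"pvid": 10, "vlans": {10: "U"}},           # PC on an access port
    2: {"pvid": 10, "vlans": {10: "U"}},           # VLAN-unaware switch or bridge
    3: {"pvid": 20, "vlans": {20: "U"}},           # access port in another VLAN
    4: {"pvid": 1,  "vlans": {10: "T", 20: "T"}},  # tagged uplink to the router
}

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def classify(frame, ingress_port, ports=PORTS):
    """Return the VLAN assigned to a frame on ingress, or None if dropped."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF                 # low 12 bits of the TCI: VLAN ID
    else:
        vid = ports[ingress_port]["pvid"]  # untagged frame: the PVID decides
    # Assumed ingress filtering: the port must be a member of that VLAN.
    return vid if vid in ports[ingress_port]["vlans"] else None

def flood(frame, ingress_port, ports=PORTS):
    """Egress ports for a broadcast frame, as {port: 'U' or 'T'}."""
    vid = classify(frame, ingress_port, ports)
    if vid is None:
        return {}
    return {p: cfg["vlans"][vid] for p, cfg in ports.items()
            if p != ingress_port and vid in cfg["vlans"]}

# Constructed samples: the same broadcast sent with two different
# manually set IP addresses in the payload, which the switch never parses.
BCAST, SRC = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
ARP_SUBNET_A = build_frame(BCAST, SRC, 0x0806, b"192.168.10.5")
ARP_SUBNET_B = build_frame(BCAST, SRC, 0x0806, b"10.99.99.5")

if __name__ == "__main__":
    print(flood(ARP_SUBNET_A, 1), flood(ARP_SUBNET_B, 1))
```

In this model both frames reach the same ports in VLAN 10, including the VLAN-unaware device on port 2, while port 3 in VLAN 20 is never reached at layer 2.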