NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
GS305E Trunking tagged and untagged vlans
Hi there. I recently purchased a GS308EPP. In basic 802.1Q mode, I temporarily used it to connect: - (V)lan 1 (default Lan): still a few controlling/managing devices; - Vlan 20 : Data; and - Vla...
Hi fzmuhammad and thanks! that's my fear tbh, but I think I have missed a setup parameter and perhaps someone will catch it here.
barreaudb two things I don't understand:
- You talk of a firewall and an AP, but only one port seems to be configured as a correct trunk config - for your use case, I tend to suspect at least two ports with proper trunks.
- What is the idea of overloading the config with more than one VLAN ID as tagged? This is a guarantee for a nightmare. Sure, on a few switch platforms, the so called Asymmetric Switching was sometimes possible (with an additional control, as the switch must support that) - but most decent switches don't support this feature anymore. What does partially work in your case (on both switches when I get you right) is some kind of that.
Since no Netgear Plus Switches (new naming Easy Smart Managed Essential Switches) are supporting IPv4 "routing" - and I doubt you are keen to deal with complex ACL to create some firewall functionality - better handle the IP routing and firewall handling on some more sophisticated firewall system with some fancy customer friendlier controls.
Keep us posted how this works out.
Regards,
-Kurt.
Hi Kurt, wow thanks so much for looking at this.
To give more background:
- AP is not at issue here. It's currently powered directly and wired by ethernet to my firewall. It will be powered by the Gs308epp once I have ensured Gs305e to properly work.
- You're right: plan is to have Gs308epp with 3 proper trunks: firewall, AP and wired switchs (perhaps Gs305e's) in 2 other locations. In the future, a camera will be added to Gs308epp.
- Unsure I get the question right on overloading config with more than one Vlan. Do you mean on the switch ? I simply tried to duplicate something that has been working on the Gs308epp as I find Gs305e manual a bit less clear that the latter one
- Just to try to move on, am I correct in understanding yello strips in picture mean that setting has to be duplicated ?
Thanks again schumaku đ
to add: I just tried using Basic 802.1Q based mode, as this is the mode used successfully with the other switch.
And I have just noticed that Gs305e doesn't keep in memory the ports set-up when power's unplugged. So at first I had IP attributed wrongly amongst wired devices.
After setting up again and rebooting connected devices:
- IPs are correctly attributed as per lan DHCP server. So I have 1 IP in default lan (switch), 2 IP in IoT vlan (30) and 1 IP in Data vlan (20).
- Lan (wifi and ethernet) access Data.
- IoT access internet.
- IoT has no access to Data despite the firewall rule (that works with the other switch).
Time for a break.
Further test back to Advanced 802.1Q base mode: same non connectivity issues between Vlan-IoT and Vlan-Data devices whilst my firewall tracks their communications.
Port 1 and 5 of switch to trunk
Port 2 : Vlan-20 (Data)
Ports 3 & 4: Vlan-30 (IoT)
Here is the setup:
barreaudb wrote:
- Just to try to move on, am I correct in understanding yello strips in picture mean that setting has to be duplicated?
No, the yellow marked areas reflect other VLAN IDs "overloaded" with [U]ntagged - thus causing issues.
You have defined three VLANs, and set some ports with the PVIDs 1 , 20, and 30. The PVID setting does define the VLAN where the untagged frames are associated to.
Of course, also the AP and the router (supporting multiple [V]LANs and IP subnetworks, so at least three in your environment) are involved, _and_ need to be configured just like the trunk connections - with VLAN 1 [U]ntagged, and VLAN 20 and 30 as [T]agged.
barreaudb wrote:
- You're right: plan is to have Gs308epp with 3 proper trunks: firewall, AP and wired switchs (perhaps Gs305e's) in 2 other locations. In the future, a camera will be added to Gs308epp.
Does your router or security appliance (brand, and model please) offer the different networks in dedicated untagged physical ports (just like the what the GS30xE[PP] has in the Port Based mode, or does it allow to define these Ethernet ports as a trunk - with -one- [U]ntagged VLAN, plus multiple [T]agged? From what I understand, your AP is already connected, configured and working accordingly. So when testing, a wireless device can be associated to the Main, Data, and IOT network, getting IP addresses from the correct subnet?
Can you define one more port on the router to the same config like the port where you have the AP connected? This is where I would suggest to start, and then connect the accordingly configured switch like the GS308Exx with one or more trunk ports. Then the same VLAN anbd trunk config on the GS305Exx.
-Kurt.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
