barreaudb
Apr 04, 2025 (Aspirant)
GS305E Trunking tagged and untagged vlans
Hi there. I recently purchased a GS308EPP. In basic 802.1Q mode, I temporarily used it to connect: - (V)lan 1 (default Lan): still a few controlling/managing devices; - Vlan 20 : Data; and - Vla...
schumaku
Apr 07, 2025 (Guru - Experienced User)
barreaudb wrote:
- I think I understand what you explained to be an asymmetric LAN, and sort of a nightmarish-can't-be-right-thing. Would this be addressed by ending the Default LAN and moving admin devices to the dedicated Management VLAN?
Nothing to change on the PVID side (more on this below).
Some decades ago, major vendors like the big C brand, among other manufacturers, had something like a "native VLAN" which was often flying below the horizon of the network admins and the security people - when doing security audits, this was a big hole in the infrastructure. No matter if that was a big bank, finance, insurance, ... there were many.
As you are operating your own LAN, there is not much added value in changing the default VLAN 1 to any other random number. It will just add confusion, problems, unintended complexity.
barreaudb wrote:
- config re ports/pvid in Gs305e: good catch, this is now corrected. And I confirm that port 5 connects to firewall.
Nothing to change on the PVID side, as the setting of the [U]ntagged VLAN n (which must be unique on that port) plus the PVID defines (per port) the VLAN that incoming untagged frames are associated with - in networking terms it's an access port for that specific VLAN.
I assume you operate your network for business and home usage, but have no hard physical access controls to patch panels, switches, firewall, ... So please K.I.S.S. and don't overdesign things!
barreaudb
Apr 08, 2025 (Aspirant)
Hi schumaku,
thanks!
schumaku wrote:
Some decades ago, major vendors like the big C brand among other manufacturers, had something like a "native VLAN" which was often flying below the horizon of the network admins and the security people - when doing security audits, this was a big hole in the infrastructure. No matter if that was a big bank, finance, insurance, ... there were many.
As you are operating your own LAN, there is not much added value in changing the default VLAN 1 to any other random number. It will just add confusion, problems, unintended complexity.
That's exactly this "hole" I thought of upon reading your comments - but thanks to our exchange, I realize now the problem may be elsewhere because the managed switch continues to block devices from 2 subnets despite the authorization provided by firewall/server rules.
So as fzmuhammad mentioned previously, I think I may have no other choice but to end up replacing the Gs305e, because I can't do it smaller and simpler than that.
Thanks again.
schumaku
Apr 08, 2025 (Guru - Experienced User)
barreaudb wrote:
So as fzmuhammad mentioned previously, I think I may have no other choice but to end up replacing the Gs305e, because I can't do it smaller and simpler than that.
Configure things correctly for what makes up a trunk, be it on a single network link, on a LAG, or on a firewall or security appliance Ethernet "LAN" port.
VLAN 1 [U]ntagged, PVID 1
VLAN 200 [T]agged
VLAN 300 [T]agged
...
Nothing of all that is blocked by these simple, affordable switch models.
If it does not work, it's a user error, sorry.
Don't know if Netgear expected too much from the average user base when changing these devices' Web UI from a generic, nicely working one to a more mobile-device-focused switch Web UI. Believe me, it works either way.
I don't know where the obviously AI-generated, nicely formatted text from fzmuhammad is coming from; it's simply wrong. Better ignore that...
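The trunk layout and PVID rule schumaku describes (one [U]ntagged VLAN per port, matched by its PVID, plus any number of [T]agged VLANs), as an added example that is not code from this thread or from NETGEAR: a small model of how an 802.1Q port classifies incoming frames and tags outgoing ones, using the thread's VLAN numbers 1, 20 and 30. The port and function names are my own.

```python
# Added example: minimal model of 802.1Q port-based VLAN handling.
# Shows why the PVID and the single untagged membership on a port must agree,
# and how a trunk to a firewall (VLAN 1 untagged, 20 and 30 tagged) behaves.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Port:
    pvid: int
    members: Dict[int, str] = field(default_factory=dict)  # vlan -> "U" or "T"


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame. Untagged frames are assigned the PVID;
    tagged frames are accepted only if the port is a member of that VLAN."""
    if tag is None:
        return port.pvid
    return tag if tag in port.members else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """How a frame of `vlan` leaves this port: 'untagged', 'tagged', or None
    when the port is not a member and the frame is not forwarded there."""
    return {"U": "untagged", "T": "tagged"}.get(port.members.get(vlan, ""))


def forward(src: Port, tag: Optional[int], dst: Port) -> Optional[str]:
    """Frame enters on src (tagged or not), is switched within its VLAN,
    and leaves on dst; returns the egress form or None if dropped."""
    vlan = ingress(src, tag)
    return None if vlan is None else egress(dst, vlan)


def symmetric(port: Port) -> bool:
    """Untagged traffic on a port is two-way only if the port's one untagged
    VLAN is also its PVID (otherwise replies leave in a different VLAN)."""
    untagged = [v for v, m in port.members.items() if m == "U"]
    return len(untagged) <= 1 and all(v == port.pvid for v in untagged)


# Constructed sample ports. Trunk towards the firewall as in the thread:
trunk = Port(pvid=1, members={1: "U", 20: "T", 30: "T"})
# Access port for an IoT (VLAN 30) device, configured consistently:
access30 = Port(pvid=30, members={30: "U"})
# Misconfigured access port: untagged in VLAN 30 but PVID left at 1, so the
# device's frames land in the default LAN while replies return in VLAN 30.
asymmetric = Port(pvid=1, members={30: "U"})
```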
barreaudb
Apr 10, 2025 (Aspirant)
Hi schumaku,
schumaku wrote:
Nothing of all that is blocked by these simple, affordable switch models.
If it does not work, it's a user error, sorry.
I am here because I thought the community could help me determine the exact problem and be able to move forward. And with my limited knowledge (I have no specific IT background) I am conscious that I may have mixed up things with my first network deployment. So no need to be sorry. I just hope to read constructive lines.
So to recap, the inter-vlans communication problem can be seen when this GS305E is connected to firewall by trunk, and carries [U]vlan01 (default lan), [T]vlan20 (Data) and [T]vlan30 (IoT) (see topology below).
Symptoms are:
- vlan30 device cannot detect vlan20 device ("no servers found" message). Firewall policy authorizing IoT <-> Data is not triggered. No traffic, no log, no deny/block.
- vlan01 device thru AP pilots vlan30 device with proprietary app. Firewall policy authorizing Lan -> IoT logs. App accessed to vlan20 device folders. Firewall policy authorizing Lan->Data logs. But despite firewall policy between Data and IoT, app/vlan30 device cannot read files. No firewall triggered, no traffic/deny/block. Niente.
schumaku wrote:
Configure things correct for what makes up a trunk, being on a single network link, being on a LAG, being on a firewall or security appliance Ethernet "LAN" ports.
Here, I am unsure I understand your proposal. But anyway: the trunk is set correctly elsewhere: proof is that traffic has been carried correctly so far and orderly logged in the firewall with the GS308EPP. And the same with the other trunk to the AP WAX628 in the network.
And you know that LAG is not available for GS305E.
So, here are my further troubleshoot steps:
- using another vlan30 device thru AP: pings vlan20 device. Firewall policy triggered with log.
- using another vlan20 device thru AP: pings both vlan30 devices (the one behind AP, the other one behind GS305E). Firewall policy triggered with log.
- lan01 pc pings both vlan30 devices. Firewall policy triggered with log.
- vlan01 device thru AP connects in bluetooth with vlan30 device and reads vlan20 device. Firewall policy only for Lan -> Data, normal because bluetooth is not IP.
- switching ports 3 and 4.
- checking firewall pings switch.
Maybe not an expert, but clearly to me there are some sort of IP/VLAN routing issues with this GS305E. The GS308EPP in the exact same position has been carrying on traffic orderly and as expected, whatever the "errors" in this network construction.
So to me, the issue comes from this specific GS305E.
But again, if you think another troubleshoot could be done, I'll be happy to read your expert views before sending this switch back.