akio63
Aspirant
Aug 08, 2022
Solved

Private VLANs on the GC728X and GC752X Switches

Hello Netgear Gurus,


I am trying to understand how the Private VLANs on the GC728X and GC752X switches operate. I have a Terminal Server that only negotiates to 100 Mbps Full, so we constantly see bandwidth utilization surpassing 80 to 90 percent. I decided to do a packet capture by placing a sniffer between the Netgear switch and the Terminal Server. Unfortunately, I am seeing traffic on the wire that is not destined for the Terminal Server.


For instance, this packet:

10.116.80.100 =>> 10.43.79.197

MAC ADD           | IP ADD        | NAME | SRC/DST     | Switch | Port | PVID | Participating VLANs
d0:67:26:d6:55:88 | 10.116.80.100 | srv1 | Source      | R1SW1  | g14  | 111  | 111,112,114,116,117,120,156,158,159,161,163,164,501,505,1111,2111
98:90:96:e0:8b:ab | 10.43.79.197  | sim7 | Destination | R1SW2  | g18  | 158  | 111,116,156,158,1111,2112


And this packet:

10.43.79.171 =>> 10.43.79.197

MAC ADD           | IP ADD       | NAME     | SRC/DST     | Switch | Port | PVID | Participating VLANs
00:a0:69:0b:cc:c4 | 10.43.79.171 | Time Svr | Source      | R1SW2  | g35  | 111  | 111,158,161
98:90:96:e0:8b:ab | 10.43.79.197 | sim7     | Destination | R1SW2  | g18  | 158  | 111,116,156,158,1111,2112


I have the sniffer on port g15 on R1SW2 with the following configuration:

Switch | Port | PVID | Participating VLANs
R1SW2  | g15  | 159  | 111,159


Now, I can understand that since each source is in PVID 111 it is allowed to talk to g18 on R1SW2, since g18 is participating in VLAN 111. However, when the switch receives the packet and sees the destination MAC address in its Address Table, shouldn't it be directing the packet to R1SW2 port g18? Why is the traffic being seen on R1SW2 g15?


There is no mirroring going on. The Admin Mode is False and the Destination Port is None.


Thank you.


  • akio63 wrote: 

    Okay, you gave me two options.


    Please keep in mind I'm just another community member, not Netgear support or the like.

    I would prefer to go to the Security > Traffic Control > Private VLAN > Private Vlan Port Mode Configuration config, because this is what the documentation requests. At that point, again, I would expect a different config pushed in place than a classic dot1q one.

    This compares well to similar configurations on different switch models to support the asymmetrical VLAN configurations. And this is again a feature not supported on general dot1q configs. And this is, in my understanding, not a generic dot1q config - so that is why I was talking about that before.

    Afraid again, I have no test horse available. The related answers could come from Netgear switch engineering (via support); some insight could come from comparing the configs generated by the two variants.


    -Kurt

9 Replies

  • UPDATE

    I need to correct something. This is not about Private VLANs (although I do need to discuss this, but we will leave that for another discussion). This is about VLANs in general.

    •
      schumaku
      Guru - Experienced User

      What are all these other participating VLANs doing on VLAN 111, where you expect only the Terminal Server traffic for VLAN 111?


      If you only want VLAN 111 (probably as an untagged access port), then configure the beast accordingly. And nothing else.

      •
        akio63
        Aspirant

        My apologies for not replying sooner, I have been busy.

        schumaku

        No, I do not want only VLAN 111 traffic to reach the Terminal Server. I only want traffic from sim1, which is in VLAN 111, to reach the Terminal Server.

        I want this traffic to reach the Terminal Server:

        10.43.79.208=>> 10.43.79.180

        MAC ADD           | IP ADD       | NAME | SRC/DST     | Switch | Port | PVID | Participating VLANs
        a4:bb:6d:5e:0e:35 | 10.43.79.208 | sim1 | Source      | R1SW1  | g1   | 111  | 111,114,116,159,161,501,1111
        00:80:d4:05:8a:30 | 10.43.79.180 | TS1  | Destination | R1SW2  | g15  | 159  | 111,159


        Which it does. However, this additional traffic below, which I don't want, is also reaching the Terminal Server:

        10.43.79.171 =>> 10.43.79.197

        MAC ADD           | IP ADD       | NAME     | SRC/DST     | Switch | Port | PVID | Participating VLANs
        00:a0:69:0b:cc:c4 | 10.43.79.171 | Time Svr | Source      | R1SW2  | g35  | 111  | 111,158,161
        98:90:96:e0:8b:ab | 10.43.79.197 | sim7     | Destination | R1SW2  | g18  | 158  | 111,116,156,158,1111,2112


        How can I prevent that traffic from reaching the Terminal Server? Neither the source nor the destination is participating in VLAN 159, so it shouldn't reach the Terminal Server, which has a PVID of 159. Or do I not understand the significance of the PVID? Do I need to create a new VLAN for sim1, say VLAN 800, put sim1 into VLAN 800 and remove VLAN 111 from the Terminal Server's Participating VLANs, as well as add VLAN 800 to it?


        I tried using MAC address filtering to filter out traffic other than VLAN 111, MAC address a4:bb:6d:5e:0e:35, from Switch R1SW2 Port g15, which is the Terminal Server port; however, the switch would not let me do that because, I assume, outbound MAC address filtering is restricted to multicast traffic only.


        Thank you
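The forwarding rules behind both questions in this thread (why a VLAN 111 frame can show up on g15, and what the PVID actually decides) are modelled below with the port settings posted above. This is an added example, not code from the thread or from NETGEAR; it assumes a simplified IEEE 802.1Q bridge with both switches collapsed into one learning domain, per-VLAN MAC learning, and standard flood-on-unknown-unicast behaviour.

```python
"""Simplified 802.1Q forwarding model built from the thread's port table.
Assumptions: R1SW1 and R1SW2 are one bridge (the inter-switch link is not
modelled), learning is per VLAN, and names/MACs are the thread's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    pvid: int            # VLAN assigned to untagged frames arriving here
    vlans: frozenset     # participating VLANs (what the port may send/receive)


# Port table as posted: PVID and participating VLANs.
PORTS = {
    "R1SW1:g1":  Port(111, frozenset({111, 114, 116, 159, 161, 501, 1111})),  # sim1
    "R1SW2:g35": Port(111, frozenset({111, 158, 161})),                       # Time Svr
    "R1SW2:g18": Port(158, frozenset({111, 116, 156, 158, 1111, 2112})),      # sim7
    "R1SW2:g15": Port(159, frozenset({111, 159})),                            # Terminal Server
}
SIM7 = "98:90:96:e0:8b:ab"
TS1 = "00:80:d4:05:8a:30"


def classify(ports, ingress, tag=None):
    """An untagged frame takes the ingress port's PVID; a tagged frame keeps
    its VID and is admitted only if the port participates in that VLAN."""
    vid = ports[ingress].pvid if tag is None else tag
    return vid if vid in ports[ingress].vlans else None  # None: dropped on ingress


def egress_ports(ports, ingress, dst_mac, mac_table, tag=None):
    """Ports the frame leaves on. A destination already learned in this VLAN
    gets exactly one port; anything else floods to every member of the VLAN,
    which is why a port's membership list, not its PVID, bounds what it sees."""
    vid = classify(ports, ingress, tag)
    if vid is None:
        return set()
    learned = mac_table.get((vid, dst_mac))
    if learned and learned != ingress:
        return {learned}
    return {name for name, p in ports.items() if vid in p.vlans and name != ingress}


def move_to_vlan_800(ports):
    """The change floated in the thread: sim1 and the Terminal Server join a
    new VLAN 800 and VLAN 111 is removed from the Terminal Server port."""
    new = dict(ports)
    new["R1SW1:g1"] = Port(800, ports["R1SW1:g1"].vlans | {800})
    new["R1SW2:g15"] = Port(159, frozenset({159, 800}))
    return new
```

With an empty or aged-out MAC table, the Time Svr to sim7 frame floods to every VLAN 111 member including g15; after the VLAN 800 change, g15 is no longer a member of VLAN 111 and the flood cannot reach it.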
