NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
akio63
Aug 08, 2022Aspirant
Private VLANs on the GC728X and GC752X Switches
Hello Netgear Gurus,
I am trying to understand how the Private VLANs on the GC728X and GC752X switches operate. I have a Terminal Server that only negotiates to 100 Mbps Full. So we constantly see bandwidth utilization surpassing 80 to 90 percent. I decided to do a packet capture by placing a sniffer between the Netgear switch and the Terminal Server. Unfortunately, I am seeing traffic that is not destined for the Terminal Server on the wire.
For instance, this packet:
10.116.80.100 =>> 10.43.79.197
MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
d0:67:26:d6:55:88 10.116.80.100 srv1 Source R1SW1 g14 111 111,112,114,116,117,120,156,158,159,161,163,164,501,505,1111,2111
98:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112
And this packet:
10.43.79.171 =>> 10.43.79.197
MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
00:a0:69:0b:cc:c4 10.43.79.171 Time Svr Source R1SW2 g35 111 111,158,161
98:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112
I have the sniffer on port g15 on R1SW2 with the following configuration:
Switch Port PVID Participating VLANs
R1SW2 g15 159 111,159
Now, I can understand that since each source is in PVID 111 it is allowed to talk to g18 on R1SW2 since g18 is participating in VLAN 111. However, when the switch receives the packet and sees that the destination MAC address in its Address Table, shouldn't it be directing the packet to R1SW2 port g18? Why is the traffic being seen on R1SW2 g15?
There is no mirroring going on. The Admin Mode is False and the Destination Port is None.
Thank you.
akio63 wrote:Okay you gave me two options.
Please keep in mind I'm just another community member, not a Netgear support or the like.
I would prefer to go to the Security > Traffic Control > Private VLAN > Private Vlan Port Mode Configuration config. Because this is what the documentation does request. At that point again, I would expect a different config pushed in place than a classic dot1q
This compares well to similar configurations on different switch models to support the asymmetrical VLAN configurations. And this is again a feature not supported on general dot1q configs. And this is in my understanding not a generic dot1q config - so thus I was talking about that before
Afraid again, have no test horse available. The related answers could come from Netgear switch engineering (via support), some insight could come from comparing the configs generated by the two variants.
-Kurt
9 Replies
- akio63Aspirant
UPDATE
I need to correct something. This is not about Private VLANs (although I do need to discuss this but we will leave that for another discussion). This is about VLANs in general.
- schumakuGuru - Experienced User
What does all these other participating VLAN lost on the VLAN 111 where you expect only the Terminal Server traffic for for the VLAN 111?
If you only want VLAN 111 (probably as an untagged access port), so configure the beast accordingly. And nothing else.
- akio63Aspirant
My apologies for not replying sooner, I have been busy.
No, I do not want only VLAN 111 traffic to reach the Terminal Server. I only want traffic from sim1 which is in VLAN 111 to reach the Terminal Server.
I want this traffic to reach the Terminal Server
10.43.79.208=>> 10.43.79.180
MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
a4:bb:6d:5e:0e:35 10.43.79.208 sim1 Source R1SW1 g1 111 111,114,116,159,161,501,1111
00:80:d4:05:8a:30 10.43.79.180 TS1 Destination R1SW2 g15 159 111,159
Which it does. However, this additional traffic below, that I don't want is also reaching the Terminal Server
10.43.79.171 =>> 10.43.79.197
MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
00:a0:69:0b:cc:c4 10.43.79.171 Time Svr Source R1SW2 g35 111 111,158,161
98:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112How can I prevent that traffic from reaching the Terminal Server? Neither the source nor the destination is participating in VLAN 159 so it shouldn't reach the Terminal Server which has a PVID of 159. Or do I not understand the significance of the PVID? Do I need to create a new VLAN for sim1, say VLAN 800, put sim1 into VLAN 800 and remove VLAN 111 from the Terminal Server's Participating VLANs, as well as add VLAN 800 to it?
I tried using MAC address filtering to filter out traffic other than VLAN 111, MAC address a4:bb:6d:5e:0e:35 from Switch R1SW2 Port g15 which is the Terminal Server port, however the switch would not let me do that because, I assume, outbound MAC address filtering is restricted to multicast traffic only.
Thank you
Related Content
NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!