Hello Netgear Gurus, I am trying to understand how the Private VLANs on the GC728X and GC752X switches operate. I have a Terminal Server that only negotiates to 100 Mbps Full. So we constantly see bandwidth utilization surpassing 80 to 90 percent. I decided to do a packet capture by placing a sniffer between the Netgear switch and the Terminal Server. Unfortunately, I am seeing traffic that is not destined for the Terminal Server on the wire. For instance, this packet:10.116.80.100 =>> 10.43.79.197MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANsd0:67:26:d6:55:88 10.116.80.100 srv1 Source R1SW1 g14 111 111,112,114,116,117,120,156,158,159,161,163,164,501,505,1111,211198:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112 And this packet:10.43.79.171 =>> 10.43.79.197MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs00:a0:69:0b:cc:c4 10.43.79.171 Time Svr Source R1SW2 g35 111 111,158,16198:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112 I have the sniffer on port g15 on R1SW2 with the following configuration:Switch Port PVID Participating VLANsR1SW2 g15 159 111,159 Now, I can understand that since each source is in PVID 111 it is allowed to talk to g18 on R1SW2 since g18 is participating in VLAN 111. However, when the switch receives the packet and sees that the destination MAC address in its Address Table, shouldn't it be directing the packet to R1SW2 port g18? Why is the traffic being seen on R1SW2 g15? There is no mirroring going on. The Admin Mode is False and the Destination Port is None. Thank you.

akio63 wrote: Okay you gave me two options. Please keep in mind I'm just another community member, not a Netgear support or the like. I would prefer to go to the Security > Traffic Control > Private VLAN > Private Vlan Port Mode Configuration config. Because this is what the documentation does request. At that point again, I would expect a different config pushed in place than a classic dot1q This compares well to similar configurations on different switch models to support the asymmetrical VLAN configurations. And this is again a feature not supported on general dot1q configs. And this is in my understanding not a generic dot1q config - so thus I was talking about that before Afraid again, have no test horse available. The related answers could come from Netgear switch engineering (via support), some insight could come from comparing the configs generated by the two variants. -Kurt

Forum Discussion

akio63

Aspirant

Aug 08, 2022

Solved

Private VLANs on the GC728X and GC752X Switches

Hello Netgear Gurus,

I am trying to understand how the Private VLANs on the GC728X and GC752X switches operate. I have a Terminal Server that only negotiates to 100 Mbps Full. So we constantly see bandwidth utilization surpassing 80 to 90 percent. I decided to do a packet capture by placing a sniffer between the Netgear switch and the Terminal Server. Unfortunately, I am seeing traffic that is not destined for the Terminal Server on the wire.

For instance, this packet:

10.116.80.100 =>> 10.43.79.197

MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
d0:67:26:d6:55:88 10.116.80.100 srv1 Source R1SW1 g14 111 111,112,114,116,117,120,156,158,159,161,163,164,501,505,1111,2111
98:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112

And this packet:

10.43.79.171 =>> 10.43.79.197

MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
00:a0:69:0b:cc:c4 10.43.79.171 Time Svr Source R1SW2 g35 111 111,158,161
98:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112

I have the sniffer on port g15 on R1SW2 with the following configuration:

Switch Port PVID Participating VLANs

R1SW2 g15 159 111,159

Now, I can understand that since each source is in PVID 111 it is allowed to talk to g18 on R1SW2 since g18 is participating in VLAN 111. However, when the switch receives the packet and sees that the destination MAC address in its Address Table, shouldn't it be directing the packet to R1SW2 port g18? Why is the traffic being seen on R1SW2 g15?

There is no mirroring going on. The Admin Mode is False and the Destination Port is None.

Thank you.

schumaku
Aug 21, 2022
akio63 wrote:
Okay you gave me two options.

Please keep in mind I'm just another community member, not a Netgear support or the like.

I would prefer to go to the Security > Traffic Control > Private VLAN > Private Vlan Port Mode Configuration config. Because this is what the documentation does request. At that point again, I would expect a different config pushed in place than a classic dot1q

This compares well to similar configurations on different switch models to support the asymmetrical VLAN configurations. And this is again a feature not supported on general dot1q configs. And this is in my understanding not a generic dot1q config - so thus I was talking about that before

Afraid again, have no test horse available. The related answers could come from Netgear switch engineering (via support), some insight could come from comparing the configs generated by the two variants.

-Kurt

9 Replies

akio63
Aspirant
Aug 08, 2022
UPDATE
I need to correct something. This is not about Private VLANs (although I do need to discuss this but we will leave that for another discussion). This is about VLANs in general.
- schumaku
  Guru - Experienced User
  Aug 09, 2022
  What does all these other participating VLAN lost on the VLAN 111 where you expect only the Terminal Server traffic for for the VLAN 111?
  
  If you only want VLAN 111 (probably as an untagged access port), so configure the beast accordingly. And nothing else.
  - akio63
    Aspirant
    Aug 12, 2022
    My apologies for not replying sooner, I have been busy.
    schumaku
    No, I do not want only VLAN 111 traffic to reach the Terminal Server. I only want traffic from sim1 which is in VLAN 111 to reach the Terminal Server.
    I want this traffic to reach the Terminal Server
    10.43.79.208=>> 10.43.79.180
    MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
    a4:bb:6d:5e:0e:35 10.43.79.208 sim1 Source R1SW1 g1 111 111,114,116,159,161,501,1111
    00:80:d4:05:8a:30 10.43.79.180 TS1 Destination R1SW2 g15 159 111,159
    
    Which it does. However, this additional traffic below, that I don't want is also reaching the Terminal Server
    10.43.79.171 =>> 10.43.79.197
    MAC ADD IP ADD NAME SRC/DST Switch Port PVID Participating VLANs
    00:a0:69:0b:cc:c4 10.43.79.171 Time Svr Source R1SW2 g35 111 111,158,161
    98:90:96:e0:8b:ab 10.43.79.197 sim7 Destination R1SW2 g18 158 111,116,156,158,1111,2112
    
    How can I prevent that traffic from reaching the Terminal Server? Neither the source nor the destination is participating in VLAN 159 so it shouldn't reach the Terminal Server which has a PVID of 159. Or do I not understand the significance of the PVID? Do I need to create a new VLAN for sim1, say VLAN 800, put sim1 into VLAN 800 and remove VLAN 111 from the Terminal Server's Participating VLANs, as well as add VLAN 800 to it?
    
    I tried using MAC address filtering to filter out traffic other than VLAN 111, MAC address a4:bb:6d:5e:0e:35 from Switch R1SW2 Port g15 which is the Terminal Server port, however the switch would not let me do that because, I assume, outbound MAC address filtering is restricted to multicast traffic only.
    
    Thank you

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

Learn More

Forum Discussion

Private VLANs on the GC728X and GC752X Switches

9 Replies

Related Content

GC728X using RADIUS authentication

E switch range... does it support private / isolated ports?

28-port Insight Smart Cloud Switches Now Available GC728X & GC728XP

Wifi on VLAN GC728X

SFP/SFP+ Question (GC728X to AX6000)

NETGEAR Academy

ProSupport for Business