akio63
Aug 08, 2022, Aspirant
Private VLANs on the GC728X and GC752X Switches
Hello Netgear Gurus, I am trying to understand how the Private VLANs on the GC728X and GC752X switches operate. I have a Terminal Server that only negotiates to 100 Mbps Full. So we constantly ...
- Aug 21, 2022
akio63 wrote:
Okay you gave me two options.
Please keep in mind I'm just another community member, not Netgear support or the like.
I would prefer to go to the Security > Traffic Control > Private VLAN > Private Vlan Port Mode Configuration config, because this is what the documentation does request. At that point, again, I would expect a different config pushed in place than a classic dot1q one.
This compares well to similar configurations on different switch models to support the asymmetrical VLAN configurations. And this is again a feature not supported on general dot1q configs. And this is, in my understanding, not a generic dot1q config, which is what I was talking about before.
Afraid again, I have no test horse available. The related answers could come from Netgear switch engineering (via support); some insight could come from comparing the configs generated by the two variants.
-Kurt
akio63
Aug 08, 2022, Aspirant
UPDATE
I need to correct something. This is not about Private VLANs (although I do need to discuss this but we will leave that for another discussion). This is about VLANs in general.
- schumaku, Aug 09, 2022, Guru - Experienced User
What are all these other participating VLANs doing on VLAN 111, where you expect only the Terminal Server traffic for VLAN 111?
If you only want VLAN 111 (probably as an untagged access port), then configure the beast accordingly. And nothing else.
- akio63, Aug 12, 2022, Aspirant
My apologies for not replying sooner, I have been busy.
No, I do not want only VLAN 111 traffic to reach the Terminal Server. I only want traffic from sim1 which is in VLAN 111 to reach the Terminal Server.
I want this traffic to reach the Terminal Server:
10.43.79.208 => 10.43.79.180

MAC ADD            IP ADD        NAME  SRC/DST      Switch  Port  PVID  Participating VLANs
a4:bb:6d:5e:0e:35  10.43.79.208  sim1  Source       R1SW1   g1    111   111,114,116,159,161,501,1111
00:80:d4:05:8a:30  10.43.79.180  TS1   Destination  R1SW2   g15   159   111,159

Which it does. However, this additional traffic below, that I don't want, is also reaching the Terminal Server:
10.43.79.171 => 10.43.79.197

MAC ADD            IP ADD        NAME      SRC/DST      Switch  Port  PVID  Participating VLANs
00:a0:69:0b:cc:c4  10.43.79.171  Time Svr  Source       R1SW2   g35   111   111,158,161
98:90:96:e0:8b:ab  10.43.79.197  sim7      Destination  R1SW2   g18   158   111,116,156,158,1111,2112

How can I prevent that traffic from reaching the Terminal Server? Neither the source nor the destination is participating in VLAN 159, so it shouldn't reach the Terminal Server, which has a PVID of 159. Or do I not understand the significance of the PVID? Do I need to create a new VLAN for sim1, say VLAN 800, put sim1 into VLAN 800 and remove VLAN 111 from the Terminal Server's Participating VLANs, as well as add VLAN 800 to it?
I tried using MAC address filtering to filter out traffic other than VLAN 111, MAC address a4:bb:6d:5e:0e:35, from Switch R1SW2 Port g15, which is the Terminal Server port; however, the switch would not let me do that because, I assume, outbound MAC address filtering is restricted to multicast traffic only.
Thank you
- schumaku, Aug 13, 2022, Guru - Experienced User
Still curious why these devices (MAC addresses) are participating in that many VLANs. Are these many other VLANs routed, combining many different subnets?
akio63 wrote:
How can I prevent that traffic from reaching the Terminal Server?
Afraid, I can't understand this VLAN design on googles...
akio63 wrote:
Neither the source nor the destination is participating in VLAN 159 so it shouldn't reach the Terminal Server which has a PVID of 159. Or do I not understand the significance of the PVID? Do I need to create a new VLAN for sim1, say VLAN 800, put sim1 into VLAN 800 and remove VLAN 111 from the Terminal Server's Participating VLANs, as well as add VLAN 800 to it?
So there must be other reasons why this VLAN does show up on the terminal server port.
The PVID defines the VLAN that incoming untagged frames on a port are sent to.
akio63 wrote:
I tried using MAC address filtering to filter out traffic other than VLAN 111, MAC address a4:bb:6d:5e:0e:35 from Switch R1SW2 Port g15 which is the Terminal Server port, however the switch would not let me do that because, I assume, outbound MAC address filtering is restricted to multicast traffic only.
As above - no idea by what magic you expect this VLAN to be workable. In the typical use case, you define a VLAN xyz, configure for example two ports untagged for this VLAN xyz (and no other VLAN associations) and PVID xyz, so all untagged frames on these two ports go to VLAN xyz.
Are you trying to configure some asymmetric VLAN environment here?
In a clean VLAN environment, you have access ports configured to be in one VLAN xyz. The other simple config is a trunk connection, where you can carry more than one VLAN on a port, either all tagged, one untagged, and two or more untagged. Each VLAN makes up its own network (and handles a dedicated IP subnet each). Some special usages exist where you bring multiple networks to one port, e.g. a workstation untagged and an IP phone tagged.
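Added example, not from the thread or from Netgear: a minimal 802.1Q forwarding model in Python that applies the PVID rule schumaku gives to the R1SW2 port values akio63 posted, to show why Time Svr frames can still appear on the Terminal Server port g15 and what changes when VLAN 111 is removed from that port's participating VLANs, as akio63 proposed. It assumes untagged frames are classified by the ingress PVID, per-VLAN MAC learning, and flooding of unknown destinations to member ports only; the switch is modelled in isolation, without its uplinks, and the MAC table starts empty.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int
    vlans: frozenset          # participating VLANs from the thread's table

@dataclass
class Switch:
    ports: dict
    fdb: dict = field(default_factory=dict)   # (vlan, mac) -> port

    def forward(self, in_port, src, dst, tag=None):
        """Return the set of egress ports for one frame entering in_port."""
        p = self.ports[in_port]
        # untagged frames go to the PVID; tagged frames need port membership
        vid = p.pvid if tag is None else (tag if tag in p.vlans else None)
        if vid is None:
            return set()
        self.fdb[(vid, src)] = in_port         # learn source MAC per VLAN
        known = self.fdb.get((vid, dst))
        if known is not None:
            return {known} - {in_port}         # dst on the ingress port: filtered
        # unknown unicast / broadcast: flood to member ports of this VLAN only
        return {n for n, q in self.ports.items() if vid in q.vlans and n != in_port}

# R1SW2 ports as posted in the thread (constructed approximation: one
# switch, no uplink ports, MAC table initially empty)
def build_r1sw2(ts_vlans=frozenset({111, 159})):
    return Switch({
        "g15": Port(159, frozenset(ts_vlans)),                          # TS1
        "g18": Port(158, frozenset({111, 116, 156, 158, 1111, 2112})),  # sim7
        "g35": Port(111, frozenset({111, 158, 161})),                   # Time Svr
    })

TIME_SVR, SIM7 = "00:a0:69:0b:cc:c4", "98:90:96:e0:8b:ab"

def time_svr_to_sim7(ts_vlans=frozenset({111, 159})):
    """Untagged request from Time Svr, untagged reply from sim7, request again."""
    sw = build_r1sw2(ts_vlans)
    first = sw.forward("g35", TIME_SVR, SIM7)  # enters VLAN 111, floods to all 111 members
    reply = sw.forward("g18", SIM7, TIME_SVR)  # enters VLAN 158, so sim7 is learned there only
    again = sw.forward("g35", TIME_SVR, SIM7)  # sim7 still unknown in VLAN 111: floods again
    return first, reply, again

if __name__ == "__main__":
    print(time_svr_to_sim7())                  # g15 (TS1) is in every flood
    print(time_svr_to_sim7(frozenset({159})))  # VLAN 111 removed from g15: TS1 left out
```

In this model sim7's untagged reply lands in VLAN 158 because of g18's PVID, so its MAC is never learned in VLAN 111 and every Time Svr frame keeps flooding to all VLAN 111 members, g15 included.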