NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
VLAN available without having been added to the list in the switch
Hello. I just enabled a new VLAN -12 on my network with a variety of other switches, the router is a Cisco Meraki device and the GS110TPV3 is downstream after a few other switches. So I enabl...
Thanks for your reply.
VLAN 12 is not the default VLAN (1 is) and its being tagged all the way over. Otherwise I would be having horrendous issues with two untagged VLANs at once, no?
So why does this VLAN 12 ever reach the Netgear switch, e.g. tagged? Not defining the VLAN on a switch does not imply other tagged VLAN can pass a switch.
The VLAN 12 can be accessed if you connect a system configured as tagged for the VLAN 12.
It goes like this
Router with VLAN 12 allowed ----> Switch with VLAN 12 tagged on all ports ----> GS110TPV3 switch with VLAN 12 never tagged or even entered at all on any ports ---> device wired to GS110TPV3 that can hit an IP on VLAN 12.
I am trying to understand how, without the GS110TPV3 having any idea VLAN12 exists this works. Are you suggesting that the device on GS110TPV3 has access because the uplink port GS110TPV3 is connected to passes VLAN12 tagged?
Again: If you expose any tagged VLAN on a port there is nothing prohibiting a connected device, or a switch, to access that VLAN. If you don't want that VLAN 12 ever accessible, do not make it available on a port, a LAG. So do not configue the connecting upstream port to grant acess to that VLAN.
its not strange to you though that the switch would arbitrarily decide to pass a tagged VLAN that it has no information about? Is that normal?
rumorconsumerr wrote:
Router with VLAN 12 allowed ----> Switch with VLAN 12 tagged on all ports ----> GS110TPV3 switch with VLAN 12 never tagged or even entered at all on any ports ---> device wired to GS110TPV3 that can hit an IP on VLAN 12.
The mistake is having all VLANs on that upstream device exposed.
rumorconsumerr wrote:
I am trying to understand how, without the GS110TPV3 having any idea VLAN12 exists this works. Are you suggesting that the device on GS110TPV3 has access because the uplink port GS110TPV3 is connected to passes VLAN12 tagged?
A switch can and will handle ANY VLAN, regardless if it's defined or not. Typical risk of exposing tagged VLANs - intentionally or by error - on a trunk port.
Defining the VLAN does allow the switch admin to configure e.g. an access port for that VLAN. It does not imply undefined VLANs - technically just Ethernet frames with a tag. The purpose of the tag is to identify the association of the frame only.
This has been helpful and educational.
Dont expose VLANs you dont want accessed, defined or not, has been my lesson.
thank you very much
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
