VLAN available without having been added to the list in the switch
Hello.
I just enabled a new VLAN, 12, on my network with a variety of other switches. The router is a Cisco Meraki device and the GS110TPV3 is downstream after a few other switches.
So I enabled VLAN 12 on a bunch of them and there is one device - a NAS - on VLAN 12 that I can hit via IP from the other spots on the network where VLAN 12 is tagged.
The GS110TPV3 is hanging off one of those other switches. I have not added VLAN 12 to that switch. However, clients can hit the IP of the device on VLAN 12 from ports on that switch. Does this make sense? I thought I would need to at least add the VLAN and set the member ports and tagged/untagged. How could it be that traffic from VLAN 12 travels to the clients on the GS110TPV3? Puzzling.
Just confirmed again, it's not in the list of VLANs for that switch. So as far as I know it shouldn't pass any traffic.
Re: VLAN available without having been added to the list in the switch
However, this VLAN 12 does reach the GS110TPV3 - just defining a VLAN alone does not do much. The question is how the upstream switches and port are delivering that VLAN 12 to the GS110TPV3, e.g. as an untagged network.
If you don't want VLAN 12 ever to reach the Netgear switch (in whatever way), don't configure it on the upstream port where you connect this switch.
Re: VLAN available without having been added to the list in the switch
Thanks for your reply.
VLAN 12 is not the default VLAN (1 is) and it's being tagged all the way over. Otherwise I would be having horrendous issues with two untagged VLANs at once, no?
Re: VLAN available without having been added to the list in the switch
So why does this VLAN 12 ever reach the Netgear switch, e.g. tagged? Not defining the VLAN on a switch does not imply other tagged VLANs can pass a switch.
VLAN 12 can be accessed if you connect a system configured as tagged for VLAN 12.
Re: VLAN available without having been added to the list in the switch
It goes like this:
Router with VLAN 12 allowed ----> Switch with VLAN 12 tagged on all ports ----> GS110TPV3 switch with VLAN 12 never tagged or even entered at all on any ports ---> device wired to GS110TPV3 that can hit an IP on VLAN 12.
I am trying to understand how this works without the GS110TPV3 having any idea VLAN 12 exists. Are you suggesting that the device on the GS110TPV3 has access because the uplink port the GS110TPV3 is connected to passes VLAN 12 tagged?
Re: VLAN available without having been added to the list in the switch
Again: if you expose any tagged VLAN on a port, there is nothing prohibiting a connected device, or a switch, from accessing that VLAN. If you don't want VLAN 12 ever accessible, do not make it available on a port or a LAG. So do not configure the connecting upstream port to grant access to that VLAN.
Re: VLAN available without having been added to the list in the switch
It's not strange to you, though, that the switch would arbitrarily decide to pass a tagged VLAN that it has no information about? Is that normal?
Re: VLAN available without having been added to the list in the switch
@rumorconsumerr wrote:
Router with VLAN 12 allowed ----> Switch with VLAN 12 tagged on all ports ----> GS110TPV3 switch with VLAN 12 never tagged or even entered at all on any ports ---> device wired to GS110TPV3 that can hit an IP on VLAN 12.
The mistake is having all VLANs on that upstream device exposed.
@rumorconsumerr wrote:
I am trying to understand how this works without the GS110TPV3 having any idea VLAN 12 exists. Are you suggesting that the device on the GS110TPV3 has access because the uplink port the GS110TPV3 is connected to passes VLAN 12 tagged?
A switch can and will handle ANY VLAN, regardless of whether it's defined or not. Typical risk of exposing tagged VLANs - intentionally or by error - on a trunk port.
Defining the VLAN does allow the switch admin to configure e.g. an access port for that VLAN. It does not imply anything about undefined VLANs - technically just Ethernet frames with a tag. The purpose of the tag is only to identify the association of the frame.
Re: VLAN available without having been added to the list in the switch
This has been helpful and educational.
Don't expose VLANs you don't want accessed, defined or not, has been my lesson.
Thank you very much.
Re: VLAN available without having been added to the list in the switch
You can continue this a little bit in two directions.
When connecting a "dumb" unmanaged switch, most will process untagged -and- tagged frames.
In some environments, you don't even need to configure the VLANs explicitly on the switch - they can learn about the VLANs on a trust basis, and you can use and configure these VLANs for whatever purpose (to another trunk port, to an access port).
Re: VLAN available without having been added to the list in the switch
I thought maybe this switch was "learning" from the upstream ones, but there is no mention of it anywhere in the config.
Re: VLAN available without having been added to the list in the switch
To avoid abuse, managed and smart managed switches allow limiting e.g. an access port (where we connect a single device) to untagged frames only. This will prohibit the "injection" of tagged frames, or the unintended access to tagged VLANs.
Re: VLAN available without having been added to the list in the switch
@rumorconsumerr wrote:
Right. So set the desired VLAN to untagged and set all others to null, correct?
For an access port, for a port connecting to a non-managed switch serving one network only - yes. Don't forget to allow untagged frames only, too.
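The two points made in this thread - a port with no restrictions will classify a tagged frame by its tag whether or not that VLAN was ever defined on the switch, and an access port should be limited to untagged frames only - can be checked in a small model of 802.1Q ingress handling. The script below is an added illustration, not Netgear code and not taken from a GS110TPv3 configuration; the port settings, MAC addresses and payload are constructed for the example, and the `admit_untagged_only` and `ingress_filtering` names are this model's own (they correspond to the 802.1Q "acceptable frame types" and "ingress filtering" port parameters found on managed switches).

```python
"""Simulated 802.1Q ingress handling for one switch port.

Added illustration for the thread above; not vendor code.  Port settings,
MAC addresses and payloads below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class PortConfig:
    """Per-port 802.1Q settings as exposed by managed/smart managed switches."""
    pvid: int = 1                      # VLAN assigned to untagged ingress frames
    tagged_vlans: set = field(default_factory=set)
    untagged_vlans: set = field(default_factory=set)
    admit_untagged_only: bool = False  # "acceptable frame types: untagged only"
    ingress_filtering: bool = False    # drop tagged frames for non-member VLANs

    def member_vlans(self) -> set:
        return self.tagged_vlans | self.untagged_vlans | {self.pvid}


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Construct a minimal Ethernet frame, optionally with an 802.1Q tag (PCP 0, DEI 0)."""
    header = dst + src
    if vid is not None:
        tci = vid & 0x0FFF
        header += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return header + ethertype.to_bytes(2, "big") + payload


def parse_frame(frame: bytes):
    """Return (vid, tagged, ethertype); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != TPID_8021Q:
        return None, False, ethertype
    if len(frame) < 18:
        raise ValueError("tagged frame too short for a TCI")
    tci = int.from_bytes(frame[14:16], "big")
    inner = int.from_bytes(frame[16:18], "big")
    return tci & 0x0FFF, True, inner


def ingress_decision(port: PortConfig, frame: bytes):
    """Decide what a port does with an arriving frame.

    Returns ("accept", vid) with the VLAN the frame is classified into, or
    ("drop", reason).  With ingress filtering off, a tagged frame is accepted
    and classified by its tag even if that VLAN was never defined on the
    switch, which is the behaviour the thread observed.
    """
    vid, tagged, _ = parse_frame(frame)
    if not tagged:
        return "accept", port.pvid
    if port.admit_untagged_only:
        return "drop", f"tagged frame (VLAN {vid}) on untagged-only port"
    if port.ingress_filtering and vid not in port.member_vlans():
        return "drop", f"VLAN {vid} is not a member of this port"
    return "accept", vid


# Constructed sample frames (locally administered MACs, placeholder payload).
NAS_MAC = bytes.fromhex("02000000000c")
CLIENT_MAC = bytes.fromhex("020000000001")
TAGGED_VLAN12 = build_frame(CLIENT_MAC, NAS_MAC, b"ping", vid=12)
UNTAGGED = build_frame(CLIENT_MAC, NAS_MAC, b"ping")

# Port the way the thread found it: VLAN 12 never defined, nothing blocks it.
UPLINK_AS_FOUND = PortConfig(pvid=1)

# Access port hardened per the thread's advice: one untagged VLAN, untagged only.
ACCESS_HARDENED = PortConfig(pvid=1, untagged_vlans={1}, admit_untagged_only=True)

# Trunk explicitly limited to its member VLANs via ingress filtering.
TRUNK_FILTERED = PortConfig(pvid=1, tagged_vlans={10, 20}, ingress_filtering=True)

if __name__ == "__main__":
    for name, port in [("as-found uplink", UPLINK_AS_FOUND),
                       ("hardened access", ACCESS_HARDENED),
                       ("filtered trunk", TRUNK_FILTERED)]:
        print(f"{name:16} tagged VLAN 12 -> {ingress_decision(port, TAGGED_VLAN12)}")
        print(f"{name:16} untagged       -> {ingress_decision(port, UNTAGGED)}")
```

Run as a script it prints the decision for each of the three port profiles. The as-found port accepts the VLAN 12 frame purely because nothing told it not to; the hardened access port drops every tagged frame regardless of VID, and the filtered trunk drops VID 12 only because it is not in the member list. Real switches vary in how they treat a tagged frame for an undefined VLAN once it is past ingress, so the model stops at the ingress decision.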