Re: VLAN available without having been added to the list in the switch

rumorconsumerr
Luminary

VLAN available without having been added to the list in the switch

Hello.

 

I just enabled a new VLAN, 12, on my network with a variety of other switches; the router is a Cisco Meraki device and the GS110TPV3 is downstream after a few other switches.

 

So I enabled VLAN 12 on a bunch of them and there is one device - a NAS - on VLAN 12 that I can hit via IP from the other spots on the network where VLAN 12 is tagged.

 

The GS110TPV3 is hanging off one of those other switches. I have not added VLAN 12 to that switch. However, clients can hit the IP of the device on VLAN 12 from ports on that switch. Does this make sense? I thought I would need to at least add the VLAN and set the member ports and tagged/untagged. How could it be that traffic from VLAN12 travels to the clients on the GS110TPV3? Puzzling. 

 

Just confirmed again, it's not in the list of VLANs for that switch. So as far as I know it shouldn't pass any traffic.

Message 1 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch

However, this VLAN 12 does reach the GS110TPV3 - just defining a VLAN alone does not do much. The question is how the upstream switches and port are delivering that VLAN 12 to the GS110TPV3, e.g. as an untagged network.

 

If you don't want VLAN 12 ever reaching the Netgear switch (in whatever way), don't configure it on the upstream port where you connect this switch.

Message 2 of 14
rumorconsumerr
Luminary

Re: VLAN available without having been added to the list in the switch

Thanks for your reply. 

 

VLAN 12 is not the default VLAN (1 is) and it's being tagged all the way over. Otherwise I would be having horrendous issues with two untagged VLANs at once, no?

Message 3 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch

So why does this VLAN 12 ever reach the Netgear switch, e.g. tagged? Not defining the VLAN on a switch does not imply other tagged VLAN can pass a switch.

 

The VLAN 12 can be accessed if you connect a system configured as tagged for the VLAN 12. 

Message 4 of 14
rumorconsumerr
Luminary

Re: VLAN available without having been added to the list in the switch

It goes like this

 

Router with VLAN 12 allowed ----> Switch with VLAN 12 tagged on all ports ----> GS110TPV3 switch with VLAN 12 never tagged or even entered at all on any ports ---> device wired to GS110TPV3 that can hit an IP on VLAN 12.

 

I am trying to understand how, without the GS110TPV3 having any idea VLAN12 exists this works. Are you suggesting that the device on GS110TPV3 has access because the uplink port GS110TPV3 is connected to passes VLAN12 tagged? 

Message 5 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch

Again: If you expose any tagged VLAN on a port there is nothing prohibiting a connected device, or a switch, from accessing that VLAN. If you don't want that VLAN 12 ever accessible, do not make it available on a port or a LAG. So do not configure the connecting upstream port to grant access to that VLAN.

Message 6 of 14
rumorconsumerr
Luminary

Re: VLAN available without having been added to the list in the switch

It's not strange to you, though, that the switch would arbitrarily decide to pass a tagged VLAN that it has no information about? Is that normal?

Message 7 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch


@rumorconsumerr wrote:

Router with VLAN 12 allowed ----> Switch with VLAN 12 tagged on all ports ----> GS110TPV3 switch with VLAN 12 never tagged or even entered at all on any ports ---> device wired to GS110TPV3 that can hit an IP on VLAN 12.


The mistake is having all VLANs on that upstream device exposed.  

 


@rumorconsumerr wrote:

I am trying to understand how, without the GS110TPV3 having any idea VLAN12 exists this works. Are you suggesting that the device on GS110TPV3 has access because the uplink port GS110TPV3 is connected to passes VLAN12 tagged? 


A switch can and will handle ANY VLAN, regardless of whether it's defined or not. Typical risk of exposing tagged VLANs - intentionally or by error - on a trunk port.

 

Defining the VLAN does allow the switch admin to configure e.g. an access port for that VLAN. It does not imply undefined VLANs - technically just Ethernet frames with a tag. The purpose of the tag is to identify the association of the frame only.   

Message 8 of 14
rumorconsumerr
Luminary

Re: VLAN available without having been added to the list in the switch

This has been helpful and educational.

 

Don't expose VLANs you don't want accessed, defined or not, has been my lesson.

 

Thank you very much.

Message 9 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch

You can continue this a little bit in two directions.

 

When connecting a "dumb" unmanaged switch, most will process untagged -and- tagged frames.

 

In some environments, you don't even need to configure the VLANs explicitly on the switch - they can learn about the VLANs on a trust base, and you can use and configure these VLANs for whatever purpose (to another trunk port, to an access port). 

Message 10 of 14
rumorconsumerr
Luminary

Re: VLAN available without having been added to the list in the switch

Re dumb switches - yes, this is why I don't use any of them - presumably to avoid this kind of thing.

I thought maybe this switch was "learning" from the upstream ones, but there is no mention of it anywhere in the config.
Message 11 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch

To avoid abuse, managed and smart managed switches allow you to limit e.g. an access port (where we connect a single device) to untagged frames only. This will prohibit the "injection" of tagged frames, or the unintended access to tagged VLANs.

Message 12 of 14
rumorconsumerr
Luminary

Re: VLAN available without having been added to the list in the switch

Right. So set the desired VLAN to untagged and set all others to null, correct?
Message 13 of 14
schumaku
Guru

Re: VLAN available without having been added to the list in the switch


@rumorconsumerr wrote:
Right. So set the desired VLAN to untagged and set all others to null, correct?

For an access port, or for a port connecting to a non-managed switch serving one network only - yes. Don't forget to allow untagged frames only, too.

Message 14 of 14
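The behaviour schumaku describes in messages 8, 12 and 14 (tagged frames pass through a switch whether or not the VID is defined; an access port set to untagged-only closes that path) as an added, constructed model, not code from the thread or from Netgear. It assumes a simplified port model (pvid, untagged_only, members) and a switch whose undefined-VLAN handling is "forward any tag", which is what the thread reports for the GS110TPV3.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def make_frame(vid=None, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast dst, locally administered src, IPv4 payload."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    if vid is None:
        return dst + src + b"\x08\x00" + payload
    # TCI with PCP=0, DEI=0 and the 12-bit VID, then the real EtherType
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, 0x0800) + payload

def vlan_of(frame: bytes):
    """Return the 802.1Q VID carried by an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI are the VID

def classify(frame: bytes, port: dict):
    """Ingress decision: VLAN the frame is placed in, or None if it is dropped.
    port keys: pvid (int), untagged_only (bool), members (set of VIDs, None = any)."""
    vid = vlan_of(frame)
    if vid is None or vid == 0:          # untagged / priority-tagged -> native VLAN
        return port["pvid"]
    if port["untagged_only"]:            # "admit untagged only": tagged frame discarded
        return None
    if port["members"] is not None and vid not in port["members"]:
        return None
    return vid

def reaches_client(frame: bytes, uplink: dict, client: dict) -> bool:
    """Would a frame arriving on the uplink be sent out the client port?"""
    vid = classify(frame, uplink)
    if vid is None:
        return False
    # egress: the port carries the VLAN if it is the PVID or among its members
    return vid == client["pvid"] or client["members"] is None or vid in client["members"]

# Constructed scenario from the thread: VLAN 12 was never defined on the downstream switch.
UPLINK_ANY = {"pvid": 1, "untagged_only": False, "members": None}      # trunk passing any tag
CLIENT_DEFAULT = {"pvid": 1, "untagged_only": False, "members": None}  # no VLAN filtering at all
CLIENT_HARDENED = {"pvid": 1, "untagged_only": True, "members": {1}}   # access port, untagged only

def demo():
    """(leaks with default client port?, leaks with hardened client port?)"""
    f12 = make_frame(12)
    return reaches_client(f12, UPLINK_ANY, CLIENT_DEFAULT), reaches_client(f12, UPLINK_ANY, CLIENT_HARDENED)
```

`classify(make_frame(12), CLIENT_HARDENED)` returning None is the "untagged frames only" setting from message 12 acting on the client side, so a tag injected by the connected device is discarded at ingress as well.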