Forum Discussion
barreaudb
Apr 04, 2025 Aspirant
GS305E Trunking tagged and untagged vlans
Hi there. I recently purchased a GS308EPP. In basic 802.1Q mode, I temporarily used it to connect: - (V)lan 1 (default Lan): still a few controlling/managing devices; - Vlan 20 : Data; and - Vla...
barreaudb
Apr 05, 2025 Aspirant
to add: I just tried using Basic 802.1Q based mode, as this is the mode used successfully with the other switch.
And I have just noticed that the GS305E doesn't keep the port set-up in memory when the power is unplugged. So at first I had IPs attributed wrongly amongst wired devices.
After setting up again and rebooting connected devices:
- IPs are correctly attributed as per the LAN DHCP server. So I have 1 IP in the default LAN (switch), 2 IPs in the IoT VLAN (30) and 1 IP in the Data VLAN (20).
- LAN (wifi and ethernet) accesses Data.
- IoT accesses the internet.
- IoT has no access to Data despite the firewall rule (that works with the other switch).
Time for a break.
barreaudb
Apr 06, 2025 Aspirant
Further test back to Advanced 802.1Q based mode: same non-connectivity issues between VLAN-IoT and VLAN-Data devices whilst my firewall tracks their communications.
Ports 1 and 5 of switch to trunk
Port 2: VLAN 20 (Data)
Ports 3 & 4: VLAN 30 (IoT)
Here is the setup:
schumaku
Apr 06, 2025 Guru - Experienced User
barreaudb wrote:
Further test back to Advanced 802.1Q based mode: same non-connectivity issues between VLAN-IoT and VLAN-Data devices whilst my firewall tracks their communications.
Ports 1 and 5 of switch to trunk
Only port 5 is configured as a trunk carrying VLAN 1 [U]ntagged, VLAN 30 [T]agged, VLAN 20 [T]agged.
Port 1 is configured as an access port for VLAN 1 only.
Port 2 is an access port for VLAN 20.
Ports 3 and 4 are access ports for VLAN 30.
What is connected on Port 5 - the AP or the router/firewall?
barreaudb
Apr 06, 2025 Aspirant
Hi schumaku, again thanks so much for looking to correct me.
Taking all the questions from the last 3 different posts:
- my Forti firewall allows defining ethernet ports as a trunk, with one [U]ntagged VLAN plus multiple [T]agged. The 2 ports in use have exactly the same settings and are configured as a VLAN zone (no communication between subnets except as otherwise provided by fw policy).
- With the AP, Default LAN and IoT are broadcast and IPs delivered through the bridge by the firewall DHCP. Data has no wifi. A specific Management VLAN (different from the Default LAN) has been tested but not deployed yet because I have no managed switch to connect the Admin PC yet. Admin devices are directly on the ethernet/wifi Default LAN.
- I think I understand what you explained to be an asymmetric LAN, and sort of a nightmarish-can't-be-right thing. Would this be addressed by ending the Default LAN and moving admin devices onto the dedicated Management VLAN?
If yes, then I need to define which switch model I will use to complement the GS308EPP; so at least in the interim until that moment, I just need to have this *working* so I can continue to develop my network mix of home and professional needs.
- config re ports/PVID in the GS305E: good catch, this is now corrected. And I confirm that port 5 connects to the firewall.
- Here is a diagram of my current network. The place of the managed switch is definitive. There are a few other VLANs that have no link to this problem and are segregated, so to keep the view as simple as possible, they are not mentioned.
schumaku
Apr 07, 2025 Guru - Experienced User
barreaudb wrote:
- I think I understand what you explained to be an asymmetric LAN, and sort of a nightmarish-can't-be-right thing. Would this be addressed by ending the Default LAN and moving admin devices onto the dedicated Management VLAN?
Nothing to change on the PVID side (more on this below).
Some decades ago, major vendors like the big C brand, among other manufacturers, had something like a "native VLAN" which was often flying below the horizon of the network admins and the security people; when doing security audits, this was a big hole in the infrastructure. No matter if that was a big bank, finance, insurance, ... there were many.
As you are operating your own LAN, there is not much added value in changing the default VLAN 1 to any other random number. It will just add confusion, problems, unintended complexity.
barreaudb wrote:
- config re ports/PVID in the GS305E: good catch, this is now corrected. And I confirm that port 5 connects to the firewall.
Nothing to change on the PVID side, as the PVID A setting of the [U]ntagged VLAN n (which must be unique on that port) plus the PVID does define (by port) the VLAN incoming untagged frames are associated to; in networking terms it's an access port for that specific VLAN.
I assume you operate your network for business and home usage, but have no hard physical access controls to patch panels, switches, firewall, ... So please K.I.S.S. and don't overdesign things!
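The port layout schumaku spells out above (port 5 as the trunk with VLAN 1 untagged and VLANs 20/30 tagged, ports 1 to 4 as access ports) and the PVID rule in the reply just above can be checked with a small model of 802.1Q ingress and egress. The following is an added example, not the switch's own configuration export or any NETGEAR code; the port table is constructed from the thread's description, and the port/PVID names are the example's own. It classifies an incoming frame by tag or PVID, computes which ports forward it and whether the tag is kept, and lints the table for the two mistakes discussed in the thread: a PVID that points at a VLAN the port is not an untagged member of, and a port that is untagged in more than one VLAN.

```python
"""Toy 802.1Q forwarding model: per-port [T]/[U] membership plus PVID."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)
    untagged: Set[int] = field(default_factory=set)


# Constructed from the thread's description (assumption, not a device export):
#   port 5 = trunk to the firewall (VLAN 1 [U], VLANs 20 and 30 [T])
#   port 1 = access VLAN 1, port 2 = access VLAN 20, ports 3-4 = access VLAN 30
SWITCH: Dict[int, Port] = {
    1: Port(pvid=1, untagged={1}),
    2: Port(pvid=20, untagged={20}),
    3: Port(pvid=30, untagged={30}),
    4: Port(pvid=30, untagged={30}),
    5: Port(pvid=1, untagged={1}, tagged={20, 30}),
}


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an incoming frame.

    An untagged frame is associated with the port's PVID. A tagged frame is
    accepted only if the port is a member of that VLAN (ingress filtering);
    otherwise it is dropped and None is returned.
    """
    if tag is None:
        return port.pvid
    if tag in port.tagged or tag in port.untagged:
        return tag
    return None


def egress(switch: Dict[int, Port], in_port: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Return {out_port: tag_on_wire} for a frame flooded within its VLAN.

    tag_on_wire is None where the out port is an untagged member and the VLAN
    id where it is a tagged member. Ports outside the VLAN never see the frame,
    so the switch itself never moves traffic between VLAN 20 and VLAN 30; that
    path can only exist through the trunk and the firewall behind it.
    """
    vlan = ingress_vlan(switch[in_port], tag)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for pid, port in switch.items():
        if pid == in_port:
            continue
        if vlan in port.untagged:
            out[pid] = None
        elif vlan in port.tagged:
            out[pid] = vlan
    return out


def lint(switch: Dict[int, Port]) -> list:
    """Flag per-port settings that contradict the PVID/untagged rule."""
    issues = []
    for pid, port in switch.items():
        if len(port.untagged) > 1:
            issues.append(f"port {pid}: untagged in more than one VLAN {sorted(port.untagged)}")
        if port.pvid not in port.untagged:
            issues.append(f"port {pid}: PVID {port.pvid} is not an untagged member VLAN")
        if port.tagged & port.untagged:
            issues.append(f"port {pid}: VLAN both tagged and untagged {sorted(port.tagged & port.untagged)}")
    return issues


if __name__ == "__main__":
    print("Data PC on port 2 sends untagged ->", egress(SWITCH, 2, None))   # {5: 20}
    print("IoT device on port 3 sends untagged ->", egress(SWITCH, 3, None))  # {4: None, 5: 30}
    print("firewall sends tagged 20 on port 5 ->", egress(SWITCH, 5, 20))   # {2: None}
    print("firewall sends untagged on port 5 ->", egress(SWITCH, 5, None))  # {1: None}
    print("lint of the corrected table ->", lint(SWITCH))                    # []
```

Running `lint` on a table where, for example, port 2 keeps PVID 1 while being untagged only in VLAN 20 reproduces the "good catch" from the thread: untagged frames from the Data PC would be classified into VLAN 1 and leave port 5 untagged, landing in the default LAN instead of VLAN 20. The `egress` results also make the asymmetric-LAN point concrete: only port 5 ever carries more than one VLAN, and a frame from VLAN 30 never reaches port 2 inside the switch, so whether IoT can reach Data depends entirely on what the firewall does with the tagged frames it receives on that trunk.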