GS1200-8 802.1Q VLAN: Must all ports be connected to VLAN 1?

Norbert3
edited August 2022 in Switch
I wanted to separate a PC into VLAN2, but it should also be able to connect to the same internet router as all other devices in VLAN1. I set the PVID to 2 for this PC/port and set untagged for VLAN2 and unconnected for VLAN1. I also put the internet router as untagged in both VLANs. But with this it cannot connect to the internet router. If I also set VLAN1 untagged for this port, it works. With this config I am still not able to ping the other devices in VLAN1, as intended. It is now working, but I find it strange that the VLAN2 port must also be connected to VLAN1. Also, I am not sure if I opened a backdoor that can be used by malware to reach my devices in VLAN1.
Is this the way it should work, or did I do something wrong?



All Replies

  • Norbert3
    I forgot to write that the Zyxel switch is the 2nd one in the row. The internet router is connected to another switch. The first switch does the tagging for the line to the Zyxel switch. So, only the ports on both switches used for the connection between the two switches are tagged. All other ports are untagged.
  • Zyxel_Derrick (Zyxel Employee)
    Hi

    Based on your description, I have tried to do a simple lab.
    The topology is as below:
    L3 device P2 --------------- P1 GS1200 --------------- P3: PC A in VLAN2 (192.168.2.100)
    (192.168.1.1)                  (192.168.1.3)            P5: PC B in VLAN1 (192.168.1.200)
    (192.168.2.1)

    On the GS1200, I configured VLAN2 on ports 1 and 3: port 1 is tagged and port 3 is untagged with PVID 2, and port 3 is a non-member of VLAN 1.

    I also configured the default gateway to 192.168.1.1
    For L3 device, the connected ports between devices are tagged for VLAN 2.
    On PC A, I configured the default gateway to 192.168.2.1
    On PC B, I configured the default gateway to 192.168.1.1
    After finishing these configurations, PC A can ping PC B
    So, I think you don't have to configure VLAN 1 membership on port 3 of the GS1200, and I think the ports between the router and the first switch can be configured tagged for VLAN2.
    Thanks

    Best regards,
    Zyxel_Derrick
  • Norbert3
    Hi Derrick,

    Thank you for your reply. I implemented it as you suggested. From my previous setup I removed port 8 from VLAN 1 and set VLAN 1 untagged for port 1. This is the port that connects to the first switch, which is connected to the router. But the device on port 8 cannot access the router, which is also the DHCP server.

    With the configuration below the device on port 8 can connect to the router. It cannot connect to other devices in VLAN1, neither on the GS1200 nor on the Netgear switch that is connected to the router. This is what I intended. But it is still strange to me that I have to specify a "green" box also for port 8 on VLAN 1.

    There are two differences to your example: I use the same IP range 192.168.1.xxx for VLAN1 and VLAN 2, and the first switch is also an L2 one.

    My configuration is:
    Fritzbox -> Netgear GS108e -> Zyxel GS1200-8

    Fritzbox -> Netgear switch port 8 untagged on both VLANs 1 and 2
    Netgear switch port 1 tagged for both VLANs -> GS1200 port 1 tagged for both VLANs

    I have a configuration that seems to work. But I am not sure if I have implemented a security risk with this by opening a backdoor from VLAN 2 to VLAN1.


    Best regards
    Norbert
  • Zyxel_Derrick (Zyxel Employee)
    edited April 2020
    Hi Norbert

    I think the problem is the port setting between the router and the first switch.
    You should configure VLAN 2 tagged instead of configuring untagged on both VLANs.
    Please try configuring the port tagged for VLAN 2 and try again.
    Thanks

    Best regards,
    Zyxel_Derrick
  • Not sure if you got this worked out.
    Think of Tagged also as Trunked. PCs cannot tag, so a PC will always be untagged (switch port Access) and the PVID should match the VLAN. It would only share another VLAN on the same port if it were an IP phone, which does have the capability to TAG if programmed to do so. So, a trunk / uplink will be tagged for all VLANs. PVID should have no relevance.
    As for security, VLANs are a LAYER 2 protocol, not LAYER 3. The router would be set up for .1q trunking, and any crossover of VLAN traffic only occurs at that layer (3), .1q, also known as "Router on a Stick". This is known as inter-VLAN routing and must have firewall rules in place to block that crossover traffic. VLANs have no relationship with any IP address / subnet you created, so firewall rules will be IP-based rules.

    To sum it up: ports should not be assigned multiple VLANs where all are untagged.

    Tagged ports are trunk ports for uplink
    or
    a port used for multi device connection such as an IP Phone in say Voice VLAN 10 (TAGGED) with the data VLAN 20 untagged with PVID 20

    One important thing. PCs do have a capability in the NIC to modify, change, or add VLAN info for tagging. It is set to NO by default on every machine out there. Under no circumstances should you EVER change that, unless you enjoy punishing yourself.

    You can always buy a Cisco CCNA study guide and learn everything you wanted know about VLANS. It is a good read. Become a CCNA today.

    Cheers.
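As an added worked example (not code from the thread, from Zyxel, or from any of the posters): a small Python model of the 802.1Q ingress and egress rules the thread turns on, run against Derrick's lab configuration, Norbert's working configuration where port 8 keeps PVID 2 but is also an untagged member of VLAN 1, and the voice/data hybrid port from the last reply. The port numbers and VLAN IDs are taken from the posts; the L3 device's trunk link is assumed to carry VLAN 1 untagged and VLAN 2 tagged, and ingress filtering is assumed to be on (a frame classified into a VLAN its ingress port is not a member of is dropped). The switch logic itself is a constructed model, not GS1200 firmware behaviour.

```python
"""Constructed model of 802.1Q ingress/egress on a managed switch.
Not GS1200 firmware; written to trace the configurations from this thread.
Assumption: ingress filtering is on, i.e. a frame whose VLAN the ingress
port is not a member of is dropped at ingress."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out this port without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out this port with an 802.1Q tag

    def members(self) -> Set[int]:
        return self.untagged | self.tagged


@dataclass(frozen=True)
class Frame:
    src_port: int
    vid: Optional[int] = None  # None: arrived untagged on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress rule: untagged frames take the port's PVID, tagged frames keep
        their VID; the result is dropped (None) if the port is not a member."""
        port = self.ports[frame.src_port]
        vid = port.pvid if frame.vid is None else frame.vid
        return vid if vid in port.members() else None

    def flood(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Egress for a broadcast/unknown-destination frame: map of egress port
        -> VID carried on the wire (None = sent untagged). Empty if dropped."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[int, Optional[int]] = {}
        for num, port in self.ports.items():
            if num == frame.src_port:
                continue
            if vid in port.untagged:
                out[num] = None
            elif vid in port.tagged:
                out[num] = vid
        return out


def derrick_lab() -> Switch:
    """P1 trunk to the L3 device (assumed VLAN 1 untagged, VLAN 2 tagged),
    P3 PC A with PVID 2 and no VLAN 1 membership, P5 PC B in VLAN 1."""
    return Switch({
        1: Port(pvid=1, untagged={1}, tagged={2}),
        3: Port(pvid=2, untagged={2}),
        5: Port(pvid=1, untagged={1}),
    })


def norbert_variant() -> Switch:
    """Norbert's working config: port 8 keeps PVID 2 but is also an untagged
    member of VLAN 1 (the 'green box' he found he needed)."""
    return Switch({
        1: Port(pvid=1, untagged={1}, tagged={2}),
        8: Port(pvid=2, untagged={1, 2}),
        5: Port(pvid=1, untagged={1}),
    })


def phone_port() -> Switch:
    """Hybrid port from the last reply: voice VLAN 10 tagged, data VLAN 20
    untagged with PVID 20, behind an uplink that trunks both."""
    return Switch({
        1: Port(pvid=1, untagged={1}, tagged={10, 20}),
        2: Port(pvid=20, untagged={20}, tagged={10}),
    })


if __name__ == "__main__":
    cases = [
        ("Derrick: PC A on P3 sends untagged", derrick_lab(), Frame(3)),
        ("Derrick: VLAN 1 frame arrives on trunk P1", derrick_lab(), Frame(1, 1)),
        ("Derrick: VLAN 2 frame arrives on trunk P1", derrick_lab(), Frame(1, 2)),
        ("Derrick: tagged VID 2 arrives on access P5", derrick_lab(), Frame(5, 2)),
        ("Norbert: VLAN 1 frame arrives on trunk P1", norbert_variant(), Frame(1, 1)),
        ("Norbert: device on P8 sends untagged", norbert_variant(), Frame(8)),
        ("Phone: tagged VID 10 from phone on P2", phone_port(), Frame(2, 10)),
        ("Phone: untagged PC behind phone on P2", phone_port(), Frame(2)),
    ]
    for label, sw, frame in cases:
        print(f"{label:45} -> egress {sw.flood(frame)}")
```

In Derrick's lab the only path from P3 to P5 is up the trunk as VID 2 and back from the L3 device as VLAN 1, which is the inter-VLAN routing the last reply describes; at layer 2 the two access ports never see each other's frames. In Norbert's variant the model shows the asymmetry behind his "backdoor" question: a VLAN 1 frame arriving on the trunk (an ARP request from a VLAN 1 host, or the router's DHCP reply entering the first switch on a PVID 1 port) is flooded out port 8 untagged, while everything the port 8 device sends is classified into VLAN 2 only. So the device can receive VLAN 1 broadcast and flooded traffic but cannot put a frame into VLAN 1 from that port. Whether that one-way leak is acceptable is the check to make when auditing a port that is an untagged member of more than one VLAN.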