[nSLUG] Ranting / VLAN Tagging

chris thompson ct8ball at gmail.com
Thu May 28 10:10:45 ADT 2015


So I'm fighting my way through configuring VLAN tagging on various
equipment, after of course making sure the latest firmware is on there...
and fighting through to find a browser that will display the VLAN
Management 'interface'.. known issue but the device is EOL so what do you
do.

But the VLAN tagging doesn't actually function... Now I'm relatively new to
the entire tagging/segregating at this level, so I've been fighting through
thinking all along I have been doing something wrong. The simple test, tag
port 18, plug into port 12, ping the device directly connected to port 18,
likewise ping from port 18 to 12. The result is expected to be simple and
expected, traffic doesn't get through...

I finally broke down today and reached out to Netgear.. oops. The
conversation is below, now I'm trying very hard to be humble here, as I
really don't have much knowledge or experience with this.. yet...

If you kind folks could provide any type of insight, it would be greatly
appreciated.

*Arnold: Thank you for choosing NETGEAR.*
*Arnold: Hi Christopher! How may I assist you today?*
*Christopher Thompson: hi*
*Christopher Thompson: I have configured the switch to use VLAN tagging,
for instance, port 18 is tagged with vlan 250, but is still able to
communicate with all other ports*
*Christopher Thompson: I have attempted to change the other ports to U, as
well blank and ensured the latest firmware/boot loader are installed*
*Christopher Thompson: the unit was just reset 5 minutes ago*
*Christopher Thompson: can you help me please?*
*Arnold: Does that only happen to port 18?*
*Christopher Thompson: any port that is configured with a VLAN is not
behaving as expected*
*Christopher Thompson: I have attempted it with several different ports
representing various parts of the network*
*Christopher Thompson: as well different VLAN numbers*
*Arnold: With the test you did, have you tried if a certain computer from
vlan can access the drive of another computer from a different vlan?*
*Christopher Thompson: this is correct*
*Arnold: Do you have the switch connected directly to the router or another
switch?*
*Christopher Thompson: it is connected to a router yes*
*Christopher Thompson: the router/firewall is connected on the trunk port*
*Christopher Thompson: it is a zyxel zywall 100.. if that makes any
difference*
*Arnold: Have you checked if maybe you have vlan routing enabled from the
router which is the vlan host?*
*Christopher Thompson: I will open the config and double-check right now*
*Christopher Thompson: I don't believe the network traffic should be going
to the router/firewall as it's the default gateway*
*Christopher Thompson: traffic in the same subnet should be going straight*
*Christopher Thompson: is that inaccurate? or is there something about that
I do not understand?*
*Arnold: For a vlan host, vlan can be configured to communicate to other
vlan.*
*Arnold: That will the vlan routing works.*
*Arnold: The router is still the one handling the routing process.*
*Arnold: By the way, I would like to give your customer ID 30399294 so that
in case we get disconnected, you may log back in and look for me or
continue with the next expert.*
*Christopher Thompson: So would I have to add all the vlans to the router?*
*Christopher Thompson: would it route that traffic by default?*
*Arnold: Yes, the router should be the vlan host.*
*Christopher Thompson: okay. I will have to do further investigation*
*Christopher Thompson: by host you mean configure the routes and VLANs all
in there, complemented with the tagging just on the switch?*
*Arnold: Yes, that is correct.*
*Christopher Thompson: okay. But shouldn't the switch read the 802 frame
and drop the traffic anyways?*
*Christopher Thompson: it is the first central point away from the client*
*Christopher Thompson: and the configuration to my knowledge should
function such that a vlan tagged packet should not be sent to a non-vlan or
different vlan tagged port*
*Arnold: That is correct.*
*Christopher Thompson: sooo*
*Christopher Thompson: how is it happening that my tagged traffic is going
to a non-vlan member port*
*Arnold: I am thinking that it might not be routed properly.*
*Christopher Thompson: and vice versa*
*Christopher Thompson: well I'd say*
*Christopher Thompson: even without the firewall in the mix the switch
should honor that rule.*
*Christopher Thompson: that's kind of what VLAN tags are supposed to do*
*Christopher Thompson: outside of how other equipment works.*
*Arnold: That happened even though the port is tagged, right?*
*Christopher Thompson: yes*
*Christopher Thompson: the port continues to be tagged, the modification of
other ports from U to not being a member were both tested*
*Christopher Thompson: my test machine is plugged into port 12*
*Arnold: You might be doing an Asymmetric VLAN.*
*Christopher Thompson: that is a bit over my head. can you please explain?*
*Arnold: Let me see if I can get you a link to further explain that.*
*Christopher Thompson: okay, I can read up on it, but how do we do a
non-asymmetric vlan then?*
*Christopher Thompson: I have an explanation of an Asymmetric VLAN here, and
according to this, it's exactly what I am trying to accomplish*
*Christopher Thompson: all traffic should be allowed out the trunk*
*Arnold: Yes, do have a router that will provide or be the host vlan.*
*Christopher Thompson: but traffic from p18 should not be allowed to any
other port*
*Arnold: The router for different vlan should be corrected.*
*Christopher Thompson: it's not a problem with the router though? I'm
confused*
*Arnold: Asymmetric vlan is being done if there is no router that can be
host of the vlans.*
*Christopher Thompson: inter-subnet traffic does not go through your
gateway*
*Christopher Thompson: ie. 192.168.1.1 talks directly to 192.168.1.2*
*Christopher Thompson: or for simplicity, 192.168.1.18 talks directly to
192.168.1.12*
*Christopher Thompson: the traffic therein does not go through the gateway
of 192.168.1.1*
*Christopher Thompson: so the 802 tags should be completely intact*
*Christopher Thompson: and the VLAN tags should be honored by the switch.*
*Christopher Thompson: soo*
*Arnold: For asymmetric VLAN once the ports have been configured as untagged
for both ports on different vlan they will be able to communicate to each
other provided that they are on the same network or subnet.*
*Christopher Thompson: I think I understand the concept of U(untag)*
*Christopher Thompson: but I have attempted to make all other ports both
non-members, as well as untagged*
*Arnold: I see.*
*Arnold: By default the port will be member of vlan 1.*
*Christopher Thompson: certainly*
*Christopher Thompson: all ports are by default 'untagged' or VLAN1*
*Christopher Thompson: and that default group cannot be modified*
*Arnold: Yes, all ports are untagged to vlan 1.*
*Arnold: And yes, vlan 1 cannot be modified.*
*Christopher Thompson: right.*
*Arnold: Please try that with a router that will be the host to test it
further.*
*Christopher Thompson: pardon?*
*Arnold: Sorry, try it with a router that has vlan feature for you to test
it further.*
*Christopher Thompson: I have tested this with other switches, other
routers, and yours is the only one that doesn't honor tagging*
*Christopher Thompson: and I'm not quite sure what 'testing' is going to
tell me about how your device isn't functioning?*
*Christopher Thompson: so you don't know what the problem is?*
*Christopher Thompson: or don't know what the resolution is?*
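
The port 12 / port 18 test described above, modelled as an added example that is not part of the original post or chat: a generic IEEE 802.1Q port model (PVID plus tagged/untagged membership), assuming an end host that sends untagged frames. Port 24 as the trunk and the `isolate` layout are hypothetical; the switch in the post is not named and its actual behaviour is not reproduced here.

```python
# Added illustration: generic 802.1Q forwarding rules, not any vendor's firmware.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int = 1                                # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs sent out without a tag ("U")
    tagged: set = field(default_factory=set)     # VLANs sent out with a tag ("T")

    def members(self):
        return self.untagged | self.tagged

def egress_ports(ports, in_port, frame_vid=None):
    """Ports a broadcast frame leaves on, as {port: 'U' or 'T'}."""
    src = ports[in_port]
    # Untagged frames are classified by the ingress port's PVID.
    vid = src.pvid if frame_vid is None else frame_vid
    if vid not in src.members():                 # ingress filtering
        return {}
    return {n: ('T' if vid in p.tagged else 'U')
            for n, p in ports.items()
            if n != in_port and vid in p.members()}

def build(isolate):
    # Default state from the chat: every port is an untagged member of VLAN 1.
    ports = {n: Port(untagged={1}) for n in (12, 18, 24)}  # 24 = trunk (hypothetical)
    ports[18].tagged.add(250)                    # "port 18 is tagged with vlan 250"
    ports[24].tagged.add(250)
    if isolate:
        # Hypothetical access-port layout: PVID 250, untagged in 250, out of VLAN 1.
        ports[18] = Port(pvid=250, untagged={250})
    return ports

if __name__ == "__main__":
    for isolate in (False, True):
        ports = build(isolate)
        print("isolate =", isolate)
        print("  untagged frame in on 18 ->", egress_ports(ports, 18))
        print("  untagged frame in on 12 ->", egress_ports(ports, 12))
```

In this model, adding a tagged membership to port 18 leaves its PVID and VLAN 1 membership untouched, so an untagged ping still reaches port 12; only the second layout keeps port 18 traffic on the trunk alone.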