Hey,

Many similar topics and threads on this case, but still wanted to ask a question to see if my logic holds up.

I'm using a Zyxel GS1900-48 to set up a default VLAN topology and have run into the access/trunk/tagged/untagged debacle many people seem to have.

So from my understanding, to set up a VLAN topology on a Zyxel switch I need to:

I've done this in my lab and it works; however, in the port section of Zyxel, the port connecting to the firewall is in PVID 1 (default) and does not have VLAN Trunk enabled.

Example:

Port 1, 2, 3, 4 = PVID 10
Port 5, 6, 7, 8 = PVID 20
Port 9, 10, 11, 12 = PVID 30
Port 13, 14, 15, 16 = PVID 40

Port 48 = PVID 1

Port 1, 2, 3, 4 = UNTAGGED for VLAN 10, Excluded for all other ports except port 48
Port 5, 6, 7, 8 = UNTAGGED for VLAN 20, Excluded for all other ports except port 48
Port 9, 10, 11, 12 = UNTAGGED for VLAN 30, Excluded for all other ports except port 48
Port 13, 14, 15, 16 = UNTAGGED for VLAN 40, Excluded for all other ports except port 48

Port 48 = TAGGED for every VLAN ID

The trunk port is used for passing traffic between switches and firewalls, but how come I do not need to enable it for the port connecting to my firewall? From what I can understand, a trunk port is only necessary to carry traffic which isn't assigned a VLAN ID to the firewall. Since the port is tagged with a known VLAN, it will send the frame through to the connecting device, but this is exactly what a trunk port is for?

leonmoris, 2020-12-24 (5 upvotes, 5 answers), https://community.spiceworks.com/t/tagging-untagging-and-trunks/785734/1
I might be completely talking outta my a** here, but you did do "trunking" on port 48 by tagging it with every VLAN ID: all traffic from all VLAN IDs can (and should be able to) pass through here. Your firewall just needs to have rules for what to allow/block regarding traffic from specific VLAN IDs.

It seems counter-intuitive to UNTAG ports for a specific ID, rather than TAGGING them for the ID of the VLAN traffic they should carry. But that might just be the way your switch does things.

jspr, 2020-12-24, https://community.spiceworks.com/t/tagging-untagging-and-trunks/785734/2
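To make the point of the reply above concrete, here is an added example (not from the thread or from Zyxel) that models how an 802.1Q switch applies the PVID / tagged / untagged / excluded settings listed in the question: untagged ingress frames are classified by PVID, tagged frames by their VID, and each egress port emits tagged or untagged according to its membership. The only assumption beyond the post is that VLAN 1 holds just port 48, untagged; the frame bytes are constructed test data.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

def build_config():
    """Port -> PVID and per-VLAN egress mode ('T' tagged, 'U' untagged), as in the post."""
    groups = {10: [1, 2, 3, 4], 20: [5, 6, 7, 8], 30: [9, 10, 11, 12], 40: [13, 14, 15, 16]}
    pvid, members = {}, {}  # members[vlan] = {port: mode}; a port absent from a VLAN is excluded
    for vlan, ports in groups.items():
        members[vlan] = {p: "U" for p in ports}
        members[vlan][48] = "T"        # port 48 is a tagged member of every VLAN
        for p in ports:
            pvid[p] = vlan
    pvid[48] = 1                       # the firewall port keeps the default PVID 1
    members[1] = {48: "U"}             # assumption: VLAN 1 holds only port 48, untagged
    return pvid, members

def make_frame(vid=None, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed sample frame (broadcast dst); vid=None builds an untagged frame."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vid is None:
        return hdr + payload
    return hdr + struct.pack("!HH", TPID, vid & 0x0FFF) + payload

def parse_frame(frame):
    """Return (dst, src, vid_or_None, payload) for a raw Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[18:]   # VID is the low 12 bits of the TCI
    return dst, src, None, frame[14:]

def forward(ingress_port, frame, pvid, members):
    """Classify the frame on ingress, then return {egress_port: send_tagged} for flooding."""
    _, _, vid, _ = parse_frame(frame)
    vlan = pvid[ingress_port] if vid is None else vid   # untagged frames take the PVID
    group = members.get(vlan, {})
    if ingress_port not in group:     # ingress filtering: VLANs the port is not in are dropped
        return {}
    return {p: mode == "T" for p, mode in group.items() if p != ingress_port}
```

Run against the post's settings, an untagged frame on port 1 leaves ports 2 to 4 untagged and port 48 tagged with VID 10, a frame tagged 20 from the firewall reaches only ports 5 to 8, and an untagged frame from the firewall lands in VLAN 1 and goes nowhere: port 48 behaves as a trunk without any "VLAN Trunk" option.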
Didn't read the whole question, so I could be wrong with my answer...:

Trunks are the 'big pipes' you use to forward all the VLAN traffic to another switch or router.

Next you have ports that will automatically put a 'sticker' on each connection that is established over it. These ports will also only accept the traffic that is labelled with the same sticker, the VLAN TAG.

Then you have some ports that are somewhat between a full trunk and a tagged port. This could be a port for an access point, where you would want to allow traffic labelled for multiple VLANs. Unlike on the tagged ports, on these ports the packets arriving from the access point would already carry the 'sticker', the VLAN TAG. But then there might be some packets that arrive without a sticker (e.g. if you connect a PC to the same port). To tell the switch what VLAN ID to apply to this traffic, you would use the untagged option.

Hope it's simple enough to understand?

bojanzajc6669, 2020-12-24, https://community.spiceworks.com/t/tagging-untagging-and-trunks/785734/3