|reply to miguel |
Re: usg50, vlans, switch
I can answer what I did with my USG50 and a Cisco SG200-26. This is a work in progress, and I believe only necessary if one ultimately wants more LANs than the nominal three that the USG50 supports. Note broadcast traffic wouldn't normally pass between LAN1 and LAN2 because they are on different subnets.
In my case, all Ethernet cables make "home runs" to the switch, with one device per cable. Each cable is connected to a switch port. Switch ports that connect to incoming cables are set to be Access ports. This means that they add tags to incoming traffic and remove tags from outgoing traffic. (For now ignore that VLAN1, the default VLAN, is still in default mode and doesn't tag any messages.)
VLANxx is established in the switch and associated with (for now) two of these ports.
Port 26, but it could be any port on the switch, is set to be a Trunk port. This port passes and receives tagged and untagged traffic to/from the USG50, LAN1 port. At the moment, only printers are on their own VLAN, and suitable firewall rules are established in the USG50.
My USG50 has one VLAN established in it, eventually to be more VLANs. The VLAN setup includes DHCP for specific assigned printer IP addresses. The VLAN in the router has to have the same VLAN number as the corresponding VLAN in the switch (so the tags make sense in both directions). The router has to be told that the path to (in your case) 10.1.30.0/24 is via 10.1.1.253 with two hops (forget the word used). Otherwise, the router will drop VLAN traffic if it doesn't know the route to it. The route is established using the static route menu. (There could be some automatic router knowledge of the path in some configurations, but this is what I did.)
In my case, using router firewall rules, LAN1 untagged traffic can connect to the VLANxx printers and vice versa, but the printers have no access to the WANs.
More complex scenarios outside my skill set are possible with multiple managed switches and/or routers.