dnoyeB
Routing / switch question about USG20

I'm trying to get my VLAN setup to work. I have found one configuration that works and one that does not, but the VLAN is actually the same for both. That led me to this question about the USG behavior.

Initial setup
USG
P2 - LAN1 (192.168.1.x)
P3 - LAN1 (192.168.1.x)

Dlink
P2 - VLAN 736 - Zywall P2
P3 - VLAN 100 - Zywall P3

You would think this setup should work just fine. It should make the zywall work like a switch between the two LAN1 segments. Almost everything works. What does not work are ARP broadcasts. If a device on VLAN 100 sends an ARP asking who has 192.168.1.1 (USG) the USG will reflect that request on P2, but it will not answer that request. Note: all VLAN data is stripped before it reaches the USG. USG is connected to untagged ports on the switch.

Block intra-zone is set to NO. Firewall allows LAN1 to LAN1.

If I change P3 to a different subnet like so
USG
P3 - LAN1 (192.168.2.x)

everything works. Any ideas about this?
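To make the exchange the OP describes concrete, here is an added example (my code, not from this thread or from Zyxel) that builds and parses the ARP request a VLAN 100 host sends for 192.168.1.1 and the reply the USG should return, and counts requests versus replies in a list of captured frames, which is the check that separates a request merely reflected out P2 from an actual answer. The MAC addresses and the 192.168.1.50 host address are constructed.

```python
import struct
from ipaddress import IPv4Address
ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = struct.pack("!H", 0x0806)
BROADCAST = b"\xff" * 6

def build_arp(opcode, sha, spa, tha, tpa):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout)."""
    dst = BROADCAST if opcode == ARP_REQUEST else tha
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed
    return dst + sha + ETHERTYPE_ARP + arp

def parse_arp(frame):
    """Return (opcode, sha, spa, tha, tpa) for an ARP frame, or None if it is not one."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return (opcode, frame[22:28], str(IPv4Address(frame[28:32])),
            frame[32:38], str(IPv4Address(frame[38:42])))

def reply_for(frame, my_mac, my_ips):
    """Reply a host owning my_ips must send when frame asks for one of them, else None."""
    parsed = parse_arp(frame)
    if parsed is None or parsed[0] != ARP_REQUEST or parsed[4] not in my_ips:
        return None
    _, sha, spa, _, tpa = parsed
    return build_arp(ARP_REPLY, my_mac, tpa, sha, spa)

def gateway_arp_stats(frames, gateway_ip):
    """Requests for gateway_ip vs replies from it; a reflected request still counts as a request."""
    stats = {"requests": 0, "replies": 0}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, _, spa, _, tpa = parsed
        if opcode == ARP_REQUEST and tpa == gateway_ip:
            stats["requests"] += 1
        elif opcode == ARP_REPLY and spa == gateway_ip:
            stats["replies"] += 1
    return stats

# Constructed sample: a host on VLAN 100 asks who has the USG's LAN1 address.
HOST_MAC, USG_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
REQUEST = build_arp(ARP_REQUEST, HOST_MAC, "192.168.1.50", bytes(6), "192.168.1.1")
EXPECTED_REPLY = reply_for(REQUEST, USG_MAC, {"192.168.1.1"})
```

Feeding a capture taken on P2 into gateway_arp_stats with replies staying at 0 while requests climb is exactly the "reflected but not answered" symptom from the post.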
Kirby Smith

I'm not sure this is the cause of your issue, but normally the way a configurable (smart) Level 2 switch is configured with the router is as follows. Note that while the router can add and remove VLAN tags as it passes messages to/from the WAN, these tags have no utility unless on the LAN side there is a smart switch capable of dealing with VLANs and has been appropriately configured via its GUI or CLI (if accessible). VLANs created in the router will not do anything when connected to a dumb switch.

One port on the router is taken to be the "trunk" port that the "trunk" port on the switch is connected to. This trunk port has to be assigned to be trunk-like in the switch and specified to be a trunk port, which allows both tagged and untagged messages to pass through it to the processing functionality of the switch.

Assume the LAN 1 port on the router is 192.168.1.1. Configure the switch IP address to be 192.168.1.2. This is also its IP address as seen from the router's point of view, and from the point of view of all devices connected to the switch. Hanging off the switch are other ports going to devices on various VLANs. The default VLAN (VLAN 1) will normally carry through the same IP subnet as the router LAN, 192.168.1.x. Other VLANs, such as VLAN 100, would have a subnet of 192.168.100.x, and be connected to one or more defined switch ports. These ports would be defined in the switch to keep or add/remove VLAN tags as desired.

VLANs have to be established (with the same number) in the configuration of both the switch and the router. The switch and router can do nothing without the switch tagging messages that go "up-hill" from device to router, or the router tagging messages that go "down-hill" from the router to the switch to devices.

Inside the router, the router needs to know that the way to VLAN 100's subnet is via 192.168.1.2. This has to be set in a static route menu.

With only one switch, which VLAN can connect to another can be established in the switch, but if firewall differences are wanted, the VLANs need to be separated in the switch (not part of each other) and controlled by the router's firewall. For example, a VLAN with a printer might be allowed two-way traffic with VLAN 1's computers, but not allowed to tour the WWW.

Now, in the OP's configuration, there are two ports being used as trunks, which I think is OK, so long as the switch knows both are trunks. The router will tag messages to each VLAN when so configured. (The router must establish the IP subnet for each VLAN in its menu, and may be configured with MAC binding to ensure what address is offered to each device during DHCP.) The switch needs to be configured so that VLAN 100 is passed to the correct switch ports for the VLAN 100 devices, and so that VLAN 736 is passed to its correct switch ports for the VLAN 736 devices.

But I am not aware of a way to have a smart level 2 switch have two IP addresses of its own. The router's static routes to the two VLANs will point to 192.168.1.2, and end up going to both router ports P2 and P3, I expect. The switch has to do "the right thing" to get these messages to the correct VLAN device ports. I don't believe the router firewall is configured to interfere with traffic within the same LAN. In that respect, traffic between the two ports when they are part of the same subnet will not be filtered.

Since the router is also part of that subnet, one would expect that it would answer an ARP request. But the OP's initial configuration is somewhat different than typical, and it might be a configuration no one at ZyXel imagined.

kirby
Kirby Smith to dnoyeB
P.S. I'm assuming here that the USG20 has the same VLAN capability as a USG50, which I use.

kirby
Kirby Smith to dnoyeB
While not my present configuration in detail, the use of switch ports is illustrated in the attached figure. (Sorry for the size, I haven't figured out how to export a jpeg from LibreOffice and upload it here that has less air around it.)

kirby

dnoyeB

Kirby, thanks for the detailed info. However, my USG is not aware of the VLANs and is not involved in them at all. I probably should not have mentioned them. This is really a question about how the USG behaves when it's acting like a switch.

My switches are VLAN capable.

Everything works if P3 uses a different subnet. If I try to make P3 on the same subnet as P2, ARP broadcasts don't work and that does not make sense.

Still digging...
bverdon

What exactly are you trying to accomplish?

Guess I am trying to figure out why you are trying to put two ports on different VLANs yet the same layer 3 segment.

dnoyeB

It's a topology issue. The devices are physically connected to the same segment. I can't change that. However, the VOIP device can tag its packets as part of a VLAN. The other devices cannot.

This is not reflected in my question here. It's just that while I was implementing the setup that should have solved my main issue, this side issue came up because it did not work. From everything I know about networking, it should have worked.