miguel

@qwest.net

usg50, vlans, switch

Been using the USG50 for just over a week now and am making the next move on the network, "VLANs". Already using subnets but keep getting told that VLANs with the subnets are the correct way to setup the network.

Bear in mind that this is a home network, but the main reason for using multiple subnets was to keep broadcast and arp traffic from spreading on the data network from the video network.

The question to cut to the chase, should I take Lan 1 and Lan 2 from the USG to 2 different ports on my Cisco (Linksys) SLM2024 and assign VLANs to match or just use 1 cable from Lan1 to the switch and setup VLANs in the USG on LAN1?

The goal is:

10.1.1.254/24 USG50
10.1.1.0/24 Main Data Network
10.1.20.0/24 vlan20 IP Camera network
10.1.30.0/24 vlan30 NAS & SetTop Boxes for TV Network
10.1.40.0/24 vlan40 Wireless APs

10.1.1.253 Cisco SLM2024

Kirby Smith

join:2001-01-26
Derry, NH
I can answer what I did with my USG50 and a Cisco SG200-26. This is a work in progress, and I believe only necessary if one ultimately wants more LANs than the nominal three that the USG50 supports. Note broadcast traffic wouldn't normally pass between LAN1 and LAN2 because they are on different subnets.

In my case, all Ethernet cables make "home runs" to the switch, with one device per cable. Each cable is connected to a switch port. Switch ports that connect to incoming cables are set to be Access ports. This means that they add tags to incoming traffic and remove tags from outgoing traffic. (For now ignore that VLAN1, the default VLAN, is still in default mode and doesn't tag any messages.)

VLANxx is established in the switch and associated with (for now) two of these ports.

Port 26, but it could be any port on the switch, is set to be a Trunk port. This port passes and receives tagged and untagged traffic to/from the USG50, LAN1 port. At the moment, only printers are on their own VLAN, and suitable firewall rules are established in the USG50.

My USG50 has one VLAN established in it, eventually to be more VLANs. The VLAN setup includes DHCP for specific assigned printer IP addresses. The VLAN in the router has to have the same VLAN number as the corresponding VLAN in the switch (so the tags make sense in both directions). The router has to be told that the path to (in your case) 10.1.30.0/24 is via 10.1.1.253 with two hops (I forget the word used). Otherwise, the router will drop VLAN traffic if it doesn't know the route to it. The route is established using the static route menu. (There could be some automatic router knowledge of the path in some configurations, but this is what I did.)

In my case, using router firewall rules, LAN1 untagged traffic can connect to the VLANxx printers and vice versa, but the printers have no access to the WANs.

More complex scenarios outside my skill set are possible with multiple managed switches and/or routers.

kirby
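The access-port / trunk-port behaviour Kirby describes (access ports tag on ingress and strip the tag on egress, the trunk to the USG50 keeps tags) is easy to see at the byte level. The following is an added Python example, not code from the thread, from Zyxel or from Cisco; the port names, MAC addresses and the VLAN numbers 1/20/30/40 are constructed to mirror miguel's plan. It builds an untagged Ethernet frame, inserts and removes an 802.1Q tag, and models a switch forwarding decision so you can check that a camera's broadcast on VLAN 20 reaches the router trunk tagged but is never delivered to an access port in VLAN 30.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Minimal untagged Ethernet II frame (no FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def vlan_of(frame: bytes):
    """VLAN id carried in the frame's 802.1Q tag, or None when untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN id
    return None


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC (access-port ingress)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if vlan_of(frame) is not None:
        raise ValueError("frame already carries a tag")
    tci = (pcp << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag (access-port egress)."""
    if vlan_of(frame) is None:
        return frame
    return frame[:12] + frame[16:]


@dataclass
class Port:
    mode: str                                   # "access" or "trunk"
    pvid: int                                   # access VLAN, or native VLAN on a trunk
    allowed: set = field(default_factory=set)   # trunk only: VLANs carried tagged


def ingress(port: Port, frame: bytes):
    """Frame arriving on a port. Returns the internally tagged frame, or None if dropped."""
    vid = vlan_of(frame)
    if port.mode == "access":
        # Access ports expect untagged traffic; a tagged frame is dropped.
        return None if vid is not None else tag_frame(frame, port.pvid)
    # Trunk: untagged frames belong to the native VLAN; tagged ones must be allowed.
    if vid is None:
        return tag_frame(frame, port.pvid)
    return frame if vid in port.allowed else None


def egress(port: Port, frame: bytes):
    """Tagged frame leaving via a port. Returns the on-wire frame, or None if not forwarded."""
    vid = vlan_of(frame)
    if vid is None:
        raise ValueError("frames inside the switch are always tagged")
    if port.mode == "access":
        return untag_frame(frame) if vid == port.pvid else None
    if vid == port.pvid:
        return untag_frame(frame)  # native VLAN leaves a trunk untagged
    return frame if vid in port.allowed else None


# Constructed topology: camera on VLAN 20, TV gear on VLAN 30, port 26 trunked
# to USG50 LAN1 with VLAN 1 as the native (untagged) VLAN.
PORT_CAMERA = Port("access", pvid=20)
PORT_TV = Port("access", pvid=30)
PORT_USG_TRUNK = Port("trunk", pvid=1, allowed={1, 20, 30, 40})


def camera_to_router_and_tv():
    """A camera ARP broadcast: tagged 20, reaches the trunk tagged, never reaches VLAN 30."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28)
    inside = ingress(PORT_CAMERA, frame)
    return {
        "vlan": vlan_of(inside),
        "to_router": egress(PORT_USG_TRUNK, inside),
        "to_tv": egress(PORT_TV, inside),
    }


if __name__ == "__main__":
    r = camera_to_router_and_tv()
    print("camera frame tagged with VLAN", r["vlan"])
    print("forwarded to router trunk:", r["to_router"] is not None, "(tag kept)")
    print("forwarded to TV access port:", r["to_tv"] is not None)
```

The point the simulation makes is the one behind miguel's goal: the VLAN tag, not the IP subnet, is what stops the camera broadcast from leaving VLAN 20, so the switch does the isolation and the USG50 only sees the traffic on its trunk port, where firewall rules decide what may cross between VLANs.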


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to miguel
Good question.
What is efficient when comparing VLANs vs. subnets with respect to a smart switch versus a router? If you have two or three distinct groups of users that can be handled by subnets and router ports..... why buy a managed switch and use VLANs?

For multiples of groups I can see VLANs being advantageous. Also if there is a lot of traffic between units within a VLAN (more internal than internet traffic) and this can be separated from the Router it is more efficient use of router CPU?

What is done with, let's say, a common device that two VLAN groups need access to (aka a shared printer)? In a subnet scenario, I would simply create firewall rules allowing one-way access to print...... either hosting the printer in either subnet (or put these common devices in their own subnet and use firewall rules). What is the VLAN equivalent?
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

JPedroT

join:2005-02-18
kudos:1
You would just let the port the printer is connected to be a member of both VLANs.
--
"Perl is executable line noise, Python is executable pseudo-code."


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Well there ya go........ The advantage of VLANs is that you can overlap devices KEWL.