
First of all I'm relatively new to VLANs. I have a ZyXEL GS-1524 switch and two networks that I want to keep separate, but they need to use the same router. The router is on port 22, ports 17 and 18 belong to the first network, and all other ones to the second.

The issue is that my switch requires all ports to be on VLAN 1. It did not seem to suffice to create only VLAN 2 for the first network, because the same ports belong to VLAN 1 and anything connected to a port belonging to VLAN 1 would be able to reach it.

Therefore I created two new VLANs: VLAN 2 for the first network and VLAN 3 for the second. I also changed the PVIDs so that what comes in untagged on 17 or 18 gets tagged VLAN 2 and the rest VLAN 3. This way, what comes in untagged is forced to remain within the VLAN that is assigned via the PVID.

(screenshot: VLAN port membership configuration)

Now, what happens if a connected device tags its packets? Tagged packets do not get retagged. If a device that should be on VLAN 2 tags its packets as VLAN 3, nothing would go wrong, I suppose, since its port is not in VLAN 3. However, all ports are in VLAN 1 - the switch doesn't give me any choice. Does that mean that all devices can reach each other as long as either or both sides (not sure) tag their packets as VLAN 1? That would be a breach of security!

  • What switch is this? You should be able to set it to reject tagged packets. – David Schwartz May 19 '12 at 11:32
  • @DavidSchwartz ZyXEL GS-1524; I was unable to find an option like that, and packets coming from my router should be pre-tagged, because they can be meant for either network. – Thijs van Dien May 19 '12 at 11:37

2 Answers


Per section 8.2 of the manual, if a port is set to a static VLAN, packets received on that port will be sent to the configured VLAN whether they're tagged or not.

David Schwartz
  • Could you quote exactly where you derive this from? And what about my router, which can send packets with either tag, both of which are valid? That is, port 22 belongs to both VLAN 2 and VLAN 3. – Thijs van Dien May 19 '12 at 11:48
  • I can't find any specific statement that says a trunk port can't send packets into a VLAN it's not configured into. But it is clear that a static port cannot send packets into any other VLAN. Section 8.2 says that it will go to the configured VLAN whether it has a VLAN tag or not. – David Schwartz May 19 '12 at 11:50
  • OK, and a trunk port is one that is configured as tag egress? – Thijs van Dien May 19 '12 at 12:23
  • A trunk port is one that is configured for tag egress. Unfortunately, they tried to make things simple and as a result, they don't seem very precise. I wouldn't rely on the security properties of this. – David Schwartz May 19 '12 at 12:29

I just recently bought a second-hand GS-1548 which runs the same firmware as the GS-1524 and exhibits the same issue.

In short, the web-based management UI does not allow removing ports from VLAN 1 (the fixed management VLAN). All the ports are always part of VLAN 1, either in tagged or untagged mode. You can freely remove ports from other VLANs but the “not a member” mode is not togglable in VLAN 1.

A quick Google search revealed this restriction is only implemented client-side — in the JavaScript code that runs in your browser. A Blogger user going by the name berry120 has published instructions on how to circumvent this check manually using the web developer tools built into your browser.

I took this one step further and wrote a userscript that transparently bypasses the check and lets you manage VLAN 1 the exact same way as the other VLANs. You can find it here.

(The same issue — and fix — also applies to the other models in the ZyXEL Switch 1500 Series: the ES-1528 and the ES-1552.)

Jukka Aho
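The ingress behaviour the question asks about (what a host that tags its own frames can reach when every port is a member of VLAN 1), and the effect of removing VLAN 1 membership as described in the answer above, modelled as an added Python example. This is not code from the original thread, from either answerer, or from the ZyXEL firmware. It assumes standard IEEE 802.1Q semantics: an untagged or priority-tagged (VID 0) frame is classified to the ingress port's PVID, a tagged frame keeps its VID, and ingress filtering drops a frame whose VID the receiving port is not a member of. Whether the GS-1524 actually performs ingress filtering this way is not stated anywhere in the thread. Port numbers follow the question; the MAC addresses and payloads are constructed.

```python
"""Toy model of 802.1Q ingress classification on a 24-port switch.

Added example modelling the question's setup (router on port 22, ports 17/18
in VLAN 2, the rest in VLAN 3, every port stuck in VLAN 1). Assumes standard
802.1Q rules; it is not a description of the GS-1524 firmware.
"""
import struct

TPID_8021Q = 0x8100          # EtherType that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the sample frames.
BROADCAST = b"\xff" * 6
HOST_ON_PORT_17 = bytes.fromhex("020000000017")


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build a raw Ethernet frame, inserting an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        # TCI with PCP=0, DEI=0 and a 12-bit VID.
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype); vid is None for untagged frames."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (inner_type,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, inner_type
    return dst, src, None, ethertype


class Switch:
    """Port-based VLAN switch: one PVID per port, one member port set per VID."""

    def __init__(self, pvid, members, ingress_filtering=True):
        self.pvid = pvid                  # port -> PVID applied to untagged frames
        self.members = members            # vid -> set of member ports
        self.ingress_filtering = ingress_filtering

    def classify(self, port, frame):
        """VID assigned on ingress, or None if the frame is dropped."""
        _, _, vid, _ = parse_frame(frame)
        if vid is None or vid == 0:
            # Untagged and priority-tagged (VID 0) frames take the port's PVID.
            vid = self.pvid[port]
        # Tagged frames keep their VID; ingress filtering drops the frame when
        # the receiving port is not a member of that VLAN.
        if self.ingress_filtering and port not in self.members.get(vid, set()):
            return None
        return vid

    def forward(self, port, frame):
        """Ports an unknown-destination frame floods to (all members except ingress)."""
        vid = self.classify(port, frame)
        if vid is None:
            return set()
        return self.members[vid] - {port}


def questioner_config():
    """The setup from the question: all 24 ports are members of VLAN 1."""
    ports = set(range(1, 25))
    members = {
        1: set(ports),                  # fixed management VLAN, not editable in the UI
        2: {17, 18, 22},                # first network plus the router
        3: ports - {17, 18},            # second network plus the router
    }
    pvid = {p: (2 if p in (17, 18) else 3) for p in ports}
    return Switch(pvid, members)


def fixed_config():
    """Same switch after VLAN 1 membership has been removed from every port.

    Hypothetical end state of the client-side bypass described in the answer;
    which ports to keep in VLAN 1 for management is the operator's choice.
    """
    sw = questioner_config()
    sw.members[1] = set()
    return sw


def egress_ports(switch, ingress_port, vid=None):
    """Send one broadcast frame (tagged with vid if given) and return where it goes."""
    frame = build_frame(BROADCAST, HOST_ON_PORT_17, ETHERTYPE_IPV4, b"\x00" * 46, vid)
    return switch.forward(ingress_port, frame)


if __name__ == "__main__":
    sw = questioner_config()
    print("untagged from port 17         ->", sorted(egress_ports(sw, 17)))
    print("tagged VLAN 3 from port 17    ->", sorted(egress_ports(sw, 17, vid=3)))
    print("tagged VLAN 1 from port 17    ->", sorted(egress_ports(sw, 17, vid=1)))
    print("tagged VLAN 1, VLAN 1 emptied ->", sorted(egress_ports(fixed_config(), 17, vid=1)))
```

Running the file prints the four scenarios. The first two match what the question expects: untagged frames from port 17 stay in VLAN 2, and a frame tagged VLAN 3 is dropped because port 17 is not a member of VLAN 3. The third is the case the question worries about: with every port in VLAN 1, a host on port 17 that tags VLAN 1 floods to all 23 other ports, including the second network. The fourth shows that once VLAN 1 membership is removed, the same frame is dropped on ingress. The caveat from the first answer still stands: the model assumes ingress filtering, and the thread does not establish that this switch implements it.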