In this walk-through, we will guide you through the switch setup for a generic VLAN configuration:
The uplink port to our router is VLAN-capable, while the PC Edge-Port is VLAN-incapable. The tutorial below on this example shows you how to set up switch-ports for both tagged and untagged VLANs.
Tagged VLAN
If you have VLAN-capable devices (firewalls or Access-Point with VLAN-Interfaces/VLAN-capable SSIDs preconfigured, etc.), you have to set up the Port tagged to the VLAN-ID you want to pass through. In our example, we will set up a VLAN with VID=10 on a GS2200. By default, all VLAN Ports are untagged members in VLAN1, and all ports have PVID = 1. This makes VLAN-incapable devices connected to the ports communicate via VLAN1.
First, navigate to:
SWITCHING > VLAN > VLAN Setup > Static VLAN
You then can see click on add/edit to add a VLAN10 menu:
In this menu, create a VLAN by activating the VLAN, giving it a Name (we went here for "VLAN10" and assigned the VLAN-ID - in our example 10. Afterwards, set the membership of the ports you want to set to "Fixed", set up tagging (since we want these ports tagged) and then press "Add" to apply the setting and create the VLAN.
Note: Do not forget to press "Save" if you want these settings permanently saved onto switch configuration!
Untagged VLAN
Sometimes, the end device in question is not VLAN-capable but still shall join a VLAN (like most PCs do not have VLAN settings within their network interface cards). In our example, a PC connected to Port 10 of our GS2200 switch is supposed to become a member of VLAN10 without actually having VLAN established on its network interface card. For this, navigate again to
SWITCHING > VLAN > VLAN Setup > Static VLAN
This time, we will choose the Port our PC is connected to to be an untagged member in VLAN 10. For this, we set membership status to "Fixed" while unchecking the "Tagged"-Checkbox.
After that, we press again "Apply" to apply our settings.
Please note that only one untagged membership per Port is allowed! This automatically means that we have to take away the default untagged membership in VLAN1. Mark the VID1 and click "Add/edit" to edit the VLAN1:
Here, ensure that you have VLAN1 set for the VLAN10-untagged Port to "Forbidden", or tag it via Tx-Tagging-Checkbox. Afterwards, save temporarily via the "Apply" button.
As a next step, it is important to know that the PVID of a port must always match its untagged membership - so we still have to set up the PVID of Port10 of the switch to being 10. This can be done via:
SWITCHING > VLAN > VLAN Setup > VLAN Port Setup
Here, you can set the PVID according to our needs:
You know I can plug in the PC on Port10 of your switch and receive an IP address from VLAN10 of the USG!
Note: Do not forget to press "Save" if you want these settings permanently saved onto switch configuration!
What have we learnt?
The most important learning out of this generic setup example are:
- Tagged and untagged VLANs are set up differently (Tagged Membership vs. Untagged Membership+PVID)
- Only one untagged membership per Port allowed
- PVID has to match the untagged membership
For more information on VLANs, these might be interesting articles to browse through as well:
VLANs - A deeper look at how they work
Separate VLANs on a ZyWALL/USG
Comments
0 commentsPlease sign in to leave a comment.