VLANs and the ZyXEL GS1900–16

Nicole Murillo
Published in Code|Beta Blog
Jan 25, 2017

Setting up VLANs on my home network, mostly as a learning experience, required several components and I recently purchased a managed switch to accomplish this.

ZyXEL GS1900–16 (Image taken from ZyXEL Image Library)

I did a quick search on Amazon for inexpensive hardware that would contain a good set of features; that is how I ended up ordering the ZyXEL GS1900 series managed switch. Would have loved to have gotten the Ubiquiti switches, but they are out of my current price range.
This ZyXEL switch has a good set of features, and I was happy to see that it also has terminal access, which is only via telnet, and it also has a serial port, although you have to open the device to get to it.

Unfortunately, the documentation provided by ZyXEL is not the best, and for someone who was completely new to this, it caused much head-scratching at first, and I had to read a bit to find out how to accomplish what I wanted.

Using the Wizard to Configure VLANs

This method is the quickest and provides a simpler interface with drag and drop of ports. To use it, open the web management of the switch and click on the Switch icon that is labeled VLAN.

A pop-up window opens with the wizard (be sure to allow pop-ups). The first screen allows you to add a new VLAN or modify an existing one. The other two steps are the same for either option.

The first step of the wizard allows the user to create a new VLAN or edit an existing one

If you want to create a new VLAN, enter its number in the left section. You enter only the number of the VLAN and not the name; the name defaults to the format VLAN#### (where # is the ID) and can be changed later.

If you want to edit an existing VLAN, then select the corresponding ID on the right-hand side.

The second step has 3 columns. The first column shows the available ports, the second shows the tagged ports, and the third shows the untagged ports. However, what does this mean?
For a VLAN to work correctly, the traffic needs to be tagged, and this can happen at the device or switch level.

The second step allows easy drag and drop of the ports to configure the type of traffic

If the device is doing the tagging, then the port should be placed in the tagged column; this sets the switch not to tag the traffic on that port but instead to expect the tag to already exist in the packet. Placing the port in the third column tells the switch that the packets are not tagged and that it should tag them with that VLAN ID. Leaving the port in the first column excludes that port from the VLAN ID.

The third step in this wizard is just the overview of the changes made.

VLAN Configuration Section

This section allows the user to configure more details of the VLANs, but it feels a bit more complex. When I first tried to set up the switch, I went through here, and it became confusing. I also found out that the user guide is not good at explaining this section; searching on the Internet resulted in a little help.

The section that allows you to further configure the VLANs, such as the name

There are three tabs; the first shows the configured VLANs on the switch and their names. You can add, remove, and rename the VLANs.
The second tab allows you to configure certain aspects of the port, but the user guide, again, lacks detail. You can set the trunk option for the respective ports and what type of traffic is allowed, such as only allowing tagged traffic or untagged, as well as the PVID for any untagged traffic that goes through the port.

The second tab allows you to configure Trunk ports and other settings for each port

The third tab allows you to forbid, exclude, tag, or untag ports for each of the VLANs that exist in the configuration. Unlike the wizard, this section does not have a nice graphical layout; instead it relies on a table with radio buttons that shows one VLAN at a time, selected from the drop-down at the top.

Configure the port membership to each of the VLANs

I feel that the forbidden and the excluded options do the same, but there is a difference, according to the user guide. The forbidden option does not allow the port to join the VLAN, while the excluded option removes the port from the VLAN; either option prevents a tagged or untagged packet from going through that VLAN.

The tagged option looks for the tag in the packet and only passes the packet to that VLAN if the tag matches the ID. The untagged option sets the VLAN ID tag on a packet that does not have it.

As an example, as I feel this explains it better, say we have 4 VLANs, and the device connected to port 8 should only access VLAN 2 and 3, but not 1 and 4. In the VLAN Port tab, select each of the VLANs from the drop-down at the top: for VLANs 1 and 4 set the port to either forbidden or excluded, for VLAN 2 set it to tagged, and for VLAN 3 set it to untagged. What this means is that if the device were to send any packets tagged with the VLAN ID 1 or 4, they get dropped at the switch. If the packet contains the ID 2, then it is passed to that VLAN, and if it does not have any tags, then it is passed to VLAN 3.

Keep in mind that not all devices or network cards support VLANs (and this does not apply to wifi); for those devices you want to configure the switch to tag the packets going through that port. For example, an Apple TV does not allow you to set the tag in its configuration, so you set the tagging of the traffic on the switch.

Do try not to have more than one VLAN set as untagged on a single port; I am not sure what would happen, but it does not make sense.
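
The port 8 example and the one-untagged-VLAN-per-port advice above can be checked with a small model. This is an added example, not ZyXEL firmware or code from the original post: it parses the 802.1Q tag from a frame and applies the membership rules as the post describes them. The function names and the sample frames are constructed for illustration.

```python
import struct

# Port 8 membership from the example: VLAN ID -> mode set in the VLAN Port tab.
PORT8 = {1: "forbidden", 2: "tagged", 3: "untagged", 4: "excluded"}
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vid(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the low 12 bits of the TCI hold the VLAN ID


def untagged_vlan(membership: dict):
    """Return the port's single untagged VLAN; reject more than one."""
    untagged = [vid for vid, mode in membership.items() if mode == "untagged"]
    if len(untagged) > 1:
        raise ValueError(f"more than one untagged VLAN on port: {untagged}")
    return untagged[0] if untagged else None


def classify(frame: bytes, membership: dict):
    """Return the VLAN a frame entering the port lands in, or None if dropped."""
    native = untagged_vlan(membership)
    vid = parse_vid(frame)
    if vid is None:
        return native  # no tag: placed in the port's untagged VLAN
    if membership.get(vid) == "tagged":
        return vid
    # Forbidden, excluded or unknown ID: dropped. A frame tagged with the
    # untagged VLAN's own ID is not covered by the post; dropped here (assumption).
    return None


def make_frame(vid=None):
    """Constructed sample frame: zeroed MACs, IPv4 EtherType, dummy payload."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + b"payload"
```

Running `classify(make_frame(vid), PORT8)` for IDs 1 to 4 and for an untagged frame reproduces the outcomes listed in the example, and a membership table with two untagged VLANs is rejected before any frame is classified.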
