The ZyWALL 110 has two LAN interfaces, both of which can support multiple VLANs. In this example, I'm configuring the ZyWALL's LAN2 interface with VLANs 10, 11, and 12, as shown below. This means the LAN2 interface is supporting four VLANs: LAN2's PVID or native VLAN, plus the three VLANs I created.
I've also configured a DHCP server on each VLAN. LAN2's native VLAN uses the 172.23.2.0/24 subnet. For VLANs 10-12, I created DHCP servers to use the 172.23.10.0/24, 172.23.11.0/24, and 172.23.12.0/24 subnets.
Create VLANs on ZyXEL Router
I'm connecting the ZyWALL's LAN2 interface to the Cisco SG200-26 switch. I've created VLANs 2, 10, 11, and 12 on the SG200-26 and made ports 17 and 18 trunks. Port 17 will be my trunk from the ZyWALL to the Cisco switch, and port 18 will be my trunk from the Cisco switch to the NETGEAR switch. The PVID, or native VLAN, of ports 17 and 18 is VLAN 2. Ports 17 and 18 are untagged members of VLAN 2, have a PVID of VLAN 2, and are tagged members of VLANs 10, 11, and 12, as shown below.
Any port on the Cisco switch that I configure as an access port and untagged member of VLAN 2, 10, 11, or 12 will place the device connected to that port in the assigned VLAN. As you can see below, I've configured port 9 as a member of VLAN 2, port 10 as a member of VLAN 10, port 11 as a member of VLAN 11, and port 12 as a member of VLAN 12. Access ports will have a PVID equal to their VLAN assignment.
VLANs on Cisco Switch
To extend my VLANs from the Cisco switch, I'll connect port 18 on the Cisco switch to a similarly configured port on the NETGEAR GS108T switch. On the NETGEAR, I've configured port 4 as my trunk, making port 4 an untagged member of VLAN 2 and a tagged member of VLANs 10-12. My trunk port will have a PVID of 2. I've also configured the GS108T's port 5 as an untagged member of VLAN 2, port 6 as an untagged member of VLAN 10, port 7 as an untagged member of VLAN 11, and port 8 as an untagged member of VLAN 12.
VLAN Tagging on NETGEAR Switch
The image above, which is a combination of four screenshots from the GS108T, shows my tagging configurations on the NETGEAR switch by VLAN and port. The image below shows my PVID assignments by port.
VLAN PVIDs on NETGEAR Switch
With these configurations, port 9 on the Cisco switch and port 5 on the NETGEAR switch are on VLAN 2, port 10 on the Cisco switch and port 6 on the NETGEAR switch are on VLAN 10, port 11 on the Cisco switch and port 7 on the NETGEAR switch are on VLAN 11, and port 12 on the Cisco switch and port 8 on the NETGEAR switch are on VLAN 12. Since I've configured DHCP settings to align with VLANs, I can tell which VLAN a PC is on by checking its IP address.
Some devices, such as the Cisco SG200-26 used in this example, allow you to configure port type as access, general, or trunk. Access ports can only be untagged members of one VLAN and should be used for ports connected to PCs. General ports can be untagged members of multiple VLANs. General ports are useful when configuring port-based VLANs on 802.1Q devices, as discussed in my previous article. Trunk ports can be an untagged member of one VLAN and tagged members of multiple VLANs, and should be used for ports connecting to other 802.1Q VLAN-aware devices, such as the devices used in the above examples.
In these two examples, I've set up 802.1Q VLAN tagging between a router and a switch, between a switch and an access point, and between two switches. The first key is making sure your VLAN assignments match on each end of a trunk. Specifically, the untagged PVID (native VLAN) should match on each end of a trunk, and you need to specify the same remaining tagged VLANs on each end of the trunk. The second key is making sure your device ports have the correct VLAN assignment and a matching PVID. I found it helps to write down a chart of VLANs, ports, and tagging assignments before you start configuring.
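The chart I recommend above can also be checked mechanically before anything is touched on the switches. The script below is an added example, not configuration exported from the ZyWALL 110, the SG200-26 or the GS108T; it transcribes the ports, PVIDs, tagged VLANs and DHCP subnets described in this article into a small data model, verifies the two rules from the paragraph above (both ends of each trunk agree on native VLAN and tagged set; every access port is an untagged member of exactly one VLAN with a matching PVID), and maps a DHCP-assigned address back to its VLAN the way I do by eye. The helper names (Port, audit, vlan_for_ip, chart) are my own. Because untagged frames carry no VLAN id, the ZyWALL's LAN2 native VLAN is labelled 2 here purely so it can be compared with the switch side.

```python
"""Audit of the 802.1Q port layout described in the article (constructed example).

Ports, VLAN ids and subnets are transcribed from the article's prose; the data
model and checks are my own, not exported device configuration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Port:
    device: str
    name: str
    kind: str                         # "access" or "trunk"
    pvid: int                         # VLAN assigned to untagged ingress frames
    untagged: frozenset               # VLANs sent untagged out of this port
    tagged: frozenset = frozenset()   # VLANs sent with an 802.1Q tag


def trunk(device, name, pvid, tagged):
    return Port(device, name, "trunk", pvid, frozenset({pvid}), frozenset(tagged))


def access(device, name, vlan):
    return Port(device, name, "access", vlan, frozenset({vlan}))


# The ZyWALL's untagged LAN2 native VLAN is labelled 2 to match the switches.
PORTS = [
    trunk("ZyWALL", "LAN2", 2, {10, 11, 12}),
    trunk("Cisco", "17", 2, {10, 11, 12}),
    trunk("Cisco", "18", 2, {10, 11, 12}),
    access("Cisco", "9", 2), access("Cisco", "10", 10),
    access("Cisco", "11", 11), access("Cisco", "12", 12),
    trunk("NETGEAR", "4", 2, {10, 11, 12}),
    access("NETGEAR", "5", 2), access("NETGEAR", "6", 10),
    access("NETGEAR", "7", 11), access("NETGEAR", "8", 12),
]

# Physical trunk cables: the (device, port) pairs that must agree end to end.
LINKS = [(("ZyWALL", "LAN2"), ("Cisco", "17")), (("Cisco", "18"), ("NETGEAR", "4"))]

# VLAN -> DHCP subnet served by the ZyWALL; VLAN 2 is the untagged LAN2 subnet.
VLAN_SUBNETS = {
    2: ipaddress.ip_network("172.23.2.0/24"),
    10: ipaddress.ip_network("172.23.10.0/24"),
    11: ipaddress.ip_network("172.23.11.0/24"),
    12: ipaddress.ip_network("172.23.12.0/24"),
}


def find(ports, device, name):
    return next(p for p in ports if p.device == device and p.name == name)


def check_port(p):
    """Access ports: one untagged VLAN, no tags; every port: PVID is its untagged VLAN."""
    problems = []
    if p.pvid not in p.untagged:
        problems.append(f"{p.device} port {p.name}: PVID {p.pvid} is not an untagged member")
    if p.kind == "access" and (len(p.untagged) != 1 or p.tagged):
        problems.append(f"{p.device} port {p.name}: access port must carry one untagged VLAN and no tags")
    return problems


def check_link(a, b):
    """Both trunk ends must agree on native VLAN and tagged set, or traffic
    for the mismatched VLAN is silently merged into another VLAN or dropped."""
    problems, label = [], f"{a.device} {a.name} <-> {b.device} {b.name}"
    if a.pvid != b.pvid:
        problems.append(f"{label}: native VLAN/PVID mismatch ({a.pvid} vs {b.pvid})")
    if a.tagged != b.tagged:
        problems.append(f"{label}: tagged VLANs differ ({sorted(a.tagged)} vs {sorted(b.tagged)})")
    return problems


def audit(ports, links):
    """Return every inconsistency found; an empty list means the chart is coherent."""
    problems = []
    for p in ports:
        problems.extend(check_port(p))
    for (da, na), (db, nb) in links:
        problems.extend(check_link(find(ports, da, na), find(ports, db, nb)))
    return problems


def vlan_for_ip(address):
    """Map a DHCP-assigned address back to its VLAN; None if it fits no subnet."""
    ip = ipaddress.ip_address(address)
    return next((v for v, net in VLAN_SUBNETS.items() if ip in net), None)


def chart(ports):
    """The written VLAN/port/tagging chart, one text row per port plus a header."""
    rows = ["device   port  kind    pvid  untagged  tagged"]
    for p in ports:
        rows.append(f"{p.device:<8} {p.name:<5} {p.kind:<7} {p.pvid:<5} "
                    f"{','.join(map(str, sorted(p.untagged))):<9} "
                    f"{','.join(map(str, sorted(p.tagged)))}")
    return rows


if __name__ == "__main__":
    print("\n".join(chart(PORTS)))
    print("problems:", audit(PORTS, LINKS) or "none")
    # A trunk left at the default PVID of 1 on one end is the classic mistake this catches.
    bad = [trunk("NETGEAR", "4", 1, {10, 11, 12}) if (p.device, p.name) == ("NETGEAR", "4") else p
           for p in PORTS]
    print("with mis-set NETGEAR PVID:", audit(bad, LINKS))
```

Running it prints the chart, reports no problems for the layout in this article, and then flags the deliberately mis-set NETGEAR trunk with a native VLAN mismatch, which is exactly the condition that makes untagged traffic from one switch land in the wrong VLAN on the other.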
802.1Q VLAN tagging allows segmentation of network traffic by VLAN and by subnet. With this segmentation in place, security and QoS rules can be created on one or more devices to filter traffic between VLANs and/or subnets and to prioritize traffic by VLAN and/or subnet. In a future article, I'll put together a few examples of filtering and prioritization to do just that.