Monday, February 25, 2019

Setting up multiple VLANs on Watchguard M300 and HPE 1920-48G.

Have a client site with a Watchguard M300 and HPE 1920-48G. We're a small shop and mostly service small business so we don't do VLANing enough for me to be as efficient as I could be with this stuff. Anyway, this particular client site has multiple departments that are slowly being migrated to be behind the Watchguard instead of their own ISPs/ISP hardware, and we've reached a point where departments outnumber available interfaces on the M300 so they're finally letting us get VLANs deployed.


These are the VLANs I've created on the Watchguard:

  • VLAN1 - dept1 - 192.168.1.1/24 - Optional - No DHCP
  • VLAN2 - dept2 - 192.168.2.1/24 - Optional - DHCP
  • VLAN3 - dept3 - 192.168.3.1/24 - Trusted - No DHCP
  • VLAN4 - dept4 - 192.168.4.1/24 - Optional - DHCP
  • VLAN5 - phones - 192.168.5.1/24 - Optional - DHCP
  • VLAN6 - dept5 - 192.168.6.1/24 - Optional - DHCP
  • VLAN7 - dept6 - 192.168.7.1/24 - Optional - DHCP
  • VLAN8 - wireless - 192.168.8.1/24 - Optional - DHCP

All 8 VLANs are tagged on the last physical interface of the Watchguard, which I've set to type VLAN.


On the core switch I have the following configuration:

RJ45 ports:

  • 1-12 = untagged VLAN3 - access - pvid3
  • 13-19 = untagged VLAN4 - access - pvid4
  • 20 = untagged VLAN1 - access - pvid1
  • 21 = untagged VLAN2 - access - pvid2
  • 22 = untagged VLAN5 - access - pvid5
  • 23 = untagged VLAN8 - access - pvid60
  • 24-47 = inactive/disabled
  • 48 = tagged VLANs 2-5, 60 / untagged VLAN 1 - trunk - pvid1 (it auto untagged VLAN 1 and set PVID 1)

SFP ports:

  • 49 = untagged VLAN6 - access - pvid6
  • 50 = untagged VLAN7 - access - pvid7

VLAN interfaces:

  • VLAN ID 3 - 192.168.3.2/24 (static IP configuration)
  • VLAN ID 1 - 169.254.x.x/16 (the default interface from when the switch was in its default state and plugged into a network with DHCP originally; it's not plugged into that network anymore so it lost the IP. Can this VLAN interface be deleted?)


The goal here is that all traffic from behind the switch should be tagged as one of eight VLANs based on what port the traffic comes in on, then the traffic goes back out through the trunk port 48 to the Watchguard, and the Watchguard/switch should be accessible/managed at their 192.168.3.x addresses from any of the switch ports untagged for VLAN3 (1-12). Neither device needs to be managed from any other network/VLAN.


Why did port 48 of the switch (VLAN trunk) automatically untag VLAN1/set PVID 1 when I tried to tag all VLANs/not untag any VLANs? And won't this cause the traffic being tagged by port 20 to not go out over port 48 to the Watchguard, because it's not set as tagged for that port, or am I misunderstanding how this works? Should I adjust my configuration somewhere or...?
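Added example (my own check, not part of the original post and not the Watchguard's or the switch's own tooling): a small Python model of 802.1Q access/trunk behaviour that walks each access VLAN from its switch port, across trunk port 48, to the firewall's VLAN interface and reports where the plan breaks. The port table is a constructed copy of the listing above; the "fixed" plan and its placeholder PVID 999 are assumptions, chosen so that no department VLAN rides the trunk untagged. The model assumes the usual rules: an untagged frame entering an access port gets that port's PVID, a trunk sends a VLAN tagged if it is in the tagged list, sends its PVID untagged, and drops everything else.

```python
"""Consistency check for an access/trunk VLAN plan against a firewall's tagged VLAN table."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                              # "access" or "trunk"
    pvid: int                              # VLAN given to untagged ingress frames; leaves untagged
    tagged: FrozenSet[int] = frozenset()   # VLANs sent with an 802.1Q tag (trunk only)


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame in VLAN `vid` leaves `port`: 'tagged', 'untagged', or None if it is dropped."""
    if port.mode == "trunk" and vid in port.tagged:
        return "tagged"
    if vid == port.pvid:
        return "untagged"                  # the PVID/native VLAN always leaves without a tag
    return None


Finding = Tuple[str, int, str]             # (kind, vlan id, human-readable detail)


def check_plan(ports: List[Port], trunk_name: str, fw_tagged: FrozenSet[int]) -> List[Finding]:
    """Trace every access VLAN over the trunk and compare with what the firewall expects tagged."""
    trunk = next(p for p in ports if p.name == trunk_name)
    findings: List[Finding] = []
    seen = set()
    for p in ports:
        if p.mode != "access":
            continue
        vid = p.pvid                       # untagged frames on an access port are placed in its PVID
        seen.add(vid)
        how = egress(trunk, vid)
        if how is None:
            findings.append(("dropped", vid,
                             f"port {p.name}: VLAN {vid} is not permitted on trunk {trunk.name}"))
        elif how == "untagged" and vid in fw_tagged:
            findings.append(("untagged-to-tagged", vid,
                             f"port {p.name}: VLAN {vid} leaves {trunk.name} untagged (PVID) "
                             f"but the firewall expects it with tag {vid}"))
        elif vid not in fw_tagged:
            findings.append(("unknown-on-firewall", vid,
                             f"port {p.name}: VLAN {vid} is sent on {trunk.name} "
                             f"but the firewall has no VLAN {vid}"))
    for vid in sorted(fw_tagged - seen):   # firewall VLANs nothing on the switch can reach
        findings.append(("no-access-port", vid, f"firewall VLAN {vid} has no access port on the switch"))
    return findings


# Constructed from the post's listing: all eight VLANs tagged on one Watchguard interface.
FW_VLANS: FrozenSet[int] = frozenset(range(1, 9))

AS_POSTED: List[Port] = [
    Port("1-12", "access", 3),
    Port("13-19", "access", 4),
    Port("20", "access", 1),
    Port("21", "access", 2),
    Port("22", "access", 5),
    Port("23", "access", 60),              # listed as "untagged VLAN8 ... pvid60"
    Port("48", "trunk", 1, frozenset({2, 3, 4, 5, 60})),
    Port("49", "access", 6),
    Port("50", "access", 7),
]

# Assumed fix: tag all eight VLANs on the trunk, give port 23 PVID 8, and park the trunk's
# mandatory PVID on an otherwise unused placeholder VLAN (999 is an assumption, not from the post).
FIXED: List[Port] = [
    p if p.name not in ("23", "48") else
    Port("23", "access", 8) if p.name == "23" else
    Port("48", "trunk", 999, frozenset(range(1, 9)))
    for p in AS_POSTED
]

if __name__ == "__main__":
    for plan_name, plan in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"== {plan_name} ==")
        for kind, vid, detail in check_plan(plan, "48", FW_VLANS) or [("ok", 0, "no findings")]:
            print(f"[{kind}] {detail}")
```

Run against the table as posted, the check reports VLAN 1 leaving port 48 untagged while the firewall wants it tagged, VLANs 6 and 7 (SFP ports 49/50) not permitted on the trunk at all, VLAN 60 sent to a firewall that only knows VLAN 8, and VLAN 8 with no access port behind it; the fixed plan comes back clean. The design point is the PVID: most switches insist on exactly one untagged VLAN per trunk, so if you don't want any department VLAN arriving at the firewall without a tag, give the trunk a PVID that no access port uses rather than fighting the "auto untagged VLAN 1" default.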


