Switch – Is VLAN 1 a security risk?

Tags: switch, vlan, zyxel

First of all, I'm relatively new to VLANs. I have a ZyXEL GS-1524 switch and two networks that I want to keep separate, but they need to use the same router. The router is on port 22, ports 17 and 18 belong to the first network, and all other ones to the second.

The issue is that my switch requires all ports to be on VLAN 1. It did not seem to suffice to create only VLAN 2 for the first network, because the same ports belong to VLAN 1 and anything connected to a port belonging to VLAN 1 would be able to reach it.

Therefore I created two new VLANs: VLAN 2 for the first network and VLAN 3 for the second. I also changed the PVIDs so that what comes in untagged on 17 or 18 gets tagged VLAN 2 and the rest VLAN 3. This way, what comes in untagged is forced to remain within the VLAN that is assigned via the PVID.

[Screenshots: the switch's VLAN configuration and port (PVID) configuration]

Now, what happens if a connected device tags its packets? Tagged packets do not get retagged. If a device that should be on VLAN 2 tags its packets as VLAN 3, nothing would go wrong, I suppose, since its port is not in VLAN 3. However, all ports are in VLAN 1 – the switch doesn't give me any choice. Does that mean that all devices can reach each other as long as either or both sides (not sure) tag their packets as VLAN 1? That would be a breach of security!

Best Answer

Per section 8.2 of the manual, if a port is set to a static VLAN, packets received on that port will be sent to the configured VLAN whether they're tagged or not.
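To make the two behaviours discussed above concrete, here is an added example (not code from the question, the answer, or ZyXEL) that models the port layout from the question under generic IEEE 802.1Q ingress rules: an untagged frame is classified into the port's PVID, a tagged frame keeps its VID but is dropped by ingress filtering if the port is not a member of that VLAN, and an unknown-destination frame is flooded to every other member port of the resulting VLAN. The `force_pvid` flag is an assumption that models the "static VLAN" behaviour the answer quotes from section 8.2, where every frame goes to the configured VLAN regardless of its tag; whether the GS-1524 really behaves that way has to be checked against the manual. A second assumption is that the router port 22 is a member of VLANs 1, 2 and 3 so that both networks can reach it.

```python
"""Toy model of 802.1Q ingress classification and flooding for the layout in
the question: router on port 22, ports 17-18 in VLAN 2, all other ports in
VLAN 3, and every port also a member of the mandatory VLAN 1.
Generic 802.1Q rules, not a description of the GS-1524 firmware."""
from dataclasses import dataclass


@dataclass
class Port:
    pvid: int                       # VLAN assigned to untagged ingress frames
    members: frozenset              # VLANs the port is a member of
    ingress_filtering: bool = True  # drop tagged frames for VLANs the port is not in
    force_pvid: bool = False        # assumed "static VLAN" mode: every frame goes to the PVID


def build_switch(force_pvid: bool = False) -> dict:
    """Ports 1-24 as described in the question. Assumption: the router on
    port 22 is a member of VLANs 1, 2 and 3 so both networks can reach it."""
    ports = {}
    for n in range(1, 25):
        if n in (17, 18):
            ports[n] = Port(2, frozenset({1, 2}), force_pvid=force_pvid)
        elif n == 22:
            ports[n] = Port(3, frozenset({1, 2, 3}), force_pvid=force_pvid)
        else:
            ports[n] = Port(3, frozenset({1, 3}), force_pvid=force_pvid)
    return ports


def classify(ports: dict, in_port: int, tag):
    """VLAN the frame lands in on ingress, or None if it is dropped.
    `tag` is the 802.1Q VID carried by the frame, or None for an untagged frame."""
    p = ports[in_port]
    if p.force_pvid or tag is None:
        return p.pvid                       # untagged (or static mode): use the PVID
    if p.ingress_filtering and tag not in p.members:
        return None                         # tagged for a VLAN this port is not in
    return tag                              # tagged frames are not retagged


def flood_targets(ports: dict, in_port: int, tag) -> frozenset:
    """Ports an unknown-destination frame is flooded to: every other member
    of the VLAN the frame was classified into (empty set if dropped)."""
    vid = classify(ports, in_port, tag)
    if vid is None:
        return frozenset()
    return frozenset(n for n, p in ports.items() if vid in p.members and n != in_port)


if __name__ == "__main__":
    sw = build_switch()
    print("untagged on 17          ->", sorted(flood_targets(sw, 17, None)))
    print("tagged VLAN 3 on 17     ->", sorted(flood_targets(sw, 17, 3)))
    print("tagged VLAN 1 on 17     ->", sorted(flood_targets(sw, 17, 1)))
    static = build_switch(force_pvid=True)
    print("tagged VLAN 1 on 17, static VLAN mode ->",
          sorted(flood_targets(static, 17, 1)))
```

Under plain 802.1Q rules the model reproduces both halves of the question: a frame tagged VLAN 3 arriving on port 17 is dropped because port 17 is not in VLAN 3, while a frame tagged VLAN 1 is accepted and flooded to every other port, since every port is a member of VLAN 1. With `force_pvid` set, the frame tagged VLAN 1 is placed in VLAN 2 and only reaches ports 18 and 22, which is the outcome the answer describes for a port set to a static VLAN.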
