Why am I seeing unicast packets from a machine on another VLAN?

Solution 1:

By default every port only uses L2 info to decide how to process packets (L2 == MAC == bridge). That decision doesn't respect L3, i.e. it doesn't know the IP ranges of the VLANs.

If you enable routing for the VLAN, and the MAC DA [destination address] of an inbound unicast packet is that of the internal bridge-router interface, the packet is routed.

The IP address that you assigned to the VLANs (visible on your last screenshot) does not "catch" packets by itself. You need to set your servers up to actually send packets to that "internal bridge-router interface"; normally, this is done by adding a route table entry on a server:

(on 10.0.10.5):
ip route add 10.0.11.0/24 via 10.0.10.1 dev eth0

Only packets destined to that "internal bridge-router interface" will move to another VLAN.

In my example, step by step:

  1. on 10.0.10.5 you do ping 10.0.11.5
  2. server asks "who has 10.0.10.1"
  3. switch says "MAC 10:da:12:34 has 10.0.10.1"
  4. server sends a packet SOURCE 10.0.10.5 DEST 10.0.11.5 MAC_DEST 10:da:12:34
  5. switch seeing such MAC_DEST decides to change the VLAN assigned to that packet
  6. switch also changes MAC_DEST to that belonging to 10.0.11.5

(It's just how any packet forwarding works on Ethernet - nothing specific to Netgear.)

Probably, you don't need a port to be in multiple VLANs (I didn't actually check).

Also, set Routing -> IP -> Routing Mode = Yes

Netgear Support: What is VLAN Routing

Solution 2:

You can't do it like that; you need either special VLAN features (port isolation or such), or you need to do it with a router.

What happens here is that as a packet (well, Ethernet frame) enters a port, it gets its VLAN id from that port's PVID. Then it is sent out from the other ports that are also on that same VLAN. (Except that a switch would of course only forward it to one particular port, if it has a port for the destination MAC stored for that particular VLAN. It might not, since all the ports are on different VLANs, so the destinations are not to be found in the VLANs the frames are sent from.)

This means that everything sent to the switch via port 10 can appear on ports 11 and 12, but anything sent via port 11 or 12 can only go to port 10.


What port isolation / protected ports / similar features would do is block the forwarding of frames within a single VLAN, with the exception of some special ports. With that sort of feature, you'd put all the ports in one single VLAN and mark port 10 as special, so it could send/receive traffic to/from 11 and 12. But the feature would isolate 11 and 12 from each other.


The other option is to bring both VLAN 11 and VLAN 12 to the machine on port 10 as tagged VLANs. Then, on that machine, you can make distinct IP interfaces for the VLANs, letting it communicate with both. Without routing set up on the machine, 11 and 12 can't communicate with each other. The machine would still need to be VLAN-aware, of course.

Of course, if the Netgear itself can act as a router between VLANs, then that also works. You'll just need to set up VLANs for each machine, arrange the routing and add filtering (firewall) between 11 and 12.
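To make the forwarding decisions described in both answers concrete, here is an added example (not code from either answer, and not a Netgear implementation): a small model of a VLAN-aware switch that does per-VLAN MAC learning and flooding, and, when routing is enabled, routes frames whose MAC DA is the internal bridge-router interface. It reproduces Solution 2's situation (port 10 sitting in the VLANs of ports 11 and 12, so port 11 sees unicast that came from port 10 while 11 and 12 never reach each other) and Solution 1's step-by-step sequence (host route lookup, frame sent to the router MAC, VLAN changed and MACs rewritten). The port numbers, VLAN IDs, MAC addresses, 10.0.x.0/24 subnets and static ARP entries are constructed assumptions; real switches resolve ARP on the egress VLAN, which is modelled here as a pre-filled cache.

```python
"""Model of a VLAN-aware switch, with and without VLAN routing.

Added example, not code from either answer: port numbers, VLAN IDs, MAC
addresses, subnets and ARP entries are constructed to match the thread.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class Switch:
    def __init__(self, pvid, members, routing=None):
        self.pvid = pvid              # {port: VLAN assigned to untagged ingress}
        self.members = members        # {vlan: set of ports in that VLAN}
        self.routing = routing or {}  # {vlan: (router MAC, connected subnet)}
        self.mac_table = {}           # (vlan, mac) -> port, learned per VLAN
        self.arp = {}                 # ip -> mac: router's ARP cache (static here)

    def _bridge(self, vlan, ingress, frame):
        """Pure L2 decision: known unicast to one port, else flood the VLAN."""
        out = self.mac_table.get((vlan, frame.dst_mac))
        if out is not None:
            return [] if out == ingress else [(out, frame)]
        return [(p, frame) for p in sorted(self.members[vlan]) if p != ingress]

    def receive(self, ingress, frame):
        """Return [(egress port, frame as transmitted), ...] for one frame."""
        vlan = self.pvid[ingress]
        self.mac_table[(vlan, frame.src_mac)] = ingress
        router = self.routing.get(vlan)
        if router is None or frame.dst_mac != router[0]:
            return self._bridge(vlan, ingress, frame)
        # MAC DA is this VLAN's internal bridge-router interface: choose the
        # egress VLAN from the destination IP and rewrite both MACs.
        dst = ipaddress.ip_address(frame.dst_ip)
        for out_vlan, (out_mac, net) in self.routing.items():
            if dst in net:
                break
        else:
            return []  # no connected route: dropped
        next_mac = self.arp.get(frame.dst_ip)
        if next_mac is None:
            return []  # the router would ARP on out_vlan first; not modelled
        routed = replace(frame, src_mac=out_mac, dst_mac=next_mac)
        return self._bridge(out_vlan, None, routed)


def next_hop(routes, dst_ip):
    """Host-side longest-prefix match: the address the host must ARP for
    (the destination itself on an on-link route, else the gateway)."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1] or dst_ip


# Constructed host MACs for the machines on ports 10, 11 and 12.
H10, H11, H12 = "00:10:00:00:00:05", "00:11:00:00:00:05", "00:12:00:00:00:05"
BCAST = "ff:ff:ff:ff:ff:ff"


def question_setup():
    """Solution 2's picture: port 10 is a member of ports 11's and 12's VLANs.
    Returns the egress ports for three unicast frames."""
    sw = Switch(pvid={10: 10, 11: 11, 12: 12},
                members={10: {10, 11, 12}, 11: {10, 11}, 12: {10, 12}})
    sw.receive(12, Frame(H12, BCAST, "10.0.12.5", "10.0.12.255"))  # learn H12 in VLAN 12
    from_10 = sw.receive(10, Frame(H10, H12, "10.0.10.5", "10.0.12.5"))  # unknown in VLAN 10
    from_11 = sw.receive(11, Frame(H11, H12, "10.0.11.5", "10.0.12.5"))  # unknown in VLAN 11
    from_12 = sw.receive(12, Frame(H12, H10, "10.0.12.5", "10.0.10.5"))  # unknown in VLAN 12
    return [[p for p, _ in out] for out in (from_10, from_11, from_12)]


# Constructed router MACs for the VLAN 10 / VLAN 11 interfaces.
R10, R11 = "10:da:00:00:00:0a", "10:da:00:00:00:0b"
HOST_ROUTES = [("10.0.10.0/24", None), ("10.0.11.0/24", "10.0.10.1")]
HOST_ARP = {"10.0.10.1": R10}  # 10.0.10.5's cache after step 3 of Solution 1


def routed_setup(routing_mode=True):
    """Solution 1's steps: each port in its own VLAN, Routing Mode = Yes/No.
    Returns (address the host ARPs for, deliveries of the routed frame)."""
    routing = {10: (R10, ipaddress.ip_network("10.0.10.0/24")),
               11: (R11, ipaddress.ip_network("10.0.11.0/24"))} if routing_mode else None
    sw = Switch(pvid={10: 10, 11: 11}, members={10: {10}, 11: {11}}, routing=routing)
    sw.arp = {"10.0.10.5": H10, "10.0.11.5": H11}  # ARP on both VLANs already done
    sw.receive(11, Frame(H11, BCAST, "10.0.11.5", "10.0.11.255"))  # learn H11 in VLAN 11
    gw = next_hop(HOST_ROUTES, "10.0.11.5")                        # step 2: 10.0.10.1
    frame = Frame(H10, HOST_ARP[gw], "10.0.10.5", "10.0.11.5")     # step 4: DA = router MAC
    return gw, sw.receive(10, frame)                                # steps 5 and 6
```

`question_setup()` returns `[[11, 12], [10], [10]]`: the frame from port 10 is flooded to both other ports because its destination MAC was learned only in VLAN 12, which is the "unicast from another VLAN" the question observes, while frames from 11 and 12 can only ever reach port 10. `routed_setup()` returns the gateway `10.0.10.1` and a single delivery on port 11 whose frame now carries the VLAN 11 router MAC as source and the host's MAC as destination; with `routing_mode=False` the same frame goes nowhere, which is why assigning an IP to the VLAN is not enough on its own.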