Is my VLAN 1 a security risk?

Solution 1:

Per section 8.2 of the manual, if a port is set to a static VLAN, packets received on that port will be sent to the configured VLAN whether they're tagged or not.

Solution 2:

I just recently bought a second-hand GS-1548 which runs the same firmware as the GS-1524 and exhibits the same issue.

In short, the web-based management UI does not allow removing ports from VLAN 1 (the fixed management VLAN). All the ports are always part of VLAN 1, either in tagged or untagged mode. You can freely remove ports from other VLANs but the “not a member” mode is not togglable in VLAN 1.

A quick Google search revealed this restriction is only implemented client-side — in the JavaScript code that runs in your browser. A Blogger user going by the name berry120 has published instructions on how to circumvent this check manually using the web developer tools built into your browser.

I took this one step further and wrote a userscript that transparently bypasses the check and lets you manage VLAN 1 the exact same way as the other VLANs. You can find it here.

(The same issue — and fix — also applies to the other models in the ZyXEL Switch 1500 Series: the ES-1528 and the ES-1552.)