VLAN Configuration help - Netgear GSM7224

Craig Rutherford
Good morning, guys.

I am not very experienced with switching and vlan and I would like some help.

First, let me tell you what I want:

My client has two wireless APs, let's call them "10.50" and "10.51".
And we also have two other people connected to the switch. Let's call them PC1 and PC2.

I want everyone that connects to wireless "10.50" to only see the printer, no internet connection. The same thing applies to person PC1 - I want them to only see the printer.

I want everyone that connects to wireless "10.51" to see the printer AND the internet connection. The same thing applies to person PC2 - I want them to see both printer and internet.

The switch is a 24 port.

Port 2 - Printer
Port 3 - Internet
Port 4 - 10.51
Port 5 - 10.50
Port 6 - PC1
Port 7 - PC2

I thought for a moment I could create separate VLANs and include ports 2 and 3 for whoever wants internet and port 2 for whoever only needs the printer. But I have been told by Netgear that one port can only be part of one VLAN. In other words, each VLAN needs to have its own member ports; I cannot add the same port twice to different VLANs (e.g. I can't have VLAN ID 2 with member ports 2 and 3 and VLAN ID 3 with member ports 3 and 4).

So here's what I thought could work. I'll create the following VLANs:

VLAN 2 - Port 2
VLAN 3 - Port 3
VLAN 4 - Port 4
VLAN 5 - Port 5
VLAN 6 - Port 6
VLAN 7 - Port 7

Then after that I want to go to VLAN Port Configuration and specify the following:

Port: 2
VLAN ID: 2
Priority: 0

So the printer's physical port can see the printer on VLAN 2.

Port: 3
VLAN ID: 2
Priority: 0

So the router/internet physical port 3 can see the printer on VLAN 2.

Port: 4
VLAN ID: 3
Priority: 0

So 10.51 wireless can see the internet on VLAN 3 and consequently also see the printer, as port 3 is also configured to see VLAN 2.

Port: 5
VLAN ID: 2
Priority: 0

So 10.50 wireless can see the printer only.

Port: 6
VLAN ID: 3
Priority: 0

So PC1 can see the internet on VLAN 3 and consequently also see the printer, as port 3 is also configured to see VLAN 2.

Port: 7
VLAN ID: 2
Priority: 0

So PC2 can see the printer only.

Will this work? I'm getting really confused right now and I think those settings I mentioned above are incorrect. I have to do this remotely, which means if I screw it up, I'm going to kick people out and it won't be fun.

I have also attached a few screenshots of the Netgear itself so you can have an idea of what it looks like. I haven't configured the VLAN Port Configuration yet.

Thanks

Attached screenshots: VLAN Configuration, VLAN Status, VLAN Port Configuration

Commented:
WHOA!  I think you are getting carried away with the VLANs.

Some pieces are missing here.  The switch you mentioned is a layer 2 switch.  Where is the routing in this network?

Author

Commented:
Oh yeah, I forgot to mention, the switch is also the DHCP server.

Commented:
Ok... but again... Where is the routing in this network?

Commented:
Without a router, VLANs will be completely isolated from each other.  Communication between devices within the same VLAN is possible, but communication with anything outside the VLAN must go through a router.  And each VLAN has to have its own separate IP subnet.

Author

Commented:
And also, by the way, just to give you guys some more info... this network is just a sales-agents network; we have a totally separate network with servers etc. that does not see this one.

So basically the configuration for this network is comprised of a D-Link DSL-2730B router that does the ADSL and nothing else (IP address .10.1), the switch that does DHCP (.10.2), the APs and some laptops + PC1 and PC2 and the printer.

Commented:
That is a fairly unsophisticated router, but it does have some outbound filtering capabilities.  It also appears to be capable of assigning ports to different VLANs (which the documentation wants to call PVC).  You need to start looking at the router and not the switch.  It sounds to me like you simply want to deny internet access to a group of clients.  This can probably be done by assigning them to a separate VLAN, and then in the router you simply deny internet access to anyone on that VLAN.  You may also be able to do it with MAC filtering, but that gets kind of ugly.

Author

Commented:
But I don't want them to be able to see each other either (the ones that are cabled). I want some of them to see the printer and some to access the internet and the printer, but not to see each other.

They are sales agents; they are not related to each other and they have their own personal PCs and data.

Commented:
I haven't looked at the settings you've put in, but I do think your VLANs are a bit psychotic.
The way I'd do this, you'd need 3 different subnet ranges.

SUBNET 1 applies to VLAN 1. 10.1.1.x/24
In this, add the restricted PCs, the restricted wireless and the printer.

SUBNET 2 applies to VLAN 2.  10.1.2.x/24
In this, put computers with internet access and the wireless router with access and add a default gateway.

SUBNET 3 applies to VLAN 3.  10.1.3.x/24.  This is where you put the internet connection.

Without looking at what your switch is capable of, you should be able to block all access to internet from the first subnet.  If you must, you should be able to block all traffic from specific ip addresses on certain ports (internet port) but then it all comes down to how you are routing.

Commented:
You can ignore my previous post... I didn't see that you didn't want them to see each other.  Just turning the firewall on on each PC to block external access should stop them from coming in.
(If using Windows Vista / 7, make sure you don't set it to a work or home network.)

Commented:
You are trying to do some pretty sophisticated things with some pretty unsophisticated equipment.  I don't think you can do what you want to with what you have to work with.  If you had a Cisco switch I would tell you to create a private VLAN to isolate the individual devices.  But you don't have that option and the only way to isolate a device is to put it on its own VLAN.  And that means that to be able to access anything from that VLAN you need to pass it through one of the router ports assigned to that VLAN.  You have 4 ports on the router.  Assuming you put the printer on one that leaves you 3 other VLANs to play with for the end user devices.  If you have more than 3 end user devices you can't isolate them from each other.  Not to mention this is a really ugly and hard to maintain configuration.  

Author

Commented:
At the moment only the switch is plugged in to the router... all the VLAN configuration I want is to be done on the switch, not the router. That way we have 24 ports to play around with. I wanted to set up one port with internet, one port with the printer and then set up the other ports as separate VLANs, but allowing some ports to see the router port (thus providing internet) and the printer port, and other people to only see the printer port... you think that isn't possible with this device?

Commented:
You can create VLANs to your heart's content on the switch.  But if you put more than one device on a given VLAN, those devices will be able to see each other.  And without going through the router, devices on that VLAN will not be able to communicate with anything in any other VLAN.  So if you put user A on VLAN 1 and your printer on VLAN 2, then you can get user A to the printer.  But now you are using 4 ports on the switch and 2 on your router.  Port 1 on your router is assigned to VLAN 1 and connects to a switch port that is also assigned to VLAN 1.  Then user A connects to another port on the switch that is assigned to VLAN 1.  Port 2 on the router is assigned to VLAN 2 and connects to a switch port that is also assigned to VLAN 2.  The printer connects to another port on the switch that is assigned to VLAN 2.  Now on the router you can control whether or not user A can access the printer.  See how ugly this is getting?  And you have only handled two devices.

Commented:
Think of it this way.  Consider each VLAN as a physically separate device.  So if you create a VLAN and connect a PC to it, you now have a separate switch with 1 PC and nothing else connected to it.  If you create another VLAN and connect a printer, you now have a separate switch with 1 printer connected to it.  Obviously they can't communicate with each other.  And you can't connect the two switches directly together either, since the devices are on separate IP subnets.  You have to connect those two switches to a router in order to get the devices on them to communicate.  We haven't even discussed the DHCP issues here.  You really can't get where you want to go from here.

Author

Commented:
So what's the best way to go? Replace those units with a fully managed layer 3 Cisco switch?

I really need to be able to restrict people from seeing each other and also control which port/VLAN can access the web and which port/VLAN can access the internet and print.

Commented:
Just buy a cheap switch and another printer.
Problem solved.

One switch is the printer-only group.  The other connects to the internet.

Commented:
Just to add my two cents:

Netgear devices are really good in general. But it sounds like you want a router, not a switch... although I like the answer above me.


Just buy a cheap switch and another printer.
problem solved.


I am surprised you don't want them to be able to see each other. As somebody mentioned, a firewall with stealth mode can accomplish that.

But why is seeing things a problem if they can't access each other, which as long as your file and printer sharing usernames and passwords aren't known won't happen.

Firewalls are more secure and are your best bet.

--Sam

Author

Commented:
"another printer" -> their printer is a 10k multi-function printer... we can't buy another one.

See, let me explain this whole situation again... this client is a real estate agency. They have a rentals department and a sales department.
We manage their rentals department; we have servers, etc. etc., it's all nice and good - forget about this.

When we talk about sales agents in a real estate agency, that means we hire out a space so they can use our resources, in this case our internet and our multi-function centre printer. Each sales person is an independent sales agent in their own right - the other sales guy sitting in the room next to him is basically the competition.

Because we only provide them the physical space, we do not manage their PCs - only what happens from the blue cable/wireless up to the cloud.

When we offer the "room", we basically tell him "you can access the internet and the printer for $$ or just the printer for $. No one can see what's in your PC as you have your own VLAN or your own subnet, or whatever"

The example I gave was only about 4 people... the reality is that we have 20 agents to manage. Some via wireless, some via cable.

See the dilemma?

So, in short we want:

- Each sales agent/wireless AP to have their own separate VLAN or subnet that allows them to see either the printer or the printer+internet, and not be seen by anyone that isn't within their VLAN or subnet. We also want to be able to know how much traffic their VLAN/subnet/port is using, see reports on it, and be secure enough to prevent unwanted traffic from being transmitted, such as spam or viruses, as we cannot manage their PCs themselves.

One option would be to put a router in between our switch and each one of the sales agents, so that way we can setup the router the way we want to do what we want. But that adds another point of failure to the equation... we don't want 20 routers sitting between the switch and the client...

So, without putting a server in between, is there a switch, router, or firewall device that will allow us to do what is described above? Remember, reporting is important so we know if there's anyone in this network causing issues.

Regards,

Rod
Commented:
Thanks for the explanation, it makes your requirements a lot easier to understand.  And it also makes it very clear that you can't do that with your current hardware.  So what are your options?  Keep in mind that my answers are going to be colored by the fact that my experience is primarily with Cisco equipment.  I am not a Cisco employee.

Your primary requirement seems to be isolation of individual end users from each other.  There are a couple of features on Cisco switches that can fulfill this requirement, protected ports and private VLANs.

The protected port feature is the simpler of the two options.  Basically you would configure all of your end user ports as protected ports.  Protected ports do not communicate with other protected ports, even if they exist in the same VLAN.  This is very simple to configure and very effective.  The limitation is that it only works within one switch.  If you have multiple switches, this mechanism breaks down.  In your case you might be able to get away with this.  This feature has been around for a long time, and I think most switch models support it, maybe even some of the lower cost Cisco branded Linksys devices.  I am not very familiar with these.  The feature is available on the lower cost layer 2 2960 model for sure.  I use this to isolate some customer quality control agents that are located on the premises of the company I work for, but it only works because they are on the same switch.

The private VLAN feature is a little more robust and thus more complex, and I am not going into its configuration here.  It accomplishes the same thing and is not limited to a single switch.  It will function across a network of switches, so a user in an isolated VLAN on one switch cannot communicate with a user on the same isolated VLAN on another switch.  You would probably need to step up to a layer 3 3560 platform to get this feature.  I know that it is not available on the 2960.

Your other option for isolating individual end stations is, as you suggested, putting everyone on their own VLAN.  But in order to do this you would need a more robust router or firewall.  You could potentially use an ASA-5505 firewall with a Security Plus license that would support 20 VLANs.

For comparison purposes, a 24 port 2960 you can probably pick up for ~$400, an ASA 5505 Sec Plus ~$600, a 24 port 3560 ~$1200.

Now that you have isolated the end stations, you have numerous options to control access to resources (printer, internet).  I almost have to believe that the printer itself has access controls, and you could also configure internet access control on the existing router.   However, with the switch options you could also control this at the switch using port access control lists configured on each end-user port.  

The traffic reporting requirement is a little trickier.  I am not sure what you are after here unless you want to charge by the megabyte - but for what?  Printer access?  Internet access?  Or just aggregate LAN usage?  Certainly the switches keep counters for aggregate traffic, but they are not going to provide you with any useful reports.  You would need something collecting this data via SNMP and generating the reports.  And if your reporting requirement is more complex, i.e. "This user transferred x megabytes of data across the internet and sent x bytes to printer" rather than "this user transferred x bytes in total" you would need something more complex and the switches are not going to provide source and destination based data to be reported on.  To do this on a switch you would need to step up to a netflow capable switch, maybe a 3750 series and you would need a separate netflow data collector.  Probably overkill in your environment.  You may be able to do this with the ASA option, I am not sure.

As for outbound spam filtering, well, that is a pretty complex science.  You really need a purpose built appliance to do this, or force all outbound SMTP traffic through an external service.  But all of these measures will only thwart the ignorant.  If you have a technically savvy user there are ways they could get around this.  As for network based virus containment you are talking some additional $$ and may have to step up to an ASA-5510 with a security services module.  I don't think the benefit is worth the cost.  You may need to prune your requirements unless you have very deep pockets.

Those are my thoughts.  As I said, my experience is with Cisco.  There are always other options and usually at least a dozen ways to accomplish your goals.
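To make the reachability rules from this thread concrete (a VLAN behaves like a separate switch, same-VLAN hosts see each other, cross-VLAN traffic needs a router, and Cisco-style protected ports never talk to each other even inside one VLAN), here is an added toy model that checks a port-to-VLAN assignment against the question's requirements. It is example code written for this page, not anything from Netgear, Cisco or the posters. The port numbers and device names are the ones from the question; the per-port "deny_to" ACL is a simplified stand-in for the port access lists mentioned above, and the rule that protected ports may still reach each other through a router in another VLAN is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int
    name: str
    vlan: int
    protected: bool = False            # Cisco-style "protected port" flag (assumed semantics)
    deny_to: frozenset = frozenset()   # destination names dropped by a port ACL on ingress


def can_reach(src: Port, dst: Port, router_vlans=frozenset()) -> bool:
    """Can a host on port src send traffic to a host on port dst under the thread's rules?"""
    if dst.name in src.deny_to:                  # ingress port ACL blocks this destination
        return False
    if src.vlan == dst.vlan:                     # same broadcast domain
        return not (src.protected and dst.protected)
    # Different VLANs: only possible through a router with an interface in both
    return src.vlan in router_vlans and dst.vlan in router_vlans


# Requirement table from the question: agent -> does this agent pay for internet access?
AGENTS = {"AP-10.50": False, "PC1": False, "AP-10.51": True, "PC2": True}


def violations(ports, router_vlans=frozenset()):
    """List every way the layout fails the requirements (empty list means it works)."""
    by_name = {p.name: p for p in ports}
    problems = []
    for agent, wants_net in AGENTS.items():
        a = by_name[agent]
        if not can_reach(a, by_name["Printer"], router_vlans):
            problems.append(f"{agent} cannot reach Printer")
        if can_reach(a, by_name["Internet"], router_vlans) != wants_net:
            problems.append(f"{agent} internet access should be {'allowed' if wants_net else 'blocked'}")
        for other in AGENTS:
            if other != agent and can_reach(a, by_name[other], router_vlans):
                problems.append(f"{agent} can see {other}")
    return problems


# Layout 1: the question's idea, one VLAN per port, no router between the VLANs
PLAN_ONE_VLAN_PER_PORT = [
    Port(2, "Printer", 2), Port(3, "Internet", 3), Port(4, "AP-10.51", 4),
    Port(5, "AP-10.50", 5), Port(6, "PC1", 6), Port(7, "PC2", 7),
]

# Layout 2: the flat network the switch runs today, everything in VLAN 1
PLAN_FLAT = [
    Port(2, "Printer", 1), Port(3, "Internet", 1), Port(4, "AP-10.51", 1),
    Port(5, "AP-10.50", 1), Port(6, "PC1", 1), Port(7, "PC2", 1),
]

# Layout 3: one VLAN, every agent port protected, restricted ports ACL'd away from the router port
NO_NET = frozenset({"Internet"})
PLAN_PROTECTED = [
    Port(2, "Printer", 1), Port(3, "Internet", 1),
    Port(4, "AP-10.51", 1, protected=True),
    Port(5, "AP-10.50", 1, protected=True, deny_to=NO_NET),
    Port(6, "PC1", 1, protected=True, deny_to=NO_NET),
    Port(7, "PC2", 1, protected=True),
]

if __name__ == "__main__":
    for label, plan in [("one VLAN per port", PLAN_ONE_VLAN_PER_PORT),
                        ("flat VLAN 1", PLAN_FLAT),
                        ("protected ports + port ACL", PLAN_PROTECTED)]:
        probs = violations(plan)
        print(f"{label}: {len(probs)} violation(s)")
        for p in probs:
            print("  -", p)
```

Running it shows why the thread's answers go where they do: the one-VLAN-per-port layout isolates the agents but leaves nobody able to reach the printer or the router without a routing hop, the flat layout lets every agent see every other agent, and only the protected-port layout with a per-port deny satisfies all four agents at once.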

Author

Commented:
Hello Guys.

Turns out the device I had could not do the things I wanted. I ended up adding a SonicWALL firewall to my network that did everything I wanted and more.

Thanks for all the help

Rod

Author

Commented:
I'm closing the question.

Author

Commented:
Although I couldn't do what I wanted with the device I had, JDavis guided me down the right path and shared a whole bunch of helpful information. Thanks.
