VLAN problem, need help with ensuring VLAN separation with shared internet

Hi,

I hope someone can help. I've spent 2 days on this already and seem to be going round in circles. To be honest, I'm not a network specialist, but I did read up on the Netgear site and it all seemed so straightforward.

Here is my setup.

The physical setup is a Netgear GSM7328FS Layer 3 switch with fibre connections to 2 GS724TP switches, which are layer 2.

I have 3 vlans, VLAN2 for one switch and VLAN3 for the other, plus a VLAN4 has a router for the shared internet plus the usual management VLAN1.

I need to be able to configure the VLANs/switches so that VLAN2 and VLAN3 cannot see each other but they can both access the same internet connection on VLAN4.

OK, here is what I've done so far.

VLAN1 - Management 192.168.1.1/255.255.255.0
VLAN2 - Private 10.56.1.10/255.255.255.0
VLAN3 - Public 192.168.30.1/255.255.255.0
VLAN4 - Management 192.168.40.1/255.255.255.0

DHCP on the GSM7328
10.56.0.0/255.255.0.0
192.168.30.0/255.255.255.0

GSM7328FS
Port 1 - Tagged with VLAN2/VLAN4
Port 9 - Tagged with VLAN3/VLAN4
Port 24 - Tagged with VLAN2/VLAN3/VLAN4

GS724TP
Port 1-4 Untagged on VLAN2
Port 23 - Tagged with VLAN2/VLAN4 this goes to Port 1 on the GSM7328FS

GS724TP
Port 1-4 Untagged on VLAN3
Port 23 - Tagged with VLAN2/VLAN4 this goes to Port 1 on the GSM7328FS

Internet Router
IP 192.168.40.252
Static Routes
10.56.0.0/255.255.0.0 DG 192.168.40.1
192.168.30.0/255.255.255.0 DG 192.168.40.1

What I don't quite follow is how, from one switch (i.e. the guest switch on the 192.168.30.0 network), they can ping addresses on the other switch when we are not trunking that VLAN.

Any assistance would be very welcome, as I need to get this all set up for Tuesday.

Cheers, Paul.
pskemp asked:
 
Craig Beck commented:
Try something like...

access-list 102 deny ip any 192.168.30.0 255.255.255.0
access-list 102 permit ip any any
access-list 103 deny ip any 10.56.0.0 255.255.255.0
access-list 103 permit ip any any
interface vlan 2
ip access-group 102 in
exit
interface vlan 3
ip access-group 103 in
exit
 
Craig Beck commented:
The L3 switch is routing the VLANs.

You need to configure ACLs on the L3 switch so it won't route between VLANs.
Check this out... (page 9-2 - Configuring IP ACLs).

ftp://downloads.netgear.com/files/gsm7212_gsm7224_gsm7248_60015_adminguide.pdf
 
dmf415 commented:
You can ping any address on the other switches unless you use a firewall. A VLAN is all the devices in a broadcast domain. If you did not want access outside of your VLAN, you would not want to put a gateway on your network config.
 
Craig Beck commented:
Each client on VLAN 2 and 3 needs to use a gateway to get to the internet via VLAN 4. ACLs are the only way to achieve this whilst maintaining connectivity via the L3 switch.
 
pskemp (Author) commented:
Thanks for the quick responses.

Yes, the layer 3 switch is IP routing the VLANs.

I did try the ACL route, but I couldn't get them to apply to the VLAN.

I created the following access-lists.

access-list 101 deny ip any 192.168.30.0 255.255.255.0
access-list 102 deny ip any 10.56.0.0 255.255.255.0
access-list 103 permit any any

I then tried to apply them to the VLAN as follows:

configure t
interface vlan 2
ip access-group 101 in 1
ip access-group 103 in 2
exit
interface vlan 3
ip access-group 102 in 1
ip access-group 103 in 2
exit

But the config seems to ignore them, and if I look at "show running-config interface vlan 2" it doesn't show the access groups.

It just shows:

interface vlan 2
routing
ip address 10.56.1.10 255.255.0.0
ip ospf area 0.0.0.0
ip rip

Cheers in advance
Paul.
 
pskemp (Author) commented:
Thinking on the ACL route, should I be applying the ACL to the VLAN or to a LAN port? Applying it to the VLAN seemed the most logical choice.
 
QuietFrank commented:
Your ACLs should be in this format:

access-list ACL# permit/deny protocol source destination

So it should look like this:

For guest:
access-list 101 deny ip subnet3 0.0.0.255 subnet1 0.0.0.255
access-list 101 deny ip subnet3 0.0.0.255 subnet2 0.0.0.255
access-list 101 permit ip any any

Apply it to the VLAN 3 interface going OUT.

This is all you need to do. If you are on any other VLAN, you can send a packet to a guest machine, but it will never make it back because of the ACL blocking it as it leaves the VLAN 3 interface for one of the other interfaces. If you want to still put an ACL on VLAN 1 and 2, use the same format with a different ACL number, i.e. 102.

Frank
 
pskemp (Author) commented:
Thanks for the response QuietFrank.

Unfortunately I can't apply this to the interface out; the Netgear interface doesn't allow the out command, only in.

Any way of doing this on the in of VLAN2?

I did just try adding group 101 on the in of VLAN2, as this ACL seems to suggest blocking VLAN3 traffic from VLAN2, but still no joy.

Cheers, Paul.
 
QuietFrank commented:
Try craigbeck's comment, I think that will work. I think you may have to change the 255.255.255.0 to 0.0.0.255. When specifying networks in ACLs, you usually have to use the wildcard mask.

Frank
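As an added illustration (not from the thread), a small Python model of first-match ACL evaluation that runs Craig Beck's VLAN 2 ACL with the wildcard mask QuietFrank suggests and, for comparison, with the subnet mask typed literally where a wildcard is expected. It shows why the mask form matters before trusting an ACL to keep VLAN 2 and VLAN 3 apart. The host addresses are constructed; the thread's subnets are used as posted.

```python
# Added example: minimal Cisco-style ACL evaluator using wildcard masks
# (0 bits must match, 1 bits are don't-care). Not vendor code.
import ipaddress


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a wildcard mask."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF  # bits that must be equal
    return (ip_int(addr) & care) == (ip_int(base) & care)


def matches(entry, addr):
    return entry == "any" or wildcard_match(addr, *entry)


def evaluate(acl, src, dst):
    """First matching entry wins; implicit deny if nothing matches."""
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"


# ACL 102, applied inbound on interface vlan 2 (Craig Beck's post),
# written with the wildcard mask QuietFrank recommends.
ACL_102_WILDCARD = [
    ("deny", "any", ("192.168.30.0", "0.0.0.255")),
    ("permit", "any", "any"),
]
# Same ACL with the subnet mask typed where a wildcard is expected:
# 255.255.255.0 as a wildcard means "only the last octet must match (0)".
ACL_102_SUBNETMASK = [
    ("deny", "any", ("192.168.30.0", "255.255.255.0")),
    ("permit", "any", "any"),
]


def check(acl):
    """Return (VLAN2 host -> VLAN3 host, VLAN2 host -> VLAN4 router)."""
    return (evaluate(acl, "10.56.1.50", "192.168.30.77"),
            evaluate(acl, "10.56.1.50", "192.168.40.252"))


if __name__ == "__main__":
    print("wildcard mask:", check(ACL_102_WILDCARD))      # ('deny', 'permit')
    print("subnet mask:", check(ACL_102_SUBNETMASK))      # ('permit', 'permit')
```

With the subnet mask read literally as a wildcard, the deny line only catches destinations whose last octet is 0, so VLAN 2 to VLAN 3 traffic would still be routed; the thread reports the Netgear CLI translates the masks, but checking the resulting config is the safer habit.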
 
Craig Beck commented:
Good call @QuietFrank! I think the Netgear switches translate the masks though, but try it anyway.
 
QuietFrank commented:
Glad to see I'm not the only one up at this time!
 
pskemp (Author) commented:
Thanks for the responses, sorry for the late reply.

I managed to get this working on Saturday using the ACL, based on craigbeck's but with the change on the subnet, i.e. using the wildcard mask as suggested by QuietFrank.

I had to apply this to the ports, as I still had the problem that I couldn't get them to apply to the VLANs, which was annoying. Same problem as before: the GUI doesn't give you the option and the CLI accepted the command but it never showed in the config.

Happy to split the points between you two, if you're OK with that.

Cheers, Paul
 
QuietFrank commented:
I'm happy to hear that it worked.

I'm fine with splitting the points.

Frank
 
Craig Beck commented:
Cool with me :-)  Glad to help!