Solved

VLAN problem, need help with ensuring VLAN separation with shared internet

Posted on 2011-04-22
Last Modified: 2012-05-11
Hi,

I hope someone can help. I have spent 2 days on this already and seem to be going round in circles. To be honest I am not a network specialist, but I did read up on the Netgear site and it all seemed so straightforward.

Here is my setup.

The physical setup is a Netgear GSM7328FS Layer 3 switch with fibre connections to 2 GS724TP switches, which are layer 2.

I have 3 vlans, VLAN2 for one switch and VLAN3 for the other, plus a VLAN4 has a router for the shared internet plus the usual management VLAN1.

I need to be able to configure the VLANs/switches so that VLAN2 and VLAN3 cannot see each other, but they can both access the same internet connection on VLAN4.

OK, here is what I've done so far.

VLAN1 - Management 192.168.1.1/255.255.255.0
VLAN2 - Private 10.56.1.10/255.255.255.0
VLAN3 - Public 192.168.30.1/255.255.255.0
VLAN4 - Management 192.168.40.1/255.255.255.0

DHCP on the GSM7328
10.56.0.0/255.255.0.0
192.168.30.0/255.255.255.0

GSM7328FS
Port 1 - Tagged with VLAN2/VLAN4
Port 9 - Tagged with VLAN3/VLAN4
Port 24 - Tagged with VLAN2/VLAN3/VLAN4

GS724TP
Port 1-4 Untagged on VLAN2
Port 23 - Tagged with VLAN2/VLAN4 this goes to Port 1 on the GSM7328FS

GS724TP
Port 1-4 Untagged on VLAN3
Port 23 - Tagged with VLAN2/VLAN4 this goes to Port 1 on the GSM7328FS

Internet Router
IP 192.168.40.252
Static Routes
10.56.0.0/255.255.0.0 DG 192.168.40.1
192.168.30.0/255.255.255.0 DG 192.168.40.1

What I don't quite follow is how, from one switch, i.e. the guest switch on the 192.168.30.0 network, they can ping addresses on the other switch when we are not trunking that VLAN.

Any assistance would be very welcome, as I need to get this all set up for Tuesday.

Cheers Paul.
Question by:pskemp

14 Comments
LVL 47

Expert Comment

by:Craig Beck
ID: 35450810
The L3 switch is routing the VLANs.

You need to configure ACLs on the L3 switch so it won't route between VLANs.
Check this out... (page 9-2 - Configuring IP ACLs).

ftp://downloads.netgear.com/files/gsm7212_gsm7224_gsm7248_60015_adminguide.pdf
LVL 3

Expert Comment

by:dmf415
ID: 35450830
You can ping any address on the other switches unless you use a firewall. A VLAN is all the devices in a broadcast domain. If you did not want access outside of your VLAN, you would not want to put a gateway on your network config.
LVL 47

Expert Comment

by:Craig Beck
ID: 35450881
Each client on VLAN 2 and 3 needs to use a gateway to get to the internet via VLAN 4. ACLs are the only way to achieve this while maintaining connectivity via the L3 switch.
LVL 1

Author Comment

by:pskemp
ID: 35450934
Thanks for the quick responses.

Yes the layer 3 switch is IP routing the VLANS.

I did try the ACL route, but I couldn't get them to apply to the VLAN.

I created the following access-lists.

access-list 101 deny ip any 192.168.30.0 255.255.255.0
access-list 102 deny ip any 10.56.0.0 255.255.255.0
access-list 103 permit ip any any

I then tried to apply them to the VLAN as so

configure t
interface vlan 2
ip access-group 101 in 1
ip access-group 103 in 2
exit
interface vlan 3
ip access-group 102 in 1
ip access-group 103 in 2
exit

But the config seems to ignore them, and if I look at show running-config interface vlan 2 it doesn't show the access groups.

It just shows

interface vlan 2
routing
ip address 10.56.1.10 255.255.0.0
ip ospf area 0.0.0.0
ip rip

Cheers in advance
Paul.
LVL 1

Author Comment

by:pskemp
ID: 35450971
Thinking on the ACL route, should I be applying the ACL to the VLAN or to a LAN port? Applying it to the VLAN seemed the most logical choice.
LVL 3

Assisted Solution

by:QuietFrank
QuietFrank earned 1000 total points
ID: 35451664
Your ACLs should be in this format:

access-list ACL# permit/deny protocol source destination

so it should look like this

for guest
access-list 101 deny ip subnet3 0.0.0.255 subnet1 0.0.0.255
access-list 101 deny ip subnet3 0.0.0.255 subnet2 0.0.0.255
access-list 101 permit ip any any

apply it to the VLAN 3 interface going OUT.

This is all you need to do. If you are on any other VLAN, you can send a packet to a guest machine, but it will never make it back because of the ACL blocking it as it leaves the VLAN 3 interface for one of the other interfaces. If you want to still put an ACL on VLAN 1 and 2, use the same format with a different ACL number, i.e. 102.

Frank
LVL 1

Author Comment

by:pskemp
ID: 35452121
Thanks for the response QuietFrank.

Unfortunately I can't apply this to the interface out; the Netgear interface doesn't allow the out command, only in.

Any way of doing this on the in of vlan2?

I did just try on vlan2 adding group 101 on the in, as this ACL seems to suggest blocking vlan3 traffic from vlan2, but still no joy.

Cheers Paul.
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 35453556
Try something like...

access-list 102 deny ip any 192.168.30.0 255.255.255.0
access-list 102 permit ip any any
access-list 103 deny ip any 10.56.0.0 255.255.255.0
access-list 103 permit ip any any
interface vlan 2
ip access-group 102 in
exit
interface vlan 3
ip access-group 103 in
exit
LVL 3

Expert Comment

by:QuietFrank
ID: 35454377
Try craigbeck's comment; I think that will work. I think you may have to change the 255.255.255.0 to 0.0.0.255. When specifying networks in ACLs, you usually have to use the wildcard mask.

Frank
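To show what the accepted ACL 102 actually matches, and why the wildcard-mask point above matters, here is a small evaluator added for this thread (not code from the posters or from Netgear). It parses the two access-list entries as written in the accepted solution, applies Cisco-style wildcard matching, and compares the 0.0.0.255 form with the same entry written with 255.255.255.0 in the wildcard position. The host addresses 10.56.1.50 and 192.168.30.20 are constructed examples inside the VLAN 2 and VLAN 3 subnets from the question.

```python
import ipaddress

# ACL 102 from the accepted solution, written with the wildcard mask
# suggested in the thread (0.0.0.255 covers 192.168.30.0/24); inbound on VLAN 2.
ACL_102_WILDCARD = """
access-list 102 deny ip any 192.168.30.0 0.0.0.255
access-list 102 permit ip any any
"""
# The same entries with a subnet mask in the wildcard position, to show what a
# switch that does NOT translate masks would actually match.
ACL_102_SUBNET_MASK = """
access-list 102 deny ip any 192.168.30.0 255.255.255.0
access-list 102 permit ip any any
"""

def _operand(tok, i):
    """Read one source/destination operand ('any' or 'addr wildcard') at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _operand(tok, 4)
        dst, _ = _operand(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def wildcard_match(addr, operand):
    """Cisco-style wildcard: a 1 bit in the mask means 'don't care' for that bit."""
    if operand == "any":
        return True
    base, wildcard = operand.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"
```

With the wildcard form, a VLAN 2 host is denied to 192.168.30.20 but permitted to the router at 192.168.40.252; with 255.255.255.0 read literally as a wildcard, only destinations whose last octet is 0 are denied, so the guest host would still be reachable.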
LVL 47

Expert Comment

by:Craig Beck
ID: 35455755
Good call @QuietFrank!  I think the Netgear switches translate the masks though - but try it anyway.
LVL 3

Expert Comment

by:QuietFrank
ID: 35455771
Glad to see I'm not the only one up at this time!
LVL 1

Author Comment

by:pskemp
ID: 35463043
Thanks for the responses, sorry for the late reply.

I managed to get this working on Saturday using the ACL, based on craigbeck's but with the change on the subnet, i.e. using the wildcard mask as suggested by QuietFrank.

I had to apply this to the ports, as I still had the problem that I couldn't get them to apply to the VLANs, which was annoying; same problem as before, the GUI doesn't give you the option and the CLI accepted the command but it never showed in the config.

Happy to split the points between you two, if you're OK with that.

Cheers Paul
LVL 3

Expert Comment

by:QuietFrank
ID: 35472410
I'm happy to hear that it worked.

I'm fine with splitting the points.

Frank
LVL 47

Expert Comment

by:Craig Beck
ID: 35476944
Cool with me :-)  Glad to help!