Forum Discussion
XanderVR
May 08, 2017, Aspirant
M4300-24X24F VLANs, ACL and separation
Good day all, I have found an article, but as soon as I try to set the rules according to the article, I lose all connection to the switch and need to undo the ACL using the console cable... http...
XanderVR
May 09, 2017, Aspirant
I wanted to edit my original post, but there is no option to...
Some additional information:
It is a stack of 2x M4300-24X24F
5 VLANs (with IPs)
- 1 (10.10.10.1 / 255.255.255.0)
- 20 (10.10.20.1 / 255.255.255.0)
- 90 (10.10.90.1 / 255.255.255.0)
- 91 (10.10.91.1 / 255.255.255.0)
- 101 (192.168.42.10 / 255.255.255.0)
On both switches:
- Ports 1-8 and 43-48 are stacking ports
- are configured switchport mode general
- VLANs:
- Tagged 20, 90, 91, 101
- PVID 1
- Ports 9-13 are ports for servers and:
- are configured switchport mode general
- VLANs:
- Tagged 20, 90, 91, 101
- PVID 1
- Ports 25-26 (LAG_1)
- Go to a second switch (to which 2 more switches are attached)
- To this switch our firewall and internet connection are connected
- These ports are configured as switchport mode general
- VLANs:
- Tagged 20, 90, 91, 101
- PVID 1
- Ports 27-30 (LAG_2 - LAG_5)
- Go to office switches
- VLANs:
- Tagged 101
- PVID 1
What do I want?
- Devices from VLAN_20 can connect to servers on VLAN_10, but only to IP range 10.10.10.31-10.10.10.45
- Servers on VLAN_10 (IP range 10.10.10.31-10.10.10.45) can connect to devices on VLAN_20
- Rest should all be isolated
I am currently trying to create IP Extended Rules (using CLI) but I cannot see how I can link those to a VLAN.
Or should I bind those rules to ports instead of VLANs?
Example of an ACL I created for VLAN 1:
ip access-list VLAN_1
permit tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.63
deny ip any any
Am I on the right track?
How do I link this to VLAN 1 in CLI?
- Retired_Member, May 10, 2017
Hi XanderVR,
Welcome to the community!
First, the M4300 switch supports binding an ACL rule to a VLAN port; please refer to the configuration below:
By CLI command:
By web GUI:
Second, I notice that your ACL rule only permits the TCP protocol. Do you only want to allow TCP packets between VLAN10 and VLAN20?
Hope it helps!
Regards,
EricZ
NETGEAR employee
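An added example, not part of the thread or of NETGEAR's documentation. The 0.0.0.63 wildcard in XanderVR's second rule matches 10.10.10.0 through 10.10.10.63, which includes the VLAN gateway 10.10.10.1 and hosts .46-.63 that were not meant to be reachable from VLAN 20. Wildcard masks can only express aligned power-of-two blocks, so the exact range .31-.45 needs four entries. The script below computes that decomposition, enumerates what any address/wildcard pair actually matches, and prints the ACL in the FASTPATH-style syntax used in the post. The binding command `ip access-group <name> vlan <vlan-id> out` is assumed from memory of the M4300 global configuration mode and should be checked with `?` on the switch before use; the VLAN and subnet values are the ones from the thread.

```python
# Added example: exact wildcard-mask entries for a host range, plus an
# ACL generator in the M4300 CLI style from the post. The binding line
# syntax is an assumption to be verified on the switch.
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]  # (network, wildcard), both dotted quads


def range_to_wildcards(first: str, last: str) -> List[Entry]:
    """Split an inclusive IPv4 range into the fewest (network, wildcard) pairs.

    A wildcard mask ignores bits set to 1, so a single ACL entry can only
    match an aligned power-of-two block. summarize_address_range() yields
    exactly those blocks; hostmask is the wildcard for each one.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return [
        (str(net.network_address), str(net.hostmask))
        for net in ipaddress.summarize_address_range(lo, hi)
    ]


def wildcard_matches(network: str, wildcard: str, ip: str) -> bool:
    """True if an ACL address/wildcard pair matches ip (works for any wildcard)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    want = int(ipaddress.IPv4Address(network)) & care
    return (int(ipaddress.IPv4Address(ip)) & care) == want


def wildcard_to_network(network: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a contiguous wildcard (0.0.0.63, 0.0.0.7, ...) into a CIDR block.

    The prefix is computed explicitly because ipaddress parses "/0.0.0.0"
    as a /0 netmask rather than a /32 hostmask.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a CIDR block")
    return ipaddress.IPv4Network((network, 32 - wc.bit_length()), strict=False)


def covered_hosts(entries: List[Entry]) -> List[str]:
    """Every address matched by a list of entries, sorted numerically."""
    hosts = set()
    for network, wildcard in entries:
        # Iterating a network yields every address, including first and last.
        hosts.update(int(h) for h in wildcard_to_network(network, wildcard))
    return [str(ipaddress.IPv4Address(h)) for h in sorted(hosts)]


def build_acl(name: str, vlan_id: int, client_net: str, client_wc: str,
              server_net: str, server_wc: str, first: str, last: str,
              proto: str = "tcp") -> List[str]:
    """Emit the ACL from the post with the client->server range made exact.

    The final 'ip access-group ... vlan ... out' line is the assumed M4300
    global-config binding command (verify with '?' on the switch).
    """
    lines = [
        f"ip access-list {name}",
        # keep server-to-server traffic inside the VLAN working
        f"permit {proto} {server_net} {server_wc} {server_net} {server_wc}",
    ]
    for net, wc in range_to_wildcards(first, last):
        lines.append(f"permit {proto} {client_net} {client_wc} {net} {wc}")
    lines += [
        "deny ip any any",
        "exit",
        f"ip access-group {name} vlan {vlan_id} out",
    ]
    return lines


if __name__ == "__main__":
    # Values from the thread: VLAN 1 = 10.10.10.0/24 (servers), VLAN 20 = clients.
    print("\n".join(build_acl("VLAN_1", 1, "10.10.20.0", "0.0.0.255",
                              "10.10.10.0", "0.0.0.255",
                              "10.10.10.31", "10.10.10.45")))
    print("posted mask 0.0.0.63 also matches the gateway:",
          wildcard_matches("10.10.10.0", "0.0.0.63", "10.10.10.1"))
```

Running it shows that the posted `10.10.10.0 0.0.0.63` entry covers 64 addresses, while the generated four entries (`10.10.10.31 0.0.0.0`, `10.10.10.32 0.0.0.7`, `10.10.10.40 0.0.0.3`, `10.10.10.44 0.0.0.1`) cover exactly the 15 intended hosts. Note that an ACL bound outbound on VLAN 1 only sees traffic leaving the switch towards the servers; the servers' replies leave on VLAN 20 ports and are not inspected by this list.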
- XanderVR, May 10, 2017, Aspirant
Hello Eric,
thank you for the information, I will put this to test later today.
I knew that it was possible in the web interface, but I prefer CLI for configuring, and use the web interface for a visual view of settings.
I think TCP is sufficient, as the servers are all webservers which are connected to using HTTP, HTTPS or SSL, so all TCP.
Each VLAN has its own DHCP server so there won't be any UDP passthrough needed.
The rules I created are sufficient for blocking all VLAN traffic to VLAN1 that is not from the VLAN1 subnet? (Except for the small VLAN20 portion, of course)
- Retired_Member, May 11, 2017
Hi XanderVR,
Yes, I agree with you. The rules should meet your requirement, and the policy should be bound to VLAN1 in the outbound direction. You can try it on your network. Looking forward to your good news.