XanderVR
May 08, 2017 (Aspirant)
M4300-24X24F VLAN's, ACL and separation
Good day all, I have found an article, but as soon as I try to set the rules according to the article I lose all connection to the switch and need to undo the ACL using the console cable... http...
XanderVR
May 15, 2017 (Aspirant)
I think I will have to rethink this all over, probably I'm looking at it from the wrong perspective.
When I create an inbound rule, that allows connections on VLAN 10 from 2 different subnets, and deny everything else, my internet connection drops...
I think I should turn it around, and first deny all different subnets, and as the final rule allow all?
Currently lacking a bit of time for this configuration, as I'm trying to configure these switches for use with RDMA/RoCE. (Created a different topic for it)
- Retired_Member, May 15, 2017
Hi XanderVR,
No, I suggest you create an outbound rule and bind it to VLAN10, not inbound. It will not affect internet access for VLAN10 clients.
BTW: do the other VLANs' clients need to access the internet via VLAN10? If not, it has no effect at all.
- XanderVR, May 15, 2017 (Aspirant)
Thank you for your answer.
Other VLAN's do not need internet access through VLAN10, they get internet access through the firewall, which is connected to the M4300 with a trunk link.
In fact all VLAN's should be fully separated, except for VLAN20 which needs TCP access to a certain range of devices in the VLAN10 subnet.
So I create several outbound rules that deny access to other VLAN subnets (1 rule for each subnet), 1 rule that allows TCP from the small range from VLAN10 to VLAN20, and a rule that allows all other traffic?
And these rules are all outbound?
- Retired_Member, May 15, 2017
Hi XanderVR,
We re-thought your requirement, as we need to meet 2 requirements at the same time. One is isolating traffic between all VLANs, permitting only the VLAN20 subnet's TCP service to part of the VLAN1 subnet;
the other is not blocking internet access for any VLAN's clients.
It's more complex, so we need to change the policy rules. Could you please try the configuration below:
For VLAN1:
ip access-list VLAN_1
permit tcp 10.10.10.0 0.0.0.63 10.10.20.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255
deny ip any 10.10.90.0 0.0.0.255
deny ip any 10.10.91.0 0.0.0.255
deny ip any 192.168.42.0 0.0.0.255
permit ip any any
ip access-group VLAN_1 vlan 1 in
For VLAN20:
ip access-list VLAN_20
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.63
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.90.0 0.0.0.255
deny ip any 10.10.91.0 0.0.0.255
deny ip any 192.168.42.0 0.0.0.255
permit ip any any
ip access-group VLAN_20 vlan 20 in
For VLAN90:
ip access-list VLAN_90
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255
deny ip any 10.10.91.0 0.0.0.255
deny ip any 192.168.42.0 0.0.0.255
permit ip any any
ip access-group VLAN_90 vlan 90 in
For VLAN91:
ip access-list VLAN_91
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255
deny ip any 10.10.90.0 0.0.0.255
deny ip any 192.168.42.0 0.0.0.255
permit ip any any
ip access-group VLAN_91 vlan 91 in
For VLAN101:
ip access-list VLAN_101
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255
deny ip any 10.10.90.0 0.0.0.255
deny ip any 10.10.91.0 0.0.0.255
permit ip any any
ip access-group VLAN_101 vlan 101 in
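Added example, not code from the thread or from NETGEAR: a small Python first-match evaluator for the access-list syntax used in the reply above. It parses the VLAN_20 list exactly as posted, plus a constructed approximation of the earlier "permit two subnets, deny everything else" attempt, and checks sample flows to show why the trailing permit ip any any keeps internet access while the deny lines still isolate the VLANs. It assumes contiguous wildcard masks and an implicit deny when no rule matches.

```python
import ipaddress

# Added example (not from the thread). Assumes contiguous wildcard masks
# and an implicit "deny" when no rule matches, as on typical switch ACLs.

def _addr(parts):
    """Consume 'any' or 'ADDR WILDCARD' from the token list; return (network, rest)."""
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), parts[1:]
    wildcard_bits = bin(int(ipaddress.ip_address(parts[1]))).count("1")
    net = ipaddress.ip_network(f"{parts[0]}/{32 - wildcard_bits}", strict=False)
    return net, parts[2:]

def parse_acl(text):
    """Parse lines like 'deny ip any 10.10.20.0 0.0.0.255' into (action, proto, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _addr(rest)
        dst, _ = _addr(rest)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, proto, src, dst):
    """Return the action of the first matching rule; 'deny' if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst:
            return action
    return "deny"

# The VLAN_20 list exactly as posted above.
VLAN_20 = parse_acl("""
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.63
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.90.0 0.0.0.255
deny ip any 10.10.91.0 0.0.0.255
deny ip any 192.168.42.0 0.0.0.255
permit ip any any
""")

# Constructed approximation of the earlier "permit, then deny the rest" attempt:
# with no trailing permit, every off-LAN destination (the internet) is dropped.
ALLOW_THEN_DENY = parse_acl("""
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip any any
""")
```

Note that 10.10.10.0 0.0.0.63 covers only 10.10.10.0-10.10.10.63, so a TCP flow to 10.10.10.100 is caught by the following deny line, and a UDP flow to an address inside the range is denied because the first rule matches TCP only.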