Forum Discussion
XanderVR
May 08, 2017 (Aspirant)
M4300-24X24F VLAN's, ACL and separation
Good day all,
I have found an article, but as soon as I try to set the rules according to the article I lose all connection to the switch and need to undo the ACL using the console cable...
I have a stack of 2x M4300-24X24F, which contains several VLANs: 1, 20, 90, 91 and 101.
Now none of these VLANs should be able to route to each other, except for VLAN 20 to a few hosts in VLAN 1, and these few hosts in VLAN 1 to all of VLAN 20.
So what is the best way to configure this?
Or did I really make a big mistake and should I have gone for HP instead?? (At least on our old HP switch routing is opt-IN instead of opt-OUT?)
Sorry to say, but even budget TP-LINK has a more intuitive interface...
8 Replies
- XanderVR (Aspirant)
I think I will have to rethink this all over, probably I'm looking at it from the wrong perspective.
When I create an inbound rule, that allows connections on VLAN 10 from 2 different subnets, and deny everything else, my internet connection drops...
I think I should turn it around, and first deny all different subnets, and as the final rule allow all?
Currently lacking a bit of time for this configuration, as I'm trying to configure these switches for use with RDMA/RoCE. (Created a different topic for it)
- Retired_Member
Hi XanderVR,
No, I suggest you create an outbound rule and bind it to VLAN10, not inbound. It will not affect internet access for VLAN10 clients.
BTW: do clients in other VLANs need internet access via VLAN10? If not, it has no effect at all.
- XanderVR (Aspirant)
Thank you for your answer.
Other VLANs do not need internet access through VLAN10; they get internet access through the firewall, which is connected to the M4300 with a trunk link.
In fact all VLAN's should be fully separated, except for VLAN20 which needs TCP access to a certain range of devices in the VLAN10 subnet.
So I create several outbound rules that deny access to the other VLAN subnets (1 rule for each subnet), 1 rule that allows TCP from the small range in VLAN10 to VLAN20, and a rule that allows all other traffic?
And these rules are all outbound?
- XanderVR (Aspirant)
I wanted to edit my original post, but there is no option to...
Some additional information:
It is a stack of 2x M4300-24X24F
5 VLANs (with IPs)
- 1 (10.10.10.1 / 255.255.255.0)
- 20 (10.10.20.1 / 255.255.255.0)
- 90 (10.10.90.1 / 255.255.255.0)
- 91 (10.10.91.1 / 255.255.255.0)
- 101 (192.168.42.10 / 255.255.255.0)
On both switches:
- Ports 1-8 and 43-48 are stacking ports
  - configured switchport mode general
  - VLANs: tagged 20, 90, 91, 101; PVID 1
- Ports 9-13 are ports for servers
  - configured switchport mode general
  - VLANs: tagged 20, 90, 91, 101; PVID 1
- Ports 25-26 (LAG_1)
  - go to a second switch (to which 2 more switches are attached); our firewall and internet connection are connected to that switch
  - configured switchport mode general
  - VLANs: tagged 20, 90, 91, 101; PVID 1
- Ports 27-30 (LAG_2 - LAG_5)
  - go to office switches
  - VLANs: tagged 101; PVID 1
What do I want?
- Devices from VLAN_20 can connect to servers on VLAN_10, but only to IP range 10.10.10.31-10.10.10.45
- Servers on VLAN_10 (IP range 10.10.10.31-10.10.10.45) can connect to devices on VLAN_20
- Rest should all be isolated
I am currently trying to create IP Extended Rules (using CLI) but I cannot see how I can link those to a VLAN.
Or should I bind those rules to ports instead of VLANs?
Example of an ACL I created for VLAN 1:
ip access-list VLAN_1
  ! wildcard 0.0.0.63 matches 10.10.10.0-10.10.10.63 (not only .31-.45)
  permit tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.63
  deny ip any any
Am I on the right track?
How do I link this to VLAN 1 in CLI?
- Retired_Member
Hi XanderVR,
Welcome to the community!
First, the M4300 switch supports binding an ACL to a VLAN; please refer to the configuration below:
By CLI command:
By web GUI:
Second, I notice that your ACL only permits the TCP protocol. Do you only want to allow TCP packets between VLAN10 and VLAN20?
Hope it helps!
Regards,
EricZ
NETGEAR employee
- XanderVR (Aspirant)
Hello Eric,
thank you for the information, I will put this to test later today.
I knew that it was possible in the web interface, but I prefer CLI for configuring, and use the web interface for a visual view of settings.
I think TCP is sufficient, as the servers are all webservers which are connected to using HTTP, HTTPS or SSL, so all TCP.
Each VLAN has its own DHCP server so there won't be any UDP passthrough needed.
The rules I created are sufficient for blocking all VLAN traffic to VLAN1 that is not from the VLAN1 subnet? (Except for the small VLAN20 portion, of course.)
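The recurring problem in this thread is that an ACL only gets tested once it is bound, and a wrong list locks the switch out until the console cable comes out. The script below is an added example for this page, not NETGEAR code and not anything the posters ran: it models a stateless, first-match IP ACL the way a switch evaluates it (top to bottom, first match wins, implicit deny at the end, Cisco-style wildcard masks as used in the posted list) and checks the posted VLAN_1 list against the policy stated in the thread before anything touches the switch. It also generates a corrected list in the same shape the poster arrives at (permits for the server range first, explicit denies between VLAN subnets, then permit-all so the firewall path and the switch's own addresses are never caught by the implicit deny), using an exact wildcard decomposition of 10.10.10.31-10.10.10.45 instead of the 0.0.0.63 mask. The list name INTER_VLAN, the sample hosts, and the external address 198.51.100.7 are assumptions made up for the example; binding direction and port numbers are not modelled, and how the list is bound to a VLAN is left to the M4300 documentation.

```python
"""Offline check of a stateless, first-match IP ACL against a stated policy.
Added as an illustration for this page; not NETGEAR code, never talks to a switch.
Semantics assumed: entries evaluated top to bottom, first match wins, implicit deny,
wildcard masks where a 0 bit must match and a 1 bit is "don't care"."""
import ipaddress
from dataclasses import dataclass

# The five VLAN subnets listed in the thread, and the server range VLAN 20 may reach.
VLANS = {1: "10.10.10.0/24", 20: "10.10.20.0/24", 90: "10.10.90.0/24",
         91: "10.10.91.0/24", 101: "192.168.42.0/24"}
NETS = {v: ipaddress.ip_network(n) for v, n in VLANS.items()}
SERVERS = ("10.10.10.31", "10.10.10.45")

# The list posted in the thread, verbatim.
POSTED_ACL = """
ip access-list VLAN_1
permit tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.63
deny ip any any
"""


@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str     # "BASE WILDCARD" or "any"
    dst: str


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    care = ~wild & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def parse_acl(text):
    """Parse the permit/deny lines of an 'ip access-list' block (header and '!' comments skipped)."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)  # port qualifiers, if present, are ignored here
        entries.append(Entry(action, proto, src, dst))
    return entries


def evaluate(entries, proto, src, dst):
    """First match wins; a list with no matching entry denies."""
    for e in entries:
        if e.proto in ("ip", proto) and _addr_matches(e.src, src) and _addr_matches(e.dst, dst):
            return e.action
    return "deny"


def range_to_wildcards(first, last):
    """Exact cover of an inclusive IPv4 range as (base, wildcard) pairs, no over-match."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(lo, hi)]


def vlan_of(ip):
    a = ipaddress.IPv4Address(ip)
    return next((v for v, n in NETS.items() if a in n), None)


def in_servers(ip):
    lo, hi = (ipaddress.IPv4Address(x) for x in SERVERS)
    return lo <= ipaddress.IPv4Address(ip) <= hi


def intended(proto, src, dst):
    """The thread's policy: VLAN 20 <-> the server range over TCP only, other inter-VLAN
    flows denied, everything else (same VLAN, or out through the firewall) permitted."""
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv is not None and dv is not None and sv != dv:
        if proto == "tcp" and (sv, dv) == (20, 1) and in_servers(dst):
            return "permit"
        if proto == "tcp" and (sv, dv) == (1, 20) and in_servers(src):
            return "permit"
        return "deny"
    return "permit"


# Constructed sample flows (proto, src, dst); the hosts are made up for the check.
FLOWS = [
    ("tcp", "10.10.20.5", "10.10.10.31"),   # VLAN 20 -> a server
    ("tcp", "10.10.20.5", "10.10.10.50"),   # VLAN 20 -> a VLAN 1 host outside the range
    ("udp", "10.10.20.5", "10.10.10.31"),   # non-TCP to a server
    ("tcp", "10.10.90.5", "10.10.10.31"),   # another VLAN -> a server
    ("tcp", "10.10.10.31", "10.10.20.5"),   # server -> VLAN 20
    ("tcp", "10.10.10.5", "10.10.10.6"),    # inside VLAN 1
    ("tcp", "10.10.10.5", "198.51.100.7"),  # VLAN 1 -> internet via the firewall
    ("tcp", "10.10.10.5", "10.10.90.7"),    # VLAN 1 -> another VLAN
]


def find_violations(entries, flows=FLOWS):
    """Flows where the list's decision differs from the policy: (proto, src, dst, got, want)."""
    out = []
    for p, s, d in flows:
        got, want = evaluate(entries, p, s, d), intended(p, s, d)
        if got != want:
            out.append((p, s, d, got, want))
    return out


def build_policy_acl(name="INTER_VLAN"):
    """Render the policy as one direction-independent list: exact server-range permits
    both ways, a deny for every ordered pair of VLAN subnets, then permit-all."""
    w = lambda net: f"{net.network_address} {net.hostmask}"
    lines = [f"ip access-list {name}"]
    for base, wild in range_to_wildcards(*SERVERS):
        lines.append(f"permit tcp {w(NETS[20])} {base} {wild}")
        lines.append(f"permit tcp {base} {wild} {w(NETS[20])}")
    for a in NETS.values():
        for b in NETS.values():
            if a != b:
                lines.append(f"deny ip {w(a)} {w(b)}")
    lines.append("permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("generated", build_policy_acl())):
        bad = find_violations(parse_acl(acl))
        print(f"{label}: {len(bad)} policy violation(s)")
        for p, s, d, got, want in bad:
            print(f"  {p} {s} -> {d}: ACL says {got}, policy wants {want}")
    print(build_policy_acl())
```

Against the sample flows the posted list shows three disagreements with the policy: it permits VLAN 20 to every host up to 10.10.10.63, it has no entry for the servers initiating connections towards VLAN 20, and its final deny cuts VLAN 1 hosts off from anything outside the two subnets, including the firewall. The generated list is written so that it gives the same answer no matter which VLAN or direction it is bound to, which sidesteps the inbound/outbound confusion from earlier in the thread; the price is a list that carries deny entries some bindings will never hit, which is harmless.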