hamajang
Nov 15, 2016 (Aspirant)
VLAN Internet Connection and Access To Another VLAN
Hello, This is my first time setting up VLANs and I need help. I have the following equipment and IP settings: M6100 Chassis with XCM8944 Managed Switch Firmware Version 11.0.0.18...
- Nov 19, 2016
Hi hamajang,
Please add a Named IP ACL such as "VLAN_60", or a special numbered IP ACL with "101-199", on the page (Security > ACL > Advanced > IP ACL).
Because only advanced ACLs support extended rules to control the destination IP address. It's my bad that I missed this step.
DanielZhang
Nov 15, 2016 (NETGEAR Expert)
Hi Hamajang,
Welcome to the NETGEAR community!
We have analyzed your concern carefully, so let me clear it up for you.
For the 1st question,
"I would like to connect a laptop to port 2 giving me a IP address with the range for VLAN 30 (19.67.30.xxx), be able to access the internet".
First of all, I want to remind you that the cable modem must support the IP address NAT/PAT function to convert private IP addresses to public IP addresses.
A default route needs to be configured on the M6100, with the cable modem as the destination next hop.
Please ignore the above reminder if your IP addresses are all public for the Internet or a firewall stands ready in your topology.
Let's begin my answer:
All the clients which need to access the Internet should set the DNS server to 16.67.0.1 (the cable modem is the gateway).
In VLAN 1, the GW and DNS (16.67.0.1) will be offered by the DHCP pool, but VLAN 30 will offer a wrong DNS (19.67.30.1).
So please modify the DNS server to 16.67.0.1 in every DHCP pool on all VLANs except 1.
For the 2nd question, "be able to access resources in VLAN 10"
The Private VLAN function, which is supported on the M6100 chassis switch, will help you to control VLAN communication.
Such as:
VLAN 1 -> primary VLAN, could connect to VLAN 2/3/4, clients could talk with each other in this VLAN.
VLAN 2 -> community VLAN, could connect to VLAN 1 and VLAN 3, clients could talk with each other in this VLAN.
VLAN 3 -> community VLAN, could connect to VLAN 1 and VLAN 2, clients could talk with each other in this VLAN.
VLAN 4 -> isolated VLAN, could connect to VLAN 1 only, clients can't communicate with each other in this VLAN.
There are also three port types to control VLAN communication:
• Promiscuous ports. These belong to a primary VLAN and can communicate with all interfaces in the private VLAN, including other promiscuous ports, community ports, and isolated ports.
• Community ports. These ports can communicate with other community ports and promiscuous ports.
• Isolated ports. These can ONLY communicate with promiscuous ports.
Anyway please refer to M6100 manual as below for more details:
M6100 Software Administration Manual (Software Version 11.x)
-->page 54, private VLAN.
M6100 Command Line Interface (CLI) User Manual (Software Version 11.x)
Just a reminder to keep the management connection to the M6100 alone during this VLAN deployment.
Let us know if you have any new concerns.
Regards,
Daniel.
hamajang
Nov 16, 2016 (Aspirant)
Hello Daniel,
Thank you for your reply. Thank you also for steering me in the correct path. I will be going on site to apply fixes later today. I will let you know how I do.
I also found this kb article: https://kb.netgear.com/app/answers/detail/a_id/30818
I will see what I can do with the existing router. Worst case, I will have to purchase a router which can handle the separate VLANs I have created.
I will also attempt to use ACLs to allow/deny access to other VLANs as well as access to the internet.
Thanks again.
- DanielZhang, Nov 17, 2016 (NETGEAR Expert)
Hi hamajang,
It's a good way to add a new router for the separate VLANs' traffic forwarding.
And an ACL will also provide the same function as a private VLAN.
Looking forward to your update.
Regards,
Daniel.
- XavierLL, Nov 17, 2016 (NETGEAR Employee Retired)
Hi Hamajang,
Totally agree with Daniel, the IP ACLs are similar to firewall rules. I just wanted to share with you a good article about how you can implement it:
Hope that it helps!
Regards
Xavier Lleixa
NETGEAR CBU PLM
- hamajang, Nov 18, 2016 (Aspirant)
Great news
I was able to configure the router at the site. I now have internet access for all VLANs. Thank you for your advice.
Now to my other problem.
I basically want to allow VLAN 60 to access the internet only without having access to any other VLAN. Here is what I didn't tell you before.
I am using a WC7600 Access Point Controller along with WAC730 Access Points. I have unique SSIDs assigned to VLANs 40, 50 and 60, each with their respective IP ranges set in the M6100 switch. I plug an access point in to switch port 40 as an example. This port has been trunked. I connect to each SSID without any problems, each SSID has the correct IP and can connect to the internet. Each SSID can access printers on the LAN. It's a miracle I got that far :-)
I would like to prevent VLAN 60 from accessing any other VLANs and still access the internet. If I put an ACL on switch port 40, wouldn't that affect VLANs 40 and 50 as well? How do I apply an ACL to VLAN 60 only rather than a switch port? Or is there something else I have to configure on my VLAN 60?
Thanks again in advance for your help.
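
As an added example (not part of any post in this thread and not NETGEAR's code), the sketch below models the "VLAN 60 gets internet only" policy as an extended IP ACL with first-match evaluation and a final implicit deny, so the rule order can be checked offline before it goes on the switch. The 19.67.60.0/24, 19.67.0.0/16 and 16.67.0.0/24 ranges and all function names are assumptions; only 16.67.0.1 and the 19.67.30.xxx pattern come from the thread.

```python
import ipaddress

# Constructed policy for VLAN 60. GUEST and the two deny ranges are assumed
# from the 19.67.30.xxx pattern in the thread; 16.67.0.1 is the gateway/DNS
# named in the thread.
GUEST = "19.67.60.0/24"
ACL_VLAN_60 = [
    # (action, source, destination), evaluated top-down, first match wins
    ("permit", GUEST, "16.67.0.1/32"),  # gateway / DNS on the cable modem
    ("deny",   GUEST, "19.67.0.0/16"),  # every internal VLAN (assumed range)
    ("deny",   GUEST, "16.67.0.0/24"),  # rest of VLAN 1 (assumed range)
    ("permit", GUEST, "0.0.0.0/0"),     # anything else is internet traffic
]

def evaluate(acl, src, dst):
    """Return the action of the first matching rule, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in acl:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "deny"  # nothing matched: implicit deny at the end of the list

def audit(acl, cases):
    """Return (src, dst, expected, actual) for every case the ACL gets wrong."""
    results = [(s, d, want, evaluate(acl, s, d)) for s, d, want in cases]
    return [r for r in results if r[2] != r[3]]

# Constructed test traffic: what the policy is supposed to do.
CASES = [
    ("19.67.60.25", "16.67.0.1",  "permit"),  # DNS / default gateway
    ("19.67.60.25", "19.67.10.5", "deny"),    # host in VLAN 10
    ("19.67.60.25", "19.67.30.7", "deny"),    # host in VLAN 30
    ("19.67.60.25", "16.67.0.50", "deny"),    # other host in VLAN 1
    ("19.67.60.25", "8.8.8.8",    "permit"),  # internet
]

# Weak variant: the broad permit moved to the top shadows every deny below it.
ACL_SHADOWED = [ACL_VLAN_60[3]] + ACL_VLAN_60[:3]

if __name__ == "__main__":
    print("correct order :", audit(ACL_VLAN_60, CASES))
    print("permit first  :", audit(ACL_SHADOWED, CASES))
```

Destination matching is what makes this policy expressible, which is why the extended (advanced) IP ACL type mentioned in the accepted answer is required.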