NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

hamajang's avatar
hamajang
Aspirant
Nov 15, 2016
Solved

VLAN Internet Connection and Access To Another VLAN

Hello, This is my first time setting up VLANs and I need help.  I have the following equipment and IP settings: M6100 Chassis with XCM8944 Managed Switch                 Firmware Version 11.0.0.18...
Solutions
  • DanielZhang's avatar
    DanielZhang
    Nov 19, 2016

    Hi hamajang,


    Please add Named IP ACL such as:"VLAN_60" or special number IP ACL with "101-199" in Page (Security>ACL>Advanced>IP ACL)
    Because only advanced ACL support extend rules to control destination IP address.

    It's my bad that missed this step.:smileyindifferent:

     

    acl_1.png

DanielZhang's avatar
DanielZhang
NETGEAR Expert
Nov 15, 2016

Hi Hamajang,

 

Welcome to NETGEAR community!:smileyhappy:

 

We had analyze your concern carefully so let me clear it for you.

 

For 1st  question,

 "I would like to connect a laptop to port 2 giving me a IP address with the range for VLAN 30 (19.67.30.xxx), be able to access the internet".

 

First of all, I want to to remaind you that the cable modem must support IP address NAT/PAT function to convert private IP address to public IP address.

A default route need to configure on M6100 that the destination next hop should be the cable modem.

Please Ignore above remaind if your IP address are all public for Internet or a firewall standready in your topology..:smileysurprised:

 

Let's begin my answer:

All the clients which need to access Internet should make the DNS server to 16.67.0.1(cable modem is the gateway)

In VLAN 1 ,

the GW and DNS(16.67.0.1.) will offer by DHCP pool but VLAN 30 will offer a wrong DNS (19.67.30.1).

So please modify the DNS server to 16.67.0.1 of every DHCP pool on all VLAN except 1.

 

For 2nd question, " be able to access resources in VLAN 10"

 

The Private VLAN function will help you to control VLAN communication which support on M6100 chassis switch.

Such as:

VLAN 1 -> primary VLAN, could connect to VLAN 2/3/4,clients could talk with each other in this VLAN.

VLAN 2 -> community VLAN,could connect to VLAN 1 and VLAN 3, clients could talk with each other in this VLAN.

VLAN 3 -> community VLAN,could connect to VLAN 1 and VLAN 2, clients could talk with each other in this VLAN.

VLAN 4 -> Isolated VLAN, could connect to VLAN1 only, clients can't  communicate with each other in this VLAN.

 

 

There are also three port type to control VLAN communication:

•Promiscuous port. belongs to a primary VLAN and can communicate with all interfaces in the private VLAN, including other promiscuous ports, community ports, and isolated ports.
•Community ports. These ports can communicate with other community ports and promiscuous ports.
•Isolated ports. These can ONLY communicate with promiscuous ports.

 

Anyway please refer to M6100 manual as below for more details:

M6100 Software Administration Manual (Software Version 11.x)

-->page 54, private VLAN.

M6100 Command Line Interface (CLI) User Manual (Software Version 11.x)

 

 

 

Just remained that make the management connection alone to M6100 during this VLAN deploying.

 

private vlan.png

 

 

Let us know if you have new concern.:smileyhappy:

 

Regards,

Daniel.

 

hamajang's avatar
hamajang
Aspirant
Nov 16, 2016

Hello Daniel,

 

Thank you for your reply.  Thank you also for steering me in the correct path.  I will be going on site to apply fixes later today.  I will let you know how I do.

 

I also found this kb article:  https://kb.netgear.com/app/answers/detail/a_id/30818

 

I will see what I can do with the existing router.  Worst case, I will have to purchase a router which can handle the seperate VLANs I have created.

I will also attempt to use ACLs to allow/deny access to other VLANs as well as access to the internet.

 

Thanks again.

  • DanielZhang's avatar
    DanielZhang
    NETGEAR Expert
    Nov 17, 2016

    Hi hamajang,

     

    It's good way to add new router about for the separate VLANs traffic forwarding.

    And ACL will also make same function with private VLAN.

     

    Look forward to your update:smileyhappy:

     

    Regards,

    Daniel.

     

     

      • hamajang's avatar
        hamajang
        Aspirant
        Nov 18, 2016

        Great news

         

        I was able to configure the router at the site.  I now have internet access for all VLANs.  Thank you for your advice.

        Now to my other problem.

         

        I basically want to allow VLAN 60 to access the internet only without having access to any other VLAN.  Here is what I didn't tell you before.

        I am using a WC7600 Access Point Controller along with WAC730 Access Points.  I have unique SSIDs assigned to VLANs 40, 50 and 60, each with their respective IP ranges set in the M6100 switch.  I plug an access point in to switch port 40 as an example.  This port has been trunked.  I connect to each SSID without any problems, each SSID has the correct IP and can connect to the internet.  Each SSID can access printers on the LAN.  It's a miracle I got that far :-)

         

        I would like to prevent VLAN 60 from accessing any other VLANs and still access the internet.  If I put an ACL on switch port 40, wouldn't that affect VLANs 40 and 50 as well?  How do I apply an ACL to VLAN 60 only rather than a switch port?  Or is there something else I have to configure on my VLAN 60?

         

        Thanks again in advance for your help.

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More