crodrig
Aspirant
Sep 06, 2023
Solved

GS724Tv4 VLAN Routing

NetGear Community,

I have a NetGear GS724Tv4 24 Port Gigabit Smart Switch in which I have configured 4 VLANs.

I am only using VLAN1 and VLAN4, with VLAN2 | VLAN3 as the default VLANs (VoIP, etc.)

VLAN1 [ Management VLAN ]        Port 24        (Untagged)
VLAN4 [ Network access ports ]   Ports 1 ~ 14   (Untagged)

I have accessed the Server Log screen to allow the switch to send log messages to a dedicated syslog server on the same network.

I have successfully tested the reception of UDP packet data on port 514 from the NetGear GS724Tv4 Smart Switch using tcpdump.

The issue is that the syslog server has only one ethernet card and must receive network packets/data from VLAN4 as well as from VLAN1 to meet DISA STIG Requirements of logging NetGear GS724Tv4 server log events.

I understand that VLAN1 (Management VLAN) cannot be part of a routed VLAN.

Is there a configuration scheme for the NetGear GS724Tv4 switch which will allow receiving network packets from both VLAN1 and VLAN4 on ethernet interface eth0?

I would assume an alternate plan is to install a separate ethernet card on the syslog server dedicated to receiving NetGear switch logging events via UDP.

Any advice would be greatly appreciated, as I have traversed the internet searching for a viable solution.

Thank you.

  • NetGear Community,

    I have decided to install a second PCIe ethernet card on the server/workstation to be used as an rsyslog server for receiving syslog messages (UDP packets) from the GS724Tv4 Smart Switch logging service.

    I basically configured the second ethernet card (eth1) on a separate subnet to communicate over the Management VLAN (VLAN1).

    The primary ethernet card (eth0) is connected to VLAN4 which allows for inter-connecting workstations as a localized LAN.

    The main goal is to provide network isolation between the user space and management space.

    I hope this helps some helpless souls.
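As an added example (not from this thread, NETGEAR, or rsyslog), a minimal Python collector for the dual-homed layout in the accepted answer: it binds only to eth1's management-VLAN address instead of all interfaces, so the collector is never reachable from the VLAN4 user space on eth0, accepts datagrams only from the switch's management IP, and keeps severity 6 and higher as the poster configured. All addresses and the sample log lines are constructed placeholders, not real GS724Tv4 output.

```python
import re
import socket

# Assumed placeholder addresses (not from the thread): eth1 of the syslog host
# sits on the VLAN1 management subnet; only the switch's management IP may send.
MGMT_BIND_ADDR = "10.0.1.10"      # eth1 address on VLAN1 (assumed)
ALLOWED_SENDERS = {"10.0.1.2"}    # GS724Tv4 management IP (assumed)

# RFC 3164 framing: "<PRI>Mmm dd hh:mm:ss host message"
_RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d "
                      r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)
def parse_rfc3164(datagram):
    """Split one datagram into facility, severity, timestamp, host and msg."""
    m = _RFC3164.match(datagram.decode("utf-8", "replace").rstrip("\r\n\0"))
    if not m or int(m.group("pri")) > 191:   # PRI = facility*8 + severity
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}

def accept(datagram, src_ip, max_severity=6):
    """Keep a frame only if the sender is allowed, it parses, and severity <= 6."""
    if src_ip not in ALLOWED_SENDERS:
        return None                # e.g. a VLAN4 host sending fake syslog
    rec = parse_rfc3164(datagram)
    if rec is None or rec["severity"] > max_severity:
        return None
    rec["src_ip"] = src_ip
    return rec

# Constructed sample datagrams (not real GS724Tv4 output) for a stand-alone run.
SAMPLES = [
    (b"<134>Sep  6 10:15:01 gs724t Web login from 10.0.1.50 succeeded", "10.0.1.2"),
    (b"<135>Sep  6 10:15:02 gs724t link up on port 3", "10.0.1.2"),   # sev 7: dropped
    (b"<134>Sep  6 10:15:03 rogue fake management event", "10.0.4.20"),  # not allowed
]

def filter_samples():
    return [accept(d, s) for d, s in SAMPLES]

def serve(bind_addr=MGMT_BIND_ADDR, port=514):
    """Bind only to the management-VLAN address, never 0.0.0.0 (which would also expose eth0 / VLAN4)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, (src, _port) = s.recvfrom(4096)
            rec = accept(data, src)
            if rec:
                print(f"{rec['timestamp']} {rec['host']} sev={rec['severity']} {rec['msg']}")
```

Binding UDP 514 needs root or CAP_NET_BIND_SERVICE; `filter_samples()` exercises the policy without opening a socket.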

4 Replies

  • 
    schumaku
    Guru - Experienced User

    crodrig wrote:

    The issue is that the syslog server has only one ethernet card and must receive network packets/data from VLAN 4 as well as from VLAN1 to meet DISA STIG Requirements of logging NetGear GS724Tv4 server log events.


    Curious what syslog messages from the GS724Tv4 you expect to receive on the management VLAN (VLAN 1 by default) -and- the access ports on VLAN 4 in your example?

    • 
      crodrig
      Aspirant

      Schumaku,

      As per DISA STIG Requirements,

      Group ID: V-3070
      Group Title: Management connections must be logged.
      Rule ID: SV-3070r4_rule
      Rule Title: Network devices must log all attempts to establish a management connection for administrative access.

      Fix Text: Configure the device to log all access attempts to the device to establish a management connection for administrative access.

      I currently have the GS724Tv4 logging severity code (6) and higher.

      Informational (6). Provides device information.

      The access ports on VLAN4 are configured as the internal subnet for an isolated network. No network connections are allowed to the outside world (Internet, VPN, WAN, etc.)

      Thanks.

      • 
        schumaku
        Guru - Experienced User

        There are still no management access vectors on this VLAN. 
