MPS82
Nov 10, 2017 · Aspirant
How to block traffic between other ports but Internet access point using FS750T2
Hi, I'm new to network stuff and I hope someone could help me out with this problem: I have several apartments and one Internet access point (VPN gateway) connected to a 48 port switch. There...
Hopchen
Nov 10, 2017 · Prodigy
Hi MPS82
To separate devices, in that way that you want, you will need to use VLANs. It is the only proper way to do this. Each "department" in its own VLAN.
However, you will have a problem in that these VLANs need to be routed to the Internet as well. This switch cannot do that as it is only a layer 2 switch. It can do the VLAN part, but not the routing part. It is fine as long as your router/gateway can though. Is your router/gateway VLAN aware?
Cheers
MPS82
Nov 21, 2017 · Aspirant
Hi,
Thank you for the comment! This was helpful. I will check with the supplier whether my gateway is VLAN aware.
- Hopchen, Nov 21, 2017 · Prodigy
No problem. Any questions - let us know :)
- hokie21, Nov 21, 2017 · Tutor
This can be done with MAC ACLs. The switch will prevent traffic flow between the customer ports, but allows all traffic to the Internet (router) port. You don't need to set up VLANs.
Make a MAC rule with ID=1, action permit, assign queue=0, redirect interface= the port connected to your router, match every=false. Source and destination MAC and mask should be set to FF:FF:FF:FF:FF:FF.
Go into "MAC binding configuration" and set ACL ID to the name of the ACL you made above. Click the ports that are part of this special configuration.
Save it all and test. I checked it on my 724Tv2 just now and it works fine.
- Hopchen, Nov 22, 2017 · Prodigy
Hi hokie21
Thanks for your input, and I see your point. Essentially redirect all traffic to the router, from each port. This would actually work as well, but there is a potential problem.
The reason this works is because ARP requests cannot be resolved between the devices in the LAN, as everything is redirected to the uplink port. Thus all ARPs are redirected to the uplink as well, but they will be discarded by the router, as the router won't forward broadcasts back down the same link. It just means that no LAN device can communicate because ARPs cannot be resolved. However, Internet still works as all devices can communicate with the router.
Two problems with the ACL setup:
- It is not as secure as VLANs because the only reason LAN devices cannot communicate is because ARPs cannot be resolved. But, if I add static entries to the ARP tables of the end devices, then they can communicate. If security is key, use VLANs.
- If OP ever wanted to add another shared device to the network - such as a printer, NAS, etc., that would be a problem as well!
Maybe I should have been clearer, in my wording, originally. I still stand by the fact that to do it properly, you use VLANs.
Cheers :)
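To make the forwarding behaviour discussed in the last two posts concrete, here is an added model (not code from the thread or from NETGEAR) of a small layer-2 switch in three configurations: ordinary flat switching, hokie21's MAC ACL that redirects every frame from the bound tenant ports to the router port, and Hopchen's one-VLAN-per-tenant design with the uplink as a trunk. It traces the ARP exchange Hopchen describes (tenant broadcast, router reply) and, going slightly beyond the thread, an unknown-unicast frame from the router. The port numbers, MAC addresses, the choice of port 48 as the uplink and the three tenant ports are constructed for the model.

```python
"""Model of the L2 forwarding choices discussed in the thread (added example).

Modes:
  flat      - ordinary switching, no isolation between tenant ports
  mac_acl   - hokie21's MAC ACL: every frame arriving on a bound tenant port is
              redirected to the router (uplink) port, overriding the MAC lookup
  port_vlan - Hopchen's design: each tenant port is its own access VLAN and the
              uplink is a trunk carrying all of those VLANs
Port numbers, MAC addresses and the uplink port number are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
UPLINK = 48                  # constructed: port facing the router / VPN gateway
TENANT_PORTS = (1, 2, 3)     # constructed: ports bound to the ACL / one VLAN each


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: int | None = None  # 802.1Q tag; only meaningful on the trunk in port_vlan mode


@dataclass
class Switch:
    mode: str
    # MAC table keyed by (vlan, mac) -> port. Flat and ACL modes use VLAN 1 only.
    mac_table: dict = field(default_factory=dict)

    def _ingress_vlan(self, ingress: int, frame: Frame) -> int | None:
        if self.mode != "port_vlan":
            return 1
        if ingress == UPLINK:
            # Trunk port: the tag decides the VLAN; an unknown tag is dropped.
            return frame.vlan if frame.vlan in TENANT_PORTS else None
        return ingress       # access port: tenant port i belongs to VLAN i

    def _members(self, vlan: int) -> set[int]:
        if self.mode != "port_vlan":
            return set(TENANT_PORTS) | {UPLINK}
        return {vlan, UPLINK}

    def forward(self, ingress: int, frame: Frame) -> set[int]:
        """Return the set of egress ports for a frame arriving on `ingress`."""
        if self.mode == "mac_acl" and ingress in TENANT_PORTS:
            # hokie21's rule matches every frame on the bound ports and its
            # redirect action sends the frame to the router port regardless of
            # destination, so tenant broadcasts never reach other tenants.
            self.mac_table[(1, frame.src)] = ingress
            return {UPLINK}
        vlan = self._ingress_vlan(ingress, frame)
        if vlan is None:
            return set()
        self.mac_table[(vlan, frame.src)] = ingress
        members = self._members(vlan) - {ingress}
        if frame.dst == BROADCAST:
            return members
        out = self.mac_table.get((vlan, frame.dst))
        if out is None or out == ingress:
            return members   # unknown unicast floods the whole VLAN
        return {out} if out in members else set()


def arp_reachability(mode: str) -> dict[str, set[int]]:
    """Tenant 1 broadcasts an ARP request; the router answers it over the uplink."""
    sw = Switch(mode)
    tenant1, router = "02:00:00:00:00:01", "02:00:00:00:00:fe"   # constructed MACs
    request = sw.forward(1, Frame(src=tenant1, dst=BROADCAST))
    reply = sw.forward(UPLINK, Frame(src=router, dst=tenant1, vlan=1))
    return {"arp_from_tenant1": request, "reply_from_router": reply}


def unknown_unicast_from_router(mode: str, tenant_vlan: int = 2) -> set[int]:
    """The router sends to a tenant MAC the switch has not learned yet."""
    sw = Switch(mode)
    frame = Frame(src="02:00:00:00:00:fe", dst="02:00:00:00:00:02", vlan=tenant_vlan)
    return sw.forward(UPLINK, frame)


if __name__ == "__main__":
    for mode in ("flat", "mac_acl", "port_vlan"):
        print(mode, arp_reachability(mode), unknown_unicast_from_router(mode))
```

In flat mode tenant 1's ARP request reaches the other tenant ports; with the ACL or with per-port VLANs it reaches only the uplink, while the router's reply still comes back to port 1 in all three modes, which is the "Internet works, LAN neighbours don't" behaviour described above. The VLAN design additionally confines unknown-unicast flooding from the router to the one tenant's port, whereas the ACL (which only acts on frames entering the tenant ports) lets such frames flood to every tenant.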