MPS82
Nov 10, 2017 (Aspirant)
How to block traffic between other ports but Internet access point using FS750T2
Hi, I'm new to network stuff and I hope someone could help me out with this problem: I have several apartments and one Internet access point (VPN gateway) connected to a 48 port switch. There...
- Nov 10, 2017
Hi MPS82
To separate devices, in that way that you want, you will need to use VLANs. It is the only proper way to do this. Each "department" in its own VLAN.
However, you will have a problem in that these VLANs need to be routed to the Internet as well. This switch cannot do that as it is only a layer 2 switch. It can do the VLAN part, but not the routing part. It is fine as long as your router/gateway can though. Is your router/gateway VLAN aware?
Cheers
Hopchen
Nov 24, 2017 (Prodigy)
Hi hokie21
"Isn't the switch now forcing all traffic that would normally be routed to another switch port for a PC to be forced to the router port only?"
Yes, but only in one direction - from clients to router. Your ACL is inbound and only bound on client ports :) So, unicast traffic will only really take a detour. You are not actually blocking anything with these ACLs - as you know.
Example (given that ARP tables and address tables are known and populated):
- PC A (port 1) and PC B (port 2).
- PC A sends ping to PC B --> Ping is forced up to the router (due to the ACL) and arrives at the router.
- Router's LAN ports are a switch, essentially. Given a populated address table, the router looks at the destination MAC address of the frame and determines to send the frame (back) to the switch. No ACL is stopping that action.
- The frame arrives at the switch and the switch will look in its address table and send it to PC B (port 2). There is nothing stopping or redirecting the traffic in that direction.
I am not testing this, I am just "deducing" here. I might give it a test later.
But even so... how would you solve the problem of say, OP wants to add a shared device? Maybe a printer or a NAS or something else? That will be a big problem. Even if you find a work-around, it would still make more sense to use VLANs + ACLs for pure scalability. VLANs are the standard method for segmenting networks and for good reason. It scales incredibly well. More effort in the beginning, better management and less effort once implemented.
Your method is really good in certain scenarios - absolutely! And maybe OP finds it easier to implement. It's always good to have options.
Cheers
Hopchen
Nov 24, 2017 (Prodigy)
Just to add... I played around with it in the lab.
You are right hokie21, it actually works as noticed in your tests - even with static ARP entries. No communication is happening between the two PCs. It must be because the router won't allow even a unicast to be sent back from where it came - i.e. the packets are likely discarded by the router.
So, that is really interesting!
Still though - that solution won't scale at all, compared to VLANs :)
Cheers
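The frame path Hopchen deduces in the earlier reply and the lab result in this one, as an added example that is not part of the thread or of any NETGEAR product: a Python model of a switch whose client ports carry an inbound "redirect to router" ACL, and a router that either hairpins the returned frame or discards it. Port numbers and MAC addresses are constructed for the model.

```python
# Added example, not from the thread or from NETGEAR. Models the forwarding path
# discussed above: client ports 1 and 2 carry an inbound ACL that sends every frame
# to the router port; the router port itself has no ACL, so frames arriving there
# use the learned address table. The router's LAN side is treated as a switch that
# either forwards a frame back out the interface it arrived on (hairpin) or
# discards it, which is the behaviour observed in the lab test.
# Port numbers and MAC addresses below are constructed values.

ROUTER_PORT = 48
ROUTER_MAC = "02:00:00:00:00:ff"
PC_A, PC_B = "02:00:00:00:00:01", "02:00:00:00:00:02"
MAC_TABLE = {PC_A: 1, PC_B: 2, ROUTER_MAC: ROUTER_PORT}   # populated address table
ACL_REDIRECT_PORTS = {1, 2}   # client ports bound to the inbound redirect ACL


def switch_egress(ingress_port, dst_mac):
    """Egress port for a known unicast frame. The ACL is inbound and bound only
    to client ports, so a frame entering on the router port is switched normally."""
    if ingress_port in ACL_REDIRECT_PORTS:
        return ROUTER_PORT
    return MAC_TABLE[dst_mac]


def deliver(src_port, dst_mac, router_drops_hairpin):
    """Trace one unicast frame hop by hop; the last entry says where it ended up."""
    path = [f"ingress port {src_port}"]
    egress = switch_egress(src_port, dst_mac)
    if egress != ROUTER_PORT:
        path.append(f"switch -> port {egress}")
        return path
    path.append("switch -> router (ACL redirect)")
    if dst_mac == ROUTER_MAC:
        path.append("router: accepted (Internet-bound)")   # ACL does not break uplink
        return path
    # Destination is a LAN host reachable only via the interface the frame came in on.
    if router_drops_hairpin:
        path.append("router: discarded (egress == ingress interface)")
        return path
    path.append("router -> switch (hairpin)")
    path.append(f"switch -> port {switch_egress(ROUTER_PORT, dst_mac)}")  # no ACL here
    return path


if __name__ == "__main__":
    for drops in (False, True):
        print(f"router drops hairpin = {drops}")
        print("  PC A -> PC B  :", " | ".join(deliver(1, PC_B, drops)))
        print("  PC A -> router:", " | ".join(deliver(1, ROUTER_MAC, drops)))
```

With the hairpin-forwarding router the ping reaches PC B via the detour; with the discarding router it dies at the router, while Internet-bound frames are delivered in both cases.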