Forum Discussion
flipfl0p
Nov 08, 2020, Aspirant
Inter-vlan communication + port access restriction
Hi all. I'd like to have the following setup:
VLAN10 - Desktop users
VLAN20 - WLAN users
VLAN30 - Printers
VLAN50 - Management
I want users from VLAN10 and VLAN20 to:
- only be able to print...
flipfl0p
Nov 15, 2020, Aspirant
DaneA, thanks a lot for the reply.
RE: ...(c) VLAN 50 has access to all VLANs.
But, if there's inter-vlan-routing between VLAN50 and all others, the users would be able to access e.g. the web GUI, which is not desired. Should an ACL be applied, so VLAN50 has access to other VLANs, but not the other way around?
RE: GS108Tv2 supports both VLAN and ACL.
- Does the GS108Tv2 support inter-vlan-routing then? :o
(From what I read in the specs, it's only v3 that supports it)
RE: the GS108Tv2, it will go back to its default IP address which is 192.168.0.239.
Yes, of course, I obviously forgot to add the scenario where a rogue "specialist" aka persistent (ab)user resets the switch, sets it as a DHCP client and leaves the default VLAN1 for everyone. I want to make sure that if it happens, even though desktops will get their IPs from the router, they won't have access to anything unless the switch is properly configured and secured.
I see, there's MAC learning and filtering, 802.1x and RADIUS, etc. I guess disabling VLAN1 on the router would do the trick, but from what I remember, it cannot be disabled on most vendors' devices. MAC filtering would be reset as well unless it's supported on the router as well... 802.1x and RADIUS would take time to set up properly from what I remember.
- What would you recommend here ?
schumaku
Nov 16, 2020, Guru - Experienced User
flipfl0p wrote: RE: the GS108Tv2, it will go back to its default IP address which is 192.168.0.239.
Yes, of course, I obviously forgot to add the scenario where a rogue "specialist" aka persistent (ab)user resets the switch, sets it as a DHCP client and leaves the default VLAN1 for everyone. I want to make sure that if it happens, even though desktops will get their IPs from the router, they won't have access to anything unless the switch is properly configured and secured.
The "fix" would be having a "catch-all" VLAN 1 going to a dead-end or a landing page on the complete network, whatever. So in the first iteration they "can't"
flipfl0p wrote: I see, there's MAC learning and filtering, 802.1x and RADIUS, etc. I guess disabling VLAN1 on the router would do the trick, but from what I remember, it cannot be disabled on most vendors' devices. MAC filtering would be reset as well unless it's supported on the router as well... 802.1x and RADIUS would take time to set up properly from what I remember.
What do you expect here? A factory default is what it is - you can't re-define the factory default settings.
There is nothing replacing physical security. No matter what kind of switch, router or wireless access point, almost regardless of the brand: if I'm a bad boy and have physical access I can fully take over control of each and every device. Even if there might be some protection for the factory reset button ... but there are always backdoors. Figure.
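flipfl0p's question above (an ACL that lets VLAN 50 reach every other VLAN but not the reverse) and schumaku's dead-end VLAN 1 can both be checked against a small model of a stateless switch ACL. The following is an added example written for this page; it is not code from the thread, from NETGEAR, or from any switch firmware, and it makes no claim about what the GS108Tv2's ACL feature supports. The subnets, the print ports, the ephemeral reply port and the rule order are assumptions, and the filter is modelled as one global first-match list rather than the per-port or per-VLAN ACLs a real switch applies.

```python
"""Stateless inter-VLAN ACL model (added example, not from the thread).

Models a first-match, stateless packet filter of the kind many L3 switches
offer (Cisco-style extended ACL with an 'established' keyword). It shows how
"VLAN 50 may reach every VLAN but no VLAN may reach VLAN 50" has to be
written when the filter keeps no connection state, why the user-to-printer
rule needs a matching return rule, and where the approach breaks (UDP).
Subnets, ports and rule order are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing plan: one /24 per VLAN. VLAN 1 is the factory-default
# VLAN that a reset switch falls back to, kept as a dead end.
VLANS = {
    1: ip_network("192.168.0.0/24"),   # factory-default catch-all
    10: ip_network("10.0.10.0/24"),    # desktop users
    20: ip_network("10.0.20.0/24"),    # WLAN users
    30: ip_network("10.0.30.0/24"),    # printers
    50: ip_network("10.0.50.0/24"),    # management
}
ANY = ip_network("0.0.0.0/0")
PRINT_PORTS = frozenset({9100, 631, 515})  # raw/JetDirect, IPP, LPD


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False    # TCP ACK/RST set: the switch treats it as a reply


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None          # None = any protocol
    dports: Optional[frozenset] = None   # None = any destination port
    established: bool = False            # only TCP segments with ACK/RST

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


# First match wins; anything unmatched hits the implicit deny at the end.
ACL = [
    # Replies to sessions that management opened. Without state, the filter
    # can only recognise a reply by the ACK/RST bit.
    Rule("permit", ANY, VLANS[50], proto="tcp", established=True),
    # Nobody may open a connection towards management.
    Rule("deny", ANY, VLANS[50]),
    # Management reaches everything.
    Rule("permit", VLANS[50], ANY),
    # Users may only print, and the printers' replies must be let back.
    Rule("permit", VLANS[10], VLANS[30], proto="tcp", dports=PRINT_PORTS),
    Rule("permit", VLANS[20], VLANS[30], proto="tcp", dports=PRINT_PORTS),
    Rule("permit", VLANS[30], VLANS[10], proto="tcp", established=True),
    Rule("permit", VLANS[30], VLANS[20], proto="tcp", established=True),
    # Factory-default VLAN 1 is a dead end in both directions.
    Rule("deny", VLANS[1], ANY),
    Rule("deny", ANY, VLANS[1]),
]


def evaluate(p: Packet, acl=ACL) -> str:
    """Verdict for one packet: first matching rule, else implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def session(client: str, server: str, proto: str, dport: int, acl=ACL):
    """Verdicts for a client's first packet and for the server's reply.

    The reply goes to an ephemeral client port (assumed 40000) and, for
    TCP, carries the ACK bit as a SYN-ACK would.
    """
    first = evaluate(Packet(client, server, proto, dport), acl)
    reply = evaluate(Packet(server, client, proto, 40000, ack=(proto == "tcp")), acl)
    return first, reply


if __name__ == "__main__":
    cases = [
        ("mgmt -> desktop, tcp/22", "10.0.50.2", "10.0.10.7", "tcp", 22),
        ("desktop -> mgmt, tcp/443", "10.0.10.7", "10.0.50.2", "tcp", 443),
        ("desktop -> printer, tcp/9100", "10.0.10.7", "10.0.30.9", "tcp", 9100),
        ("desktop -> printer web UI, tcp/80", "10.0.10.7", "10.0.30.9", "tcp", 80),
        ("wlan -> desktop, tcp/445", "10.0.20.4", "10.0.10.7", "tcp", 445),
        ("mgmt -> printer SNMP, udp/161", "10.0.50.2", "10.0.30.9", "udp", 161),
        ("reset switch on VLAN 1 -> printer", "192.168.0.50", "10.0.30.9", "tcp", 9100),
    ]
    for label, *args in cases:
        first, reply = session(*args)
        print(f"{label:36s} first={first:6s} reply={reply}")
```

Two things the run makes visible. The management-to-printer SNMP case is permitted outbound but the UDP reply is dropped, because the "established" trick only works for TCP; one-way access for UDP services needs explicit return permits or a stateful firewall (typically on the router) rather than a switch ACL. And the ACK-bit rule is only an approximation of state: `evaluate(Packet("10.0.10.7", "10.0.50.2", "tcp", 22, ack=True))` returns "permit", so a host in a user VLAN can still get crafted ACK segments into the management VLAN (an ACK scan), even though no handshake will ever complete.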
flipfl0p
Nov 17, 2020, Aspirant
schumaku wrote:
The "fix" would be having a "catch-all" VLAN 1 going to a dead-end or a landing page on the complete network, whatever. So in the first iteration they "can't"
Was thinking about that too. Is the easiest way to implement it not to assign any ports to VLAN1 on the core (and physically secured) switch? I guess I could also exclude VLAN1 from the trunk between the router and the core switch.
schumaku wrote:
What do you expect here? A factory default is what it is - you can't re-define the factory default settings.
There is nothing replacing physical security. No matter what kind of switch, router or wireless access point, almost regardless of the brand: if I'm a bad boy and have physical access I can fully take over control of each and every device. Even if there might be some protection for the factory reset button ... but there are always backdoors. Figure.
You're absolutely right here, and let's not even include actual vulnerabilities - as mentioned, my "adversaries" are less smart, but very stubborn, and try to "fix" things themselves every time there are any issues with the internet or access to other resources like printers. As I said before, the core router and main switch (GS108Tv2 as well) are reasonably physically secured; however, the switches at the tables are not. I guess I could implement MAC filtering on the main switch itself, but I was wondering whether the main switch can learn the MAC addresses from other switches which are connected to it?