
Forum Discussion

Jan 13, 2018
Solved

Questions concerning VLAN on GS108Ev3

Hi there
I'm building a network right now and I'm configuring my switch on which leads to the router and then into the network.
Short questions about the VLAN:
A) Have I configured the VLANs correctly? (see pictures)
I want exactly one VLAN per port

B) How do I make sure that the different networks can only access the corresponding VLAN?
e. g. VLAN 4 = printer
Printers should then be connected directly to VLAN 4 on the switch.
Does it have to be done on the router?

Best regards
neverbesuccessfull

  • Ref. the VMs ... it depends on how the interfaces are configured - on the virtualisation host as well as on the VM itself. A system can handle just an untagged network, or multiple services which can talk or offer services to multiple VLANs can be configured for tagging (multiple virtual interfaces), so the port can be either dedicated to one VLAN (untagged), or as a VLAN trunk handling access to multiple VLANs.

7 Replies

  • schumaku
    Guru - Experienced User

    neverbesuccessf wrote:

    ...
    A) Have I configured the VLANs correctly? (see pictures)


    The pictures require some moderation before becoming visible - standby.


    neverbesuccessf wrote:

    B) How do I make sure that the different networks can only access the corresponding VLAN?
    e. g. VLAN 4 = printer
    Printers should then be connected directly to VLAN 4 on the switch.
    Does it have to be done on the router?

    Assuming you make use of 802.1Q Advanced settings - because somehow you need to connect all the VLANs to a router, which typically happens by a VLAN trunk, including all VLANs. With a PVID 4 set on the port, and set the port to [U] for VLAN ID 4, and no other VLAN being a member of this port - yes, this port does just connect to the VLAN ID 4. And of course, each VLAN must have its own TCP/IP subnetwork, maintained and supported i.e. by a DHCP server, from the router. To have the printers discoverable from the client (PC, Mac, mobile device, ...), to have printers reachable from the other VLAN(s), router and the firewall rules must be set accordingly.

    Putting printers to a dedicated VLAN does make sense only on a bigger managed environment, where all printing and queueing is handled on a server. For work group or direct printing, this is not the greatest idea. It will mostly prohibit printing from mobile devices like iOS or Android, too.

    Tell us a little bit more on the environment (ie. router, servers, VLAN plan, ...). 
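As an added example (not NETGEAR code and not something posted in the thread), the following Python script checks a membership plan of the kind the GS108Ev3 web UI shows as a per-port grid of U (untagged) / T (tagged) / blank, plus a PVID per port, against the rule given above: an access port is an untagged member of exactly its PVID VLAN and of nothing else, while the router uplink carries every VLAN tagged. The port layout, the VLAN IDs (taken from the poster's later plan) and the choice of port 8 as the uplink are constructed assumptions.

```python
"""Check an 802.1Q membership plan for a small managed switch.

Added example, not NETGEAR code; port numbering, VLAN IDs and the
choice of port 8 as the router uplink are constructed assumptions.
"""

from dataclasses import dataclass, field


@dataclass
class Port:
    number: int
    pvid: int                                    # VLAN assigned to untagged frames arriving on the port
    untagged: set = field(default_factory=set)   # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)     # VLANs sent out of this port with a tag


def check_plan(ports, vlans, uplink):
    """Return a list of findings; an empty list means every non-uplink port
    carries exactly one VLAN (its PVID, untagged) and the uplink carries
    every VLAN tagged, i.e. the one-VLAN-per-port intent from the thread."""
    findings = []
    for p in ports:
        if p.number == uplink:
            missing = set(vlans) - p.tagged
            if missing:
                findings.append(f"port {p.number}: uplink trunk is missing tagged VLANs {sorted(missing)}")
            continue
        if p.pvid not in vlans:
            findings.append(f"port {p.number}: PVID {p.pvid} is not a defined VLAN")
        if p.untagged != {p.pvid}:
            findings.append(f"port {p.number}: untagged membership {sorted(p.untagged)} "
                            f"must be exactly its PVID {p.pvid}")
        if p.tagged:
            findings.append(f"port {p.number}: tagged membership {sorted(p.tagged)} "
                            f"leaks other VLANs onto an access port")
    return findings


VLANS = {1: "WLAN", 2: "PC", 3: "VOIP", 4: "Printer"}   # the poster's VLAN plan


def access(number, vid):
    """An access port: PVID and single untagged membership on the same VLAN."""
    return Port(number, pvid=vid, untagged={vid})


# Constructed plan: two ports per VLAN, one printer port, port 8 as the trunk to the router.
GOOD_PLAN = [access(1, 1), access(2, 1), access(3, 2), access(4, 2),
             access(5, 3), access(6, 3), access(7, 4),
             Port(8, pvid=1, tagged={1, 2, 3, 4})]

# Same plan, but port 7 (printer) was also left as an untagged member of VLAN 1,
# a typical leftover of a default configuration where every port sits in VLAN 1.
BAD_PLAN = list(GOOD_PLAN)
BAD_PLAN[6] = Port(7, pvid=4, untagged={1, 4})

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan, VLANS, uplink=8) or "OK")
```

The check deliberately treats a second untagged membership as an error rather than a warning: a port that is untagged in two VLANs forwards frames between them at layer 2, bypassing whatever the router's firewall is supposed to enforce between those subnets.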

     

    • neverbesuccessf
      Aspirant

      schumaku wrote:

      neverbesuccessf wrote:

      ...
      A) Have I configured the VLANs correctly? (see pictures)


      The pictures require some moderation before becoming visible - standby.


      neverbesuccessf wrote:

      B) How do I make sure that the different networks can only access the corresponding VLAN?
      e. g. VLAN 4 = printer
      Printers should then be connected directly to VLAN 4 on the switch.
      Does it have to be done on the router?

      Assuming you make use of 802.1Q Advanced settings - because somehow you need to connect all the VLANs to a router, which typically happens by a VLAN trunk, including all VLANs. With a PVID 4 set on the port, and set the port to [U] for VLAN ID 4, and no other VLAN being a member of this port - yes, this port does just connect to the VLAN ID 4. And of course, each VLAN must have its own TCP/IP subnetwork, maintained and supported i.e. by a DHCP server, from the router. To have the printers discoverable from the client (PC, Mac, mobile device, ...), to have printers reachable from the other VLAN(s), router and the firewall rules must be set accordingly.

      Putting printers to a dedicated VLAN does make sense only on a bigger managed environment, where all printing and queueing is handled on a server. For work group or direct printing, this is not the greatest idea. It will mostly prohibit printing from mobile devices like iOS or Android, too.

      Tell us a little bit more on the environment (ie. router, servers, VLAN plan, ...). 

       


      Hello schumaku
      Thank you very much for your answer, I really appreciate it.
      A) So are these configurations enough for VLAN on the switch or does it require more?
      B) Yes I will set some firewall rules
      Concerning my environment:
      - I will have 3 zones, network (router), DMZ (Webserver, Mailserver and PBX-Server) and LAN zone (Printer, Clients, Phone)
      Network services: DHCP, DNS, FTP, SMB, HTTP/s, SLP, NTP, SSH, RTP
      DMZ services: HTTP/s, FTP, IMAP, POP3, SMTP, SMB
      LAN services: SSH, RTP, FTP, DHCP, DNS, SLP, SMTP, POP3, IMAP, IPP, VOIP, SIP

      Router:
      Edgerouter X

      Server:
      Mailserver
      Webserver
      PBX-Server

      VLAN-plan:
      1: WLAN
      2: PC
      3: VOIP
      4: Printer

      Firewallrules:
      I did it like that:
      LAN zone - DMZ zone: All zones from LAN zone to DMZ zone will be allowed and the rest will be denied. The rest is deny all.
      Did it like that with every zone.
      And outbound to inbound is denied all.

      What do you think, is this safe and professional enough?

      Kind regards
      neverbesuccessfull

      • schumaku
        Guru - Experienced User

        Try to tie Zones, VLANs, and TCP/IP subnetworks together.

        While your approach might be well secure, it might be unhandy, depending on the usage again. A "hundred" years ago, when the wireless was for surfing the Internet, and probably accessing some internal mail servers, plus an Intranet server, this set-up was state-of-the-art.

        Today, you want the WLAN for your trusted devices, the LAN, NAS, and printers very near together - easily discoverable services, ad-hoc access to the services, say to a multi-function-device from a mobile phone to scan some document pages.
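To make the "tie zones, VLANs and subnets together" advice concrete, here is an added Python model (not EdgeOS or NETGEAR code, and not something posted in the thread) that maps each VLAN to a subnet and a zone and then decides what happens to a new flow under a policy shaped like the one described earlier: LAN to DMZ allowed, everything else denied, plus one explicit inter-VLAN rule so that clients can still print. The subnets, the DMZ VLAN id (10), the IPP port rule and the assumption that reply traffic is handled by a stateful firewall are all constructed assumptions, not facts from the thread.

```python
"""Zone / VLAN / subnet model with a first-match zone policy.

Added example, not EdgeOS or NETGEAR code. Subnets, the DMZ VLAN id and
the inter-VLAN printing rule are constructed assumptions.
"""

import ipaddress
from collections import namedtuple

Vlan = namedtuple("Vlan", "vid name subnet zone")
Rule = namedtuple("Rule", "src_zone dst_zone dst_vid proto dport")   # None means "any"

# The poster's VLAN numbering, plus an assumed VLAN 10 for the DMZ servers.
VLANS = [
    Vlan(1, "WLAN", ipaddress.ip_network("192.168.1.0/24"), "LAN"),
    Vlan(2, "PC", ipaddress.ip_network("192.168.2.0/24"), "LAN"),
    Vlan(3, "VOIP", ipaddress.ip_network("192.168.3.0/24"), "LAN"),
    Vlan(4, "Printer", ipaddress.ip_network("192.168.4.0/24"), "LAN"),
    Vlan(10, "DMZ", ipaddress.ip_network("192.168.10.0/24"), "DMZ"),
]

# First match wins; no match means drop, which is the "rest is deny all" from the thread.
# Only new flows are evaluated here; replies are assumed to be admitted by connection tracking.
RULES = [
    Rule("LAN", "DMZ", None, None, None),   # LAN zone may open anything into the DMZ
    Rule("LAN", "LAN", 4, "tcp", 631),      # clients may print via IPP into the printer VLAN
]


def locate(ip):
    """Return the Vlan whose subnet contains ip, or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    return next((v for v in VLANS if addr in v.subnet), None)


def evaluate(src, dst, proto, dport):
    """Return (verdict, reason) for a new flow src -> dst on proto/dport."""
    if ipaddress.ip_address(dst).is_multicast:
        # mDNS/SLP-style discovery is multicast; the router does not forward it,
        # which is why a printer in its own VLAN stops being "found" by clients.
        return "not-routed", "multicast discovery stays inside the source VLAN"
    s, d = locate(src), locate(dst)
    if s is None or d is None:
        return "drop", "address outside every configured subnet"
    if s.vid == d.vid:
        return "switched", f"same VLAN {s.vid}, the router and its firewall are not involved"
    for r in RULES:
        if (r.src_zone == s.zone and r.dst_zone == d.zone
                and r.dst_vid in (None, d.vid)
                and r.proto in (None, proto)
                and r.dport in (None, dport)):
            return "accept", f"{s.zone}({s.name}) -> {d.zone}({d.name}) matched {r}"
    return "drop", f"no rule permits {s.zone}({s.name}) -> {d.zone}({d.name})"


if __name__ == "__main__":
    # Constructed sample flows covering each branch of the decision.
    samples = [
        ("192.168.2.10", "192.168.10.5", "tcp", 443),   # PC -> web server in DMZ
        ("192.168.10.5", "192.168.2.10", "tcp", 22),    # DMZ host opening SSH back into LAN
        ("192.168.2.10", "192.168.4.20", "tcp", 631),   # PC printing via IPP
        ("192.168.2.10", "192.168.4.20", "tcp", 9100),  # PC using raw port 9100 instead
        ("192.168.2.10", "224.0.0.251", "udp", 5353),   # mDNS lookup for the printer
        ("192.168.2.10", "192.168.2.11", "tcp", 445),   # two PCs in the same VLAN
    ]
    for flow in samples:
        print(flow, "->", evaluate(*flow))
```

The interesting lines are the two inter-VLAN cases: once printers sit in their own VLAN, every client-to-printer protocol has to be listed explicitly on the router (here only IPP), and discovery traffic never gets there at all, which is the practical cost the reply above is pointing at.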
