NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
VLAN Security
Hi. I have 8 GS728TP ProSafe switches (and a couple of GS752TP's) in the company network which I have setup using VLAN 1 for the data network, PC's, Laptops etc and VLAN 2 for the telephone system pl...
Hi again,
The ACLs you are looking for are called extended ACLs. They are numbered 100-199 and can be created by going to: "Security" --> "ACL" --> "Advanced" --> "IP ACL" --> In the "IP ACL ID" type 100 and click "Add".
This will create rule table 100. Now, you can add rules to the table as you wish. Go to "IP Extended Rules" and you can see your table here. You can start adding rules.
Once you have the rules you need, then you can bind the rules to ports via the menu "IP Binding Table".
A few notes about ACLs.
1. They use wildcard masks instead of subnet masks.
2. ACLs are read from top --> bottom. This means specific rules on top, general rules at the bottom.
3. Remember that the default (hidden) rule on an ACL is "Deny All". What you want is block some stuff and allow the rest. This means that your last rule should be Permit All.
4. The ACL direction is Inbound on these switches. That matters for how you create the ACL :)
5. Only bind the ACL on the relevant ports. If you bind it to all ports and you make a mistake, you might block access to the switch itself, which you in turn can't recover from (as the ACL is applied on all ports and there is no console port on these models).
Here is a Netgear KB about it: https://kb.netgear.com/21714/How-do-I-set-up-an-IP-Access-Control-List-ACL-with-two-rules-using-the-web-interface-on-my-managed-switch
Cheers!
Hi John,
Thanks for the response but what you're telling me doesn't seem to make sense?
If I use the switch IP address on the VLAN as the gateway IP for the devices on that VLAN (the switch itself has a separate gateway which is a firewall/router) then devices on both VLAN's can communicate with the other as the switch is obviously aware of both IP address ranges. Any requests for resources that aren't on either VLAN are then passed to the Firewall/Router and out onto the internet etc. which is how I need it to work and it does.
The problem I have is that I only want specific devices on each of the VLANs to be able to communicate with devices on the other. Would this be as easy as makng sure that the gateway IP's on the specfic devices take them to the switch whereas all other devices have a gateway IP that takes them directly to the firewall/router?
Regards,
Tom Burbury
Hi Tom,
Don't change the device's default gateway as all the inter-vlan routing is working right now. You just need to block from devices from communicating across to the other VLAN.
You need use ACLs for this and they can be implemented on the switches. That is the standard way to do what you are after.
Cheers
Hi Hopchen,
That sounds like what I need and was what I thought I'd need to do in order to implement this sort of security. Is there a breakdown anywhere of how to do this that you know of? I've looked at the settings on the switches and it's not very clear or obvious what I'd need to do to make this work?
Regards
Hi again,
The ACLs you are looking for are called extended ACLs. They are numbered 100-199 and can be created by going to: "Security" --> "ACL" --> "Advanced" --> "IP ACL" --> In the "IP ACL ID" type 100 and click "Add".
This will create rule table 100. Now, you can add rules to the table as you wish. Go to "IP Extended Rules" and you can see your table here. You can start adding rules.
Once you have the rules you need, then you can bind the rules to ports via the menu "IP Binding Table".
A few notes about ACLs.
1. They use wildcard masks instead of subnet masks.
2. ACLs are read from top --> bottom. This means specific rules on top, general rules at the bottom.
3. Remember that the default (hidden) rule on an ACL is "Deny All". What you want is block some stuff and allow the rest. This means that your last rule should be Permit All.
4. The ACL direction is Inbound on these switches. That matters for how you create the ACL :)
5. Only bind the ACL on the relevant ports. If you bind it to all ports and you make a mistake, you might block access to the switch itself, which you in turn can't recover from (as the ACL is applied on all ports and there is no console port on these models).
Here is a Netgear KB about it: https://kb.netgear.com/21714/How-do-I-set-up-an-IP-Access-Control-List-ACL-with-two-rules-using-the-web-interface-on-my-managed-switch
Cheers!Hi Hopchen,
Thanks for the resonse and the links. I'll go away and study those and decide on the rules I need but this looks to do what I'm trying to set-up so thank you again.
Regards
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
