PETERGATS
Mar 02, 2014Aspirant
Printing segregated to VLAN by itself
For the life of me, can't get the printer to be alive on its own VLAN.. The SRX5308 is the fw-router (no VPNs just VLANs) Identified 12 VLANs and treating these as port based VLANs and there's a M...
PETERGATS
Mar 10, 2014Aspirant
Last response continued. (This forum's BB system does not allow more than 10K characters per posting.)
Ok good, take a breath,
Now the "majik" happens in the ACL scripting and applying to make all this work.
--(Again with BIG thanks to the Middle Enterprise Experts L2 support group resourceful engr who solved this for us!! This is NOT my work but his.)
(Again, can't mention his name in an open forum in good conscience, for his own job safety, just in case it is taken the wrong way by mgmt types)--
Within the LAN, Netgear support enables telnet and uses PuTTY as a terminal to get to the command line interface of the managed VLAN switch, the M4100 in this case.
They also use the Notepad app as a handy scripting and cut-paste device so as to be able to copy-paste en masse from Notepad into the PuTTY command line terminal.
([HANDY SWITCH access NOTE:
Say you changed the switch admin settings so the switch responds to a non-standard https port, say you changed it to 7008. Now in PuTTY you would designate the connection as ipaddr_of_switch:7008 and leave it as port 22 in the standard PuTTY telnet settings. It works this way.])
Ok NOW, what didn't work at first, BUT mentioned here because some folks might want to enable the VLAN separation/segregation BUT WANT to leave ALL the VLANs visible AND accessible from the default LAN or VLAN 1.
The following lines scripted and applied as ACL 100 work and do what is mentioned in last sentence.
At first the following 3 lines were scripted and applied to all ports except port 4:
access-list 100 permit ip any 10.100.4.0 0.0.0.255
access-list 100 deny ip 10.100.0.0 0.0.15.255 10.100.0.0 0.0.15.255
access-list 100 permit ip any any
HOWEVER, ONLY these 3 above lines will let you still see ALL the VLANs from the default LAN, because "enable InterVLAN routing" is checked on the SRX5308 router in this case.
SO say you want to segregate completely and NOT even let the deflt LAN "see" (access NOR snoop) ANY of the VLANs.
Well, these 3 above lines should have done it, because these 3 above lines implicitly include the default LAN (stipulated as VLAN 1).. BUT they don't.. why is unknown.
The solution was to explicitly stipulate this condition and address it ONLY for the default VLAN, as below, after this first part.
The below was then scripted:
(BTW, I learned from the same support engr that the below "netmask-ish" references are not netmask designations but wildcard mask designations, as shown in the wiki)
http://en.wikipedia.org/wiki/Wildcard_mask
access-list 100 permit ip any 10.100.4.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.2.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.3.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.4.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.5.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.6.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.7.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.8.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.9.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.11.0 0.0.0.255
access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.12.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip any 10.100.4.0 0.0.0.255
access-list 101 deny ip 10.100.0.0 0.0.15.255 10.100.0.0 0.0.15.255
access-list 101 permit ip any any
Access list 101 is applied to ports 3 and 5-12.
Access list 100 is applied to only port 1.
So we are denying subnetworks from 10.100.0.0 to 10.100.15.0, even though we are using only subnets 10.100.1.0 to 10.100.12.0; this gives you some expansion or future playing space.
Several tutorial links that I Googled and found useful as to ACLs in general, not just Netgear eqpt, although it is inclusive of Netgear eqpt as well ..
ACL quick tutorial over at Brocade :
http://www.brocade.com/support/Product_Manuals/ServerIron_SecuirtyGuide/acls.3.8.html
Then I Googled this and found the Cisco tutorials referenced below of good edu value.
https://www.google.com/#q=writing+acl+numbering+convention+1-99+100-199
For an even better and in-depth 6-part ACLs tutorial over @ Cisco:
http://blog.globalknowledge.com/technology/cisco/routing-switching/access-control-lists-part-1/
http://blog.globalknowledge.com/technology/cisco/routing-switching/access-control-lists-part-2/
http://blog.globalknowledge.com/technology/cisco/routing-switching/access-control-lists-acls-%E2%80%93-part-3/
http://blog.globalknowledge.com/technology/cisco/routing-switching/access-control-lists-part-4/
http://blog.globalknowledge.com/technology/cisco/routing-switching/access-control-lists-part-5/
http://blog.globalknowledge.com/technology/cisco/routing-switching/access-control-lists-part-6/
Will also try to follow up with a post as to HOW the ACLs were manipulated and applied to ports in the CLI (command line interface) of the switch.
all for now
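An added example (not from the post or from Netgear): a small evaluator for the two access lists above that applies the wildcard-mask matching the post links to, assuming first-match semantics with an implicit deny at the end, as on Cisco-style numbered ACLs. It lets you check what each list actually permits before applying it to a port, and it flags entries an earlier entry shadows. The sample hosts (x.x.x.10, 10.100.4.20 as the printer) are constructed.

```python
import ipaddress
# Constructed example, not the poster's config tool: evaluates numbered
# "access-list" entries with wildcard masks (first match wins, implicit deny).
def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    mask = 0xFFFFFFFF ^ ip(wildcard)  # 0 wildcard bit = bit must match network
    return ip(addr) & mask == ip(network) & mask

def parse_endpoint(tokens):
    if tokens[0] == "any":  # "any" == 0.0.0.0 with an all-ones wildcard
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> [wc] <dst> [wc]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = parse_endpoint(t[4:])
        dst, _ = parse_endpoint(rest)
        rules.append((t[2], src, dst))
    return rules

def evaluate(rules, src, dst):
    for action, (snet, swc), (dnet, dwc) in rules:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"  # implicit deny at the end of every ACL

def covers(a, b):
    """True when endpoint spec a (network, wildcard) contains all of spec b."""
    mask_a, mask_b = 0xFFFFFFFF ^ ip(a[1]), 0xFFFFFFFF ^ ip(b[1])
    return mask_a & mask_b == mask_a and ip(a[0]) & mask_a == ip(b[0]) & mask_a

def shadowed(rules):
    """Indices of entries that can never match: an earlier entry covers them."""
    return [j for j, (_, sj, dj) in enumerate(rules)
            if any(covers(si, sj) and covers(di, dj) for _, si, di in rules[:j])]
# The two lists from the post: 101 (ports 3 and 5-12) and 100 (port 1, VLAN 1).
ACL_101 = parse_acl("""access-list 101 permit ip any 10.100.4.0 0.0.0.255
access-list 101 deny ip 10.100.0.0 0.0.15.255 10.100.0.0 0.0.15.255
access-list 101 permit ip any any""")
ACL_100 = parse_acl("access-list 100 permit ip any 10.100.4.0 0.0.0.255\n" + "".join(
    f"access-list 100 deny ip 10.100.1.0 0.0.0.255 10.100.{v}.0 0.0.0.255\n"
    for v in range(2, 13)) + "access-list 100 permit ip any any")
```

Running it shows that in ACL 100 the deny from 10.100.1.0 to 10.100.4.0 is shadowed by the first permit, so VLAN 1 still reaches the printer subnet, and that ACL 100 has no entry for 10.100.13.0 to 10.100.15.0, unlike the 0.0.15.255 deny in ACL 101.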