
Re: M5300 oneway VLAN Routing

autoitaus
Tutor

M5300 oneway VLAN Routing

I have two VLANs, VLAN 1 and VLAN 2.

I want to allow computers in VLAN 1 to access the computers in VLAN 2.

I DO NOT want computers in VLAN 2 to be able to access computers in VLAN 1.

How would I go about this?

Model: GSM7352Sv2h2 | M5300-52G3ProSAFE 48-port Managed L3 Gigabit Stackable Switch
Message 1 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

Hi @autoitaus,

Welcome to the community! 🙂

Let me share the article below; use it as a guide to implement the network setup you want:

VLAN Routing on a NETGEAR Smart Switch

Regards,

DaneA
NETGEAR Community Team

Message 2 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

Thanks for the reply Dane, but I've already tried this previously and it hasn't worked. I've just tried again and confirmed that to be the case. When I add these rules in, traffic will not flow in either direction.

Refer to the screenshots.

Thanks

Message 3 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

The article provided blocks ALL communication between VLAN 10 and VLAN 20.

As mentioned in my original post, I need VLAN 10 to be able to access VLAN 20 but I do not want VLAN 20 to access VLAN 10.

Thanks

Message 4 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

"The article provided blocks ALL communication between VLAN 10 and VLAN 20."

As I mentioned in my previous response, use the article as a guide only. After VLAN Routing has been configured, you will have to create an ACL to allow computers in VLAN 1 to access the computers in VLAN 2 and another ACL to prevent computers in VLAN 2 from being able to access computers in VLAN 1.

For further assistance, you may open a chat or online support ticket with NETGEAR Support at any time.

Regards,

DaneA
NETGEAR Community Team

Message 5 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

In my screenshot I have two rules:

1. Deny Source 192.168.19.0/24 to Dest 172.29.240.0/24
2. Allow everything

Traffic from 172.29.240.0/24 to 192.168.19.0/24 does not match rule 1, therefore it will fall to rule 2 - allow all.

Message 6 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

The rule attached also allows two-way traffic as well, even though there is specifically a deny in there for one direction. I've tried logging a call with Netgear, but their online chat is down and so is their my.netgear.com portal - I've confirmed this with Netgear directly. I don't have time to spend hours on the phone, so the only other option on their support page is to post in the community forums (which is here).
Message 7 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

I apologize for the late response. Let's try this via console connection:

(M5300) #config
(M5300) (Config)#access-list 1 deny 192.168.19.0 0.0.0.255
(M5300) (Config)#access-list 1 permit ip any any

(M5300)#interface [VLAN 1 port members]
(M5300) (Interface [VLAN 1 port members])#ip access-group 1 in
(M5300) (Interface [VLAN 1 port members])#exit
(M5300) (Config)#exit

Let us know how it goes.

Regards,

DaneA
NETGEAR Community Team

Message 8 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

Error as per attached

Message 9 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

Kindly delete the previous ACL command then try this:

(M5300) #config
(M5300) (Config)#access-list 1 deny 192.168.19.0 0.0.0.255
(M5300) (Config)#access-list 1 permit any any

(M5300)#interface [VLAN 1 port members]
(M5300) (Interface [VLAN 1 port members])#ip access-group 1 in
(M5300) (Interface [VLAN 1 port members])#exit
(M5300) (Config)#exit

Let us know how it goes.

Regards,

DaneA
NETGEAR Community Team

Message 10 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

Error as per attached

Message 11 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

Kindly delete the previous ACL commands then try this below:

(M5300) #config
(M5300) (Config)#access-list 1 deny 192.168.19.0 0.0.0.255
(M5300) (Config)#access-list 1 permit 0.0.0.0 255.255.255.255

(M5300)#interface [VLAN 1 port members]
(M5300) (Interface [VLAN 1 port members])#ip access-group 1 in
(M5300) (Interface [VLAN 1 port members])#exit
(M5300) (Config)#exit

Let us know how it goes.

Regards,

DaneA
NETGEAR Community Team

Message 12 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

Hi Dane,

I need to attach the ACL to a VLAN, not individual ports. What is the syntax for this?

Message 13 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

The only way is to attach the ACL to the port members of the VLAN.

Regards,

DaneA
NETGEAR Community Team

Message 14 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

I find it extremely unlikely that a Layer 3 switch can't support multiple VLANs running on a single port. There is no way Netgear requires you to have a dedicated port for each and every VLAN when the switch supports thousands of VLANs, otherwise I'd need a switch with thousands of ports.

You can attach an ACL to a VLAN via the GUI, so there must be a way to do it via the console.

Refer to the attached.

Message 15 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

Sorry Dane, I understand what you're saying now. I attached the rule to deny traffic to all the ports that have that VLAN connected.

I did this, and it successfully blocked traffic coming from 192.168.19.0/24.

However, it also blocked all traffic coming from other subnets as well.

Message 16 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

I raised your concern with the NETGEAR Support Team and just got feedback today that the only way to achieve your goal is to set the VLAN 1 port members to also be untagged port members of VLAN 2. No ACL is needed; it is done via port membership only.

Regards,

DaneA
NETGEAR Community Team

Message 17 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

No that is not possible. There are 40 virtual servers running on 5 physical servers connected to 5 ports. Each port runs multiple servers with multiple VLANs. What I want to do (one way traffic to a segregated network) is stock standard Layer 3 switching.

Message 18 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

It would be best that you open a chat or online support ticket with NETGEAR Support at any time and discuss your current network setup and your concern.

Regards,

DaneA
NETGEAR Community Team

Message 19 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

I don't have a support contract, that's why I'm asking the community.

Message 20 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

It would be best if you post a screenshot or image of your detailed network setup showing how everything is connected. That way, community members might chime in and post suggestions.

Regards,

DaneA
NETGEAR Community Team

Message 21 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

setup.jpg

Sure - as above.

I want 192.168.1.1 to be able to access 192.168.19.1 but I DO NOT want 192.168.19.1 to access 192.168.1.1.

Message 22 of 27
jiska78
Tutor

Re: M5300 oneway VLAN Routing

Might be time to switch to buying Cisco switches instead of Netgear if they can't handle basic routing security rules.

Message 23 of 27
DaneA
NETGEAR Employee Retired

Re: M5300 oneway VLAN Routing

@autoitaus,

I also raised your concern with a higher tier of NETGEAR Support and got feedback today. According to the higher tier of NETGEAR Support, you can use extended ACLs with TCP flags. As a reference guide, kindly read pages 222-236 of the M5300 user manual here on how to do this.

Regards,

DaneA
NETGEAR Community Team

Message 24 of 27
autoitaus
Tutor

Re: M5300 oneway VLAN Routing

Thanks for your persistence.

Step 5 on Page 224 says:

(Netgear Switch) (Config)#access-list 101 deny tcp any flag +syn -ack

Switch says:

(2920-Stack) (Config)#access-list 101 deny tcp any flag +syn -ack
                                                                                                  ^
% Invalid input detected at '^' marker.

So, in other words, the manual has the incorrect syntax. Even if it did work, though, the next step binds to a port, rather than a VLAN.

Message 25 of 27
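The two approaches from this thread side by side, as an added example that is not NETGEAR's code or the poster's configuration: a stateless first-match ACL model showing why the plain source-subnet deny from message 6 also drops the return half of connections that VLAN 1 hosts open (the SYN-ACK is sourced from VLAN 2), while the TCP-flag rule suggested in message 24 blocks only new connection attempts from VLAN 2 and lets replies through. Subnets, hosts and flag values are constructed samples; on a real switch the ACL must still be bound to the right ports and direction, and the SYN-flag approach covers TCP only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network; the default matches any source
    proto: Optional[str] = None  # None: any protocol
    syn: Optional[bool] = None   # None: flag not examined (a plain IP rule)
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and self.proto in (None, p.proto)
                and self.syn in (None, p.syn)
                and self.ack in (None, p.ack))


def evaluate(acl: list[Rule], p: Packet) -> str:
    """Stateless first-match evaluation; no match means the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Message 6's rule pair: deny everything sourced in VLAN 2 (192.168.19.0/24), then permit all.
SUBNET_ACL = [Rule("deny", "192.168.19.0/24"), Rule("permit")]
# Message 24's idea: deny only connection attempts (SYN without ACK) sourced in VLAN 2.
FLAG_ACL = [Rule("deny", "192.168.19.0/24", "tcp", syn=True, ack=False), Rule("permit")]
# Message 16's symptom: a deny with no trailing permit also drops every other subnet.
DENY_ONLY_ACL = [Rule("deny", "192.168.19.0/24")]

# Constructed sample packets, all arriving from the VLAN 2 side toward VLAN 1 (172.29.240.0/24).
NEW_FROM_VLAN2 = Packet("192.168.19.10", "172.29.240.10", syn=True, ack=False)  # VLAN 2 opening a session
REPLY_TO_VLAN1 = Packet("192.168.19.10", "172.29.240.10", syn=True, ack=True)   # SYN-ACK to a VLAN 1 request
OTHER_SUBNET = Packet("10.0.0.5", "172.29.240.10", syn=True, ack=False)          # unrelated third subnet


def summarize(acl: list[Rule]) -> dict[str, str]:
    return {"new_from_vlan2": evaluate(acl, NEW_FROM_VLAN2),
            "reply_to_vlan1": evaluate(acl, REPLY_TO_VLAN1),
            "other_subnet": evaluate(acl, OTHER_SUBNET)}
```

A UDP or ICMP packet from VLAN 2 passes FLAG_ACL untouched, which is why the flag-based rule is only a partial substitute for stateful filtering.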