M5300 oneway VLAN Routing
I have two VLANs, VLAN 1 and VLAN 2
I want to allow computers in VLAN 1 to access the computers in VLAN 2
I DO NOT want computers in VLAN 2 to be able to access computers in VLAN 1
How would I go about this?
Re: M5300 oneway VLAN Routing
Hi @autoitaus,
Welcome to the community! 🙂
Let me share the article below; use it as a guide to implement the network setup you want:
VLAN Routing on a NETGEAR Smart Switch
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
Thanks for the reply, Dane, but I've already tried this previously and it hasn't worked. I've just tried again and confirmed that to be the case. When I add these rules in, traffic will not flow in either direction.
Refer screenshots.
Thanks
Re: M5300 oneway VLAN Routing
The article provided blocks ALL communication between VLAN 10 and VLAN 20.
As mentioned in my original post, I need VLAN 10 to be able to access VLAN 20 but I do not want VLAN 20 to access VLAN 10.
Thanks
Re: M5300 oneway VLAN Routing
The article provided blocks ALL communication between VLAN 10 and VLAN 20.
As I mentioned in my previous response, use the article as a guide only. After VLAN Routing has been configured, you will have to create an ACL to allow computers in VLAN 1 to access the computers in VLAN 2 and another ACL to prevent computers in VLAN 2 from accessing computers in VLAN 1.
For further assistance, you may open a chat or online support ticket with NETGEAR Support at any time.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
In my screenshot I have two rules
1. Deny Source 192.168.19.0/24 to Dest 172.29.240.0/24
2. Allow everything
Traffic from 172.29.240.0/24 to 192.168.19.0/24 does not match rule 1, therefore it will fall to rule 2 - allow all.
Re: M5300 oneway VLAN Routing
I apologize for the late response. Let's try this via console connection:
(M5300) #config
(M5300) (Config)#access-list 1 deny 192.168.19.0 0.0.0.255
(M5300) (Config)#access-list 1 permit ip any any
(M5300) (Config)#interface [VLAN 1 port members]
(M5300) (Interface [VLAN 1 port members])#ip access-group 1 in
(M5300) (Interface [VLAN 1 port members])#exit
(M5300) (Config)#exit
Let us know how it goes.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
Kindly delete the previous ACL command then try this:
(M5300) #config
(M5300) (Config)#access-list 1 deny 192.168.19.0 0.0.0.255
(M5300) (Config)#access-list 1 permit any any
(M5300) (Config)#interface [VLAN 1 port members]
(M5300) (Interface [VLAN 1 port members])#ip access-group 1 in
(M5300) (Interface [VLAN 1 port members])#exit
(M5300) (Config)#exit
Let us know how it goes.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
Kindly delete the previous ACL commands then try this below:
(M5300) #config
(M5300) (Config)#access-list 1 deny 192.168.19.0 0.0.0.255
(M5300) (Config)#access-list 1 permit 0.0.0.0 255.255.255.255
(M5300) (Config)#interface [VLAN 1 port members]
(M5300) (Interface [VLAN 1 port members])#ip access-group 1 in
(M5300) (Interface [VLAN 1 port members])#exit
(M5300) (Config)#exit
Let us know how it goes.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
Hi Dane,
I need to attach the ACL to a VLAN, not individual ports. What is the syntax for this?
Re: M5300 oneway VLAN Routing
The only way is to attach the ACL to the port members of the VLAN.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
I find it extremely unlikely that a Layer 3 switch can't support multiple VLANs running on a single port. There is no way Netgear requires you to have a dedicated Port for each and every VLAN when the switch supports thousands of VLANs, otherwise I'd need a switch with thousands of Ports.
You can attach an ACL to a VLAN via the GUI, so there must be a way to do it via the console
Refer attached
Re: M5300 oneway VLAN Routing
Sorry Dane, I understand what you're saying now. Attached the Rule to Deny traffic to all the Ports that have that VLAN connected.
I did this, and it successfully blocked traffic coming from 192.168.19.0/24
However, it also blocked all traffic coming from other subnets as well.
Re: M5300 oneway VLAN Routing
I raised your concern with the NETGEAR Support Team and just got feedback today that the only way to achieve your goal is to set the VLAN 1 port members to also be untagged port members of VLAN 2. No ACL needed, just port membership.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
No that is not possible. There are 40 virtual servers running on 5 physical servers connected to 5 ports. Each port runs multiple servers with multiple VLANs. What I want to do (one way traffic to a segregated network) is stock standard Layer 3 switching.
Re: M5300 oneway VLAN Routing
It would be best that you open a chat or online support ticket with NETGEAR Support at any time and discuss your current network setup and your concern.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
I don't have a support contract, that's why I'm asking the community.
Re: M5300 oneway VLAN Routing
It would be best if you post a screenshot or image of your detailed network setup showing how everything is connected. That way, community members might chime in and post suggestions.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
Sure - as above.
I want 192.168.1.1 to be able to access 192.168.19.1 but I DO NOT want 192.168.19.1 to access 192.168.1.1
Re: M5300 oneway VLAN Routing
Might be time to switch to buying Cisco switches instead of Netgear if they can't handle basic routing security rules.
Re: M5300 oneway VLAN Routing
I also raised your concern with the higher tier of NETGEAR Support and got feedback today. As per the higher tier of NETGEAR Support, you can use extended ACLs with TCP flags. As a reference guide, kindly read pages 222-236 of the M5300 user manual here on how to do this.
Regards,
DaneA
NETGEAR Community Team
Re: M5300 oneway VLAN Routing
Thanks for your persistence.
Step 5 on Page 224 says:
(Netgear Switch) (Config)#access-list 101 deny tcp any flag +syn -ack
Switch says:
(2920-Stack) (Config)#access-list 101 deny tcp any flag +syn -ack
^
% Invalid input detected at '^' marker.
So, in other words, the manual has the incorrect syntax. Even if it did work, though, the next step binds to a Port, rather than a VLAN.
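Two points in the thread deserve a worked illustration: the two-rule set in the "deny 192.168.19.0/24 to 172.29.240.0/24, allow everything" post, and the later suggestion from NETGEAR support to use an extended ACL with TCP flags. The Python below is an added example written for this page; it is not code from the thread, from the M5300 firmware, or from NETGEAR, and it does not reproduce the switch CLI syntax. It models a stateless, first-match ACL with an implicit deny at the end, bound inbound on the VLAN 19 port members only, and uses the 192.168.1.0/24 and 192.168.19.0/24 networks from the later post with constructed host addresses ending in .10. It shows why a plain deny on the VLAN 19 to VLAN 1 direction also kills the reply half of every TCP connection opened from VLAN 1 (so traffic fails "in both directions"), while denying only SYN-without-ACK from VLAN 19 lets replies through and still blocks VLAN 19 from opening connections. The caveat at the end is the part a practitioner needs: a stateless flag match says nothing about UDP or ICMP, and a bare ACK segment from VLAN 19 is still forwarded, so a real one-way policy for all protocols needs a stateful firewall between the VLANs, not an ACL alone.

```python
"""Stateless ACL simulator for the one-way VLAN routing question.

Added example for this page, not code from the thread or from NETGEAR.
Assumptions: first-match evaluation with implicit deny, ACL bound inbound
on the VLAN 19 port members, constructed hosts 192.168.1.10 / 192.168.19.10.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLAN1_NET = "192.168.1.0/24"    # the VLAN that is allowed to initiate
VLAN19_NET = "192.168.19.0/24"  # the segregated VLAN that must not initiate


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()   # TCP flags set on the segment, e.g. {"syn"}


@dataclass(frozen=True)
class Rule:
    action: str                             # "permit" or "deny"
    proto: str = "ip"                       # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    flags_set: frozenset = frozenset()      # like "+syn": flag must be set
    flags_clear: frozenset = frozenset()    # like "-ack": flag must be clear

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        # Flag conditions can only ever match TCP segments.
        if (self.flags_set or self.flags_clear) and pkt.proto != "tcp":
            return False
        return self.flags_set <= pkt.flags and not (self.flags_clear & pkt.flags)


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule wins; the ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def inbound_on_vlan19(acl: list, pkt: Packet) -> str:
    """The ACL is bound inbound on the VLAN 19 port members only, so frames
    entering the switch from VLAN 1 hosts never hit it."""
    if ip_address(pkt.src) in ip_network(VLAN19_NET):
        return evaluate(acl, pkt)
    return "permit"


def handshake_completes(acl: list, client: str, server: str) -> bool:
    """True if all three segments of a TCP handshake get past the ACL."""
    handshake = [
        Packet(client, server, "tcp", frozenset({"syn"})),
        Packet(server, client, "tcp", frozenset({"syn", "ack"})),
        Packet(client, server, "tcp", frozenset({"ack"})),
    ]
    return all(inbound_on_vlan19(acl, p) == "permit" for p in handshake)


# The rule pair from the thread: a plain deny on the VLAN 19 -> VLAN 1 direction.
NAIVE_ACL = [
    Rule("deny", "ip", VLAN19_NET, VLAN1_NET),
    Rule("permit"),
]

# What the TCP-flag suggestion amounts to: drop only connection *attempts*
# (SYN set, ACK clear) sourced in VLAN 19; reply segments carry ACK and pass.
ESTABLISHED_ACL = [
    Rule("deny", "tcp", VLAN19_NET, VLAN1_NET,
         flags_set=frozenset({"syn"}), flags_clear=frozenset({"ack"})),
    Rule("permit"),
]

VLAN1_HOST, VLAN19_HOST = "192.168.1.10", "192.168.19.10"  # constructed hosts

if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("tcp-flag", ESTABLISHED_ACL)):
        print(f"{name:8} VLAN1 -> VLAN19 TCP: {handshake_completes(acl, VLAN1_HOST, VLAN19_HOST)}")
        print(f"{name:8} VLAN19 -> VLAN1 TCP: {handshake_completes(acl, VLAN19_HOST, VLAN1_HOST)}")
    # Caveat: the flag rule does nothing for UDP/ICMP, and a bare ACK from
    # VLAN 19 is still forwarded (it cannot open a connection, but it arrives).
    udp = Packet(VLAN19_HOST, VLAN1_HOST, "udp")
    ack = Packet(VLAN19_HOST, VLAN1_HOST, "tcp", frozenset({"ack"}))
    print("tcp-flag VLAN19 -> VLAN1 UDP:", inbound_on_vlan19(ESTABLISHED_ACL, udp))
    print("tcp-flag VLAN19 -> VLAN1 bare ACK:", inbound_on_vlan19(ESTABLISHED_ACL, ack))
```

Run it as a script to see the four handshake outcomes and the two caveat packets. The naive ACL fails both handshakes because the SYN-ACK from the VLAN 19 server is itself a VLAN 19 to VLAN 1 packet; the flag-based ACL completes the VLAN 1 initiated handshake and refuses the VLAN 19 initiated one, but it is only a TCP-level approximation of "established", which is why the UDP and bare-ACK packets are still permitted.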