× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Start a New Discussion

Start a New Discussion

Orbi WiFi 7 RBE973
Reply

Port Based VLANs not isolated

KrustyK
Aspirant
Aspirant
‎2018-03-16 07:44 AM
‎2018-03-16 07:44 AM

Port Based VLANs not isolated

I

Hi,

 

I'm trying to configure port based vlan on netgear m4300 8x8f. According to this tutorial : https://kb.netgear.com/29997/How-to-create-Layer-2-VLANs-on-NETGEAR-ProSAFE-Switches, but there is no isolation between subnet.

 

Consider this graphics, with A = 192.168.2.X subnet, B = 192.168.4.X subnet and C = 192.168.5.X subnet :

 

scheme.png

I want two VLANs : VLAN2 = A + B and VLAN3 = A + C, and a trunk link between A and the switch. So, I've configure port 1/0/9 and 1/0/11 in VLAN2 (untag) and port 1/0/13 and 1/0/11 in VLAN2 (untag)  with the VLAN membership menu. After that, I've configure PVID = 2 / Vlan tag = 2 for 1/0/9 and PVID = 3 / Vlan tag = 3 for 1/0/13.  But i still ping C from B and i don't understand why ...

 

Any advises will be welcome.

 

Best regards

 

Message 1 of 5
Labels:
0 Kudos
Reply
TheEther
Guru
Guru
‎2018-03-16 05:59 PM
‎2018-03-16 05:59 PM

Re: Port Based VLANs not isolated

It's unusual for VLANs to span multiple IP subnets. I'm guessing that you are trying to use VLANs to block traffic between the subnets. That may work from a Layer 2 perspective, but it can be completely undone by the router, which you haven't identified.

The router is where you need to implement policies to block inter-subnet traffic. Otherwise, a ping from B will go the router, which will happily forward it to C and back.
Message 2 of 5
0 Kudos
Reply
KrustyK
Aspirant
Aspirant
‎2018-03-18 07:20 AM
‎2018-03-18 07:20 AM

Re: Port Based VLANs not isolated

Hi @TheEther,

 

Thanks for the reply, is there any approach to isolate subnets with switch only ? 

 

Best regards,

Message 3 of 5
0 Kudos
Reply
TheEther
Guru
Guru
‎2018-03-18 08:33 AM
‎2018-03-18 08:33 AM

Re: Port Based VLANs not isolated

Even though your switch is a Layer 3 switch, AFAICT, no it has no way of isolating subnets beyond the simple act of putting them in separate VLANs.

Does your router support VLANs?
Message 4 of 5
0 Kudos
Reply
schumaku
Guru Guru
Guru
‎2018-03-19 01:06 AM
‎2018-03-19 01:06 AM

Re: Port Based VLANs not isolated

@KrustyKwrote:

 

Thanks for the reply, is there any approach to isolate subnets with switch only ? 

 

By definition and implying proper configuration, VLANs are isolated L2 networks. EIther you have some L3 routing in place (on a switch, on a router, on any host), interconnect the VLANs somehow, or there is a faulty device not properly handling a VLAN trunk (with tagged VLANs) creating an interconnection.

Message 5 of 5
0 Kudos
Reply
Top Contributors
See All
Discussion stats
  • 4 replies
  • ‎2018-03-16 07:44 AM
  • 1568 views
  • 0 kudos
  • 3 in conversation
Announcements