Inter-vlan communication + port access restriction

flipfl0p
Aspirant

Hi all. 

I'd like to have the following setup:

VLAN10 - Desktop users

VLAN20 - WLAN users

VLAN30 - Printers

VLAN50 - Management

 

I want users from VLAN10 and VLAN20 to:

- only be able to print from the printers on VLAN30 (a few specific open ports only)

- not have any access to each other

 

I also want admins from VLAN50 to have access to all other VLANs

 

1. What is a proper way of accomplishing the following in general?

 

I have a few GS108Tv2 switches at my disposal.

2a. What are my options with those + a router?

2b. Which switch should I consider in order to accomplish the task if only using a switch, without a router?

 

 

Additionally, I want to make sure that if the switch gets factory reset (incl. resetting all the port restrictions) and the complete network is opened and defaulted to VLAN1, none of the clients can access anything. (The router itself is physically secured; however, the rest of the switches unfortunately are not.)

3. How would I accomplish that?

 

 

Thanx in advance.

 

Model: GS108Tv2|ProSafe 8 ports gigabit smart switch
Message 1 of 7
flipfl0p
Aspirant

Re: Inter-vlan communication + port access restriction

up

Message 2 of 7
DaneA
NETGEAR Moderator

Re: Inter-vlan communication + port access restriction

@flipfl0p,

 

 

I'd like to have the following setup:

VLAN10 - Desktop users

VLAN20 - WLAN users

VLAN30 - Printers

VLAN50 - Management

 

I want users from VLAN10 and VLAN20 to:

- only be able to print from the printers on VLAN30 (a few specific open ports only)

- not have any access to each other

 

I also want admins from VLAN50 to have access to all other VLANs

 

1. What is a proper way of accomplishing the following in general?

Configure VLAN Routing for all VLANs. Then, configure ACLs (Access Control Lists) so that (a) VLAN 10 has no access to VLAN 20 and vice versa, (b) VLANs 10, 20 & 50 have access to VLAN 30 and (c) VLAN 50 has access to all VLANs.

 

 

I have a few GS108Tv2 switches at my disposal.

2a. What are my options with those + a router?

2b. Which switch should I consider in order to accomplish the task if only using a switch, without a router?

GS108Tv2 supports both VLANs and ACLs. If you will use a router, make sure that it is a VLAN-aware router, meaning one that supports VLANs and can act as a DHCP server for each VLAN.

 

If you will not use a VLAN-aware router, you will have to assign static IP addresses to all devices that will be connected to their respective VLANs.

 

 

Additionally, I want to make sure that if the switch gets factory reset (incl. resetting all the port restrictions) and the complete network is opened and defaulted to VLAN1, none of the clients can access anything. (The router itself is physically secured; however, the rest of the switches unfortunately are not.)

3. How would I accomplish that?

Once the switch is reset to factory defaults, all configured settings will be lost and it will go back to its default IP address as well as being a DHCP client. If you perform a factory reset on a switch, for example the GS108Tv2, it will go back to its default IP address, which is 192.168.0.239. While the GS108Tv2 is not connected to a network, you can simply access its web GUI by connecting a PC/laptop (that has a static IP address of 192.168.0.x, where x can be a number between 1 and 254).

 

After you perform a factory reset on the GS108Tv2 and then reconnect it to a network with a DHCP server (or a router), it will acquire an IP address. In order to access it, you will first need to know what IP address the GS108Tv2 obtained from the DHCP server.

 

If you need assistance on setting up VLANs and ACLs, you may open a support ticket with NETGEAR Support here at any time and one of the NETGEAR Support Experts will help you.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 3 of 7
flipfl0p
Aspirant

Re: Inter-vlan communication + port access restriction

@DaneA , thanx a lot for the reply.

 

RE: ...(c) VLAN 50 has access to all VLANs. 

But if there's inter-VLAN routing between VLAN50 and all others, the users would be able to access e.g. the web GUI, which is not desired. Should an ACL be applied so that VLAN50 has access to other VLANs, but not the other way around?

 

RE: GS108Tv2 supports both VLAN and ACL. 

 - Does GS108Tv2 support inter-VLAN routing then? 😮

(From what I read in the specs, it's only v3 that supports it)

 

RE: the GS108Tv2, it will go back to its default IP address which is 192.168.0.239.

Yes, of course, I obviously forgot to add the scenario where a rogue "specialist" aka persistent (ab)user resets the switch, sets it as a DHCP client and leaves the default VLAN1 for everyone. I want to make sure that if it happens, even though desktops will get their IPs from the router, they won't have access to anything unless the switch is properly configured and secured.

I see there's MAC learning and filtering, 802.1X and RADIUS, etc. I guess disabling VLAN1 on the router would do the trick, but from what I remember, it cannot be disabled on most vendors' devices. MAC filtering would be reset as well unless it's supported on the router as well... 802.1X and RADIUS would take time to set up properly from what I remember.

 - What would you recommend here?

 

 

Message 4 of 7
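The ACL policy from DaneA's answer (message 3) and the one-way access question asked just above can be checked on paper before touching the switch. The following Python model is an added example written for this thread, not code from NETGEAR or from the GS108Tv2; it assumes one /24 per VLAN (192.168.<vid>.0/24), assumes the printer services are raw port 9100, IPP 631 and LPD 515, and represents each ACL entry in plain Python rather than in the switch's web-GUI form. The "established" match (TCP ACK or RST set, the way stateless router ACLs let reply traffic back in) is the part that answers the one-way question: without it, VLAN50 can open sessions into VLAN10, but the replies are dropped. Whether the GS108Tv2 ACL editor can match TCP flags is not stated in the thread, so treat that as an assumption; if it cannot, the one-way rule belongs on a stateful firewall at the router instead.

```python
"""Check an inter-VLAN ACL policy against a list of intended flows.

Constructed example for this forum thread. Addressing, printer ports and
the rule representation are assumptions, not the GS108Tv2's own format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing: one /24 per VLAN.
VLAN_NETS = {
    10: ip_network("192.168.10.0/24"),   # desktop users
    20: ip_network("192.168.20.0/24"),   # WLAN users
    30: ip_network("192.168.30.0/24"),   # printers
    50: ip_network("192.168.50.0/24"),   # management
}
# Assumed printer services: raw/JetDirect, IPP, LPD.
PRINT_PORTS = frozenset({9100, 631, 515})


def vlan_of(ip: str) -> Optional[int]:
    """Map an IP address to its VLAN, or None if it is in no known VLAN."""
    addr = ip_address(ip)
    for vid, net in VLAN_NETS.items():
        if addr in net:
            return vid
    return None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    established: bool = False   # TCP ACK or RST set: reply traffic, not a new SYN


@dataclass(frozen=True)
class Rule:
    """One ACL entry. None means 'any' for that field."""
    action: str                          # "permit" or "deny"
    src_vlan: Optional[int] = None
    dst_vlan: Optional[int] = None
    proto: Optional[str] = None
    dports: Optional[frozenset] = None
    established_only: bool = False       # match only established TCP (assumed capability)

    def matches(self, pkt: Packet) -> bool:
        if self.src_vlan is not None and vlan_of(pkt.src) != self.src_vlan:
            return False
        if self.dst_vlan is not None and vlan_of(pkt.dst) != self.dst_vlan:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.established_only and not pkt.established:
            return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The policy from the thread, in evaluation order.
INTENDED = [
    Rule("permit", src_vlan=50),                                       # admins reach everything
    Rule("permit", dst_vlan=50, proto="tcp", established_only=True),   # only replies go back to VLAN50
    Rule("permit", 10, 30, "tcp", PRINT_PORTS),                        # desktops print
    Rule("permit", 20, 30, "tcp", PRINT_PORTS),                        # WLAN users print
    Rule("permit", 30, 10, "tcp", established_only=True),              # printer replies to jobs
    Rule("permit", 30, 20, "tcp", established_only=True),
    # VLAN10 <-> VLAN20 and everything else: implicit deny
]

# A common mistake: a broad deny placed above the specific permits.
MISORDERED = [Rule("deny", src_vlan=10)] + INTENDED

# Flows with the outcome the policy is supposed to give them (constructed).
EXPECTED = [
    (Packet("192.168.10.5", "192.168.20.5", "tcp", 445), "deny"),              # desktop -> WLAN user
    (Packet("192.168.10.5", "192.168.30.9", "tcp", 9100), "permit"),           # desktop prints
    (Packet("192.168.10.5", "192.168.30.9", "tcp", 80), "deny"),               # desktop -> printer admin page
    (Packet("192.168.20.7", "192.168.30.9", "tcp", 631), "permit"),            # WLAN user prints (IPP)
    (Packet("192.168.50.2", "192.168.30.9", "tcp", 80), "permit"),             # admin -> printer admin page
    (Packet("192.168.10.5", "192.168.50.2", "tcp", 443), "deny"),              # desktop opens session to mgmt
    (Packet("192.168.10.5", "192.168.50.2", "tcp", 51000, True), "permit"),    # reply to an admin's session
    (Packet("192.168.30.9", "192.168.10.5", "tcp", 51001, True), "permit"),    # printer replies to a job
    (Packet("192.168.30.9", "192.168.10.5", "tcp", 445), "deny"),              # printer opens session to desktop
]


def verify(rules):
    """Return the flows whose outcome differs from the intended one."""
    return [(pkt, want, got) for pkt, want in EXPECTED
            if (got := evaluate(rules, pkt)) != want]


if __name__ == "__main__":
    print("intended policy, mismatches:", verify(INTENDED))
    for pkt, want, got in verify(MISORDERED):
        print(f"misordered: {pkt.src} -> {pkt.dst}:{pkt.dport} wanted {want}, got {got}")
```

Running it shows the intended list passes every flow, while the misordered list silently breaks printing and the replies to the admin's sessions from VLAN10, which is exactly the kind of mistake an expected-flow list catches before users do.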
schumaku
Guru

Re: Inter-vlan communication + port access restriction


@flipfl0p wrote:

RE: the GS108Tv2, it will go back to its default IP address which is 192.168.0.239.

Yes, of course, I obviously forgot to add the scenario where a rogue "specialist" aka persistent (ab)user resets the switch, sets it as a DHCP client and leaves the default VLAN1 for everyone. I want to make sure that if it happens, even though desktops will get their IPs from the router, they won't have access to anything unless the switch is properly configured and secured.


The "fix" would be having a "catch-all" VLAN 1 going to a dead-end or a landing page on the complete network, whatever. So in the first iteration they "can't" 

 


@flipfl0p wrote:

I see there's MAC learning and filtering, 802.1X and RADIUS, etc. I guess disabling VLAN1 on the router would do the trick, but from what I remember, it cannot be disabled on most vendors' devices. MAC filtering would be reset as well unless it's supported on the router as well... 802.1X and RADIUS would take time to set up properly from what I remember.


What do you expect here? A factory default is what it is - you can't re-define the factory default settings.

 

There is nothing replacing physical security. No matter what kind of switch, router or wireless access point, almost regardless of the brand, if I'm a bad boy and have physical access I can fully take over control of each and every device. Even if there might be some protection for the factory reset button... but there are always backdoors. Figure.

 

 

Message 5 of 7
flipfl0p
Aspirant

Re: Inter-vlan communication + port access restriction

 
Message 6 of 7
flipfl0p
Aspirant

Re: Inter-vlan communication + port access restriction


@schumaku wrote:

@flipfl0p wrote:

RE: the GS108Tv2, it will go back to its default IP address which is 192.168.0.239.

Yes, of course, I obviously forgot to add the scenario where a rogue "specialist" aka persistent (ab)user resets the switch, sets it as a DHCP client and leaves the default VLAN1 for everyone. I want to make sure that if it happens, even though desktops will get their IPs from the router, they won't have access to anything unless the switch is properly configured and secured.


The "fix" would be having a "catch-all" VLAN 1 going to a dead-end or a landing page on the complete network, whatever. So in the first iteration they "can't" 


Was thinking about that too. Is the easiest way to implement it not to assign any ports to VLAN1 on the core (and physically secured) switch? I guess I could also exclude VLAN1 from the trunk between router and core switch.



@flipfl0p wrote:

I see there's MAC learning and filtering, 802.1X and RADIUS, etc. I guess disabling VLAN1 on the router would do the trick, but from what I remember, it cannot be disabled on most vendors' devices. MAC filtering would be reset as well unless it's supported on the router as well... 802.1X and RADIUS would take time to set up properly from what I remember.




What do you expect here? A factory default is what it is - you can't re-define the factory default settings.

 

There is nothing replacing physical security. No matter what kind of switch, router or wireless access point, almost regardless of the brand, if I'm a bad boy and have physical access I can fully take over control of each and every device. Even if there might be some protection for the factory reset button... but there are always backdoors. Figure.

 


You're absolutely right here, and let's not even include actual vulnerabilities. As mentioned, my "adversaries" are less smart, but very stubborn, and try to "fix" things themselves every time there are any issues with the internet or access to other resources like printers. As I said before, the core router and main switch (a GS108Tv2 as well) are reasonably physically secured; however, the switches at the tables are not. I guess I could implement MAC filtering on the main switch itself, but I was wondering whether the main switch can learn the MAC addresses from other switches which are connected to it?

Message 7 of 7
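The "catch-all VLAN 1 going to a dead end" idea from message 5 and the two concrete knobs proposed in message 7 (no ports in VLAN1 on the core switch, VLAN1 not carried on the router trunk) can be reasoned about with a small model of how the physically secured core switch classifies frames arriving from an unsecured edge switch. This is an added example written for this thread, not NETGEAR code; it uses the generic 802.1Q port model (a set of tagged VLANs plus a PVID for untagged frames), assumes the router's VLAN1 interface is still present (as the thread notes it usually cannot be disabled), and assumes a parking VLAN 999 with no router interface and no DHCP scope. The factory-reset edge switch is modelled as sending every desktop frame untagged, since all of its ports fall back to untagged VLAN1.

```python
"""Does a desktop behind a factory-reset edge switch still reach the router?

Constructed example for this forum thread. VLAN IDs 10/20/30/50 come from
the thread; the parking VLAN 999 and the port settings are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ROUTED = frozenset({10, 20, 30, 50})   # VLANs with a router interface and DHCP scope
QUARANTINE_VID = 999                   # assumed parking VLAN: no router interface, no DHCP


@dataclass(frozen=True)
class CorePort:
    """802.1Q settings of the core switch port facing an edge switch."""
    tagged: FrozenSet[int]   # VIDs accepted with an 802.1Q tag on this port
    pvid: int                # VID assigned to frames that arrive untagged


@dataclass(frozen=True)
class Topology:
    uplink: CorePort              # core port towards the (unsecured) edge switch
    router_trunk: FrozenSet[int]  # VIDs carried on the trunk between core switch and router
    router_vlans: FrozenSet[int]  # VIDs the router has an interface in


def classify(port: CorePort, vid: Optional[int]) -> Optional[int]:
    """VLAN a frame is forwarded in (None = dropped). vid None means untagged."""
    if vid is None:
        return port.pvid
    if vid in port.tagged:
        return vid
    return None   # tag not allowed on this port: ingress filtering drops the frame


def edge_frame_vid(reset: bool, access_vid: int) -> Optional[int]:
    """Tag a desktop frame carries when it leaves the edge switch's uplink.

    A configured edge switch tags it with the access port's VLAN; after a
    factory reset every port is untagged in VLAN 1, so the frame leaves untagged.
    """
    return None if reset else access_vid


def desktop_reaches_router(topo: Topology, reset: bool, access_vid: int = 10) -> bool:
    """True if the frame ends up in a VLAN that is trunked to, and routed by, the router."""
    vid = classify(topo.uplink, edge_frame_vid(reset, access_vid))
    return vid is not None and vid in topo.router_trunk and vid in topo.router_vlans


ALL_TAGGED = frozenset(ROUTED)

# Untagged frames fall into VLAN 1, and VLAN 1 is trunked and routed: fails open.
OPEN = Topology(CorePort(ALL_TAGGED, pvid=1),
                router_trunk=ALL_TAGGED | {1}, router_vlans=ROUTED | {1})
# Message 7's idea: keep VLAN 1 off the router trunk.
NO_VLAN1_TRUNK = Topology(CorePort(ALL_TAGGED, pvid=1),
                          router_trunk=ALL_TAGGED, router_vlans=ROUTED | {1})
# Both: park untagged frames in VLAN 999 and keep VLAN 1 off the trunk.
PARKED = Topology(CorePort(ALL_TAGGED, pvid=QUARANTINE_VID),
                  router_trunk=ALL_TAGGED, router_vlans=ROUTED | {1})


if __name__ == "__main__":
    for name, topo in [("open", OPEN), ("no VLAN1 on trunk", NO_VLAN1_TRUNK), ("parked", PARKED)]:
        print(f"{name:18} configured edge: {desktop_reaches_router(topo, reset=False)!s:5} "
              f"reset edge: {desktop_reaches_router(topo, reset=True)!s:5} "
              f"(reset hosts land in VLAN {classify(topo.uplink, None)})")
```

Two things the model makes visible: with VLAN1 absent from the router trunk the reset hosts get no gateway and no DHCP lease at all (so they will not "get their IPs from the router" as assumed earlier in the thread), and in every variant the hosts behind the reset switch still share one VLAN with each other, which is the residual risk schumaku's physical-security remark refers to.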