RugbyWreck
Aspirant

VLAN Security

Hi. I have 8 GS728TP ProSafe switches (and a couple of GS752TPs) in the company network which I have set up using VLAN 1 for the data network, PCs, laptops etc. and VLAN 2 for the telephone system plus one or two other devices I don't want on the data network. All is working well and as it should but I now have a need to secure both VLANs and prevent all but required access from one VLAN to the other.

 

There are about half a dozen devices on VLAN 2 that need access to VLAN 1 and just one device on VLAN 1 that needs access to VLAN 2. In order to ensure the utmost security I'd like to be able to limit access by the MAC address of the devices but doing via the IP would also work.

 

I have looked at the security page on the switch management via the web access but can't quite figure out what it is I need to be doing, having not dealt with security before. Can anyone point me to a resource that would explain how this works and how I need to set it up? Or does someone with experience of this have a simple explanation of how it's done?

Model: GS728TP|ProSAFE 24-port PoE Smart Switch with 8 PoE+-port
Message 1 of 10

JohnC_V
NETGEAR Moderator

Re: VLAN Security

Hi RugbyWreck,

 

It seems that you want some of your devices on VLAN 2 to communicate with VLAN 1. You may need to enable InterVLAN Routing on your firewall in order to do this, as the GS728TP and GS752TP are smart switches only and they don't support VLAN routing.

 

Regards,

Message 2 of 10
RugbyWreck
Aspirant

Re: VLAN Security

Hi John,

 

Thanks for the response but what you're telling me doesn't seem to make sense?

 

If I use the switch IP address on the VLAN as the gateway IP for the devices on that VLAN (the switch itself has a separate gateway which is a firewall/router) then devices on both VLANs can communicate with the other as the switch is obviously aware of both IP address ranges. Any requests for resources that aren't on either VLAN are then passed to the firewall/router and out onto the internet etc., which is how I need it to work and it does.

 

The problem I have is that I only want specific devices on each of the VLANs to be able to communicate with devices on the other. Would this be as easy as making sure that the gateway IPs on the specific devices take them to the switch whereas all other devices have a gateway IP that takes them directly to the firewall/router?

 

Regards,

Tom Burbury

Message 3 of 10
JohnC_V
NETGEAR Moderator

Re: VLAN Security

@RugbyWreck,

 

It would not work with this setup as these are 2 different networks. The switch's IP is different from the devices connected to it. We cannot let specific devices communicate with the other subnet unless routing is enabled on your network. Even if you change the default gateway on each device, it would still not work as it doesn't have a route towards the other network.

 

Regards,

Message 4 of 10
JohnC_V
NETGEAR Moderator

Re: VLAN Security

@RugbyWreck,

 

I would like to have a follow up on this thread. Please let us know if you still need further assistance and just in case that the reply would be the answer to your issue. I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

 

Regards,

Message 5 of 10
Hopchen
Prodigy

Re: VLAN Security

Hi Tom,

 

Don't change the devices' default gateway as all the inter-VLAN routing is working right now. You just need to block devices from communicating across to the other VLAN.

 

You need to use ACLs for this and they can be implemented on the switches. That is the standard way to do what you are after.

 

 

Cheers

Message 6 of 10
RugbyWreck
Aspirant

Re: VLAN Security

Hi Hopchen,

 

That sounds like what I need and was what I thought I'd need to do in order to implement this sort of security. Is there a breakdown anywhere of how to do this that you know of? I've looked at the settings on the switches and it's not very clear or obvious what I'd need to do to make this work.

 

Regards

Message 7 of 10
Hopchen
Prodigy

Re: VLAN Security

Hi again,

The ACLs you are looking for are called extended ACLs. They are numbered 100-199 and can be created by going to: "Security" --> "ACL" --> "Advanced" --> "IP ACL" --> In the "IP ACL ID" type 100 and click "Add".

 

This will create rule table 100. Now, you can add rules to the table as you wish. Go to "IP Extended Rules" and you can see your table here. You can start adding rules.

 

Once you have the rules you need, then you can bind the rules to ports via the menu "IP Binding Table".


A few notes about ACLs.
1. They use wildcard masks instead of subnet masks.
2. ACLs are read from top --> bottom. This means specific rules on top, general rules at the bottom.
3. Remember that the default (hidden) rule on an ACL is "Deny All". What you want is block some stuff and allow the rest. This means that your last rule should be Permit All.
4. The ACL direction is Inbound on these switches. That matters for how you create the ACL 🙂
5. Only bind the ACL on the relevant ports. If you bind it to all ports and you make a mistake, you might block access to the switch itself, which you in turn can't recover from (as the ACL is applied on all ports and there is no console port on these models).


Here is a Netgear KB about it: https://kb.netgear.com/21714/How-do-I-set-up-an-IP-Access-Control-List-ACL-with-two-rules-using-the-...

 


Cheers!

Message 8 of 10
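As an added illustration (not from the post, and not NETGEAR's own code), here is a small Python model of how the switch evaluates the extended ACL described above: wildcard masks, top-to-bottom first match, the hidden Deny All, and a rule table for Tom's scenario bound inbound on the VLAN 2 ports. The addresses 192.168.1.0/24 (VLAN 1), 192.168.2.0/24 (VLAN 2), the switch management address 192.168.1.1 and the allowed phone-side hosts are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the thread's scenario (assumption, not from the post):
# VLAN 1 (data) = 192.168.1.0/24, VLAN 2 (phones) = 192.168.2.0/24, switch mgmt = 192.168.1.1.
VLAN1, VLAN2, SWITCH_MGMT = "192.168.1.0", "192.168.2.0", "192.168.1.1"
ANY = ("0.0.0.0", "255.255.255.255")   # base/wildcard pair that matches every address
HOST = "0.0.0.0"                        # wildcard that matches exactly one address

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def subnet_to_wildcard(netmask):
    """Note 1: the wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _int(netmask)))

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match the base; a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)

def evaluate(acl, src, dst):
    """Note 2: first matching rule wins. Note 3: no match falls to the hidden Deny All."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

def build_vlan2_acl(allowed_hosts):
    """Rule table 100 for the ports where VLAN 2 devices connect (note 4: inbound only):
    specific permits on top, deny the rest of VLAN 2 -> VLAN 1, then Permit All so that
    phone traffic to the internet and the gateway keeps working."""
    wc = subnet_to_wildcard("255.255.255.0")
    net1, net2 = (VLAN1, wc), (VLAN2, wc)
    return ([("permit", (h, HOST), net1) for h in allowed_hosts]
            + [("deny", net2, net1), ("permit", ANY, ANY)])

def reaches_management(acl, admin_host):
    """Note 5: check a host behind the bound ports can still reach the switch's own IP."""
    return evaluate(acl, admin_host, SWITCH_MGMT) == "permit"

if __name__ == "__main__":
    acl = build_vlan2_acl(["192.168.2.10", "192.168.2.11"])
    print(evaluate(acl, "192.168.2.10", "192.168.1.50"))  # permit: listed phone-side host
    print(evaluate(acl, "192.168.2.99", "192.168.1.50"))  # deny: any other VLAN 2 host
    print(evaluate(acl, "192.168.2.99", "203.0.113.7"))   # permit: off-VLAN traffic untouched
    print(reaches_management(acl, "192.168.2.99"))        # False: would lose switch access
```

Swapping the deny line above the specific permits in `build_vlan2_acl` denies the allowed hosts too, which is the ordering mistake note 2 warns about.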
RugbyWreck
Aspirant

Re: VLAN Security

Hi Hopchen,

 

Thanks for the response and the links. I'll go away and study those and decide on the rules I need, but this looks to do what I'm trying to set up, so thank you again.

 

Regards

Message 9 of 10
Hopchen
Prodigy

Re: VLAN Security

No worries. Give a shout if you need assistance with the ACLs.

 

Cheers

Message 10 of 10