
Author Topic: Overlapping VLAN  (Read 6181 times)

tom_fahy

  • Level 1 Member
  • *
  • Posts: 3
Overlapping VLAN
« on: June 27, 2015, 05:06:21 AM »

Hi, sorry I am a bit of a networking noob, so excuse my limited knowledge.

I need to install 3 different VLANS on a DGS-1248T.

The first should have access to the LAN only (no internet access): computers and devices that need to pull files and programs from the server but cannot access the internet, for example a warehouse terminal that needs access to the SAP server.

The second should have access to both the company LAN and the Internet, for example managers' and admin terminals.

The third should have internet access only: guest users, public wifi, etc.

My naive solution would be to create overlapping ports - for example port 1 on the DGS-1248T (switch from now on) would be connected to the internet gateway router (DSL line) and port 2 to the server.

VLAN 1 would have all terminals requiring access to server - plus port 2 (server access)

VLAN 2 would have all manager terminals and admin terminals - plus port 1 and 2 (internet and server access)

VLAN 3 would have a WAP and two or three guest LAN sockets - plus port 1 (internet access)


Hopefully you can get an idea of what I am trying to do from that info, and suggest the correct way of doing it on the DGS-1248T.

Thanks

Logged

tom_fahy

  • Level 1 Member
  • *
  • Posts: 3
Re: Overlapping VLAN
« Reply #1 on: June 29, 2015, 06:23:52 AM »

Could someone even tell me if it is possible or not?

Thanks
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Overlapping VLAN
« Reply #2 on: June 29, 2015, 06:52:33 AM »

Link>Welcome!

  • What region are you located in?

Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: Overlapping VLAN
« Reply #3 on: June 29, 2015, 02:31:54 PM »

Hi,

before thinking about VLANs and how to configure them, we should first clarify what your communication needs are! A VLAN in general means that you also have a separate IP subnet per VLAN, say 192.168.1.0/24 for VLAN 1, 192.168.2.0/24 for VLAN 2 and 192.168.3.0/24 for VLAN 3. Given this, a simple solution to your problem could look like this:


|--- VLAN1 ---.
              |
           .-----.
           |  S1 |
           |     |
          -+-SRV-+-
           |     |
           | S2  |
           `-----´
              |      .-----.        .--.   .--.
|--- VLAN2 ---+------|R1   |       /    `-´    `
                     | RTR |WAN---+  INTERNET   )
|--- VLAN3 ----------|R2   |       \    .-.    .
                     `-----´        `--´   `--´


Here SRV is your server and RTR is your Internet router. To make this scenario work, the following conditions must be met:
  • SRV must have two network interfaces S1 and S2 connecting to VLAN 1 and VLAN 2 respectively. S1 and S2 can either be two physical NICs or two logical interfaces (belonging to different VLANs) sharing a single physical NIC. Linux supports that kind of logical interface, while with Windows it is the job of the NIC driver to provide this feature.
  • IP routing between S1 and S2 must be disabled to prevent VLAN 1 from accessing the Internet.
  • RTR must provide two different LAN ports R1 and R2 (with two different IP subnets for the connected LANs/VLANs), where R1 is for the trusted LAN and R2 is for the guests.
  • RTR must prohibit IP routing between R1 and R2. Only routing to the Internet (R1<->WAN, R2<->WAN) must be allowed.

Hence ...
  • ... clients in VLAN 1 can only access SRV via its interface S1, but not VLAN 2, VLAN 3 or the Internet.
  • ... clients in VLAN 2 can only access SRV via its interface S2 and the Internet via R1, but not VLAN 1 or VLAN 3.
  • ... clients in VLAN 3 can only access the Internet via R2, but not VLAN 1 or VLAN 2.

Before proceeding with VLAN configuration, your feedback is needed on whether your server SRV and your router RTR can satisfy the requirements listed above. If not, a more complex but also more general and flexible solution using a firewall is needed.

Quote
My naive solution would be to create overlapping ports  - for example port 1 on DGS-1248t (switch from now on) would be connected to internet gateway router (DSL line) and port 2 to the server.  ...

Sharing ('overlapping') a port, e.g. port 2 connecting to the server, among two VLANs (1 and 2 in your case) does not work if the connected server only has a single logical network interface. For each VLAN assigned to a switch port you would need a separate logical network interface on the server side, where all logical network interfaces share a single physical server NIC. Or your server has two physical NICs connecting to two different switch ports, one assigned to VLAN 1 and the other assigned to VLAN 2. See bullet [1] listed above.

In the same way your router RTR must either support two logical network interfaces sharing the same physical LAN port or (more likely) have two physical LAN ports R1 and R2, one for the standard (trusted) LAN and the other for the guest LAN. See bullet [3] listed above.


PT
« Last Edit: June 29, 2015, 03:06:43 PM by PacketTracer »
Logged

tom_fahy

  • Level 1 Member
  • *
  • Posts: 3
Re: Overlapping VLAN
« Reply #4 on: June 30, 2015, 11:47:02 PM »

Thanks for the really detailed and informative answer.

I could just add another NIC to the server, giving it a different subnet to satisfy that requirement. On the router side I don't think so; it is a simple modem/router with an integrated 4-port switch. I will have a look at the interface to see if there is an option there.

If not, I could buy a router which has such a function and place it before the gateway router, no?

Getting back to the firewall: is there a hardware solution in which I could choose which ports on the switch have access to internet or LAN services or both?

Thanks again
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: Overlapping VLAN
« Reply #5 on: July 01, 2015, 05:40:18 PM »

Quote
If not, I could buy a router which has such a function and place it before the gateway router, no?

In this case you have two choices:
  • If the new router has a built-in modem, replace your present gateway router with the new one.
  • If the new router doesn't have a built-in modem, place it before your present gateway. To prevent double NAT, bridge your present gateway, that is, reduce its function to be a modem only and not a router.

Quote
Getting back to the firewall: is there a hardware solution in which I could choose which ports on the switch have access to internet or LAN services or both?

Yes, for example look at the following picture, where your gateway router is either replaced by a firewall (if the firewall has a built-in modem) or where the firewall is placed behind your gateway router, which is reduced to work as a modem only:


                         .----------------------------.
                         |                            |
                         |          FIREWALL          |
                         |                            |
                       .-+-.                          |
                       |   |                          |
|-- VLAN1----------- LAN1 <-----.                     |
                       |   |    |                     |
                       `-+-´    |                     |
         .-----.         |      |                     |
         |     |         |      |                     |
         | SRV |         |      |                     |
         |     |         |      |                     |
         `--+--´       .-+-.    |                     |
            |          |  <-----´                     |
|-- VLAN2---+------- LAN2  |                          |
                       |  -----------------------.    |
                       `-+-´                     |  .-+-.          .--.   .--.
                         |                       `--->  |         ´    `-´    `
                         |                          |  WAN ------(  INTERNET   )
                         |                       .--->  |         .    .-.    .
                       .-+-.                     |  `-+-´          `--´   `--´
                       |   |                     |    |
|-- VLAN3----------- LAN3 -----------------------´    |
                       |   |                          |
                       `-+-´                          |
                         |                            |
                         `----------------------------´


Here it is assumed that the firewall has at least three layer 3 ports LAN1, LAN2, LAN3 (that is, they belong to three different IP subnets) which have to be connected to 3 switch ports, where these switch ports have different VLANs VLAN1, VLAN2 and VLAN3. Your server SRV is connected to VLAN2 (that is, to another switch port that is assigned VLAN2). Inside your firewall you would allow traffic between LAN ports LAN1 and LAN2 in both directions. But you will only allow traffic from ports LAN2 and LAN3 to pass to the WAN port, that is, to the Internet. All other communication (WAN --> LANx, LAN1 --> WAN, LAN3 <--> LAN1, LAN3 <--> LAN2) is blocked.

The same holds true for the following slightly different scenario:


                         .----------------------------.
                         |                            |
                         |          FIREWALL          |
                         |                            |
                         |           .---.            |
                         |           |   |            |
|-- VLAN1-----------.    |    .---- LI1 <----.        |
                    |    |    |      |   |   |        |
                    |    |    |      `---´   |        |
         .-----.    |    |    |              |        |
         |     |    |    |    |              |        |
         | SRV |    |    |    |              |        |
         |     |    |    |    |              |        |
         `--+--´    |  .-+-.  |      .---.   |        |
            |       `---------´      |  <----´        |
|-- VLAN2---+-------- LAN --------- LI2  |            |
                    .---------.      |  ---------.    |
                    |  `-+-´  |      `---´       |  .-+-.          .--.   .--.
                    |    |    |                  `--->  |         ´    `-´    `
                    |    |    |                     |  WAN ------(  INTERNET   )
                    |    |    |                  .--->  |         .    .-.    .
                    |    |    |      .---.       |  `-+-´          `--´   `--´
                    |    |    |      |   |       |    |
|-- VLAN3-----------´    |    `---- LI3 ---------´    |
                         |           |   |            |
                         |           `---´            |
                         |                            |
                         `----------------------------´


Here the firewall only has a single layer 2 interface LAN. But it supports the feature to form a number of logical layer 3 interfaces, e.g. LI1, LI2 and LI3, where each of them is assigned a different VLAN, namely VLAN1, VLAN2 and VLAN3 respectively. In this case the LAN port connects to a single switch port, where this switch port has to be assigned the same three VLANs VLAN1, VLAN2 and VLAN3. Looking at allowed and blocked traffic flows, the same statements as in the above scenario are valid; you just have to replace LAN1 by LI1, LAN2 by LI2 and LAN3 by LI3.
Logged
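The zone policy PacketTracer describes in replies #3 and #5, written out as an added, runnable model (not code from the thread or from any D-Link product). Zone names follow the first firewall diagram (LAN1/LAN2/LAN3/WAN; the second diagram is the same table with LI1/LI2/LI3), and the per-VLAN /24 subnets are constructed after the numbering in reply #3.

```python
import ipaddress

# Firewall zones from the diagram: LAN1 = VLAN1 (LAN-only terminals),
# LAN2 = VLAN2 (managers/admins and SRV), LAN3 = VLAN3 (guests), WAN = Internet.
ZONES = ("LAN1", "LAN2", "LAN3", "WAN")

# Constructed addressing, one /24 per VLAN as suggested in reply #3.
SUBNETS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
    "LAN3": ipaddress.ip_network("192.168.3.0/24"),
}

# Allowed *new* connections as (source zone, destination zone). Anything not
# listed is blocked (default deny); replies belonging to an allowed connection
# are assumed to be passed by the firewall's connection tracking.
ALLOW = {
    ("LAN1", "LAN2"), ("LAN2", "LAN1"),  # trusted LAN <-> server VLAN, both ways
    ("LAN2", "WAN"),                     # managers/admins -> Internet
    ("LAN3", "WAN"),                     # guests -> Internet
}

def zone_of(ip):
    """Map an address to its zone; anything outside the three /24s counts as WAN."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in SUBNETS.items() if addr in net), "WAN")

def is_allowed(src_zone, dst_zone):
    """Zone-pair decision. Same-zone traffic is switched inside the VLAN and
    never reaches the firewall, so it is reported as not forwarded here."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        raise ValueError(f"unknown zone: {src_zone!r} -> {dst_zone!r}")
    return src_zone != dst_zone and (src_zone, dst_zone) in ALLOW

def decide(src_ip, dst_ip):
    """'allow' or 'drop' for a new connection from src_ip to dst_ip."""
    return "allow" if is_allowed(zone_of(src_ip), zone_of(dst_ip)) else "drop"

def reachable_from(zone):
    """Set of zones a host in `zone` may open connections to."""
    return {dst for dst in ZONES if is_allowed(zone, dst)}

def meets_requirements():
    """The three requirements of the original question, plus 'nothing from the Internet'."""
    return (reachable_from("LAN1") == {"LAN2"}             # VLAN1: server only
            and reachable_from("LAN2") == {"LAN1", "WAN"}  # VLAN2: LAN and Internet
            and reachable_from("LAN3") == {"WAN"}          # VLAN3: Internet only
            and reachable_from("WAN") == set())            # no inbound initiation
```

Running `meets_requirements()` is a quick way to re-check the table after editing ALLOW, e.g. when adding a printer VLAN later.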

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Overlapping VLAN
« Reply #6 on: August 13, 2015, 10:56:06 AM »

Any status on this?

Quote
Thanks for the really detailed and informative answer.

I could just add another NIC to the server, giving it a different subnet to satisfy that requirement. On the router side I don't think so; it is a simple modem/router with an integrated 4-port switch. I will have a look at the interface to see if there is an option there.

If not, I could buy a router which has such a function and place it before the gateway router, no?

Getting back to the firewall: is there a hardware solution in which I could choose which ports on the switch have access to internet or LAN services or both?

Thanks again
Logged