
Home Network Design help with L3 Switch

Discussion in 'Other LAN and WAN' started by trpltongue, Oct 18, 2019.

  1. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    Can you help me understand the ACL a bit more? I don't understand how the 2 statements work. The first seems to allow all DNS-UDP and the second denies the same thing?
     
  2. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    Look at the screen I added. I cut off part of the ACL. The second one should have the IP on it. I am going to delete all pictures and then re-add them.

    If you want to test add an access port to VLAN20 and plug in a PC. It should get an IP from DHCP in the 192.168.20.0 network and it should have internet access.
     
    Last edited: Nov 3, 2019
  3. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    That makes a lot more sense :)

    I've added the same now:

    ACL.PNG

    Just so I'm making sure I understand, if for some reason 9.9.9.9 goes down, I'll lose all DNS capability correct?
     
  4. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    yes -- I have never had it go down.
     
  5. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    Yeah, I'm not worried about it, just wanted to make sure I understood what the ACL was doing.

    So, now I'll need to add the guest network on my WAP using the 192.168.20.x network right?

    I need to add the new SSID to VLAN2, correct?
     
    Last edited: Nov 3, 2019
  6. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    If you want to test add an access port to VLAN20 and plug in a PC. It should get an IP from DHCP in the 192.168.20.0 network and it should have internet access.

    Now to add the guest VLAN to the wireless. You need to do 2 things.

    You need to go into your switch under VLAN management. Select Port to VLAN membership, then select your trunk port at the bottom and click the "join vlan" button. You then need to add VLAN20 down on the bottom left. It will add VLAN20 as a tagged VLAN to your trunk port. You will now see 2 VLANs assigned to your port. Save.

    Now go into your wireless and select wireless. Now select networks and add VLAN20 and your SSID for VLAN20. You need to do this for both radios if you want both radios. Save.

    Your wireless should now give out an IP for your guest SSID and have internet access.
     
  7. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    I'm having a hard time following the comment regarding "You then need to add VLAN20 down on the bottom left. It will add VLAN20 as a tagged VLAN. save"
    I'm not sure where to make this change on the VLAN membership screen:
    VLAN membership.PNG

    In the meantime, I've added an additional SSID on VLAN2 via the WAP gui as:
    Guest_Network.PNG
    After completing this step, I connected to the guest network and received an IP address from 192.168.20.254. Internet works, and I'm able to connect to the cisco equipment on the 192.168.10.x network, which I don't think is supposed to happen :)
     
  8. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    Capture4.PNG

    Your screen is different than mine. I need screen shots of your VLAN screens so I can figure out how to do this.

    Do you have a screen like this?
     
  9. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    Here are the vlan screens:
    port vlan membership.PNG
    VLAN membership.PNG
    Port to VLAN1.PNG
    port to VLAN2.PNG
     
  10. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    It looks like Port 3 is ready to go. I am not sure what 3-40941 is. Have you started on VLAN30?

    Test your wireless. Your switch may do it automatically on the trunk.
     
  11. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    I haven't started anything on VLAN30 yet.

    Does this screen help?
    VLAN interface settings.PNG

    The wireless works fine on the VLAN2 network. I get an IP address from 192.168.20.254 and can connect to the internet. The only problem is that I can also connect to all the cisco gear on the 192.168.10.x network, which I don't think is supposed to happen right? I don't want the guest network to be able to access my main VLAN.
     
  12. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    OK. You need to go into the switch and create an ACL barring VLAN20 from VLAN1. On my switch it is under access control.

    Capture5.PNG

    I am off to the Texas Monthly BBQ fest. Lots of BBQ and beer drinking.

    If you get on the wireless guest SSID you cannot edit the RV340 router. Try it.

    I am wrong for your router. My router is in a separate router VLAN which we can do later. I share a printer on my guest network so I believe 192.168.10.1 will not be blocked as I don't block the first part of the VLAN1 network so you will need to modify the ACL for your current setup with the router in VLAN1.
     
    Last edited: Nov 3, 2019
  13. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    Awesome! Have fun at the BBQ fest, I'm jealous and I'm in Houston!
     
  14. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    I added the ACE in the switch as below. But I can still access 192.168.10.254 from the guest network (I currently have an IP address of 192.168.20.21).

    Switch ACE.PNG

    I really want to block the guest network from everything else, not just individual IPs, but I am guessing if I block the guest network from the switch it should kill all communication, right?
     
  15. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    My guess is you need to use 192.168.10.1 as your destination IP address. Using 0.0.0.255 should block the whole class C. But you need to figure out what works for you.

    Did you bind the ACL to the port?

    PS
    I thought I read where you can use the VLANs instead of using IP addresses. Setup an ACL blocking by VLAN. It may work better for you.
     
    Last edited: Nov 3, 2019
  16. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    I tried to change the above to 10.1 and still didn't block access to the cisco gear when I logged into the guest network.

    I'll take a look at VLAN blocking.
     
  17. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    Did you bind the ACE to the port? ACEs work at the port level. ACLs work at a higher level. Which are you doing?
     
  18. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    Okay, so I think I got it working.

    Had to modify the ACE a bit as below:
    Switch ACE.PNG

    Then I bound it to VLAN2. I'm not sure why, but it didn't work until I bound it to VLAN2:
    acl binding.PNG

    With this setup, the guest network gets internet but nothing else. There must be a better way to do this though, as I'll have to setup an ACE for every other VLAN as well to block the guest network from them.
     
  19. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    3,186
    Location:
    texas
    Your screen is different than my screen, but if you don't want to work at port level then set up an ACL and not an ACE. Once an ACL is set up it should stand. You just need to figure out what you need.
     
  20. trpltongue

    trpltongue Regular Contributor

    Joined:
    Oct 13, 2019
    Messages:
    90
    Okay, so I think I'm understanding better. On this switch, the help file for Configuring ACLs states that you have to:

    1) create an ACL (which is just creating a name for an access control workflow)
    2) create an ACE (this is where you define all the rules and associate an ACE with an ACL)
    3) associate the ACL with either a VLAN or a Port

    That's why it didn't work earlier. I had created the ACL and the ACE, but hadn't associated it with a VLAN or Port so it wasn't actually active.

    When I first associated my ACL with VLAN2 I couldn't access anything, not even the internet. That's because I set the default action to deny, so any traffic which didn't match the ACE was denied AND any traffic that did match the ACE was denied. Essentially everything was denied :)

    Now I've modified the ACE association to VLAN2 so that the default behavior is permit. Now, when traffic doesn't match the ACE criteria it is allowed through. That means that if traffic matches the ACE, it is denied, if it doesn't match the ACE, it is allowed. So any traffic from 20.x network to the 10.x network (which matches my ACE) is blocked, and any other traffic is allowed.
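    An added illustration (not code from the thread or from the switch vendor): a small Python model of the ACL/ACE evaluation described in posts 15 and 20, with Cisco-style wildcard masks, first-match semantics and a configurable default action. The flow names and the guest client address 192.168.20.21 are constructed for the example; it shows why a default action of deny blocked everything, why the host-only ACE (192.168.10.1) left 192.168.10.254 reachable, and why the 0.0.0.255 version with default permit blocks only guest-to-main traffic.

```python
import ipaddress

# Added example, not code from the thread or the switch vendor.
# Models a Cisco-style ACL: an ordered list of ACEs, first match wins,
# and a default action that applies when no ACE matches.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def evaluate(aces, src: str, dst: str, default_action: str = "permit") -> str:
    """Return 'permit' or 'deny' for a src->dst packet against the ACE list."""
    for ace in aces:
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return default_action  # no ACE matched: the ACL's default action applies

# ACE as finally bound to the guest VLAN: deny guest subnet -> main subnet.
GUEST_TO_MAIN = [{"action": "deny",
                  "src": ("192.168.20.0", "0.0.0.255"),
                  "dst": ("192.168.10.0", "0.0.0.255")}]

# Earlier attempt from posts 15/16: only the single host 192.168.10.1.
GUEST_TO_HOST = [{"action": "deny",
                  "src": ("192.168.20.0", "0.0.0.255"),
                  "dst": ("192.168.10.1", "0.0.0.0")}]

def guest_traffic_outcomes(aces, default_action: str) -> dict:
    """Constructed sample flows from a guest client (192.168.20.21)."""
    flows = {
        "to_switch_192.168.10.254": "192.168.10.254",
        "to_router_192.168.10.1": "192.168.10.1",
        "to_internet_dns_9.9.9.9": "9.9.9.9",
    }
    return {name: evaluate(aces, "192.168.20.21", dst, default_action)
            for name, dst in flows.items()}

if __name__ == "__main__":
    print("default deny  :", guest_traffic_outcomes(GUEST_TO_MAIN, "deny"))
    print("default permit:", guest_traffic_outcomes(GUEST_TO_MAIN, "permit"))
    print("host-only ACE :", guest_traffic_outcomes(GUEST_TO_HOST, "permit"))
```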