Home Network Design help with L3 Switch

trpltongue

Regular Contributor
You were fast on this step. It gets easy once you have done it.

Here are my router screens. I forgot the RV340 does not need firewall statements once you add a routing statement. I have posted the routing statements you just need to substitute your network IPs.

I also included my ACL so you know what I am talking about. You may want to use my ACL. It denies all udp DNS except for 9.9.9.9

I noticed the ACL was cut off so I added another screen
Can you help me understand the ACL a bit more? I don't understand how the 2 statements work. The first seems to allow all DNS-UDP and the second denies the same thing?
 

coxhaus

Part of the Furniture
Look at the screen I added. I cut off part of the ACL. The second one should have the IP on it. I am going to delete all pictures and then re-add them.

If you want to test add an access port to VLAN20 and plug in a PC. It should get an IP from DHCP in the 192.168.20.0 network and it should have internet access.
 

trpltongue

Regular Contributor
Look at the screen I added. I cut off part of the ACL. The second one should have the IP on it. I am going to delete all pictures and then re-add them.
That makes a lot more sense :)

I've added the same now:

[attachment: ACL.PNG]


Just so I'm making sure I understand, if for some reason 9.9.9.9 goes down, I'll lose all DNS capability correct?
 

trpltongue

Regular Contributor
yes -- I have never had it go down.
Yeah, I'm not worried about it, just wanted to make sure I understood what the ACL was doing.

So, now I'll need to add the guest network on my WAP using the 192.168.20.x network right?

I need to add the new SSID to VLAN2, correct?
 

coxhaus

Part of the Furniture
If you want to test add an access port to VLAN20 and plug in a PC. It should get an IP from DHCP in the 192.168.20.0 network and it should have internet access.

Now to add the guest VLAN to the wireless. You need to do 2 things.

You need to go into your switch under VLAN management. Select Port to VLAN membership, then use your trunk port at the bottom and click the "join vlan" button. You then need to add VLAN20 down on the bottom left. It will add VLAN20 as a tagged VLAN to your trunk port. You will now see 2 VLANs assigned to your port. Save.

Now go into your wireless and select wireless. Now select networks and add VLAN20 and your SSID for VLAN20. You need to do this for both radios if you want both radios. Save.

Your wireless should now give out an IP for your guest SSID and have internet access.
 

trpltongue

Regular Contributor
I'm having a hard time following the comment regarding "You then need to add VLAN20 down on the bottom left. It will add VLAN20 as a tagged VLAN. save"
I'm not sure where to make this change on the VLAN membership screen:
[attachment: VLAN membership.PNG]


In the meantime, I've added an additional SSID on VLAN2 via the WAP gui as:
[attachment: Guest_Network.PNG]

After completing this step, I connected to the guest network and received an IP address from 192.168.20.254. Internet works, and I'm able to connect to the Cisco equipment on the 192.168.10.x network, which I don't think is supposed to happen :)
 

coxhaus

Part of the Furniture
[attachment: Capture4.PNG]
Your screen is different than mine. I need screen shots of your VLAN screens so I can figure out how to do this.

Do you have a screen like this?
 

coxhaus

Part of the Furniture
It looks like Port 3 is ready to go. I am not sure what 3-40941 is. Have you started on VLAN30?

Test your wireless. Your switch may do it automatically on the trunk.
 

trpltongue

Regular Contributor
It looks like Port 3 is ready to go. I am not sure what 3-40941 is. Have you started on VLAN30?

Test your wireless. Your switch may do it automatically on the trunk.
I haven't started anything on VLAN30 yet.

Does this screen help?
[attachment: VLAN interface settings.PNG]


The wireless works fine on the VLAN2 network. I get an IP address from 192.168.20.254 and can connect to the internet. The only problem is that I can also connect to all the Cisco gear on the 192.168.10.x network, which I don't think is supposed to happen, right? I don't want the guest network to be able to access my main VLAN.
 

coxhaus

Part of the Furniture
OK. You need to go into the switch and create an ACL barring VLAN20 from VLAN1. On my switch it is under access control.
[attachment: Capture5.PNG]


I am off to the Texas Monthly BBQ fest. Lots of BBQ and beer drinking.

If you get on the wireless guest SSID you cannot edit the RV340 router. Try it.

I am wrong for your router. My router is in a separate router VLAN, which we can do later. I share a printer on my guest network, so I believe 192.168.10.1 will not be blocked, as I don't block the first part of the VLAN1 network. So you will need to modify the ACL for your current setup with the router in VLAN1.
 

trpltongue

Regular Contributor
OK. You need to go into the switch and create an ACL barring VLAN20 from VLAN1. On my switch it is under access control.

I am off to the Texas Monthly BBQ fest. Lots of BBQ and beer drinking.

If you get on the wireless guest SSID you cannot edit the RV340 router. Try it.
Awesome! Have fun at the BBQ fest, I'm jealous and I'm in Houston!
 

trpltongue

Regular Contributor
OK. You need to go into the switch and create an ACL barring VLAN20 from VLAN1. On my switch it is under access control.

I am off to the Texas Monthly BBQ fest. Lots of BBQ and beer drinking.

If you get on the wireless guest SSID you cannot edit the RV340 router. Try it.

I am wrong for your router. My router is in a separate router VLAN, which we can do later. I share a printer on my guest network, so I believe 192.168.10.1 will not be blocked, as I don't block the first part of the VLAN1 network. So you will need to modify the ACL for your current setup with the router in VLAN1.
I added the ACE in the switch as below. But I can still access 192.168.10.254 from the guest network (I currently have an IP address of 192.168.20.21).

[attachment: Switch ACE.PNG]


I really want to block the guest network from everything else, not just individual IPs, but I am guessing if I block the guest network from the switch it should kill all communication, right?
 

coxhaus

Part of the Furniture
My guess is you need to use 192.168.10.1 as your destination IP address. Using 0.0.0.255 should block the whole class C. But you need to figure out what works for you.

Did you bind the ACL to the port?

PS
I thought I read where you can use the VLANs instead of using IP addresses. Set up an ACL blocking by VLAN. It may work better for you.
 

trpltongue

Regular Contributor
I tried to change the above to 10.1 and it still didn't block access to the Cisco gear when I logged into the guest network.

I'll take a look at VLAN blocking.
 

coxhaus

Part of the Furniture
Did you bind the ACE to the port? ACEs work at the port level. ACLs work at a higher level. Which are you doing?
 

trpltongue

Regular Contributor
Okay, so I think I got it working.

Had to modify the ACE a bit as below:
[attachment: Switch ACE.PNG]


Then I bound it to VLAN2. I'm not sure why, but it didn't work until I bound it to VLAN2:
[attachment: acl binding.PNG]


With this setup, the guest network gets internet but nothing else. There must be a better way to do this though, as I'll have to set up an ACE for every other VLAN as well to block the guest network from them.
 

coxhaus

Part of the Furniture
Your screen is different than my screen, but if you don't want to work at port level then set up an ACL and not an ACE. Once an ACL is set up it should stand. You just need to figure out what you need.
 

trpltongue

Regular Contributor
Okay, so I think I'm understanding better. On this switch, the help file for Configuring ACLs states that you have to:

1) create an ACL (which is just creating a name for an access control workflow)
2) create an ACE (this is where you define all the rules and associate an ACE with an ACL)
3) associate the ACL with either a VLAN or a Port

That's why it didn't work earlier. I had created the ACL and the ACE, but hadn't associated it with a VLAN or Port so it wasn't actually active.

When I first associated my ACL with VLAN2 I couldn't access anything, not even the internet. That's because I set the default action to deny, so any traffic which didn't match the ACE was denied AND any traffic that did match the ACE was denied. Essentially everything was denied :)

Now I've modified the ACE association to VLAN2 so that the default behavior is permit. Now, when traffic doesn't match the ACE criteria it is allowed through. That means that if traffic matches the ACE, it is denied, if it doesn't match the ACE, it is allowed. So any traffic from 20.x network to the 10.x network (which matches my ACE) is blocked, and any other traffic is allowed.
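The following is an added illustration, not code from this thread or from the switch vendor: a small Python model of the evaluation logic the posts above describe, covering both the two-line DNS ACL earlier in the thread (permit UDP/53 to 9.9.9.9, deny all other UDP/53) and the ACL/ACE/binding steps with a default action. The Packet and Ace types, the wildcard-mask matcher, the internet address 203.0.113.10 and the sample traffic are all constructed for the example; the 192.168.10.x, 192.168.20.x, 192.168.20.21 and 9.9.9.9 addresses are the ones used in the thread. Real switch semantics differ in detail (order of evaluation across bound ports and VLANs, implicit rules), so treat this as a way to reason about the rules, not as a substitute for testing on the hardware.

```python
"""Constructed model of how a switch ACL evaluates traffic: an ordered list
of ACEs is checked first-match, and the ACL's default action applies when
nothing matches. An ACL that is not bound to a VLAN or port has no effect.
Added illustration only; not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    proto: str                   # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None  # destination port, if the protocol has one


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or "address/wildcard" (Cisco-style mask)
    dst: str
    dport: Optional[int] = None  # None means any port


def addr_matches(spec: str, addr: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'don't care'.
    192.168.10.0/0.0.0.255 covers the whole /24; 9.9.9.9/0.0.0.0 is one host."""
    if spec == "any":
        return True
    base, wildcard = spec.split("/")
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (
        int(ipaddress.IPv4Address(addr)) & care
    )


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Protocol, destination port and both addresses must all match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], default_action: str, pkt: Packet) -> str:
    """First matching ACE decides; if no ACE matches, the default action applies."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return default_action


def evaluate_binding(binding: Optional[Tuple[List[Ace], str]], pkt: Packet) -> str:
    """A VLAN or port with no ACL bound forwards everything, which is why an
    ACL that was created but never associated changed nothing."""
    if binding is None:
        return "permit"
    acl, default_action = binding
    return evaluate(acl, default_action, pkt)


# The two-line DNS ACL from the thread: only UDP/53 to 9.9.9.9 is allowed.
DNS_ACL = [
    Ace("permit", "udp", "any", "9.9.9.9/0.0.0.0", dport=53),
    Ace("deny",   "udp", "any", "any",             dport=53),
]

# Guest isolation: block the 192.168.20.0/24 guest VLAN from 192.168.10.0/24.
GUEST_ACL = [
    Ace("deny", "ip", "192.168.20.0/0.0.0.255", "192.168.10.0/0.0.0.255"),
]

# Constructed sample traffic from a guest client (192.168.20.21 as in the thread);
# 203.0.113.10 is a documentation-range address standing in for "the internet".
SAMPLES: Dict[str, Packet] = {
    "dns_to_quad9":   Packet("192.168.20.21", "9.9.9.9",        "udp", 53),
    "dns_to_other":   Packet("192.168.20.21", "8.8.8.8",        "udp", 53),
    "https_internet": Packet("192.168.20.21", "203.0.113.10",   "tcp", 443),
    "https_to_lan":   Packet("192.168.20.21", "192.168.10.254", "tcp", 443),
}


def guest_results(default_action: str) -> Dict[str, str]:
    """Result of the guest ACL for every sample under a given default action."""
    return {name: evaluate(GUEST_ACL, default_action, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("DNS ACL:", {n: evaluate(DNS_ACL, "permit", p) for n, p in SAMPLES.items()})
    print("guest ACL, default deny:  ", guest_results("deny"))    # everything denied
    print("guest ACL, default permit:", guest_results("permit"))  # only LAN denied
    print("unbound ACL:", evaluate_binding(None, SAMPLES["https_to_lan"]))
```

Running it shows the three states the thread went through: with the ACL unbound every packet is forwarded; bound with a default of deny, the single deny ACE plus the default deny everything, including internet; bound with a default of permit, only guest-to-192.168.10.x traffic is dropped. The DNS entries show why order matters: the host-specific permit must sit above the general deny, or 9.9.9.9 would be blocked too.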
 
