VLAN question...

Hi,

We have a Linksys managed 16 port switch with VLAN capability. There are unmanaged switches connected to each port of this Linksys switch. The domain controller (DHCP+DNS) is connected to port 16.

A separate internet feed (on the same subnet) might be connected to any of the unmanaged switches. However, if one of the unmanaged switches is connected to the internet, this should not influence the internet connectivity of the other unmanaged switches.

I.e. ports 1-15 of the managed switch should always be able to talk to port 16 and vice versa. However, none of the ports 1-15 should be able to talk to each other.

How do I program this using VLANs?

I have tried to create VLAN ID of 11 assigned to port 1, 12 to port 2 etc up to port 15 and none to port 16, but I don't get the desired results.

Any VLAN guru here who is willing to help me out..?

regards

/geir


Geir Holmavatn

You make port 16 a trunk port that has membership in each of the other VLANs.

You would either need to have the domain controller have 15 802.1Q VLANs on the single ethernet interface, or else you would have to add a router with an 802.1Q VLAN trunk port and then add 15 physical interfaces, one for each of the IP ranges. Either way, each of the other ports would need to be in a different IP range for things to work properly.

If the switch were one of Cisco's Catalyst 3550/3750 family (possibly even a 2950, I can't recall for sure now), or were a Cisco Catalyst 2948G-L3, or 4008, (or possibly some other models as well), then there is a built in feature for just this kind of restriction, to block ports from talking directly to each other but allow them to talk to selected other ports.

There is, though, a possibility to keep in mind, which is that one of the machines on a port might "bounce" a packet off something that it is allowed to talk to, to have the packet go to a different port that it would not normally be allowed to reach. This would be able to happen in your case if the domain controller were configured to allow packets to be routed between interfaces.

Walter Roberson
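The answer above describes the 802.1Q trunk approach: port 16 carries every VLAN tagged, and the domain controller needs one subinterface and one IP range per VLAN. The following is an added example (not code from the thread, from Linksys, or from Walter Roberson) that builds and parses 802.1Q-tagged frames, generates a per-port VLAN/subnet plan for the trunk-attached host, and shows what that host should do with a frame that arrives on the trunk: drop it if untagged or on an unconfigured VID, and flag it if its IPv4 source address does not belong to the VLAN's subnet. The VID numbering (port N -> VID 10+N), the 10.0.N.0/24 subnets, the eth0 interface name and all MAC/IP addresses are assumptions made for the example.

```python
"""802.1Q tagging and a per-VLAN subnet plan for a trunk-attached host.

Added example, not from the thread or any vendor code. The numbering
(access port N -> VLAN 10+N -> 10.0.N.0/24, host address .1 on eth0.VID)
is an assumption chosen for illustration; addresses in tests are made up.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_tagged_frame(dst_mac, src_mac, vid, ethertype, payload, pcp=0, dei=0):
    """Ethernet frame with one 802.1Q tag: dst, src, TPID, TCI, inner EtherType, payload."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def parse_frame(frame):
    """Return dst/src MACs, VID (None if untagged), PCP, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def vlan_plan(access_ports, base_vid=10, base_net="10.0.0.0/16", trunk_if="eth0"):
    """One VLAN and one /24 per access port; the trunk host takes .1 in each (assumed scheme)."""
    subnets = list(IPv4Network(base_net).subnets(new_prefix=24))
    plan = {}
    for port in access_ports:
        vid = base_vid + port
        net = subnets[port]
        plan[vid] = {"port": port, "subinterface": f"{trunk_if}.{vid}",
                     "network": str(net), "gateway": str(net.network_address + 1)}
    return plan


def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (checksum left zero) used to build sample payloads."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)


def receive_on_trunk(frame, plan):
    """Decide which subinterface a trunk frame lands on and whether its source is plausible."""
    f = parse_frame(frame)
    if f["vid"] is None:
        return None, "untagged frame on trunk: dropped (no native VLAN configured)"
    entry = plan.get(f["vid"])
    if entry is None:
        return None, f"VID {f['vid']} not configured on trunk: dropped"
    if f["ethertype"] == ETHERTYPE_IPV4 and len(f["payload"]) >= 20:
        src_ip = IPv4Address(f["payload"][12:16])
        if src_ip not in IPv4Network(entry["network"]):
            return entry["subinterface"], f"source {src_ip} not in {entry['network']}: spoofed or misconfigured"
    return entry["subinterface"], "accepted"


if __name__ == "__main__":
    plan = vlan_plan(range(1, 16))
    frame = build_tagged_frame("02:00:00:00:00:10", "02:00:00:00:00:01", 11,
                               ETHERTYPE_IPV4, ipv4_header("10.0.1.20", "10.0.1.1"), pcp=3)
    print(parse_frame(frame)["vid"], receive_on_trunk(frame, plan))
```

The per-VLAN subnets matter because the domain controller, not the switch, now separates the classrooms at layer 3; if IP forwarding is left enabled on that host it becomes the router between them, which is exactly the "bounce" the answer warns about.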

You don't say exactly which '16 port Linksys' you have, but the smarter Linksys boxes (e.g. the SRW2016) can do this using PVE (Private VLAN Edge).

Put the ports in a PVE group and designate port 16 as the uplink.

Regards,

Marco.

M.C. van den Bovenkamp

Marco,

It's exactly a SRW2016 box we have. I will check tomorrow at work.

So I just erase all the VLANs that I created (or reset everything) and go to the PVE mapping page, select ports 1-15 as a group and assign port 16 as uplink? Anything else? How secure is this solution? Any possibility for a creative soul to access another port in the 1..15 range?

Thanks a lot for the hint ;-) Will get back with the results ;-)

regards

Geir

Geir Holmavatn

Looking at the docs, you need to assign the PVE Type on a per-port basis on gigabit switches. It's page 26 & 27 in the User Guide for the SRW2016.

Glad it helped.

As for the security bit, it looks like it's pretty secure. Barring bugs and unintended behaviour from whatever is connected to the uplink port, there shouldn't be any way for devices on edge ports to talk to each other. All traffic from edge ports gets forwarded only to the uplink port and nowhere else.

Regards,

Marco.

M.C. van den Bovenkamp
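The answer above states the PVE forwarding rule (edge ports only ever forward to the uplink) and limits its guarantee to "barring unintended behaviour from whatever is connected to the uplink port"; the earlier answer in this thread spelled that caveat out as a packet "bounced" through a domain controller that routes between its neighbours. The following is an added example (not from the thread, from Linksys, or from either poster) that models a switch with protected edge ports and an uplink, resolves ARP and delivers IP packets through it, and shows both results: two edge hosts cannot reach each other directly, but if the uplink host has IP forwarding enabled and is used as the next hop, the packet goes up to it and straight back down to the other edge port. Port numbers, MAC and IP addresses and the host names are made up for the example.

```python
"""Private VLAN Edge (protected port) forwarding and the layer-3 "bounce".

Added example, not from the thread or any vendor code. Ports 1-15 are
protected edge ports, port 16 is the uplink, all addresses are invented.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    port: int
    mac: str
    ip: str
    ip_forward: bool = False                  # True: routes packets between its neighbours
    arp: dict = field(default_factory=dict)   # ip -> mac cache


class Switch:
    def __init__(self, n_ports, protected, uplink):
        self.ports = range(1, n_ports + 1)
        self.protected = set(protected)
        self.uplink = uplink
        self.mac_table = {}                   # learned mac -> port

    def may_forward(self, ingress, egress):
        """PVE rule: two protected ports never exchange frames; anything else may."""
        if ingress == egress:
            return False
        return not (ingress in self.protected and egress in self.protected)

    def forward(self, ingress, src_mac, dst_mac):
        """Learn the source, then return the egress ports the frame is sent out of."""
        self.mac_table[src_mac] = ingress
        if dst_mac in self.mac_table:
            candidates = [self.mac_table[dst_mac]]
        else:
            candidates = list(self.ports)     # broadcast / unknown unicast: flood
        return [p for p in candidates if self.may_forward(ingress, p)]


def arp_resolve(sw, hosts, asker, ip):
    """Broadcast an ARP request; return the MAC of the host whose reply reaches the asker."""
    if ip in asker.arp:
        return asker.arp[ip]
    for p in sw.forward(asker.port, asker.mac, BROADCAST):
        h = hosts.get(p)
        if h and h.ip == ip and asker.port in sw.forward(h.port, h.mac, asker.mac):
            asker.arp[ip] = h.mac
            return h.mac
    return None                               # nobody reachable answered


def send_ip(sw, hosts, sender, dst_ip, next_hop_ip=None, ttl=2):
    """Deliver an IP packet; return the name of the final receiver or None if it is dropped."""
    if ttl == 0:
        return None
    nh_mac = arp_resolve(sw, hosts, sender, next_hop_ip or dst_ip)
    if nh_mac is None:
        return None
    for p in sw.forward(sender.port, sender.mac, nh_mac):
        h = hosts.get(p)
        if h is None or h.mac != nh_mac:
            continue
        if h.ip == dst_ip:
            return h.name
        if h.ip_forward:                      # the bounce: the uplink host routes it back down
            return send_ip(sw, hosts, h, dst_ip, ttl=ttl - 1)
    return None


def scenario(pve=True, dc_forwards=False):
    """Two edge hosts on ports 1 and 2, the domain controller on uplink port 16 (assumed layout)."""
    sw = Switch(16, protected=range(1, 16) if pve else [], uplink=16)
    hosts = {
        1: Host("A", 1, "02:00:00:00:00:01", "192.168.1.11"),
        2: Host("B", 2, "02:00:00:00:00:02", "192.168.1.12"),
        16: Host("DC", 16, "02:00:00:00:00:10", "192.168.1.1", ip_forward=dc_forwards),
    }
    return sw, hosts


if __name__ == "__main__":
    sw, hosts = scenario(pve=True, dc_forwards=True)
    print("A -> B directly:", send_ip(sw, hosts, hosts[1], "192.168.1.12"))
    print("A -> B via DC: ", send_ip(sw, hosts, hosts[1], "192.168.1.12", next_hop_ip="192.168.1.1"))
```

Whether the edge-to-edge path exists therefore depends on the uplink host, not on the switch: the same model returns no delivery for the bounce as soon as the domain controller has IP forwarding turned off.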

Hi again,

Unfortunately in this case the map is not completely in accordance with the terrain. There is no PVE Mapping tab at the Switch config page for my SRW2016. However the Interface settings (page 26-27 in the manual) contains a PVE dropdown box listing: , g1-g16 and LAG1-LAG8.

First I selected g16 in this PVE box (I hoped that this would be the uplink port). However I received an error complaining that I could not do this because the selected port I was editing (g1) also was a member of the default VLAN ID 1.

I tried to create a second VLAN with ID 10 and assigned ports g1..g10 to this VLAN. Then I was able to set g16 as PVE port for g1. However, I have no idea if this is the way it is supposed to be done. I haven't found a way to assign a VLAN ID for the ports g1..g10, so I just have the PVE stuff enabled and no other 'normal' VLAN ID.

There is no indication in the manual (as far as I can see) that the PVE mapping stuff only is available for the 48 port model. My SRW2016 switch has the latest firmware version according to the official Linksys site.

Any suggestions or comments...?

regards

geir

Geir Holmavatn

Since the thread ran out of juice, I have another question:

Are there other 16-port gigabit switches with the PVE (Private VLAN Edge) feature in the same price segment as the SRW2016?

Thanks for hints on this

regards Geir

Geir Holmavatn

Geir Holmavatn wrote:

Hi,

I take the chance of restarting this thread as I have still no working solution. I tried with the PVE feature of the SRW2016 and I was able to connect to the internet, but very intermittently. It seemed that the workstation had trouble selecting which uplink port to select to get to the internet and which one to use for getting to the domain controller.

But let me rephrase the question a bit:

Is there a more 'general' solution to our problem?

We have several classrooms which need continuous access to the domain controller subnet and, in addition, internet access only when needed.

How can we avoid connecting ALL classrooms to the internet once the gateway cable is connected to the domain controller net in one classroom?

The router / firewall IP is on the same subnet as the domain controller. A small sketch of a similar system is available here (with separate switches for internet and domain controller):

Connecting/disconnecting the internet in classrooms would be done by connecting/disconnecting the blue connection in the above sketch.

Thanks if someone have some bright ideas ;-)

/geir

Geir Holmavatn

Looking at the picture, I think your only option is to use a router. You will need the router to the east of the switches.

Hansang Bae

Hansang Bae wrote:

I.e. one router in the domain controller cable for each classroom. Gigabit router... sigh.

Though I have *no* other options...?

/geir

Arne Hvoslef

So there are absolutely no other options for this than one router in the domain controller cable for each classroom??

Router with gigabit throughput ...

...will monitor this for some days if someone gets a bright idea...

/geir

Geir Holmavatn

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.