Posted by Geir Holmavatn on August 3, 2006, 10:24 am
Hi,
We have a Linksys managed 16 port switch with VLAN capability. There
are unmanaged switches connected to each port of this Linksys switch.
The domain controller (DHCP+DNS) is connected to port 16.
A separate internet feed (on the same subnet) might be connected to any
of the unmanaged switches. However, if one of the unmanaged switches is
connected to the internet, this should not influence the internet
connectivity of the other unmanaged switches.
I.e. ports 1-15 of the managed switch should always be able to talk to
port 16 and vice versa. However, none of the ports 1-15 should be able to
talk to each other.
How do I program this using VLANs?
I have tried to create VLAN ID of 11 assigned to port 1, 12 to port 2
etc up to port 15 and none to port 16, but I don't get the desired results.
Any VLAN guru here who is willing to help me out..?
regards
/geir
Posted by Walter Roberson on August 3, 2006, 1:00 pm
>I.e. ports 1-15 of the managed switch should always be able to talk to
>port 16 and vice versa. However, none of the ports 1-15 should be able to
>talk to each other.
>How do I program this using VLANs?
>I have tried to create VLAN ID of 11 assigned to port 1, 12 to port 2
>etc up to port 15 and none to port 16, but I don't get the desired results.
You make port 16 a trunk port that has membership in each of the
other VLANs.
> The domain controller (DHCP+DNS) is connected to port 16.
You would either need to have the domain controller have 15
802.1Q VLANs on the single ethernet interface, or else you would
have to add a router with an 802.1Q VLAN trunk port and then add
15 physical interfaces, one for each of the IP ranges. Either way,
each of the other ports would need to be in a different IP range
for things to work properly.
> We have a Linksys managed 16 port switch with VLAN capability.
If the switch were one of Cisco's Catalyst 3550/3750 family
(possibly even a 2950, I can't recall for sure now), or were
a Cisco Catalyst 2948G-L3, or 4008, (or possibly some other models
as well), then there is a built-in feature for just this kind
of restriction, to block ports from talking directly to each other
but allow them to talk to selected other ports.
There is, though, a possibility to keep in mind, which is that one of
the machines on a port might "bounce" a packet off something that it is
allowed to talk to, to have the packet go to a different port that it
would not normally be allowed to reach. This would be able to happen
in your case if the domain controller were configured to allow
packets to be routed between interfaces.
Posted by M.C. van den Bovenkamp on August 3, 2006, 1:28 pm
Geir Holmavatn wrote:
> I.e. ports 1-15 of the managed switch should always be able to talk to
> port 16 and vice versa. However, none of the ports 1-15 should be able to
> talk to each other.
>
> How do I program this using VLANs?
You don't say exactly which '16 port Linksys' you have, but the smarter
Linksys boxes (e.g. the SRW2016) can do this using PVE (Private VLAN Edge).
Put the ports in a PVE group and designate port 16 as the uplink.
Regards,
Marco.
Posted by Geir Holmavatn on August 3, 2006, 5:51 pm
M.C. van den Bovenkamp wrote:
> Geir Holmavatn wrote:
>
>> I.e. ports 1-15 of the managed switch should always be able to talk to
>> port 16 and vice versa. However, none of the ports 1-15 should be able
>> to talk to each other.
>>
>> How do I program this using VLANs?
>
> You don't say exactly which '16 port Linksys' you have, but the smarter
> Linksys boxes (e.g. the SRW2016) can do this using PVE (Private VLAN Edge).
>
> Put the ports in a PVE group and designate port 16 as the uplink.
<sigh of relief>
Marco,
It's exactly a SRW2016 box we have. I will check tomorrow at work.
So I just erase all the VLANs that I created (or reset everything) and
go to the PVE mapping page, select port 1-15 as a group and assign port
16 as uplink? Anything else? How secure is this solution? Any
possibility for a creative soul to access another port in the 1..15 range?
Thanks a lot for the hint ;-) Will get back with the results ;-)
regards
Geir
Posted by M.C. van den Bovenkamp on August 3, 2006, 6:24 pm
Geir Holmavatn wrote:
> So I just erase all the VLANs that I created (or reset everything) and
> go to the PVE mapping page, select port 1-15 as a group and assign port
> 16 as uplink? Anything else? How secure is this solution? Any
> possibility for a creative soul to access another port in the 1..15 range?
Looking at the docs, you need to assign the PVE Type on a per-port basis
on gigabit switches. It's page 26 & 27 in the User Guide for the SRW2016.
> Thanks a lot for the hint ;-) Will get back with the results ;-)
Glad it helped.
As for the security bit, it looks like it's pretty secure. Barring bugs
and unintended behaviour from whatever is connected to the uplink port,
there shouldn't be any way for devices on edge ports to talk to each
other. All traffic from edge ports gets forwarded only to the uplink
port and nowhere else.
Regards,
Marco.
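Editor's note: the three configurations discussed in this thread (Geir's per-port VLANs with port 16 left alone, Walter's trunk on port 16 with the "bounce" caveat, and Marco's PVE group with port 16 as uplink) can be checked against Geir's requirement with a small forwarding model. The block below is an added example written for this page; it is not SRW2016 firmware, Linksys documentation or anything the posters ran. The port numbers, VLAN IDs and the PVE rule ("edge ports forward only to the uplink") come from the posts; the Switch class, the function names and the treatment of port 16 as a tagged trunk in Walter's case are assumptions of the model.

```python
# Added example (not from the thread, nor Linksys/SRW2016 code): a small
# model of the three configurations discussed above, so the forwarding
# rules can be checked against Geir's requirement. Port numbers, VLAN IDs
# and the PVE semantics ("edge ports forward only to the uplink") are taken
# from the posts; everything else is an assumption of this model.
from dataclasses import dataclass, field

EDGE_PORTS = range(1, 16)   # ports 1-15: one unmanaged switch on each
UPLINK = 16                 # port 16: the domain controller (DHCP+DNS)


@dataclass
class Switch:
    """Per-port 802.1Q membership plus optional Private VLAN Edge flags."""
    pvid: dict      # port -> VLAN assigned to untagged frames arriving there
    members: dict   # port -> set of VLANs the port may carry
    tagged: set = field(default_factory=set)      # ports whose host sends 802.1Q tags
    pve_edge: set = field(default_factory=set)    # PVE edge (isolated) ports
    pve_uplink: set = field(default_factory=set)  # ports an edge port may reach

    def forwards(self, src, dst):
        """Can a host on port src get a frame delivered out of port dst?"""
        if src == dst:
            return False
        # PVE rule from Marco's post: edge ports forward only to the uplink.
        if src in self.pve_edge and dst not in self.pve_uplink:
            return False
        # An untagged host speaks only on its PVID; a trunked host (Walter's
        # 15 sub-interfaces on the DC) may use any VLAN the port is a member of.
        sendable = self.members[src] if src in self.tagged else {self.pvid[src]}
        return bool(sendable & self.members[dst])


def violations(sw, uplink_host_forwards=False):
    """List every way the switch breaks Geir's requirement: ports 1-15 must
    reach port 16 both ways and must never reach each other. With
    uplink_host_forwards=True the host on port 16 routes between whatever it
    is connected to, which is Walter's "bounce" caveat."""
    bad = []
    for a in EDGE_PORTS:
        if not (sw.forwards(a, UPLINK) and sw.forwards(UPLINK, a)):
            bad.append(f"port {a} cannot talk to port {UPLINK}")
        for b in EDGE_PORTS:
            if a == b:
                continue
            direct = sw.forwards(a, b)
            bounced = (uplink_host_forwards
                       and sw.forwards(a, UPLINK) and sw.forwards(UPLINK, b))
            if direct or bounced:
                how = "directly" if direct else "via the host on port 16"
                bad.append(f"port {a} reaches port {b} {how}")
    return bad


def geir_attempt():
    """VLAN 11..25 on ports 1-15, port 16 left untouched in the default VLAN 1."""
    pvid = {p: 10 + p for p in EDGE_PORTS}
    members = {p: {10 + p} for p in EDGE_PORTS}
    pvid[UPLINK], members[UPLINK] = 1, {1}
    return Switch(pvid, members)


def walter_trunk():
    """Same per-port VLANs, but port 16 is a trunk tagged into all of them."""
    sw = geir_attempt()
    sw.members[UPLINK] = {10 + p for p in EDGE_PORTS}
    sw.tagged.add(UPLINK)
    return sw


def marco_pve():
    """Everything in the default VLAN; ports 1-15 PVE edge, port 16 the uplink."""
    ports = range(1, 17)
    return Switch({p: 1 for p in ports}, {p: {1} for p in ports},
                  pve_edge=set(EDGE_PORTS), pve_uplink={UPLINK})


if __name__ == "__main__":
    for name, sw in (("Geir's VLAN attempt", geir_attempt()),
                     ("Walter's trunk", walter_trunk()),
                     ("Marco's PVE", marco_pve())):
        print(f"{name}: {len(violations(sw))} violation(s) with a non-routing DC, "
              f"{len(violations(sw, uplink_host_forwards=True))} if the DC routes")
```

Running it shows why the first attempt failed (port 16 shares no VLAN with any edge port, so all fifteen edge ports lose the DC) and that both the trunk and the PVE layouts satisfy the switch-level requirement. It also makes Walter's caveat concrete: in either working layout, every edge-to-edge pair becomes reachable as soon as the host on port 16 is willing to forward packets between its interfaces (or, in the PVE case, back out the same interface), so the practical check after configuring PVE is to confirm IP routing is disabled on the domain controller, which on Windows is the IPEnableRouter setting under the Tcpip\Parameters registry key.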