I have a network that has 2 private IP subnets (192.168.1.0/24 and 192.168.50.0/24) using the same Ethernet wiring to connect to a single, common gateway which is a NetVanta 3120. Since they are sharing the wiring plant, I am unable to create segregated VLANS for different switch ports on the 3120. I would like to be able to restrict one subnet (192.168.50.0/24) to only be able to access the gateway in order to get to the Internet, and keep this subnet from being able to access the other private subnet (192.168.1.0/24). Is there a support article that documents how to do this, either through the GUI or the CLI?
The "V" in VLAN means "virtual", so if you choose you can indeed have two or more logical networks on the same wiring plant. Both networks can use the same switch port on the router if you make it a "trunk" meaning that it supports multiple VLANs.
This isn't needed but it scales better and makes the configuration more secure and flexible because you can put the different subnets in different security zones.
If you want to avoid creating VLANs, you can accomplish what you want as follows.
Create an access-list like this:
ip access-list extended private-block-list
permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
! <- the deny below is there by default but putting it in makes it easier to read
deny ip any any
Then, in the policy-class applied to the inside interface you add the following as the first line:
discard list private-block-list
followed by your NAT rules and the like.
Beware that without using VLANs you will have the following issues:
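To see what the ACL-only approach actually does on the router, here is a small added model (not code from the thread or from Adtran) of extended-ACL matching with wildcard masks and first-match policy-class evaluation. It encodes the private-block-list above, puts the discard line ahead of a catch-all NAT line as the answer describes, and checks four constructed flows; it also shows what happens when the discard line is placed after the NAT line by mistake. The "nat"/"discard" verbs and the sample addresses are assumptions made for this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: str        # base address
    src_wild: str   # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco/AOS-style wildcard match: only the 0 bits of the mask must agree."""
    return (_to_int(addr) ^ _to_int(base)) & ~_to_int(wild) & 0xFFFFFFFF == 0


def acl_matches(acl, src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


# The access-list from the answer: traffic between the two private subnets
# is what the list *matches*, so a "discard list" entry drops exactly that.
PRIVATE_BLOCK_LIST = [
    AclEntry("permit", "192.168.50.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"),
    AclEntry("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
ANY = [AclEntry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]

# Policy-class modelled as an ordered list of (verb, acl); the first ACL that
# matches decides. This mirrors the answer: discard first, then NAT the rest.
INSIDE_POLICY = [("discard", PRIVATE_BLOCK_LIST), ("nat", ANY)]
# Mis-ordered variant (assumption, for contrast): the NAT line shadows the discard.
WRONG_ORDER = [("nat", ANY), ("discard", PRIVATE_BLOCK_LIST)]


def policy_verdict(policy, src: str, dst: str) -> str:
    for verb, acl in policy:
        if acl_matches(acl, src, dst):
            return verb
    return "discard"  # nothing matched: the policy-class drops it


def check_isolation(policy) -> dict:
    # Constructed sample flows (203.0.113.5 is a documentation address standing in
    # for "the Internet").
    flows = {
        "guest_to_private": ("192.168.50.20", "192.168.1.10"),
        "private_to_guest": ("192.168.1.10", "192.168.50.20"),
        "guest_to_internet": ("192.168.50.20", "203.0.113.5"),
        "private_to_internet": ("192.168.1.10", "203.0.113.5"),
    }
    return {name: policy_verdict(policy, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_isolation(INSIDE_POLICY).items():
        print(f"{name:20s} -> {verdict}")
    print("mis-ordered guest_to_private ->", check_isolation(WRONG_ORDER)["guest_to_private"])
```

The model only covers packets that are routed through the 3120. On a shared wiring plant a host that is given an address in the other subnet talks to it directly over the same Ethernet segment and the router never sees that traffic, which is the limitation the VLAN approach removes.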
Jayh, thanks for the reply. Sorry I have taken so long to get back to you.
So, if I understand you correctly, the simpler method (and better practice) is to create a VLAN for each of these networks: VLAN1 192.168.1.0/24 and VLAN2 192.168.50.0/24.
So, using the GUI, I created VLAN2, naming it Guest. I enabled this VLAN2 as a Static VLAN, and configured it as an IP interface. Its mode is IP routing, and I assigned it the IP address of 192.168.50.2.
I then assigned all switch ports on the 3120 to Trunk Membership.
Then, still using the GUI, I created a 3rd security zone called Guest and I added a single Filter Policy for this security zone called Guest Deny. For the Filter Data, the source IP address is 192.168.50.0/24, and the Destination IP address is 192.168.1.0/24. I set the Protocol to any, and I set the Ports to Any.
My public WiFi access will be on the 192.168.50.0/24 network, with DHCP being served by the wireless access point. The intent is for traffic from this subnet to access only the Internet (from the Eth 0/1 port) and its own subnet.
My internal, private subnet (192.168.1.0/24) should be able to communicate with the Internet over the Eth 0/1 port. I don't care if VLAN1 can get to VLAN2 or not. DHCP for this VLAN1 will be provided by the 3120.
I would appreciate your confirmation of my understanding of your suggestions and letting me know if I have successfully implemented them. Thanks again!
Yes, you're doing it right. The last step is to assign the proper VLANs on the distribution switches. You mentioned that there is a common wiring plant, here's where the advantage of VLANs comes into play.
The switches that connect to endpoint devices need to be configured appropriately. On the distribution switches, the interfaces that go back to the 3120 also need to be set as trunk ports with both VLANs allowed.
Any port that goes to a private workstation should be configured as an access port on VLAN 1, which will typically be the default.
The ports that connect to the guest access points (or a guest jack in a conference room, for example) need to be configured as access ports on VLAN 2. Anything plugged into those interfaces will only see the guest VLAN and NAT to the Internet; it won't see your private corporate network.
Note that once you've done this, the switch ports matter. It is no longer acceptable to just plug in to a vacant port. You'll need to label them as to their function and advise your staff that "Ports 1 through 4 are for access points, port 24 must be the one connected back to the Adtran", etc.
Again, thanks for the reply.
Unfortunately (or fortunately, depending on how you look at it), the 3120 is the only VLAN-aware device for all of these connections. The wireless access points are consumer grade, and it is their switch ports that are connected to the 3120. So, as I see it, as long as I have all 4 switch ports on the 3120 as members of a Trunk, I should be good. Thanks again for the help.
Gary
OK, you're almost there and this is actually easier. Configure the 3120 switch interfaces that are connected to the access points as access ports on VLAN 2 and the 3120 interface(s) connected to your corporate LAN as access ports on VLAN 1. No trunks needed.