2 Network Security issues
I have 3 VLANs: Lan (10.0.0.x), Lan10 (10.0.10.x), and iot20 (10.0.20.x).
In my network security "switch ACL" I have blocked the iot20 VLAN from the Lan and Lan10 VLANs.
I was trying to set up a rule to let me cross-access the Lan and Lan10 VLANs, but I'm not having any luck with this. Is this possible, since they are on different subnets?
Second thing: in my switch settings, if I select a port, say port 8, and change the profile from "All" to "Lan", Lan10 or iot20, the connected device does not pick up the new VLAN IP address, i.e. if I set it to Lan10 the computer connected to port 8 does not get a 10.0.10.x IP address.
Any help would be appreciated. This is a basic setup for home. I was trying to keep all my wired desktops on Lan10 and everything else as iot20, and only use a main computer on Lan.
Thanks
Doug
If it's a Windows PC, run ipconfig /release && ipconfig /renew. If this does not work, make sure you select the LAN interfaces in network setup and that the DHCP server is enabled.
Here is a sample.
Hey
I have 3 VLANs: Lan (10.0.0.x), Lan10 (10.0.10.x), and iot20 (10.0.20.x).
In my network security "switch ACL" I have blocked the iot20 VLAN from the Lan and Lan10 VLANs.
I was trying to set up a rule to let me cross-access the Lan and Lan10 VLANs, but I'm not having any luck with this. Is this possible, since they are on different subnets?
Could you elaborate a bit more on what you mean by "cross access"? I'm not sure what you are trying to accomplish. If it's to allow traffic between IOT20 and LAN10, then the switch ACL you set will block that. If you can clarify what you mean I will try and help :)
Second thing: in my switch settings, if I select a port, say port 8, and change the profile from "All" to "Lan", Lan10 or iot20, the connected device does not pick up the new VLAN IP address, i.e. if I set it to Lan10 the computer connected to port 8 does not get a 10.0.10.x IP address.
Can you give us a rundown on what hardware you are using, and perhaps post a screenie of the VLAN config you set up for IOT20 or LAN10? That will let us see what is going on here for you.
If this is configured on the controller correctly as an interface, it should hand you out a DHCP address OK... curious.
For your first question: two separate networks on different subnets can only communicate at Layer 3. If you have an L2+ managed switch you can enable a VLAN interface for the communication between your subnets, then with an ACL you block the VLAN that you don't want to be part of that cross access.
Thanks for the help / information everyone. Based on the replies I believe I won't be able to access other devices on different subnets, so I will abandon that idea for now.
The equipment was a TL-SG2210P switch and an ER602v2 router.
I was hoping to access another computer on a different VLAN (HB-vLan10) than my main computer (vLan), but it isn't that important.
As for the switch: if I set port 8 to be on HB-vLan10 and connect a Windows 10 computer to it, I would think the router should assign a VLAN10 IP address, but it isn't, even after doing a release and renew. I even tried to assign an IP address to the computer as well. The only way I can get the router to assign a VLAN IP address is going to the client list, selecting "config" and using a fixed IP address there. So I'm a bit stumped on that one. While you can't see it very well here, port 8 is set to HB-VLan10 and a Win10 computer is connected to it, but it won't get an HB-VLan10 IP address, only the main VLAN. Yes, the computer's NIC is set to get an assigned static IP address from the router.
vLan = 10.0.0.10-256 (OC200 controller plus 1 main computer)
HB-vLan = 10.0.10.10-256 (computers / iPads etc. connected here)
HB-Iot20 = 10.0.20.10-256 (IoT devices connected here)
The overall goal was to have one main computer on vLan with the OC200, and everything else on different VLANs, with the hope of making the setup a bit more secure.
Thanks again all, and Happy New Year!
Hi,
The TL-SG2210P has L2+ features, so you can do it.
Sorry that I cannot write the guide for you now; happy to do it on Monday if you haven't figured it out by then :)
First create 3 VLANs, select Purpose -> "Interface", define the numbers and then click "Update DHCP Range".
When you set the profile of the ports, the Controller and Router should be in "All" profiles.
Even for the EAPs you should keep the profiles as "All"; then when you set the SSID you can set the VLAN ID.
For the port that is connected directly to the computer, change the profile and set the egress rule as "Untagged".
For security, set the ACL rule to "Deny" a "Bi-Directional" connection between IoT and your other LAN, keeping the Binding Type as "Ports". Repeat the same for the main PC VLAN.
With this config you can separate your 3 VLANs: the IoT network, your 1 main PC, and all other computers and laptops. The controller and the router cannot be separated, as they should be in all networks. Although you can have the OC200 on a different subnet with DHCP option 138, you cannot separate its access, as it doesn't make sense to have a controller that cannot see all the devices.
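The reply above describes the ACL policy only in words. As an added example (not Omada code, and not posted by anyone in this thread), the Python below models the switch ACL the way an L2+ switch evaluates it: an ordered list of stateless src/dst rules, first match wins, anything unmatched is permitted, and a "Deny" + "Bi-Directional" entry is just two one-way denies. It then computes which VLAN pairs can actually open a connection, once for the full separation described in the reply and once for what the original poster wanted (IoT isolated, vLan and HB-vLan talking to each other). The three subnet names come from the thread; the /24 prefix length and the "implicit permit at the end of the list" are assumptions about the switch's ACL semantics, and the sample addresses are constructed.

```python
"""Stateless switch-ACL model for the three VLANs discussed in this thread.

Added illustration, not Omada firmware or code from the thread. It assumes
first-match evaluation on source/destination subnet with an implicit permit
when nothing matches; /24 masks are assumed from the thread's 10.0.x.x ranges.
"""
from ipaddress import ip_address, ip_network

# Constructed from the three ranges in the thread; the /24 prefix is assumed.
NETS = {
    "vLan": ip_network("10.0.0.0/24"),       # OC200 controller + main PC
    "HB-vLan": ip_network("10.0.10.0/24"),   # wired desktops, iPads etc.
    "HB-Iot20": ip_network("10.0.20.0/24"),  # IoT devices
}


def deny_bidirectional(a, b):
    """Expand a 'Deny' + 'Bi-Directional' rule into the two one-way deny
    entries that a stateless switch ACL installs."""
    return [("deny", NETS[a], NETS[b]), ("deny", NETS[b], NETS[a])]


# Policy from the reply: IoT denied to/from both other LANs, then the main PC
# VLAN denied to/from the other computers. Order matters: first match wins.
FULL_SEPARATION = (
    deny_bidirectional("HB-Iot20", "vLan")
    + deny_bidirectional("HB-Iot20", "HB-vLan")
    + deny_bidirectional("vLan", "HB-vLan")
)

# The original poster's wish: keep IoT isolated but let vLan and HB-vLan talk.
# Once the VLAN interfaces route between subnets, "cross access" is simply
# the absence of a deny rule for that pair.
IOT_ONLY_ISOLATED = (
    deny_bidirectional("HB-Iot20", "vLan")
    + deny_bidirectional("HB-Iot20", "HB-vLan")
)


def evaluate(acl, src, dst):
    """Action for one packet src -> dst: first matching rule wins, and a
    packet that matches nothing is permitted (assumed implicit permit)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "permit"


def connection_allowed(acl, client, server):
    """A stateless ACL sees the request and the reply as unrelated packets,
    so a connection only works if both directions are permitted."""
    return (evaluate(acl, client, server) == "permit"
            and evaluate(acl, server, client) == "permit")


def policy_matrix(acl, nets=NETS):
    """Which VLAN pairs can open connections, using the first usable host of
    each subnet as a representative client/server (same-subnet traffic is
    switched, not routed, so it is left out)."""
    hosts = {name: str(next(net.hosts())) for name, net in nets.items()}
    return {(a, b): connection_allowed(acl, hosts[a], hosts[b])
            for a in nets for b in nets if a != b}


if __name__ == "__main__":
    for label, acl in (("full separation", FULL_SEPARATION),
                       ("IoT only isolated", IOT_ONLY_ISOLATED)):
        print(label)
        for (a, b), ok in sorted(policy_matrix(acl).items()):
            print(f"  {a:>9} -> {b:<9} {'allowed' if ok else 'blocked'}")
```

Traffic to addresses outside all three subnets (the internet via the router) matches no deny and stays permitted in this model. Because the rules match on whole subnets, the IoT deny also blocks IoT clients from reaching anything with a 10.0.0.x address, which is exactly the intent for the main PC but worth remembering if an IoT device ever needs a service hosted there.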