vlan isolation

18 Reply
Re:vlan isolation
19 hours ago

  @ITV , 

 

This is getting complicated.  If there are two interfaces for each VLAN, then an ACL is needed for each interface.  A deny rule is needed to prevent the VLAN(s) from accessing other VLANs.  One rule should be sufficient to block traffic while two rules are needed to allow traffic.  If one of the interfaces is on a non-Omada device, then you will have to figure out the needed configuration.

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop 1x EAP772-Outdoor
1
1
#12
Re:vlan isolation
9 hours ago - last edited 9 hours ago

  @ITV 

 

I switch route all my VLANs, and it's very easy to isolate them with switch ACLs.

 

Ignore the fact that mine are listed as "networks" since I use the gateway for DHCP and ARP scanning features; everything is still actually routed on the switches, and the same methodology applies using IP groups.

It's simply a case of making sure you correctly isolate them from each other, but what you don't want to do is include what any of them use as a gateway IP, or they can't route anywhere.

 

Mine are structured in a way that allows a subset of the management VLAN (where IT DHCP is for my laptop etc.; nothing else goes in that range) to communicate out to other networks and back, which is why the second rule is an IP group destination rather than the network as a whole, but otherwise, very simple.

 

One thing to note that might be tripping you up: switch rules are not stateful. If you block one direction it inherently blocks the other direction, because you are either blocking the reach-out or the response; it doesn't track the state of "this IP reached out to here, so we will allow the response".

 

As for the routing tables question:

 

Let's say you have these VLANs as switch only, no gateway interfaces:

192.168.10.0/24

192.168.20.0/24

192.168.30.0/24

 

and your management VLAN (and main switch SVI) is on

192.168.0.0/24

 

For correct routing you only need this:

Gateway route - 192.168.10.0/24 + 192.168.20.0/24 + 192.168.30.0/24 > 192.168.0.250 (switch IP on management vlan)
Switch route - 0.0.0.0/0 > 192.168.0.254 (gateway IP on management vlan)

 

Technically you don't even need the second route on the switch if its gateway IP already points to the actual gateway in its management VLAN interface config.

1
1
#13
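As an added illustration (not code from the post or from Omada), a small Python model of the two points made above: stateless switch ACLs that judge every packet on its own headers, and the gateway/switch routing split using the post's addressing. The switch SVI 192.168.0.250 and gateway 192.168.0.254 come from the post; the host addresses and the single deny rule are constructed.

```python
from ipaddress import ip_address, ip_network

# Addressing from the post: switch-only VLANs 10/20/30, management VLAN 192.168.0.0/24,
# switch SVI .250, gateway .254. Host addresses used below are constructed.
SWITCH_IP, GATEWAY_IP = "192.168.0.250", "192.168.0.254"
GATEWAY_ROUTES = [("192.168.0.0/24", "connected"),
                  ("192.168.10.0/24", SWITCH_IP),   # the one route the gateway needs
                  ("192.168.20.0/24", SWITCH_IP),
                  ("192.168.30.0/24", SWITCH_IP),
                  ("0.0.0.0/0", "internet")]
SWITCH_ROUTES = [("192.168.0.0/24", "connected"),
                 ("192.168.10.0/24", "connected"),  # SVIs live on the switch
                 ("192.168.20.0/24", "connected"),
                 ("192.168.30.0/24", "connected"),
                 ("0.0.0.0/0", GATEWAY_IP)]         # default route toward the gateway

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None when nothing matches."""
    best = None
    for prefix, hop in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def path(entry, dst):
    """Trace a packet for dst entering at the 'switch' or the 'gateway' (bounded: no loops)."""
    tables = {"switch": SWITCH_ROUTES, "gateway": GATEWAY_ROUTES}
    hops, node = [entry], entry
    for _ in range(4):
        hop = next_hop(tables[node], dst)
        if hop in (None, "connected", "internet"):
            return hops + [hop or "unroutable"]
        node = "switch" if hop == SWITCH_IP else "gateway"
        hops.append(node)
    return hops + ["loop"]

def acl_action(rules, src, dst):
    """Stateless first-match ACL: each packet is judged alone, no flow tracking."""
    for action, s, d in rules:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action
    return "permit"

def flow_works(rules, client, server):
    """A request/response exchange needs BOTH directions permitted by a stateless ACL."""
    return all(acl_action(rules, a, b) == "permit" for a, b in ((client, server), (server, client)))

# One deny in one direction (VLAN 10 -> VLAN 20) isolates the two VLANs both ways.
ISOLATE = [("deny", "192.168.10.0/24", "192.168.20.0/24")]
```

Note that `acl_action` still permits a VLAN 20 host's request toward VLAN 10; the exchange fails because the reply from VLAN 10 is the packet that gets dropped.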
Re:vlan isolation
7 hours ago - last edited 6 hours ago

  @jra11500 - below my 0,500 Euro...

 

To make sure we are on the same page:

By default, a VLAN is nothing more than some number attached to an identifier.

Everything else is up to the vendor followed by the network administrator.

 

With that in mind (again - just to make sure we are on the same page):

The factory defaults for Omada devices are that VLAN 1 is always the management VLAN and attached to subnet 192.168.0.1/24.

In addition, the system is not really designed to use a different VLAN ID for this; changing it is really challenging and not recommended.

However, using a different subnet for the management VLAN is pretty straightforward.

 

All other VLANs can be created with or without an interface; it is just used for (un)tagging packets depending on the port settings.

In my humble opinion, assigning an IP address to any other VLAN interface of a switch only makes sense for L3 routing/switching.

 

So in terms of ACL rules on switches: by default any ACL rule is applied to ports.

Meaning that it processes packets for each port based on source and destination IP details.

Alternatively there is the VLAN option, which is confusing.

This is because the help page talks about VLAN interface assignments, which may not be the case.

Hence my choice to use the all-ports option.

 

*** making it run like clockwork ***
0
0
#14
Re:vlan isolation
6 hours ago - last edited 5 hours ago

  @GRL - thank you for your help.

 

Would you be in a position to post a screenshot of ACL rule index 1 and 2?

 

We are not very happy with having all packets routed to the management VLAN.

By using a different (intermediate) VLAN we have a more granular way of working with something called traffic scrubbing.

Thank you - Will

*** making it run like clockwork ***
0
0
#15
Re:vlan isolation
5 hours ago

  @ITV 

 

I'll post them later when home.

 

It's easy to route packets on a dedicated transit VLAN; you just need to point the next hop in the routes to the gateway and switch interfaces on that VLAN (a transit VLAN also needs to exist as a gateway interface or it won't work).

 

I even wrote a guide for this that was linked in the knowledge base somewhere.

 

There isn't any issue routing on the management VLAN, as IP headers stay intact with the original source and destination IPs, so switch rules still work on them if applied as ports type; there is no risk of data ingress to the management VLAN.

1
1
#16
Re:vlan isolation
5 hours ago

  @ITV 

 

It is true that the factory defaults for Omada devices are to use VLAN 1 and the 192.168.0.1/24 subnet.  However, it is relatively easy to change this and the system works quite well as long as the default VLAN is also the management VLAN.

 

In my case, I changed the default VLAN ID to 10 and the gateway address to 192.168.10.1/24.  All my Omada devices reside in the management VLAN and have an IP address in the 192.168.10.x range.

 

If you look at the running config of an Omada switch in your network, you will still see VLAN 1 listed with a name of "System-VLAN" but in looking at the interfaces in the running config, you will find an entry that states "no switchport general allowed vlan 1".  VLAN 1 exists but is no longer used.

 

My network is relatively small and I don't use switch routing here. I did set up switch routing (for test purposes) last year but really saw no improvement as my gateway handles everything quite well.

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop 1x EAP772-Outdoor
1
1
#17
Re:vlan isolation
5 hours ago

  @GRL - yes - we have those things configured - see the screenshots of my earlier post here:

https://community.tp-link.com/en/business/forum/topic/863092?replyId=1687728

 

Looking forward to your ACL screenshots. Thank you.

*** making it run like clockwork ***
0
0
#18
Re:vlan isolation
3 hours ago - last edited 3 hours ago

  @ITV 

 

1) This rule prevents clients in the selected networks, supernetted together in the IP group, from communicating with the HTTP/HTTPS ports of the target devices (SDN devices, routing interfaces etc.), so not even the gateway/switch login pages for that VLAN are accessible.

2) This rule prevents the selected networks from accessing the SDN and critical devices present in the management VLAN, but does not encompass the DHCP range used by my IT devices (such as my laptop).

0
0
#19