How to configure routing VLANs on a NETGEAR managed switch with shared internet access
KBA-518


This article describes how to configure routing VLANs on a NETGEAR managed switch with shared access to the internet.

Note: The steps and screenshots in this article apply to NETGEAR managed switches running firmware version 11 and above.

In this example, there are three VLANs configured on the switch:

  • VLAN 10 / Network 192.168.10.0 (mask 255.255.255.0) / Ports 1 - 10

  • VLAN 20 / Network 192.168.20.0 (mask 255.255.255.0) / Ports 11 - 20

  • VLAN 30 / Network 192.168.30.0 (mask 255.255.255.0) / Ports 21 - 28

The devices in each VLAN are allowed to communicate with devices in other VLANs because routing is enabled on the switch. This inter-VLAN communication can be restricted through the use of optional access control lists (ACLs), described later in this article.

The devices in each VLAN access the internet through the internet gateway, which is connected to VLAN 10. In this example, the internet gateway is not VLAN-aware. The switch routes traffic between VLANs, from the devices in VLANs 10, 20 and 30 to the internet gateway and back.

Below is a simple diagram presenting an overview of the network.

[Image: network overview diagram]

Create the VLANs.

  1. Log in to the management page of the switch.
  2. Go to Routing - VLAN - VLAN Static Routing Wizard.
  3. Enter the VLAN ID, the IP Address and the Network Mask for the VLAN. In this example, these values are:
    VLAN ID: 10
    IP Address: 192.168.10.254
    Network Mask: 255.255.255.0
  4. Select the ports to add to the VLAN. Ports which connect to end devices such as PCs should be marked as untagged (U). Ports on which traffic for multiple VLANs is sent to other VLAN-aware devices should be marked as tagged (T).
  5. Click Apply. Note this will remove the selected ports from the default VLAN (VLAN 1). If you are managing the switch through a port in VLAN 1, be careful not to re-configure the port through which you are managing the switch.
  6. When prompted with the Global IP routing mode window, click OK.
    [Image: Global IP routing mode window]
  7. Repeat steps 1 - 6 to create VLANs 20 and 30.

Configure the DHCP server (optional).

If you require the switch to function as a DHCP server for the VLANs, follow the steps in this section. If not, proceed to the Add a default route section.

  1. Log in to the management page of the switch.
  2. Go to System - Services.
  3. Under DHCP Server - DHCP Server Configuration, set Admin Mode to Enable and click Apply.
  4. Under DHCP Server - DHCP Pool Configuration, create a new DHCP pool for each VLAN. Refer to the screenshot below for an example of how to create a DHCP pool. The default router address used for each pool is the IP address of the corresponding VLAN interface, e.g. for VLAN 10, it is 192.168.10.254.

    Note: When Type of Binding is set to Dynamic, the association between a DHCP pool and a VLAN is based on the IP address and network mask assigned to the VLAN. To associate a DHCP pool with a VLAN, ensure that the network address of the pool matches the network address of the VLAN. For example, VLAN 10 is assigned the IP address 192.168.10.254 and network mask 255.255.255.0, which gives a network address of 192.168.10.0. When creating the DHCP pool for VLAN 10, ensure that the network address is 192.168.10.0 with network mask 255.255.255.0. The switch then automatically assigns the DHCP pool to the corresponding VLAN (VLAN 10 in this case).
  5. Click Add.
  6. Repeat steps 1 - 6 to create DHCP pools for VLANs 20 and 30.
  7. Go to DHCP Server - DHCP Server Configuration.
  8. In the Excluded Address section, add the IPs which are in use and should not be offered by the DHCP server. In this example, the addresses we exclude are:
    192.168.10.1
    192.168.10.254
    192.168.20.254
    192.168.30.254
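The note above says a dynamic DHCP pool is tied to a VLAN only when the pool's network address equals the network address derived from the VLAN interface's IP and mask, and step 8 excludes the in-use addresses. The following added example (not from the NETGEAR article, and not the switch's own code) models both checks in Python so the configuration can be validated before it is entered: it computes each VLAN's network address, finds which VLAN a pool would bind to (or none, when the mask does not match), and lists in-use addresses a pool could still lease because they were not excluded. The VLAN interfaces and in-use address list are the article's example values, transcribed here as sample data.

```python
import ipaddress
from typing import List, Optional

# Sample data transcribed from the article's example network.
# VLAN ID -> "address/mask" of the switch's routing interface for that VLAN.
VLAN_INTERFACES = {
    10: "192.168.10.254/255.255.255.0",
    20: "192.168.20.254/255.255.255.0",
    30: "192.168.30.254/255.255.255.0",
}

# Addresses already in use (gateway and VLAN interfaces) that must never be leased.
IN_USE = ["192.168.10.1", "192.168.10.254", "192.168.20.254", "192.168.30.254"]


def vlan_network(iface: str) -> ipaddress.IPv4Network:
    """Network address of a VLAN interface: 192.168.10.254/24 -> 192.168.10.0/24."""
    return ipaddress.ip_interface(iface).network


def pool_to_vlan(pool_network: str) -> Optional[int]:
    """Return the VLAN ID whose network address equals the pool's network address.

    None means no VLAN matches; a dynamic pool in that state is never associated
    with any interface, which is the misconfiguration the article's note warns about.
    """
    pool = ipaddress.ip_network(pool_network, strict=False)
    for vlan_id, iface in VLAN_INTERFACES.items():
        if vlan_network(iface) == pool:
            return vlan_id
    return None


def unexcluded_in_use(pool_network: str, excluded: List[str]) -> List[str]:
    """In-use addresses inside the pool's network that are not on the exclusion list.

    Anything returned here could be handed out to a client and collide with the
    gateway or a VLAN interface.
    """
    pool = ipaddress.ip_network(pool_network, strict=False)
    excluded_set = {ipaddress.ip_address(a) for a in excluded}
    leakable = [a for a in map(ipaddress.ip_address, IN_USE)
                if a in pool and a not in excluded_set]
    return [str(a) for a in sorted(leakable)]


if __name__ == "__main__":
    for pool in ["192.168.10.0/255.255.255.0", "192.168.20.0/24", "192.168.10.0/255.255.0.0"]:
        print(pool, "-> VLAN", pool_to_vlan(pool))
    print("not excluded:", unexcluded_in_use("192.168.10.0/24", []))
```

Run it as-is and the third pool (right address, wrong mask) reports no VLAN, which is exactly the case where the switch silently leaves a pool unassigned. The same checks can be pointed at any address plan by editing the two constants at the top.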

Add a default route.

This is necessary to instruct the switch to send any traffic not destined for the local VLANs to the internet gateway.

  1. Log in to the management page of the switch.
  2. Go to Routing - Routing Table - Basic - Route Configuration.
  3. In the Route Type drop down menu, choose Default.
  4. In the Next Hop Address, enter the IP address of the internet gateway (192.168.10.1 in this example).
  5. Click Add.

Add static routes on the internet gateway.

The addition of static routes to the internet gateway is necessary to ensure that the internet gateway is aware of how to return traffic to devices in VLANs not directly attached to it (VLANs 20 and 30 in this example). In this example, we demonstrate how to add static routes on a NETGEAR ProSAFE firewall. The configuration of other internet gateways will vary slightly. Refer to the vendor of your internet gateway for further information.

  1. Log in to the management page of the ProSAFE firewall.
  2. Go to Network Configuration - Routing.
  3. Click Add.
  4. Enter a static route for VLAN 20 as shown below and click Apply.
  5. Repeat the process for VLAN 30. The required configuration for VLAN 30 in this example is:
    Destination IP Address: 192.168.30.0
    Subnet Mask: 255.255.255.0
    Interface: LAN
    Gateway IP Address: 192.168.10.254
    Note: It is not necessary to create a static route for VLAN 10 because the internet gateway in this example is connected directly to VLAN 10 on the switch.
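The two routing sections above reason about paths in opposite directions: the switch's default route carries outbound traffic to the gateway, and the gateway's static routes carry replies back into VLANs 20 and 30. The following added example (not from the NETGEAR article, and not the firmware of either device) is a small longest-prefix-match lookup in Python with both routing tables transcribed from the article, so you can see where a reply to a VLAN 20 host goes before and after the static routes are added. The gateway's default route next hop is given the placeholder label "WAN", since the article does not state the ISP-side address.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, next hop). A next hop of None means directly connected.
Route = Tuple[str, Optional[str]]


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over a routing table.

    Returns the next-hop address, "connected" for a directly attached network,
    or None when nothing matches (no default route either), i.e. the packet is dropped.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]


# Switch: three routed VLAN interfaces plus the default route from the article.
SWITCH_ROUTES: List[Route] = [
    ("192.168.10.0/24", None),
    ("192.168.20.0/24", None),
    ("192.168.30.0/24", None),
    ("0.0.0.0/0", "192.168.10.1"),
]

# Gateway before the static routes: it only knows VLAN 10 and the internet.
# "WAN" is a placeholder for whatever the ISP-side next hop is.
GATEWAY_BEFORE: List[Route] = [
    ("192.168.10.0/24", None),
    ("0.0.0.0/0", "WAN"),
]

# Gateway after adding the two static routes pointing at the switch's VLAN 10 interface.
GATEWAY_AFTER: List[Route] = GATEWAY_BEFORE + [
    ("192.168.20.0/24", "192.168.10.254"),
    ("192.168.30.0/24", "192.168.10.254"),
]


def round_trip(src: str, dst: str, gateway_routes: List[Route]) -> Tuple[Optional[str], Optional[str]]:
    """(where the switch forwards src->dst, where the gateway forwards the reply dst->src)."""
    return next_hop(SWITCH_ROUTES, dst), next_hop(gateway_routes, src)


if __name__ == "__main__":
    for table_name, table in [("before", GATEWAY_BEFORE), ("after", GATEWAY_AFTER)]:
        print(table_name, "192.168.20.50 -> 8.8.8.8:", round_trip("192.168.20.50", "8.8.8.8", table))
```

With GATEWAY_BEFORE, the reply to 192.168.20.50 follows the gateway's default route toward the internet and never reaches the switch, which is the failure the static routes fix; a VLAN 10 host gets "connected" in both cases, matching the note that VLAN 10 needs no static route.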


Configure access control lists (optional).

Add access control lists (ACLs) to prevent unwanted inter-VLAN communication. For example, we want to allow the devices in VLAN 20 to communicate with the internet gateway but prevent communication with other devices in VLANs 10 and 30.

Create the ACLs.

  1. Log in to the management page of the switch.
  2. Go to Security - ACL - Advanced - IP ACL.
  3. Under IP ACL Table, enter an ID of 101 and then click Add. We will use ACL 101 for VLAN 10.
  4. Repeat steps 1 - 3 to add additional ACLs 102 and 103. We will use ACL 102 for VLAN 20 and ACL 103 for VLAN 30.

Add rules to ACL 101 (for VLAN 10).

  1. Go to Security - ACL - Advanced - IP Extended Rules.
  2. In the ACL ID/Name drop down menu, choose 101.
  3. Click Add.
  4. Configure the 1st rule as follows (ignore the fields not listed below):
    Sequence Number: 10
    Action: Deny
    Src: IP Address 192.168.10.0 0.0.0.255
    Dst: IP Address 192.168.20.0 0.0.0.255
  5. Click Apply.
  6. Click Add.
  7. Configure the 2nd rule as follows (ignore the fields not listed below):
    Sequence Number: 20
    Action: Deny
    Src: IP Address 192.168.10.0 0.0.0.255
    Dst: IP Address 192.168.30.0 0.0.0.255
  8. Click Apply.
  9. Click Add.
  10. Configure the 3rd rule as follows (ignore the fields not listed below):
    Sequence Number: 30
    Action: Permit
    Match Every: True
  11. Click Apply.

Add rules to ACL 102 (for VLAN 20).

  1. In the ACL ID/Name drop down menu, choose 102.
  2. Click Add.
  3. Configure the 1st rule as follows (ignore the fields not listed below):
    Sequence Number: 10
    Action: Permit
    Src: IP Address 192.168.20.0 0.0.0.255
    Dst: Host 192.168.10.1
  4. Click Apply.
  5. Click Add.
  6. Configure the 2nd rule as follows (ignore the fields not listed below):
    Sequence Number: 20
    Action: Deny
    Src: IP Address 192.168.20.0 0.0.0.255
    Dst: IP Address 192.168.10.0 0.0.0.255
  7. Click Apply.
  8. Click Add.
  9. Configure the 3rd rule as follows (ignore the fields not listed below):
    Sequence Number: 30
    Action: Deny
    Src: IP Address 192.168.20.0 0.0.0.255
    Dst: IP Address 192.168.30.0 0.0.0.255
  10. Click Apply.
  11. Click Add.
  12. Configure the 4th rule as follows (ignore the fields not listed below):
    Sequence Number: 40
    Action: Permit
    Match Every: True
  13. Click Apply.
  14. Click Add.

Add rules to ACL 103 (for VLAN 30).

  1. In the ACL ID/Name drop down menu, choose 103.
  2. Click Add.
  3. Configure the 1st rule as follows (ignore the fields not listed below):
    Sequence Number: 10
    Action: Permit
    Src: IP Address 192.168.30.0 0.0.0.255
    Dst: Host 192.168.10.1
  4. Click Apply.
  5. Click Add.
  6. Configure the 2nd rule as follows (ignore the fields not listed below):
    Sequence Number: 20
    Action: Deny
    Src: IP Address 192.168.30.0 0.0.0.255
    Dst: IP Address 192.168.10.0 0.0.0.255
  7. Click Apply.
  8. Click Add.
  9. Configure the 3rd rule as follows (ignore the fields not listed below):
    Sequence Number: 30
    Action: Deny
    Src: IP Address 192.168.30.0 0.0.0.255
    Dst: IP Address 192.168.20.0 0.0.0.255
  10. Click Apply.
  11. Click Add.
  12. Configure the 4th rule as follows (ignore the fields not listed below):
    Sequence Number: 40
    Action: Permit
    Match Every: True
  13. Click Apply.
  14. Click Add.
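The three ACLs above depend on two properties of the switch's rule evaluation: rules are tried in sequence-number order and the first match decides, and a packet matching no rule is dropped by the implicit deny (which is why each ACL ends with a Permit / Match Every rule). The following added example (not from the NETGEAR article, and not the switch's own implementation) transcribes ACLs 101, 102 and 103 into Python and evaluates sample flows against them, so you can confirm what each VLAN can reach and see why the ordering of the permit-to-gateway rule ahead of the deny-VLAN-10 rule matters. The implicit-deny behaviour is assumed from the article's use of the final permit rule; the wildcard-mask semantics (a set bit means "ignore this bit") are standard.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An address spec is (base address, wildcard mask). A wildcard of 0.0.0.0 matches
# exactly one host (the article's "Dst: Host 192.168.10.1"); None is "Match Every".
Spec = Optional[Tuple[str, str]]


@dataclass
class Rule:
    seq: int
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def matches(spec: Spec, addr: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are ignored in the comparison."""
    if spec is None:
        return True
    base = int(ipaddress.IPv4Address(spec[0]))
    wild = int(ipaddress.IPv4Address(spec[1]))
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(acl: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching rule in sequence order wins; no match falls to the implicit deny.

    Returns (action, sequence number of the deciding rule), with None for the implicit deny.
    """
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action, rule.seq
    return "deny", None


def swap_sequence(acl: List[Rule], seq_a: int, seq_b: int) -> List[Rule]:
    """Copy of an ACL with two rules' sequence numbers exchanged, to show that order matters."""
    remap = {seq_a: seq_b, seq_b: seq_a}
    return [Rule(remap.get(r.seq, r.seq), r.action, r.src, r.dst) for r in acl]


# Address specs from the article.
VLAN10 = ("192.168.10.0", "0.0.0.255")
VLAN20 = ("192.168.20.0", "0.0.0.255")
VLAN30 = ("192.168.30.0", "0.0.0.255")
GATEWAY = ("192.168.10.1", "0.0.0.0")  # "Host 192.168.10.1"

# ACLs 101, 102 and 103 as listed in the article.
ACL_101 = [Rule(10, "deny", VLAN10, VLAN20), Rule(20, "deny", VLAN10, VLAN30),
           Rule(30, "permit", None, None)]
ACL_102 = [Rule(10, "permit", VLAN20, GATEWAY), Rule(20, "deny", VLAN20, VLAN10),
           Rule(30, "deny", VLAN20, VLAN30), Rule(40, "permit", None, None)]
ACL_103 = [Rule(10, "permit", VLAN30, GATEWAY), Rule(20, "deny", VLAN30, VLAN10),
           Rule(30, "deny", VLAN30, VLAN20), Rule(40, "permit", None, None)]


if __name__ == "__main__":
    host = "192.168.20.50"  # constructed sample host in VLAN 20
    for dst in ["192.168.10.1", "192.168.10.50", "192.168.10.254", "192.168.30.7", "8.8.8.8"]:
        print(f"ACL 102: {host} -> {dst}: {evaluate(ACL_102, host, dst)}")
    print("ACL 102 with rules 10/20 swapped, to gateway:",
          evaluate(swap_sequence(ACL_102, 10, 20), host, "192.168.10.1"))
```

Two results are worth noting for anyone adapting the rules. A VLAN 20 host is denied access to 192.168.10.254, the switch's own VLAN 10 interface, so the ACL also limits where the switch can be managed from. And if the deny-VLAN-10 rule were sequenced ahead of the permit-to-gateway rule, VLAN 20 would lose internet access entirely, because 192.168.10.1 is inside 192.168.10.0/0.0.0.255 and the first match wins.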

Add the ACLs to the ports.

  1. Go to Security - ACL - Advanced - IP Binding Configuration.
  2. In the ACL ID drop down menu, choose ACL ID 101.
  3. Select all ports in VLAN 10 (except for the port connecting to the internet gateway).