3

I'm (still) trying to properly configure VLANs on a level 3 switch (Netgear GS516TP).

Basic scenario: there are three VLANs: VLAN 10, 11, and 12, with respectively three ports, and three machines.

  • 10.0.10.5, connected to port g10 and belonging to VLAN 10.
  • 10.0.11.5, connected to port g11 and belonging to VLAN 11.
  • 10.0.12.5, connected to port g12 and belonging to VLAN 12.

[screenshot]

VLAN 10 has untagged ports g10, g11, and g12.

[screenshot]

VLAN 11 has untagged ports g10 and g11. Similarly, VLAN 12 has untagged ports g10 and g12.

[screenshot]

The goal is for machines belonging to VLAN 11 and VLAN 12 to be able to communicate with the machines in VLAN 10. However, a machine from VLAN 11 should know nothing about machines in VLAN 12 (and the other way around).

While all three machines are using the netmask 255.255.0.0, the routing configuration is set like this:

[screenshot of the routing configuration]

Now, the problem. When I send a TCP or UDP packet from 10.0.10.5 to 10.0.11.5 (for instance by doing nc -n 10.0.11.5 100), I can see this packet in Wireshark running on the machine which belongs to VLAN 12. It doesn't work the other way around, though, i.e. a packet sent from 10.0.11.5 is not visible in VLAN 12.

What should I do in order for the packets targeting machines from VLAN 11 to never reach the ports belonging to VLAN 12?

Arseni Mourzenko

  • I don't understand how port G10 can be untagged in three different VLANs at the same time. This may be a netgear oddity, or some very poor choice of name? The cisco/juniper/procurve/nortel switches I've used only allow maximum of one untagged vlan on a port. – Criggie Jan 10 '21 at 21:57

2 Answers

4

By default every port only uses L2 info to decide how to process packets (L2 == MAC == bridge). That decision doesn't respect L3, i.e. it doesn't know IP ranges of VLANs.

If you enable routing for the VLAN, and the MAC DA [destination address] of an inbound unicast packet is that of the internal bridge-router interface, the packet is routed.

The IP address that you assigned to VLANs (visible on your last screenshot) does not "catch" packets by itself. You need to set your servers up to actually send packets to that "internal bridge-router interface"; normally, this is done by adding a route table entry on a server:

(on 10.0.10.5):

    ip route add 10.0.11.0/24 via 10.0.10.1 dev eth0

Only such packets destined to that "internal bridge-router interface" will move to another VLAN.

In my example, step by step:

  1. on 10.0.10.5 you do ping 10.0.11.5
  2. server asks "who has 10.0.10.1"
  3. switch says "MAC 10:da:12:34 has 10.0.10.1"
  4. server sends a packet SOURCE 10.0.10.5 DEST 10.0.11.5 MAC_DEST 10:da:12:34
  5. switch seeing such MAC_DEST decides to change the VLAN assigned to that packet
  6. switch also changes MAC_DEST to that belonging to 10.0.11.5

(It's just how any packet forwarding works on Ethernet - nothing specific to Netgear.)

Probably, you don't need a port to be in multiple VLANs (I didn't actually check).

Also, set Routing -> IP -> Routing Mode = Yes

Netgear Support: What is VLAN Routing

kubanczyk

  • @ilkkachu I didn't want to complicate the story and the users of this kind of Netgear device will think about them as switches. You are right that logically, it's a router. Also, for (6) I corrected myself, you got it wrong as well :P – kubanczyk Jan 10 '21 at 20:43
  • well, fair enough. and it seems I typoed it in the same way, mildly embarrassing... – ilkkachu Jan 10 '21 at 20:51
  • Indeed, if I `arp -s 10.0.11.5 10:da:12:34` on the host which belongs to VLAN 10, not only does it still reach the correct machine, but also the machine from VLAN 12 doesn't see the TCP packet any longer. Now, I'm absolutely unsure what exactly I should change in the ARP configuration, but this is the subject of [a separate question](https://serverfault.com/q/1049293/39827) then. – Arseni Mourzenko Jan 10 '21 at 21:17
  • @ArseniMourzenko I'm afraid there is some misunderstanding. No need to play with MAC (or `arp`) manually! The `ip route add` will take care of that for you, like it always did. That command is the only step to do, other than removing g10 from VLAN 11 and 12 (possibly, as I wrote). – kubanczyk Jan 10 '21 at 22:25
  • I'm pretty sure it also changes the source MAC to the router. – Deduplicator Jan 11 '21 at 01:11
3

You can't do it like that, you need either special VLAN features (port isolation or such), or you need to do it with a router.

What happens here, is that as a packet (well, Ethernet frame) enters a port, it gets its VLAN id from that port's PVID. Then it is sent out from the other ports that are also on that same VLAN. (Except that a switch would of course only forward it to one particular port, if it has a port for the destination MAC stored for that particular VLAN. It might not, since all the ports are on different VLANs, so the destinations are not to be found in the VLANs the frames are sent from.)

This means that everything sent to the switch via port 10 can appear on port 11 and 12, but anything sent via port 11 or 12 can only go to port 10.

What port isolation / protected ports / similar features would do, is that they block the forwarding of frames within a single VLAN, with the exception of some special ports. With that sort of feature, you'd put all the ports in one single VLAN, and mark port 10 as special, so it could send/receive traffic to/from 11 and 12. But the feature would isolate 11 and 12 from each other.

The other option is to bring both VLAN 11 and VLAN 12 to the machine on port 10 as tagged VLANs. Then, on that machine, you can make distinct IP interfaces for the VLANs, letting it communicate with both. Without routing set up on the machine, 11 and 12 can't communicate with each other. The machine would still need to be VLAN-aware, of course.

Of course, if the Netgear itself can act as a router between VLANs, then that also works. You'll just need to set up VLANs for each machine, arrange the routing and add filtering (firewall) between 11 and 12.

ilkkachu
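To make both answers concrete, here is an added toy model (not from either answer, and not Netgear's behaviour verbatim) of a switch with per-port PVID, untagged VLAN membership, a per-VLAN MAC table and an optional VLAN-routing interface. It reproduces the question's symptom (a frame from g10 floods to g11 and g12, the reverse only reaches g10) and the first answer's fix (a frame addressed to the router MAC is moved into the destination VLAN only). All MACs, the `10:da:12:34` router MAC and the `/24` prefixes are constructed or taken from the answers, and hosts are assumed to have already been learned on their ports.

```python
import ipaddress

ROUTER_MAC = "10:da:12:34"  # from the first answer's walkthrough (constructed value)

class Switch:
    def __init__(self, pvid, members, routing=None):
        self.pvid = pvid              # port -> VLAN id stamped on untagged ingress frames
        self.members = members        # vlan -> ports carrying that VLAN untagged
        self.routing = routing or {}  # vlan -> IPv4 prefix, only when VLAN routing is on
        self.mac_table = {}           # (vlan, mac) -> port; learning is per VLAN
        self.arp = {}                 # ip -> mac, the router interface's own ARP cache

    def learn(self, vlan, mac, port, ip=None):
        self.mac_table[(vlan, mac)] = port
        if ip:
            self.arp[ip] = mac

    def _routed_vlan(self, dst_ip):
        for vlan, prefix in self.routing.items():
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
                return vlan
        return None

    def forward(self, in_port, src_mac, dst_mac, src_ip, dst_ip):
        """Return the set of egress ports for one unicast frame."""
        vlan = self.pvid[in_port]
        self.learn(vlan, src_mac, in_port, src_ip)
        # L3 step (first answer): MAC_DEST == router interface -> move the frame
        # into the VLAN owning the destination prefix and rewrite MAC_DEST.
        if dst_mac == ROUTER_MAC and self._routed_vlan(dst_ip) is not None:
            vlan = self._routed_vlan(dst_ip)
            dst_mac = self.arp.get(dst_ip)
        # L2 step (second answer): known MAC -> one port; unknown -> flood the VLAN.
        out = self.mac_table.get((vlan, dst_mac))
        if out is not None and out != in_port:
            return {out}
        return self.members[vlan] - {in_port}

def question_config():
    """Question's layout: g10 untagged in VLANs 10, 11 and 12; PVID = own VLAN."""
    return Switch({"g10": 10, "g11": 11, "g12": 12},
                  {10: {"g10", "g11", "g12"}, 11: {"g10", "g11"}, 12: {"g10", "g12"}})

def routed_config():
    """One port per VLAN, VLAN routing enabled (constructed /24 prefixes)."""
    return Switch({"g10": 10, "g11": 11, "g12": 12},
                  {10: {"g10"}, 11: {"g11"}, 12: {"g12"}},
                  {10: "10.0.10.0/24", 11: "10.0.11.0/24", 12: "10.0.12.0/24"})
```

In the routed layout a frame from g11 addressed to the router for 10.0.12.5 still egresses on g12, which is the second answer's point that routing alone does not isolate 11 from 12 and a filter between them is still needed.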