I have a situation with my VLAN's and cannot see the light:
In order to simplify i will talk about 2 VLAN's instead of 10+. In a L2 switch i have VLAN 100 and VLAN 200. Using 802.1Q VLAN:
- VLAN 1 (all ports System-VLAN - Management VLAN).
- VLAN 100 (port 4,6 - connected to computers & port 15 connected to router).
- VLAN 200 (port 10,12 - connected to computers & port 15 connected to router).
The ports are configured as:
- ports 4,6 (general untagged - PVID 100)
- ports 10,12 (general untagged - PVID 200)
- port 15 (general untagged - PVID 1).
The result is correct: i have internet in all ports and cannot communicate between VLANs. Ping from port 1 to port 4,6 or 10,12. No communication between port4,6 - 10-12. And yes i have ping betweeen 4,5 and 10-12. So right now everything is ok.
My PROBLEM IS: - I connect a pc (10.20.30.187) in port10 (VLAN 200) and launch wireshark looking for ICMP. - A laptop (10.20.30.190) is connected in port 4 (VLAN 100) and i launch a ping to 8.8.8.8. --> In the PC in VLAN 200 i can see all packets being sent from 8.8.8.8 to the the laptop (10.20.30.187). I cannot see the packets being sent from PC, since the source in IN another VLAN, but the internet responses can be seen.
Since all VLAN are passing through VLAN 15 and the router does not understand VLAN', can i separate this traffic FROM internet to VLAN's, and avoid this situation? I've been thinking on ACL but nothing comes to my mind. It's been a couple days...I even tried a "stupid" thing like creating an extended ACL denying traffic from PC IP to LAPTOP IP, but of course, the SOURCE IP is 8.8.8.8.
So is there any ideas from you guys?
I've been checking this forum (some examples: VLANS and Public/Private Traffic VLAN sending data to ports it shouldnt have to Tagged Packets on native VLAN General Port 802.1q VLAN echo replies do not include VLAN ID) and of course many other but nobody seems to have this situation, or already know how to solve it, so no need to ask. Hope you can give me a solution.
Many thanks. Best regards Portuguevos.
First of all thanks for yours answer.
So the only way to separate the traffic from internet to any VLAN is to use a Router with VLAN. But is there any other possibility? Maybe ACL? I want to learn this since is something i like, but i have been searching and cannot find something similar. And not use a router with VLAN, since is something i do not have at my home ;-)
Just in case let me re explain the situation: I must say that the description of my VLANs are not the actual scenario. Until now i've been using VLANs to separate traffic between departments. Recently a colleague used a L2 switch to distribute several Internet connections with public IPs to severall offices. So in a 24 port L2 switch he is using port 24 connected to a router (do not have specific information on this device) where he receives around 20 public IP from an ISP. So he creates VLAN 20 with port 2 +24. Vlan 20 port 3+24 and so on. Whenever an office of his building needs internet connection, he deploys a ethernet cable from port 2 or 3 or 4 , etc to a router installed in the office. So each office has is own internet and supposly nobody can see each other. So he believes everything is separated. This idea was strange and new to me so i build a little scenario at my home. I have a SG3216 TP-Link switch, one ADSL (port 15 - 192.168.100.0/24) and one 4G router (port 16 - 192.168.200.0/24). I have VLAN 100 port 4,6,15,16 (general untaged) and vlan 200 with ports 10,12,15,16 (general untagged). The VLANs are working correctly. There is no traffic between VLANs, but all of them have internet. (I've checked using IP's on same range in differente VLANs, and there is no communication). But the thing is using Wireshark i can capture all traffic from the internet to whatever VLAN. I cannot capture traffic from other VLANs to internet.
If someone have an idea on what to use in order to avoid seeing DATA from internet to a VLAN not yours, i appreciate. Many thanks.
