
Question

VLANs

Aug 17, 2017 6:30AM PDT

I was wondering if anyone could help me. I have 3 networks: Internal, Employee and Guest.

Internal = 192.168.1.x
Employee = 192.168.2.x
Guest = 192.168.3.x

You can access 192.168.1.x devices from 192.168.2.x and 192.168.3.x devices; I do not want that.

To do this I have an internal VLAN (100), an Employee VLAN (200) and a Guest VLAN (300). There are two switches. The first one is a Netgear ProSafe switch. This switch has the uplink from the BT Hub (VLAN 100) and the port going to the other switch (Extreme Networks), with port 8 on the ProSafe switch and port 1 on the Extreme switch being a trunk (tagged 100, 200, 300).

The internal DHCP and routing is done by the BT Hub, port 1 on the Netgear. The Employee DHCP and routing is done by a Cisco router (uplink on the internal (100), which then goes into the Family (200)). The Guest DHCP and routing is done by an Untangle router (uplink on the internal (100), which then goes into the Guest (300)).

I can access devices on 192.168.1.x network from the Employee and Guest VLANs, but cannot access 192.168.2.x and 192.168.3.x devices on the internal network. I would like all 3 networks separated.

Thanks.
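The behaviour described in the post (Employee and Guest hosts can reach 192.168.1.x, but Internal hosts cannot reach 192.168.2.x or 192.168.3.x) follows from where the two downstream routers' WAN sides sit. The model below is an added example written for this thread, not the poster's configuration or any vendor's code. It assumes exactly what the post states: /24 masks, the Cisco and Untangle routers' uplinks on VLAN 100 with the BT Hub as their default route, and hosts using their own VLAN's router as gateway. The `deny` rule is a hypothetical egress ACL on each downstream router's WAN side, added only to show what closes the gap; the real device syntax differs.

```python
"""Reachability model of the three-VLAN design described in the post.

Constructed example: each router has a set of directly connected
subnets, a default next hop and an optional egress deny list.
Hosts send off-subnet traffic to the router that owns their subnet.
"""
from ipaddress import ip_address, ip_network

INTERNET = "internet"  # sentinel next hop: an RFC 1918 destination sent here is lost


class Router:
    def __init__(self, name, connected, default_next_hop, deny=()):
        self.name = name
        self.connected = [ip_network(n) for n in connected]
        self.default_next_hop = default_next_hop  # a Router or INTERNET
        # (src_net, dst_net) pairs dropped before routing: a hypothetical ACL on the WAN side
        self.deny = [(ip_network(s), ip_network(d)) for s, d in deny]

    def forward(self, src, dst):
        """Return ("dropped" | "delivered" | "forward", next_hop_or_None)."""
        for s, d in self.deny:
            if src in s and dst in d:
                return "dropped", None
        if any(dst in n for n in self.connected):
            return "delivered", None  # destination is on an attached VLAN
        return "forward", self.default_next_hop


def build_topology(isolate=False):
    """Topology as posted. isolate=True adds the rule the post lacks (assumed fix):
    each downstream router drops traffic from its LAN to any 192.168.0.0/16 address,
    the usual guest-network rule on the WAN interface."""
    bt_hub = Router("BT Hub", ["192.168.1.0/24"], INTERNET)
    employee = Router(
        "Cisco (Employee)", ["192.168.1.0/24", "192.168.2.0/24"], bt_hub,
        deny=[("192.168.2.0/24", "192.168.0.0/16")] if isolate else [])
    guest = Router(
        "Untangle (Guest)", ["192.168.1.0/24", "192.168.3.0/24"], bt_hub,
        deny=[("192.168.3.0/24", "192.168.0.0/16")] if isolate else [])
    # default gateway for hosts on each VLAN; both downstream routers also have
    # 192.168.1.0/24 attached because their WAN side is on VLAN 100
    return {
        ip_network("192.168.1.0/24"): bt_hub,
        ip_network("192.168.2.0/24"): employee,
        ip_network("192.168.3.0/24"): guest,
    }


def reachable(src_ip, dst_ip, gateways, max_hops=8):
    """Can src_ip initiate a packet to dst_ip, following each router's routing
    and deny rules? Same-subnet traffic is switched and never touches a router."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_net = next(n for n in gateways if src in n)
    if dst in src_net:
        return True
    hop = gateways[src_net]
    for _ in range(max_hops):
        verdict, nxt = hop.forward(src, dst)
        if verdict == "delivered":
            return True
        if verdict == "dropped":
            return False
        if nxt == INTERNET:
            return not dst.is_private  # public addresses go out, private ones are lost
        hop = nxt
    return False  # routing loop guard


if __name__ == "__main__":
    for isolate in (False, True):
        g = build_topology(isolate)
        print("with WAN-side deny rule:" if isolate else "as posted:")
        for s, d in [("192.168.2.10", "192.168.1.5"), ("192.168.3.10", "192.168.1.5"),
                     ("192.168.1.5", "192.168.2.10"), ("192.168.2.10", "8.8.8.8")]:
            print(f"  {s} -> {d}: {'reachable' if reachable(s, d, g) else 'blocked'}")
```

Two caveats on the model. It only covers layer 3: it assumes the trunk and access ports are tagged as described, and if a port is untagged in the wrong VLAN the separation fails at layer 2 before any router rule applies, which is the cabling and VLAN-rule check the replies keep asking for. The deny rule blocks the whole of 192.168.0.0/16 on the WAN side; that is safe here only because a router's own LAN-to-LAN traffic never crosses its WAN interface, and on a real box it should be written as an access list on that interface and then verified with the same host-to-host test from each VLAN.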


Clarification Request
You stated....
Aug 17, 2017 7:23AM PDT

"To do this I have an internal VLAN (100), an Employee VLAN (200) and a Guest VLAN (300)."

You mention some switches so these switches will either have VLAN features or must only be used in the LAN segment you want.

I am going to upset you here. This is slightly advanced networking that I don't get into here. I send our network engineers out or have the client deal with the maker technical support.

-> In short, I think you need to sort out your wiring if you happen to use dumb switches.

Switches
Aug 17, 2017 7:55AM PDT

All of our switches are VLAN capable with 802.1Q.

Then configure as you want.
Aug 17, 2017 7:58AM PDT

I don't see the issue but I am not there to check your rules. There is a possibility the firmware is broken so be sure it's current.

My only advice is to not mix your LAN segments over the switches. Keep all the groups on their own switches.

Lan
Aug 17, 2017 8:00AM PDT

None of the LANs are mixed.

Each network has its own router. The WAN cable for the router comes out of the internal VLAN and then the LAN for the router then goes back into the appropriate VLAN.

The statement Each network has its own router.
Aug 17, 2017 8:10AM PDT

Means I could keep them physically separated. You state that each network has its own router, so take that to the switch that has the machines for that LAN.

Remember I don't know your cable plan or rules. It's either a bum rule, some defect in firmware, or the plan. It's not clear to me why it's broken yet.

-> ONE THING. Are you sure your server is handing out a netmask appropriate to your plan? Say 255.255.255.0? That way even if you broke it by some switch that had mixed clients the only way to see across 1.x and 2.x LANs is in the routing.

netmask
Aug 17, 2017 8:12AM PDT

I am very sure that all the net masks are 255.255.255.0

Since each network has its own router.
Aug 17, 2017 8:33AM PDT

It must be a cable plant issue where there's a connection not in your diagrams. Again, I can't check your VLAN rules. You take that back to the router/smart switch support.

Answer
(NT) How about using subnets?
Aug 17, 2017 6:59AM PDT
(NT) I would like to completely separate the networks.
Aug 17, 2017 7:00AM PDT
Answer
Let's focus on this statement.
Aug 17, 2017 9:12AM PDT

"You can access 192.168.1.x devices from 192.168.2.x and 192.168.3.x devices, I do not want that."

With a netmask of 255.255.255.0, this can only happen if the router does this (or the VLAN rules).

You do state some conflicting information but let's skip to how I might find where the leak is occurring. Use the TRACEROUTE command and see the path this leak occurs.

-> As I re-read your post I worry you are trying to create VLANs by using routers, which may not give you the isolation you desire. One of these routers likely is smart enough to know that 192.168.1.x is reachable from 192.168.2.x and 3.x. Maybe the fix could be to build a 4.x network based on the design of the isolated LANs.

That is, you appear to be trying to build a VLAN without a managed switch.

-> READ THIS. The BT Hub (VLAN 100) as I see your design should be seen by all other networks since it's a LAN and not a VLAN.

Post was last edited on August 17, 2017 9:12 AM PDT

Managed Switches
Aug 17, 2017 10:02AM PDT

Both my switches are managed: an Extreme Networks Summit and also a Netgear ProSafe.

That's another clue.
Aug 17, 2017 10:09AM PDT

"Both". So you have 2 of those, but that first LAN is not managed. My bet is you need one more managed switch.

I should not need another switch.
Aug 17, 2017 11:40AM PDT

I should not need another switch if I can put them into VLANs.

I see two managed LANs.
Aug 17, 2017 12:16PM PDT

You want three. Where's the third managed LAN?

I do not need three switches
Aug 17, 2017 12:17PM PDT

If the switches are managed, then I should be able to segregate the networks using the VLANs on the managed switches.

Where is the third VLAN?
Aug 17, 2017 12:39PM PDT

I only see enough managed switches for two managed networks. The first one looks to be where your two managed switches connect to, so it's going to be visible.

Why not call the product support and have them talk about this?

Emailed netgear
Aug 17, 2017 12:40PM PDT

I emailed Netgear and they were no help. As long as I have at least one managed switch, I can have as many VLANs as I like.

Yes, that's true for what's on the Netgear.
Aug 17, 2017 12:45PM PDT

The first LAN is not managed, and you wrote "This switch has the uplink from the BT Hub (VLAN 100)", which is not a VLAN but a LAN you connect to your managed switch. What's on that LAN should be available to the uplinked LANs, and this appears to be true.

Now if you move connections to the managed switches and create the VLANs there to manage, then there is no issue, as the unmanaged LAN which comes from the BT Hub has no clients to see.

Post was last edited on August 17, 2017 12:45 PM PDT

Sad that Netgear didn't explain it all.
Aug 17, 2017 12:46PM PDT

What's before the Netgear is not managed by the Netgear.

Netgear was first.
Aug 17, 2017 12:47PM PDT

Netgear is the first switch.

I keep reading that
Aug 17, 2017 2:06PM PDT

"This switch has the uplink from the BT Hub (VLAN 100)"

Going to need a document about the system. Anything on the BT Hub should be visible, as I see it now. If you have anything there, move it to the managed switch side.

PS. I hope you see the problem now.
Aug 17, 2017 12:41PM PDT

I'm not there to re-review your plan, but after more thought I hope you see it now.

If you do find a way without the third managed switch, I'd like to hear it.

(NT) I will let you know
Aug 17, 2017 12:42PM PDT