My knowledge about VLANs is somewhat limited, so please bear with me :-)
The situation is like this:
We have a small DMZ, where a (manageable) 3COM 3CDSG8 switch is used. Internally, we have the SRW224G4. Now what I need to achieve is a "safe" link from our internal network out to the 3COM switch.
So I configured the 3COM switch to have the management port use an internally routable IP address plus 55 as its VLAN ID.
Next I tried to configure Port 2 of the SRW224G4 to also use 55 as its VLAN (this VLAN is the only one active, all other ports are set to "Access"):
* VLAN Management->Port Setting
e2 -> Mode "General" -> Frame Type "Admit All" -> PVID "55" -> ingress filtering active
* Ports2VLAN for VLAN 55
e2 -> "Untagged" (but it does not work with "Tagged" either)
If I then try to ping the 3COM switch from our internal network, it remains unreachable.
OTOH, if I change VLAN Management->Port Setting like this ...
e2 -> Mode "Access"
... I can access the 3COM switch from internally.
But if I understand it right now, that leaves my Port 2 open for any kind of data, regardless of any VLAN ID used.
... So where am I wrong? In my naive world this setup is the "most trivial" one but obviously I am missing something ...
Thanks in advance
Hello and good evening,
It is not so much guessing the vlan id as it is simply compromising a machine within the DMZ. Since this is connected to your LAN, someone will find a way to hack in. It is possible to use a compromised machine to DOS the network, and as such service will be unavailable during an attack.
Another unfortunate, but all too common event, is people making a config or wiring mistake. When this happens they end up giving access to parts of the network they did not intend to.
It is for this reason that you can configure your network this way, but I really cannot suggest it.
Is this question still open? It has been a few days ... Thanks
My apologies, I am not trying to insult you, but my SRW224G4 is a layer 2 switch only; it cannot 'route' IP packets across VLAN boundaries. It's not a layer three switch. It would need something else, like a router or a layer three switch, to be able to route between VLANs (if that is what you want).
So, the bottom line, I guess, is that you want the 3COM to be part of the intranet and managed from behind the private side of the firewall?
If that is the case, then:
In the 3COM switch:
Step 1. Make 3COM port 8 an untagged member of VLAN 55; in other words, untagged Ethernet frames will egress out of 3COM port 8.
Step 2. Then just give the management interface of the 3COM switch an address, say IP address 172.20.10.3.
Step 3. Move the management interface of the 3COM switch away from the default VLAN and add it to VLAN 55.
In the SRW224G4:
Step 1. Then just connect a patch cable to e3 (already untagged in VLAN 1 as it's in access mode).
My switch would not know that the untagged packets coming out of the 3COM management interface are not members of the default VLAN, as the Ethernet frames are not tagged.
These untagged Ethernet frames would mingle with the Ethernet frames of VLAN 1 in the SRW224G4.
My switch would only see untagged Ethernet frames coming into VLAN 1 from the 3COM and have to assume that those frames are also part of VLAN 1.
The end result would be that the 3COM switch would be managed from:
1. a 172.20.10.X network, or from
2. an incoming VPN connection into the firewall.
I do hope this helps and does not just confuse the topic; I thought you needed an approach and noticed that no one had responded to your question.
If I'm right, you owe me a beer when we next meet face to face :). If this is completely out of context with what you were asking, I can only ask for clarification or simplification of the question posed.
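To make the mechanism behind both replies concrete, here is an added example that is not part of the original thread and is not firmware or vendor code from Linksys or 3COM. It is a simplified model of 802.1Q ingress classification and egress tagging on a layer-2 switch: an untagged frame arriving on a port is placed in that port's PVID, a tagged frame is admitted only if the port is a member of that VLAN (when ingress filtering is on), and a frame is only ever copied to ports that are members of the VLAN it was classified into. Assumptions: the port-mode names "access" and "general" follow the SRW224G4 web UI wording quoted above, access ports are assumed to discard tagged frames, and the MAC addresses, port names and payload bytes are constructed for the demonstration.

```python
"""Simplified 802.1Q ingress/egress model of a layer-2 switch (constructed example).

Not the firmware logic of the SRW224G4 or the 3COM 3CDSG8; port-mode names
follow the SRW224G4 web UI wording quoted in the thread (assumption)."""
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_IPV4 = 0x0800


@dataclass
class PortConfig:
    mode: str                # "access" or "general"
    pvid: int                # VLAN given to untagged frames arriving on this port
    members: Dict[int, str]  # vid -> "untagged" | "tagged" (how frames leave the port)
    ingress_filtering: bool = True


def parse_frame(frame: bytes):
    """Return (dst, src, vid, ethertype, payload); vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = int.from_bytes(frame[14:16], "big")
    vid = tci & 0x0FFF                    # VLAN ID is the low 12 bits of the TCI
    return dst, src, vid, int.from_bytes(frame[16:18], "big"), frame[18:]


def build_frame(dst, src, payload, vid=None, ethertype=ETH_IPV4, pcp=0):
    """Assemble a frame, inserting an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return header + ethertype.to_bytes(2, "big") + payload


def classify_ingress(port: PortConfig, frame: bytes) -> Optional[int]:
    """VLAN the frame is placed in on ingress, or None if the port discards it."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:      # untagged or priority-tagged: use the PVID
        return port.pvid
    if port.mode == "access":        # assumption: access ports discard tagged frames
        return None
    if port.ingress_filtering and vid not in port.members:
        return None                  # tagged for a VLAN this port is not a member of
    return vid


def egress_frame(port: PortConfig, vid: int, frame: bytes) -> Optional[bytes]:
    """Frame as it leaves `port` in VLAN `vid`: tagged, stripped, or None if not a member."""
    tagging = port.members.get(vid)
    if tagging is None:
        return None
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, payload, vid if tagging == "tagged" else None, ethertype)


def forward(switch: Dict[str, PortConfig], ingress: str, frame: bytes) -> Dict[str, bytes]:
    """Ports that receive a copy of the frame, mapped to the bytes each one emits."""
    vid = classify_ingress(switch[ingress], frame)
    if vid is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name != ingress:
            emitted = egress_frame(port, vid, frame)
            if emitted is not None:
                out[name] = emitted
    return out  # a layer-2 switch never copies a frame into another VLAN


# Constructed sample values: locally administered MACs and a dummy IPv4 payload.
MAC_3COM = bytes.fromhex("02aa0000000a")
MAC_HOST = bytes.fromhex("02bb0000000b")
PING = b"\x45\x00\x00\x1c" + b"\x00" * 24


def srw224g4(e2: PortConfig) -> Dict[str, PortConfig]:
    """Two-port model of the internal switch: e1 is an internal host on VLAN 1."""
    return {"e1": PortConfig("access", 1, {1: "untagged"}), "e2": e2}


def reply_from_3com(e2: PortConfig):
    """Ports that see an untagged frame from the 3COM management port, for a given e2 config."""
    frame = build_frame(MAC_HOST, MAC_3COM, PING)   # management port sends untagged frames
    return sorted(forward(srw224g4(e2), "e2", frame))


if __name__ == "__main__":
    # General mode, PVID 55, untagged member of VLAN 55 (the asker's first setup):
    print(reply_from_3com(PortConfig("general", 55, {55: "untagged"})))   # []
    # Access mode on VLAN 1 (the setup that made the 3COM reachable):
    print(reply_from_3com(PortConfig("access", 1, {1: "untagged"})))      # ['e1']
```

The two runs at the bottom reproduce the thread: with e2 in General mode and PVID 55, the 3COM's untagged reply is classified into VLAN 55, and since no other port on the internal switch is a member of VLAN 55 it is delivered nowhere, so the ping gets no answer; with e2 in Access mode on VLAN 1 the same frame is classified into VLAN 1 and reaches the internal host, which is exactly the "mingling" the second reply describes. The model also shows why setting e2's membership to "Tagged" did not help: the switch would then send 802.1Q-tagged frames to a management port that expects untagged ones. Reaching VLAN 55 from VLAN 1 would need a layer-3 device, not a switch setting.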