SRW224G4: unable to setup simple VLAN

Answered Question
Jan 27th, 2010

Hi,

My knowledge about VLANs is somewhat limited, so please bear with me :-)

The situation is like this:

We have a small DMZ, where a (manageable) 3COM 3CDSG8 switch is used. Internally, we have the SRW224G4. Now what I need to achieve is a "safe" link from our internal network out to the 3COM switch.

So I configured the 3COM switch to have the management port use an internally routable IP address plus 55 as its VLAN ID.

Next I tried to configure Port 2 of the SRW224GP to also use 55 as its VLAN (this VLAN is the only one active, all other ports are set to "Access"):

* VLAN Management->Port Setting

e2 -> Mode "General" -> Frame Type "Admit All" -> PVID "55" -> ingress filtering active

* Ports2VLAN for VLAN 55

e2 -> "Untagged" (but does not work with "Tagged" as well)

If I then try to ping the 3COM switch from our internal network, it remains unreachable.

OTOH, if I change VLAN Management->Port Setting like this ...

e2 -> Mode "Access"

... I can access the 3COM switch from internally.

But if I understand it right now, that leaves my Port 2 open for any kind of data, regardless of any VLAN ID used.

... So where am I wrong? In my naive world this setup is the "most trivial" one but obviously I am missing something ...

Thanks in advance

alissitz Thu, 01/28/2010 - 09:35

Hello, I hope you are well.

When you create a vlan and assign it to a port, then that port is part of that vlan.  Setting up trunk links between switches and configuring the trunk to tag packets, is needed when you are connecting two switches together and want to maintain vlan IDs.

On the SRW switch, you have configured port 2 to be part of vlan 55.  This is fine, from the switch's perspective, everything off of port 2 is part of vlan 55. How can you get to vlan 55 and where should vlan 55 be reachable from?  These are questions you have to ask and understand.  It sounds like this is all fine, and that you know the answers.

You mentioned vlan 55 is the DMZ network.  Do you want the management interfaces of these switches to be on this same DMZ network?  Probably not ... it is a less secure network correct?

For installs like this, I might suggest to have the DMZ reside off of a router or firewall's port.  Make this network a DMZ network and do not integrate it with your internal network. Configure security as such that only allowed traffic is permitted in and out of this network.

If you allow external access into your DMZ, and then someone makes a wiring or config mistake in your network, then this network can have access to your internal network.  Not something you want to do.  In addition, any DOS attacks to your DMZ network would also affect your internal network since both are running over the same hardware / data paths.

Are you able to place the DMZ into its own network and off of a firewall or router, or do you have to create multiple VLANs?

Do please let us know.

Also, I did a search on youtube and found plenty of videos on vlans.  Let me know what you think:

http://www.youtube.com/results?search_query=cisco+vlan&search_type=

Many thanks and kindest regards,

Andrew Lissitz

udotirol09 Fri, 01/29/2010 - 03:14

Thanks for your response, Andrew.

The situation is a bit different. A bit simplified it looks like this:

      internet
          |
---------------------------
|  external int           |
| ** external firewall ** |
|  internal int/10.0.0.1  |
---------------------------
       |
       |
--------------------------------------------------------------------
|   port 1                                                         |
| 3COM "DMZ" switch/mgmt IP: 172.20.20.3 (!)                       |
|   port 8                  port 7                  ports 6 to 2   |
|   VLAN 55                 VLAN 1                    VLAN 1       |
--------------------------------------------------------------------
      |                        |                       |  |  |
      |                        |                       | -| -|
      |                        |                             |- various hosts in the DMZ, 10.0.0.3 ...
      |           -----------------------------
      |           | external int/10.0.0.2     |
      |           |  ** internal firewall **  |
      |           |  internal int/172.20.10.1 |
      |           -----------------------------
      |                        |
--------------------------------------------------------------------
|   e2/VLAN 55             e1/untagged                             |
| Cisco SRW224G4 "internal" switch/172.20.10.2                     |
--------------------------------------------------------------------

Now, the point is that within the DMZ we only have a very limited number of IPs available and thus I don't want to "waste" a DMZ-IP for the management interface of the DMZ switch.

That's why I thought of "breaking" the DMZ rules a bit and assign the DMZ switch an internal IP with the ports of both switches involved tagged with a specific VLAN id.

But for reasons literally beyond my knowledge, the SRW224G4 won't allow me to access the 3COM switch if I enforce the VLAN ID as shown in my original post.

Thanks for your response, it is highly appreciated :-)

Correct Answer
David Hornstein Tue, 02/02/2010 - 00:11

Hi

My apologies, I am not trying to insult you, but my SRW224G4 is a layer 2 switch only, it cannot 'route' IP packets over the VLAN barriers. It's not a layer three switch.  It would need something else like a router or Layer three switch to be able to route between VLAN barriers. (if that is what you want)

So, the bottom line I guess is that you want the 3COM to be part of the intranet and managed from behind the private side of the firewall?

If that is the case then;

In the 3COM switch

step 1.  if you made the 3com port 8 an untagged member of VLAN 55, in other words no tag Ethernet frames will egress out the 3COM switch 8.

Step 2  then just make the management address of the 3COM switch say IP address 172.20.10.3 .

step 3. Attach the management interface of the 3COM switch away from the default VLAN and add it to VLAN 55.

In the SRW224G4

step 1  Then just connect a patch cable to e3 (already untagged in Vlan 1 as it's in access mode).

My switch would not know that the untagged packets coming out of the 3com management interface  are not members of the default VLAN, as the Ethernet frames are not tagged.

These untagged ethernet frames  would mingle with  ethernet frames of VLAN1 packets in the SRW224G4.

My switch would only see untagged Ethernet frames coming into VLAN 1 from the 3COM and have to assume that those frames are also part of VLAN1.

The end result would be that the 3COM switch would be managed from;

1.  a 172.20.10.X network or from a

2. incoming VPN connection into the firewall .

I do hope this helps and just confuse the topic, I thought you needed an approach and noticed that no one responded to your question.

If I'm right, you owe me a beer when we next meet face to face :).  If this is completely out of context with what you were asking, I can only ask for clarification or simplification of the question posed.

Regards Dave
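
Added example (not part of the original posts): a simplified model of 802.1Q port handling that follows a frame from the 3COM management interface across the cable to the SRW224G4, using the port settings described in this thread. The dictionary layout and function names are assumptions made for the illustration, and the management interface is modelled as an ordinary untagged port with ingress filtering always active.

```python
# Simplified 802.1Q port model (illustration only, not vendor firmware).
# Port tables are constructed from the settings described in this thread.

def ingress(port, tag):
    """Classify an arriving frame into a VLAN; None means it is dropped."""
    vid = port["pvid"] if tag is None else tag   # untagged frames get the PVID
    # Ingress filtering: drop frames for VLANs the port is not a member of.
    return vid if vid in port["untagged"] | port["tagged"] else None

def egress(port, vid):
    """Return 'untagged', 'tagged' or None (port is not a member of vid)."""
    if vid in port["untagged"]:
        return "untagged"
    if vid in port["tagged"]:
        return "tagged"
    return None

def forward(switch, in_port, tag, out_port):
    """Carry one frame across a switch. Returns (vlan_inside, form_on_wire)."""
    vid = ingress(switch[in_port], tag)
    if vid is None:
        return (None, None)
    return (vid, egress(switch[out_port], vid))

def access(vid):
    """An access-style port: PVID = vid, untagged member of vid only."""
    return {"pvid": vid, "untagged": {vid}, "tagged": set()}

# 3COM: management interface and port 8 are untagged members of VLAN 55.
THREECOM = {"mgmt": access(55), "p8": access(55)}
# SRW224G4 as in the original post: e2 has PVID 55, all other ports VLAN 1.
SRW_PVID55 = {"e1": access(1), "e2": access(55)}
# SRW224G4 with the 3COM uplink on a plain access port in VLAN 1.
SRW_ACCESS = {"e1": access(1), "e2": access(1)}

def mgmt_reply_path(srw):
    """Follow a reply from the 3COM management interface to SRW port e1."""
    vid_3com, wire = forward(THREECOM, "mgmt", None, "p8")
    tag = vid_3com if wire == "tagged" else None   # what the cable carries
    vid_srw, out = forward(srw, "e2", tag, "e1")
    return {"vlan_on_3com": vid_3com, "on_wire": wire,
            "vlan_on_srw": vid_srw, "reaches_e1": out is not None}

if __name__ == "__main__":
    for name, srw in (("e2 PVID 55", SRW_PVID55), ("e2 access", SRW_ACCESS)):
        print(name, mgmt_reply_path(srw))
```

In both cases the frame crosses the cable without a tag, so the number 55 only has meaning inside each switch: with PVID 55 on e2 the frame lands in a VLAN that no other SRW port belongs to, and with e2 in access mode it joins VLAN 1.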

udotirol09 Wed, 02/03/2010 - 03:50

Hi Dave,

thanks for the clarification.

I am indeed quite aware that the SRW224G4 is "just" a layer 2 switch and no router at all :-)

However, what I want to achieve is exactly what you have laid out in your description and it even works. As written in my original post, I had actually already discovered that myself as well, but now I start to understand, why it is working like this.

So, it all boils down to me having to connect the 3COM switch to a completely "untreated" port on the SRW224G4 side ...

Like I said in my OP, I am not too familiar with VLANs, so if you allow, another question, just to understand it a bit better:

My intention was to make it "as secure" as possible, of course, yet at the bottom line, setups like these are not really "secure", right?

Basically the only thing someone in the DMZ has to guess is the VLAN ID of the management port and then can access the internal network?

Sorry for my certainly naive questions, but I have to start somewhere :-)

[edit]: and about the beer, yes, I owe you one, even two, if you like ;-)

Correct Answer
alissitz Mon, 02/08/2010 - 20:58

Hello and good evening,

It is not so much guessing the vlan id as it is simply compromising a machine within the DMZ.  Since this is connected to your LAN, someone will find a way to hack in. It is possible to use a compromised machine to DOS the network, and as such service will be unavailable during an attack.

Another unfortunate, but all too common event, is people making a config or wiring mistake.  When this happens they end up giving access to parts of the network they did not intend to.

It is for this reason that you can configure your network this way, but I really cannot suggest it.

Is this question still open?  It has been a few days ... Thanks

Andrew Lissitz

udotirol09 Mon, 02/08/2010 - 23:34

Hi Andrew,

thanks for the clarification once more.

I've marked the question answered some days ago, so it is not open any more (unless I have to do something else to "close" it).

Regards

Udo Rader

alissitz Tue, 02/09/2010 - 06:22

It is very clear and yet late last night when I was looking over these posts, I did not see it. 

Have a great week!

Andrew Lissitz
