Home Network Revamp


So, I want to say just adding the DNS to the DHCP pools solved most of the issues. Wired devices are all getting the appropriate IP addresses and the devices hanging off of the downrange switches are all connecting to the internet now. Good Call.

I googled IPTV and read about IGMP Snooping and TV Multicast. I enabled both and set the Multicast to VLAN 50 and all the TVs now work. Not sure if it was DNS or Multicast - they work so taking the win there as well.

Main WAP works really well - everything connecting and getting the appropriate IP address. The other two WAPs are not so I am going to reset them and set them back up via the cluster. Hopefully that will fix that issue.

The only other thing I have noticed and what I was worried about is that the SONOS devices (All wired on VLAN 50 with wireless disabled) cannot be controlled via PC on VLAN 1. Will check my iPhone later on when I have more time and report back.
 
OK, let's start with wireless. 3 ports for wireless? How many wireless devices? Why is there a LAG defined on port 10 with no operational VLANs? I think this would be simpler if you turned off LAG. The wireless devices need to be connected all the same way. The cluster controller does not need to have more bandwidth than the other 2 wireless devices. Why are you complicating this setup? Let's get rid of all the LAGs.

DNS needs to be defined in the DHCP scope if you are not getting DNS.

I think your SG200-8 uplink port is defined as a 1 port LAG?

You can do PoE+ and data on the same port. Sounds like you are trying to separate the 2?

There are YouTube videos on how to setup SONOS using Cisco small business switches. I have never used SONOS.

So, it looks like you have every access port in VLAN1 in the SG350X switch. Are the other VLANs only used in the other switches and wireless?

This setup is very goofy.
 
> Also the switch (SG200-08) is still handing out IP addresses on VLAN 1 vice VLAN 50 - all ports are assigned (I think) to VLAN 50

This is because all the access ports are in VLAN1. They need to be VLAN50 to receive the correct IP. Change the access port to VLAN50 for it to receive an IP in network 50.
 
> This is because all the access ports are in VLAN1. They need to be VLAN50 to receive the correct IP. Change the access port to VLAN50 for it to receive an IP in network 50.
So this was me forgetting to add the VLAN 50 as a tagged VLAN on the TRUNK. I had not posted a picture of the SG200 Port VLAN but all the ports are listed as 50U with the trunk listed as 1U, 50T. I am now getting the VLAN 50 IP addresses.

> 3 ports for wireless? How many wireless devices?
I have three WAPs. One port per WAP with allocation for LAGs - only the main WAP is using a LAG at the moment. I know I do not get additional speed but the goal is to not limit bandwidth - anyway, it is configured and working well. I was not trying to separate PoE and data, was just referring to the port naming (they are specific on the 571).

Also, related to the WAPs, it seems the Single Point Set up copies all settings EXCEPT any additional VLANs from the VLAN setting table. As soon as I added the VLANs manually to each additional WAP in the cluster everything works as advertised.

So, as far as I am aware, I need to solve the SONOS issue - it seems that SONOS does not support controllers and devices on different VLANs. With an iPhone on VLAN 20 I cannot connect but on VLAN 50 I can. My main PC is on VLAN 1 so without configuring a number of access rules and permissions it seems that I will just need to work on VLAN 50 for now.

> So, it looks like you have every access port in VLAN1 in the SG350X switch. Are the other VLANs only used in the other switches and wireless?
Yes, for now that is the case. Not sure it will always be that way as the network continues to grow but it is for now.

Last thing is to isolate Guest VLAN 66. I have created an ACL called Guest. Now for the ACE I need some guidance. Almost there I think.
 
I would use an ACL not ACE. Very early on many years ago Cisco had an issue with applying ACLs, but that is not the case anymore. Look in the link I posted for setting up an L3 switch; it has what you need for a guest ACL.
 
So I have reviewed the link you posted and I just want to make sure I have this figured out before I add the rules to the Switch.

I have created an ACL called "Guest". I will plan to bind the ACL to the Guest VLAN 66. I select Guest under IPv4-Based ACE. I then:

Action - Select the "Deny" Radio Button
Source IP Address - "User Defined"
Source IP Address Value 192.168.66.0
Source IP Wildcard Mask 0.0.0.255
Destination IP Address - "User Defined"
Destination IP Address Value 192.168.1.2 (i.e. everything above the Router on 192.168.1.1)
Destination IP Wildcard Mask 0.0.0.255
Type of Service - "Any"
all the other options are greyed out

  1. Is this correct? I then need to add the same info to block the Guest VLAN from the other VLANs and, other than changing the Destination Address accordingly (192.168.10.0, etc., i.e. block the whole VLAN), there are no other changes?
  2. Do I apply the same rules to my Internet of Things VLAN (iPhones, SONOS, Light Switches, Alexa etc.) as they do not need to connect to anything other than each other and the internet with perhaps one exception we can work out later?
  3. When I bind the VLAN 66 to the Guest ACL I select "Permit Any" - Correct?
  4. If I am applying the same rules to another VLAN, can I just bind the same rule to a separate VLAN then instead of recreating the IoT ACL and associated rules?
Let's stop there and get this correct before moving onto locking down the Office VLAN while still allowing access to a shared printer and a shared server.

Lastly, I assume the rules become active right away as soon as I hit "Apply" (so I can test pings etc.) but as long as I do not hit "Save" I can easily delete the rules or, worst case, reboot the switch and delete them that way - correct?

Thanks in advance - Jason
 
Sounds right as I don't remember your IPs. I denied the guest VLAN to my main VLAN. I then applied guest as an ACL with a permit at the end.

The best way to handle ACLs is to use super scopes so you don't have to write a lot of rules. But it takes some planning when setting networks numbers.

The simple way to know if it works is test it. You won't hurt anything if it doesn't work.

If dot 1 is giving you a problem then you might have to add a permit with a 248 mask first before your deny. This will work real well for sharing a printer and server. Of course your printer IP and server IP need to fall in the range of the 248 mask. It has been too many years since I ran your setup. I have been running a router VLAN for many years now and it is defined to a separate network so I do not route to dot 1 of VLAN1.

The way testing is done in Cisco land is you make changes but do not save them. That way you can reboot if you need to go back. There is a remote timer you can set for automatic reboot in case you lose the Cisco device. Once you are satisfied then save the changes.

I think dot 2 should work, now that I think about it. I keep all my main devices with low IPs in the scope so I can use a small mask if I need to. Sometimes you find where you need to shift IPs around so you can come up with a mask that will work.

If you start your guest DHCP at 120 or so and use a 128 mask that would leave the lower IP available for sharing devices. I don't know what works best for you but you should be able to make it work. Practice and test. You don't want to subnet to where your broadcast IP for a network aligns on a router IP.
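A worked planning check for the superscope and small-mask advice in the post above, added here as an example and not part of the thread. It uses Python's ipaddress module with the five VLAN networks the thread lists further down and the router (192.168.1.1) and switch (192.168.1.254) addresses; the printer and server addresses (192.168.1.2 and 192.168.1.5), the function names and the /31 counter-example are assumed for illustration.

```python
"""Address-block planning for ACEs with ipaddress (added example).

A Cisco ACE matches address + wildcard, and a wildcard is just the inverse
of a netmask (0.0.0.7 <-> 255.255.255.248, a /29). Planning questions from
the thread: what single block covers all VLANs (a superscope), what is the
smallest block around the shared devices, does that block stay clear of a
DHCP pool, and does any block's broadcast address land on a gateway.
"""
import ipaddress

# VLAN networks, gateways and DHCP pools as given in the thread.
# Printer (.2) and server (.5) addresses are assumed for illustration.
VLANS = {
    1: "192.168.1.0/24", 10: "192.168.10.0/24", 20: "192.168.20.0/24",
    50: "192.168.50.0/24", 66: "192.168.66.0/24",
}
GATEWAYS = {"router": "192.168.1.1", "switch": "192.168.1.254"}
DHCP_VLAN1 = ("192.168.1.125", "192.168.1.185")
DHCP_GUEST = ("192.168.66.125", "192.168.66.175")
SHARED = ["192.168.1.1", "192.168.1.2", "192.168.1.5"]  # router + assumed printer/server


def as_net(x):
    """Accept either an IPv4Network or a 'a.b.c.d/len' string."""
    return x if isinstance(x, ipaddress.IPv4Network) else ipaddress.ip_network(x)


def wildcard(block):
    """The block written as an ACE 'address wildcard' pair."""
    net = as_net(block)
    return f"{net.network_address} {net.hostmask}"


def smallest_block(addresses):
    """Smallest aligned block a single ACE can use to cover all addresses."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    block = ipaddress.ip_network(f"{min(ips)}/32")
    while not all(ip in block for ip in ips):
        block = block.supernet()   # widen by one bit until everything fits
    return block


def superscope(nets=VLANS.values()):
    """One block covering every VLAN, usable as a single deny ACE."""
    edges = []
    for n in map(as_net, nets):
        edges += [n.network_address, n.broadcast_address]
    return smallest_block(edges)


def overlaps_pool(block, pool):
    """True if the block contains any address of the DHCP pool (start, end)."""
    net = as_net(block)
    start, end = (ipaddress.ip_address(p) for p in pool)
    return not (net.broadcast_address < start or net.network_address > end)


def broadcast_collisions(block, gateways=GATEWAYS):
    """Gateways whose address is the block's last (broadcast) address."""
    net = as_net(block)
    return [name for name, g in gateways.items()
            if ipaddress.ip_address(g) == net.broadcast_address]


if __name__ == "__main__":
    shared = smallest_block(SHARED)
    print("superscope  :", wildcard(superscope()))
    print("shared block:", wildcard(shared),
          "| overlaps VLAN1 pool:", overlaps_pool(shared, DHCP_VLAN1),
          "| broadcast on gateway:", broadcast_collisions(shared))
    print("192.168.66.0/25 overlaps guest pool .125-.175:",
          overlaps_pool("192.168.66.0/25", DHCP_GUEST))
    print("a /31 at 192.168.1.0 puts its broadcast on:",
          broadcast_collisions("192.168.1.0/31"))
```

The tightest superscope for these five VLANs is 192.168.0.0/17 (wildcard 0.0.127.255); in practice you would write the /16 (0.0.255.255) so VLANs added later are covered too. The block around the router, printer and server comes out as 192.168.1.0/29 (wildcard 0.0.0.7), it stays clear of the VLAN 1 DHCP pool, and its broadcast address is not a gateway. The guest check shows that a pool starting at .125 still reaches into the lower 192.168.66.0/25 half; starting it at .128 leaves that half free for shared devices.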
 
> The simple way to know if it works is test it. You won't hurt anything if it doesn't work.
So, did not work. When I set up as I described earlier I can still ping devices on VLAN 1 from a laptop on VLAN 66.
> But it takes some planning when setting networks numbers.
Agree and this is what I am attempting. So here is what I am trying to do. I have 5 VLANs: 1-Management (192.168.1.125-185), 10-Server (192.168.10.125-185), 20-Office (192.168.20.75-95), 50-IoT (192.168.50.10-225), 66-Guest (192.168.66.125-175). Router is on 192.168.1.1, Main Switch is 192.168.1.254.
  1. I want to isolate VLAN 66 from everything other than internet access.
  2. I want to isolate VLAN 50 from everything other than internet access. At some point I may want to open up access to VLAN 10 but not quite yet.
  3. I want to access the server on VLAN 10 from computers on VLAN 1 (they are not currently on fixed IPs but could be)
  4. I want to access the server on VLAN 10 from computers on VLAN 20 (they are not currently on fixed IPs but could be)
  5. VLAN 20 needs internet and the Server Access. Isolated from VLANs 50/66
  6. VLAN 10 needs internet access and access to Computers as above. Isolated from VLAN 66 and 55 for now
  7. VLAN 1 needs access to internet and VLAN 10 (Server). Isolated from VLAN 20/50/66
Can anyone point me to a reference or guide to creating these rules? I am a fish out of water here and need to get smarter as I am finding it difficult to follow the guidance offered.
 
Why don't you try to get the guest network isolated? Get it working first so you get a feel for how it works. There are not going to be rules for your network. It seems like you have too much blocking going on in my mind but it is your network.

You don't necessarily need to have rules in both directions. If you block IPs in 1 direction then the communication is broken. Decide which is the best side to block from.

The other thing in the back of my head is you have LAGs without VLANs defined and I am not sure what is going on with that. Is it passing default VLAN traffic, I don't know without testing. Did you pull all the LAGs as I asked? I assume your default VLAN is VLAN1 so you might try testing when blocking using a different VLAN other than 1. This may have an impact on your ACLs.

The other thing I don't understand is why are you using a LAG on only the master controller AP? All APs can end up being the master controller. If the master controller goes down then another controller will be automatically promoted to the master controller. The Cisco APs are self-healing in this way. It is not like other brands where if you lose the controller you are in trouble. The master controller is not special in the Cisco small business world.
 
So I am trying to isolate VLAN 66 from the rest of the network - it needs internet connectivity. I understand how to isolate it from a single VLAN but when I try to add additional rules it says the rule already exists. What am I doing wrong?
 
This blocks off internet from VLAN 66:
> Action - Select the "Deny" Radio Button
> Source IP Address - "User Defined"
> Source IP Address Value 192.168.66.0
> Source IP Wildcard Mask 0.0.0.255
> Destination IP Address - "User Defined"
> Destination IP Address Value 192.168.1.2 (i.e. everything above the Router on 192.168.1.1)
> Destination IP Wildcard Mask 0.0.0.255
> Type of Service - "Any"
 
Why not write the rule so guest only has internet rather than trying to block all the other random networks? If you plan your IP networks so you can use superscopes then it will not be so hard to write rules. So you write a permit with a deny at the end.

You know ACLs work sequentially so you can stack them. You should be able to stack deny ACLs with a permit at the end. It may require command line I don't know as I have not done it with GUI. You need to play around with it.

I just looked at the GUI on my L3 switch and there is an add button to stack ACLs.

So I just stacked ACLs on my L3 switch. You need to delete the bind before it will let you add an additional ACL. Then reapply the bind, ACL. This is not hard. Start testing stuff as that is all I do.
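To see why the single deny ACE quoted two posts up also catches the router's own address, and how the permit-then-deny stacking described here behaves, the following added example (not from the thread, and not switch code) models first-match-wins evaluation of Cisco-style address/wildcard ACEs in Python. The guest host address, the /29 shared block around the router, and the rule and function names are assumed for illustration.

```python
"""First-match-wins evaluation of Cisco-style IPv4 ACEs (added example).

Each ACE is an action plus a source and destination written as "address
wildcard", exactly as typed into the SG-series GUI. A wildcard bit of 1
means "don't care"; a bit of 0 must match. ACEs are checked in order and
the bound ACL ends with the default action chosen at bind time.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # "any": every bit is don't-care


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def ace(action, src, dst):
    """Build one ACE from GUI-style strings, e.g. "192.168.66.0 0.0.0.255"."""
    def parse(spec):
        if spec == "any":
            return ANY
        addr, wild = spec.split()
        return (to_int(addr), to_int(wild))
    return (action, parse(src), parse(dst))


def matches(ip, rule):
    """Cisco wildcard test: bits that are 0 in the wildcard must be equal."""
    addr, wild = rule
    return ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl, src_ip, dst_ip, default="deny"):
    """Decision for one packet: the first matching ACE wins, else the default."""
    s, d = to_int(src_ip), to_int(dst_ip)
    for action, src_rule, dst_rule in acl:
        if matches(s, src_rule) and matches(d, dst_rule):
            return action
    return default


GUEST = "192.168.66.130"  # constructed address inside the guest DHCP pool

# The single ACE from the thread: destination 192.168.1.2 with wildcard
# 0.0.0.255. The wildcard ignores the whole last octet, so this is the same
# as 192.168.1.0/24 and catches the router at .1 too.
SINGLE_DENY = [ace("deny", "192.168.66.0 0.0.0.255", "192.168.1.2 0.0.0.255")]

# Guest-gets-internet policy (assumed layout): exceptions first, then one
# deny over the 192.168.0.0/16 superscope, then permit everything else.
GUEST_INTERNET = [
    ace("permit", "192.168.66.0 0.0.0.255", "192.168.1.0 0.0.0.7"),      # router, printer, server (assumed /29)
    ace("deny",   "192.168.66.0 0.0.0.255", "192.168.0.0 0.0.255.255"),  # every local VLAN
    ace("permit", "192.168.66.0 0.0.0.255", "any"),                      # the internet
]

# Same ACEs with the superscope deny moved ahead of the exception: the
# exception can never match, because evaluation stops at the first hit.
REORDERED = [GUEST_INTERNET[1], GUEST_INTERNET[0], GUEST_INTERNET[2]]

DESTINATIONS = ["8.8.8.8", "192.168.1.1", "192.168.1.5",
                "192.168.1.50", "192.168.10.5", "192.168.50.20"]


def decisions(acl, dsts=DESTINATIONS, default="deny"):
    """Map each destination to the decision for a packet from GUEST."""
    return {d: evaluate(acl, GUEST, d, default) for d in dsts}


if __name__ == "__main__":
    for name, acl, default in [("single deny, bound Permit Any", SINGLE_DENY, "permit"),
                               ("guest internet", GUEST_INTERNET, "deny"),
                               ("reordered", REORDERED, "deny")]:
        print(name)
        for dst, action in decisions(acl, default=default).items():
            print(f"  {GUEST} -> {dst:<14} {action}")
```

Three things fall out of running it. The single deny bound with Permit Any blocks the router at 192.168.1.1 (and every other VLAN 1 host) while leaving VLAN 10 and VLAN 50 wide open, because nothing covers them. The stacked policy permits internet destinations through the final permit, not through the router's address: an internet-bound packet carries a public destination, so the /29 exception only matters for services guests must reach at those addresses, such as DNS on the router or a shared printer. And the ACL is stateless: bound inbound on VLAN 66 it sees only packets leaving guest hosts, replies are never evaluated there, which is why blocking one direction is enough.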
 
So that sounds much easier for sure. To be clear, I would permit 192.168.66.254 to 192.168.1.1? What would the deny rule look like? This is making much more sense.
 
I think you want to permit the whole network 66, 192.168.66.0 0.0.0.255. dot 0 is the network IP address. 192.168.66.254 is the gateway IP address. They may both work as a TCP header with 192.168.66.254 is added as it is routed. I always use 192.168.66.0 the network IP. I am just a creature of habit.
 
Hmm - so when I bind this rule to the VLAN 66 I lose internet.
 
Did you pull all the LAGs? Your LAGs could be breaking this. I think the destination should be 192.168.1.0 0.0.0.7 You may have to adjust the mask when you set up sharing.
 
What would the destination be if the only thing I want to share with the VLAN 66 Guest network is the internet access - would 192.168.1.0 not share the entire VLAN 1 minus whatever is blocked off by the mask?
 
