Setting up dedicated network for infected machines - who does this?

So the default VLAN 1 includes ports 1-8 (excluding ports 9-16).

If you want each client PC to be separate, you need to place each one in a VLAN.

So VLAN 1009 includes ports 1(tagged),9
VLAN 1010 includes ports 1(tagged), 10

Port 9 would have PVID set to 1009
Port 10 would have PVID set to 1010

That's basically how mine is set up, off the top of my head.
What router do you have?
See attachment for my VLAN config.
Right now, the computer on VLAN 1009 cannot see VLAN 1010 (which is correct); it cannot see the router either.
Enabling PVID for port 1 on this screen does not resolve the issue.
 

Attachment: 10_Each_Other_OK_No_Internet.jpg

Going from that picture G9 should be untagged. Only the G1 should be tagged.

What is the VLAN type set to? General or Access. From memory it should be set to General so that it handles both tagged and untagged frames.
 
It is set to general.
I changed the VLAN (see attachment) tagged/untagged on both VLANs.
Now the router can be 'seen', but the two VLANs are also visible to each other.
 

Attachment: 20.jpg

PVID should be ticked for G9.

It took me ages to get mine working correctly; it turned out my original router didn't like the VLAN frames.
 
Ticking PVID results in no access to the router again.
I have attached 3 JPGs:
VLAN 109
VLAN 1
Interface settings
 

Attachments: 30.jpg, 40.jpg, 50.jpg
That looks OK to me, allanc. One of the issues I had was my D-Link router. For whatever reason it didn't like VLANs.

I would suggest you go onto the Cisco Community website and post your setup there. I found them to be a great resource.

I had similar issues even with the Cisco router. I had to have the same VLANs configured on both the Cisco and the Netgear switch in order for mine to work correctly.
 

In order for this setup to work you need to have g1 and g9 both untagged in VLAN 1009, g1 and g10 untagged in VLAN 1010, as well as g1 (if uplink port) being untagged in all three VLANs. Your config should look something like this:

g1: VLAN 1 / VLAN 1009 / VLAN 1010 untagged, PVID 1
g2: VLAN 1 untagged, PVID 1
g3: VLAN 1 untagged, PVID 1
g4: VLAN 1 untagged, PVID 1
g5: VLAN 1 untagged, PVID 1
g6: VLAN 1 untagged, PVID 1
g7: VLAN 1 untagged, PVID 1
g8: VLAN 1 untagged, PVID 1
g9: VLAN 1 & VLAN 1009 untagged, PVID 1009
g10: VLAN 1 & VLAN 1010 untagged, PVID 1010
g11: VLAN 1 untagged, PVID 1
g12: VLAN 1 untagged, PVID 1
g13: VLAN 1 untagged, PVID 1
g14: VLAN 1 untagged, PVID 1
g15: VLAN 1 untagged, PVID 1
g16: VLAN 1 untagged, PVID 1
g17: VLAN 1 untagged, PVID 1
g18: VLAN 1 untagged, PVID 1
 

Unfortunately, I have found where to checkmark the PVID but not where to actually enter the PVID #.
 

You don't have an option to enter the PVID # manually? What switch is this?

EDIT: After thinking about it, just checking the PVID for a specific VLAN on a specific port should work the same as if you entered it manually in a text box. For example, if you are in the console for VLAN 1 and you untag port 1 in VLAN 1 and check the PVID box, it should essentially set that port to be VLAN 1, PVID 1.
 
Just now, I started the changes with VLAN 1009.
As soon as I apply the changes to VLAN 1009, I lose the connection to the switch on the PC doing the mods and I cannot re-establish it.
This PC is on a different subnet and not even physically connected to the switch.
I also lose the connection from the PC on VLAN 1009.
I have to reboot the switch; it loses the newest setting change and the connections are re-established.
 

So after making the settings changes I suggested, you lose connection from the PC connected to port g9? Sounds like something is not right with that switch. Does the switch have the latest firmware installed?
 
I never got past the VLAN 1009 change.
Firmware 1.1.0.73 was released yesterday.

EDIT: 1.0.0.19, which was the previous version (and the one loaded on my switch), was released in January 2011.
 

You might try upgrading to that new firmware and then try making your settings changes again.
 

Test 1:
On VLAN 1009 & 1010, leave PVID unchecked and untag ports 1/9 and 1/10.
Ran a network scanner; the computer connected to port 9 can see devices on ports 9, 10, the router and the switch. Can browse.

Test 2:
Check PVID on ports 1/9 and 1/10 in addition to untagging 1/9 and 1/10.
Ran a network scanner; the computer connected to port 9 can only see itself and the router. Can browse. (All good.)
However, computers on a different subnet *or* connected anywhere on the switch can no longer access the switch.
In other words, the switch can no longer be managed.
Need to reboot to put the configuration back to where it was before the test started.

Doesn't it seem like there is an incorrect setting for port 1?
 

Does the switch have a dedicated management VLAN? A lot of them have a default management VLAN already set up, so you may need to change that setting to be VLAN 1, or create another VLAN just for management, which is how I normally do it. Here is an example of a typical setup when I do them.

VLAN 1 - Internet/Uplink
VLAN 10 - Management
VLAN 20 - Data
VLAN 30 - Voice
VLAN 40 - Wifi
and so on...
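The port layout suggested a few posts up (g1 uplink untagged in VLAN 1, 1009 and 1010; g9 and g10 each with their own PVID) and the two test results above can be reproduced with a small forwarding model. This is an added example, not code from the thread or from the switch vendor: it models only ingress classification by PVID, ingress filtering, and flooding to the members of the frame's VLAN, with a pseudo-port "cpu" assumed to stand for the switch's own management interface sitting in VLAN 1 (as in the poster's screenshot). MAC learning, the router's behaviour and the firmware fault suspected in the thread are not modelled.

```python
"""Toy model of 802.1Q port-based VLAN forwarding: PVID on ingress, ingress
filtering, and flooding to the VLAN's members (tagged or untagged on egress).
Constructed for this thread; it is not any switch's firmware. The pseudo-port
"cpu" is an assumption standing in for the switch's management interface."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

TAGGED, UNTAGGED = "tagged", "untagged"


@dataclass
class Switch:
    vlans: dict[int, dict[str, str]] = field(default_factory=dict)  # vid -> {port: TAGGED|UNTAGGED}
    pvid: dict[str, int] = field(default_factory=dict)              # port -> VLAN for untagged ingress

    def classify(self, port: str, wire_vid: Optional[int]) -> Optional[int]:
        """Ingress: an untagged frame takes the port's PVID, a tagged frame keeps
        its VID. Ingress filtering drops it if the port is not a member of that VLAN."""
        vid = self.pvid[port] if wire_vid is None else wire_vid
        return vid if port in self.vlans.get(vid, {}) else None

    def forward(self, port: str, wire_vid: Optional[int] = None) -> dict[str, str]:
        """Flood a frame entering `port`; returns {egress_port: how it leaves}."""
        vid = self.classify(port, wire_vid)
        if vid is None:
            return {}
        return {p: mode for p, mode in self.vlans[vid].items() if p != port}


def reachable(sw: Switch, port: str, wire_vid: Optional[int] = None) -> frozenset[str]:
    """Set of ports (and "cpu") that a frame sent into `port` is delivered to."""
    return frozenset(sw.forward(port, wire_vid))


def thread_switch(g9_pvid: int, g10_pvid: int) -> Switch:
    """Layout as posted in the thread: g1 uplink to the router, g2..g18 ordinary
    ports, g9/g10 the two client PCs that must not see each other. The management
    interface ("cpu") is a member of VLAN 1, as in the poster's screenshot."""
    ports = [f"g{i}" for i in range(1, 19)]
    vlans = {
        1: {**{p: UNTAGGED for p in ports}, "cpu": UNTAGGED},
        1009: {"g1": UNTAGGED, "g9": UNTAGGED},
        1010: {"g1": UNTAGGED, "g10": UNTAGGED},
    }
    pvid = {**{p: 1 for p in ports}, "cpu": 1, "g9": g9_pvid, "g10": g10_pvid}
    return Switch(vlans, pvid)


def with_management_vlan(sw: Switch, vid: int, admin_ports: list[str]) -> Switch:
    """The later suggestion in the thread: move the management interface into its
    own VLAN that only `admin_ports` can reach (they send frames tagged with `vid`).
    Every other VLAN is left as it was."""
    vlans = {v: dict(members) for v, members in sw.vlans.items()}
    for members in vlans.values():
        members.pop("cpu", None)
    vlans[vid] = {**{p: TAGGED for p in admin_ports}, "cpu": UNTAGGED}
    return Switch(vlans, {**sw.pvid, "cpu": vid})


if __name__ == "__main__":
    test1 = thread_switch(g9_pvid=1, g10_pvid=1)        # PVID box left unchecked
    test2 = thread_switch(g9_pvid=1009, g10_pvid=1010)  # PVID box checked
    print("Test 1, frame from g9 floods to:", sorted(reachable(test1, "g9")))
    print("Test 2, frame from g9 floods to:", sorted(reachable(test2, "g9")))
    print("Test 2, router reply from g1 floods to:", sorted(reachable(test2, "g1")))
    fixed = with_management_vlan(test2, 10, ["g8"])
    print("Mgmt VLAN 10, tagged frame on g8:", sorted(reachable(fixed, "g8", 10)))
    print("Mgmt VLAN 10, untagged frame on g9:", sorted(reachable(fixed, "g9")))
```

Reading the model against the thread: with the PVID box unchecked (Test 1) g9 keeps PVID 1, so its frames are flooded through VLAN 1 to g10, the router and the management interface; with PVID 1009 (Test 2) the same frame only reaches g1, while router replies entering g1 untagged still come back to g9 through VLAN 1. The management interface is then unreachable from g9 by design, and the dedicated management VLAN makes that explicit: only a port in the management VLAN (here g8, tagged) can reach "cpu".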
 
Yes, it does and the attached is the configuration.
 

Attachment: management_lan.jpg

Since VLAN 1 is set as the management VLAN, if you want to manage the switch from any computer on the network then all the ports on the switch would need to be members of VLAN 1. In my opinion, I would create another VLAN just for management and then assign only the ports you want to be able to manage the switch from.
 
Of course I want your opinion!

First, I changed the interface type of ports 2-8 to 'general' from 'trunk'.
Then, as soon as I create a new VLAN with ports 1-8 untagged and PVID checked and 'apply' ... I lose contact with the switch from a PC connected to port 8 and from the PC that is doing the mods, which is on another subnet.
 

Feels like you're going round in circles, allanc. The issue here could in fact be the router, as it obviously doesn't support VLANs natively. I think if I was you I would head over to the Cisco Support Community and post what equipment you have and what you are trying to achieve.

https://supportforums.cisco.com/index.jspa
 
If I had more business I would definitely have a dedicated network and DSL/cable connection, but at this point I can't really justify it. So do you not even connect from one to the other at ANY point - using a secure VPN or whatever?

Nope, the two networks NEVER meet when any customer systems are in-house.

When I don't have any customer systems in-house, I use the two networks for VPN testing.
 