Setting up dedicated network for infected machines - who does this?

The issue here could in fact be the router as it obviously doesn't support vlans natively.

I tend to agree and posted as much in another thread where allanc raised the issue. I think the VLANs are working properly; the configuration just has no means for inter-VLAN communications.

In this case inter-VLAN communication isn't desirable anyway, but access to the Internet is. If the router doesn't support VLANs, then it will only be able to talk to the VLAN which is defined in the PVID of whichever port it is plugged into. Any computers connected to other VLANs will be unable to access the router and consequently the Internet.
 
The easiest way to find out if it is the router would be to have two uplink ports. One uplink for VLAN 1009 and another for VLAN 1010. If everything works like this then we know the router is the problem.

Even if the router doesn't support VLANs natively, at least one VLAN should be able to access the internet. The only time a Layer 3 device is even needed in a VLAN environment is when communicating between VLANs or accessing the internet.

In my current office I have 5 VLANs running on a D-Link DGS-1210-24 and an RV042, which doesn't officially support VLANs, and everything works fine, even inter-VLAN communication.
 
About 1/2 my calls are virus/trojan/fake-AV related calls and I bring the machine back to my house to clean. I don't feel very comfortable putting these directly on my main network and I'm wondering if anyone else feels the same way. I have a number of Linksys WRT54GL (with DD-WRT on them) available to set up another network, but I'm a little fuzzy on how to do it; I'm sure I can figure it out, though.

So, how many of you have a dedicated network for putting questionable machines on?

This is a great thread! But seriously, I don't add any clients' PCs to my network from the get-go. I simply do anti-virus and the like through UBCD4win. Else, I remove the hard drive and put it in a docking station (or external HD enclosure) on one of my PCs to run scans etc. If I need to download anything from the internet, I download it on MY computer then save it to a thumb drive. I have autorun disabled so I can't transfer any viruses back that way. I hope that helps.
 
So how are your VLANs talking to each other?
 
The switch does all the work. The only time packets are even sent to the router is when accessing the internet.

VLANs operate at the Layer 2 level, so a router (Layer 3 device) technically isn't even needed except when trunking VLANs from one switch to another or when accessing the internet.
 
Correct... VLANs operate at the layer 2 level but do not talk to each other at the layer 2 level. You would need a layer 3 device (switch, router) for that.

You don't need a layer 3 device to trunk VLANs between switches... just when you want to communicate between the VLANs.
 
If you have a layer 2 switch with VLAN 1, VLAN 2, and VLAN 3 set up, and you have two PCs, one connected to VLAN 1 and the other connected to VLAN 2, as well as a server connected to VLAN 3, you can configure it so that the PCs on VLAN 1 and VLAN 2 cannot communicate with each other but can both communicate with the server (or any other device) on VLAN 3 without the need for a layer 3 device.

EDIT: I am not trying to say layer 3 devices should not be used. I am just saying that from what I understand of allanc's setup a layer 3 device would not be required. Now it is entirely possible I am not understanding what it is he is wanting to do.
 
I apologize if I was not clear as to my requirements.
I have a Linksys WRT54G2 router and a Cisco SG 200-18 switch.

The router is connected to port 1 of the switch.
The switch has a static IP of 192.168.1.20.

I would like ports 2-8 to be for our in-house LAN.
These ports should be visible to each other (networked) and have access to each other's resources and the Internet.
I would like to be able to manage the switch from these ports.

I would like ports 9-16 to be configured for clients' computers which may be infected.
They should have Internet access.
They should not be visible to any other ports 2-16 on the switch or to any other subnet that may be connected to the router.

I hope this clears up what I would like to accomplish.
 
In that case the list below would be your configuration. (You would create another VLAN for management, e.g. 1008.)

VLAN 1 = Internet Access
VLAN 1008 = Management
VLAN 1009 = Workstations
VLAN 1010 = Workbench

g1: VLAN 1 / VLAN 1009 / VLAN 1010 untagged, PVID 1
g2: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g3: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g4: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g5: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g6: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g7: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g8: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g9: VLAN 1 & VLAN 1010 untagged, PVID 1010
g10: VLAN 1 & VLAN 1010 untagged, PVID 1010
g11: VLAN 1 & VLAN 1010 untagged, PVID 1010
g12: VLAN 1 & VLAN 1010 untagged, PVID 1010
g13: VLAN 1 & VLAN 1010 untagged, PVID 1010
g14: VLAN 1 & VLAN 1010 untagged, PVID 1010
g15: VLAN 1 & VLAN 1010 untagged, PVID 1010
g16: VLAN 1 & VLAN 1010 untagged, PVID 1010
g17: none
g18: none

You also mentioned that you didn't want ports 9-16 to communicate with any other device, so I am assuming you mean even port 9 cannot communicate with port 14, correct? If that is the case then ports 9-16 would each have to be on their own VLAN.

For example:
g1: VLAN 1 / VLAN 1009 / VLAN 1010 untagged, PVID 1
g2: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g3: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g4: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g5: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g6: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g7: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g8: VLAN 1 & VLAN 1008 & VLAN 1009 untagged, PVID 1009
g9: VLAN 1 & VLAN 1010 untagged, PVID 1010
g10: VLAN 1 & VLAN 1011 untagged, PVID 1011
g11: VLAN 1 & VLAN 1012 untagged, PVID 1012
g12: VLAN 1 & VLAN 1013 untagged, PVID 1013
g13: VLAN 1 & VLAN 1014 untagged, PVID 1014
g14: VLAN 1 & VLAN 1015 untagged, PVID 1015
g15: VLAN 1 & VLAN 1016 untagged, PVID 1016
g16: VLAN 1 & VLAN 1017 untagged, PVID 1017
g17: none
g18: none
 
The 'default VLAN' is 1, correct?
I will try this set-up later tonight or tomorrow and post results.
Thank you.

Correct in terms of ports 9-16.
I would like each client computer to be isolated from everything else on the switch and from all other subnets (that are not part of the switch). These ports need to be able to access the Internet.
 
I assume that all entries are untagged, correct?

I am having an issue with the PVID.
No matter how I slice it and dice it the following happens:
As soon as I assign a PVID that is not 1, the port is automatically removed from VLAN 1.
This happens in the 'interface setting' screen or the 'port to lan screen'.
As a result, either the port is isolated from other VLANs and has no Internet access (because it has been removed from VLAN 1) or it is visible to other VLANs and has Internet access.
I have spent many hours on this problem and either I am missing something very basic or I do not understand this at all.
 
I just had a lengthy discussion with Cisco tech support who were extremely helpful.
According to Cisco, I cannot do what I have been trying to accomplish - with the hardware that I have.
I need either a layer-3 switch or a VLAN capable router.
Their SMB routers can only accommodate 4 VLANs.
So, the most cost effective configuration for up to 8 VLANs, each with 1 PC that cannot access the others but can access the Internet, is an 8-port layer-3 switch, which is their SG300-10.
It is about the same price as their 16-port layer-2 switch SG200-18 (which I bought).
I would need to use another device for my in-house network.
 
Great!!! I think you will be happy with the 300 series... you can do so much more with them than the 200 series.

The beauty of a layer 3 switch is it will give you layer 3 functionality to your whole switch "stack". You can just trunk your VLANs between the SG300-10 and the SG200-18 and be able to route between VLANs for devices on both switches. I am doing that with a SG300-28 in Layer 3 mode, a SG300-10P in Layer 2 mode and a couple older Linksys/Cisco layer 2 managed switches.

Also, have a look at the "Protected Ports" feature. I have never used it but it looks like it could allow you to have one VLAN for all your client computers while preventing them from talking to each other. If it works, it would reduce the number of VLANs/subnets you would require.
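The port table proposed earlier in the thread (every port an untagged member of VLAN 1, PVID 1009 for workstations and 1010 for the workbench) and the "Protected Ports" idea above both come down to how a switch classifies an untagged frame and where it lets it egress. The model below is an added example, not code from the thread or from Cisco or D-Link, and it makes a few assumptions that are labelled in the code: untagged ingress is classified into the port's PVID and may egress on any untagged member of that VLAN; the MAC table is either kept per VLAN (IVL, the usual managed-switch default) or shared across VLANs (SVL, which is my understanding of how asymmetric-VLAN switches such as the D-Link mentioned above make return traffic land on the right port); a protected port never forwards to another protected port. The MAC addresses are made up, and the model does not capture the SG200 behaviour reported later in the thread, where the switch drops a port from VLAN 1 as soon as its PVID is changed.

```python
"""Forwarding model for the SG200 port table proposed in this thread (added example).

Assumptions, not from the thread: an untagged frame is classified into the
ingress port's PVID and may egress on any untagged member port of that VLAN;
the MAC table is either per-VLAN (IVL, the usual managed-switch default) or
shared across VLANs (SVL, my understanding of how asymmetric-VLAN switches
like the D-Link mentioned above make return traffic work); a 'Protected Port'
never forwards to another protected port. MAC addresses are made up.
"""
from dataclasses import dataclass, field

BCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "02:00:00:00:00:01"   # constructed: the router on g1
PC_MAC = "02:00:00:00:00:09"       # constructed: a client PC on g9


@dataclass(frozen=True)
class Port:
    pvid: int
    untagged: frozenset      # VLANs this port is an untagged member of
    protected: bool = False  # 'Protected Port': no protected -> protected forwarding


def proposed_table(protect_workbench=False):
    """First table from the thread: VLAN 1 Internet, 1008 mgmt, 1009 workstations, 1010 workbench."""
    ports = {"g1": Port(1, frozenset({1, 1009, 1010}))}
    for i in range(2, 9):
        ports[f"g{i}"] = Port(1009, frozenset({1, 1008, 1009}))
    for i in range(9, 17):
        ports[f"g{i}"] = Port(1010, frozenset({1, 1010}), protected=protect_workbench)
    return ports


@dataclass
class Switch:
    ports: dict
    learning: str = "ivl"                      # "ivl" (MAC table per VLAN) or "svl" (one shared table)
    mac_table: dict = field(default_factory=dict)

    def _key(self, vlan, mac):
        return (vlan, mac) if self.learning == "ivl" else mac

    def forward(self, ingress, src_mac, dst_mac):
        """Set of ports an untagged frame entering `ingress` egresses on; learns src_mac first."""
        vlan = self.ports[ingress].pvid                    # untagged ingress -> PVID
        self.mac_table[self._key(vlan, src_mac)] = ingress
        members = {p for p, cfg in self.ports.items() if vlan in cfg.untagged and p != ingress}
        if self.ports[ingress].protected:
            members = {p for p in members if not self.ports[p].protected}
        known = self.mac_table.get(self._key(vlan, dst_mac))
        if dst_mac == BCAST or known is None:
            return members                                 # broadcast / unknown unicast: flood the VLAN
        return {known} & members                           # known unicast: learned port only


def router_exchange(learning, protect_workbench=False):
    """Workbench PC on g9 broadcasts (ARP) for the router; the router answers by unicast.
    Returns (ports that saw the broadcast, ports that saw the reply)."""
    sw = Switch(proposed_table(protect_workbench), learning)
    seen_arp = sw.forward("g9", PC_MAC, BCAST)          # classified into VLAN 1010
    seen_reply = sw.forward("g1", ROUTER_MAC, PC_MAC)   # classified into VLAN 1, g1's PVID
    return seen_arp, seen_reply


def workstation_ports_seeing_reply(learning):
    """Workstation ports (PVID 1009) that receive the router's reply meant for the workbench PC."""
    table = proposed_table()
    _, seen_reply = router_exchange(learning)
    return sorted(p for p in seen_reply if table[p].pvid == 1009)


if __name__ == "__main__":
    for mode in ("ivl", "svl"):
        arp, reply = router_exchange(mode)
        print(f"{mode}: ARP seen on {sorted(arp)}; reply seen on {sorted(reply)}")
    print("protected bench ports, ARP seen on", sorted(router_exchange("svl", True)[0]))
```

Running it shows the weakness of the asymmetric table from a containment point of view. With a per-VLAN MAC table the PC's address was learned in VLAN 1010, so the router's reply enters VLAN 1 as an unknown unicast and floods to every VLAN 1 member, g2 through g16: the workstation ports receive the infected machine's return traffic even though the two groups cannot talk to each other directly. With a shared MAC table the same reply is forwarded to g9 only, which is the behaviour the asymmetric layout relies on. Marking the bench ports as protected keeps the g9 broadcast on g1 alone, so one workbench VLAN plus protected ports gives the per-machine isolation that the second table achieves with a VLAN per port.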
 
I was thinking of getting an RMA for the SG200 and 'trading' it in for the SG300. The 8 port SG300 is about the same price as the 16 port SG200.
 
That works too assuming 10 ports is sufficient.
Well the SG300-20 is less than the SG300-10 and SG200-18 combined.

That gives me 18 ports all together (all layer-3) which is 2 more than I thought that I was getting with the SG200-18 alone.
Maybe that makes more sense?
Or, are there advantages to having 8 layer-3 ports and 16 layer-2 ports on two devices ... other than the total number of ports itself?
 
It is strange that the SMB layer 2 Cisco cannot do what you were trying to do but SMB layer 2 switches from other brands can, specifically a $200 24-port D-Link. You would think if any brand would be more robust it would be the Cisco.

If you can return the SG200-18 and get an SG300-20 for less than the combined price of the SG200-18 and the SG300-10 then that is the way to go I think.
 
You have piqued my interest;)
Which specific model of D-Link? ... please.
 
Ya... I think the SG300-20 is the model I suggested in the other thread as it was the closest port count to the SG200-18. If you can swing it with your supplier, I would go that route.

You will actually have all 20 ports available... the combo ports can be used for copper when fiber GBICs aren't installed.

The only advantages of two switches worth mentioning, other than the one you stated, are that it will give you some exposure to switch VLAN trunking, if that is of interest to you, and that with two switches, if one fails, you won't lose all your ports.

That said, I would still go with the SG300-20. It will give you better overall performance between switch ports and if that "Protected Port" feature works out for you, you will be able to configure it on more ports as it doesn't appear to be available on the 200 series.
 