Netgear GS724Tv4 Smart Switch: A Tutorial on Use
by
Ross Maloney
4 October 2015
Contents

1 First steps
  1.1 Necessary networking background
  1.2 Switch hardware
  1.3 Buttons to reset the switch
  1.4 Environment used in switch configuration examples
  1.5 Basic control of the switch itself
    1.5.1 Access to the switch
    1.5.2 VLAN
  1.6 Initial switch configuration
  1.7 Gateway from a simple network on the switch
    1.7.1 Implementation
  1.8 Warnings
2 Layer 2
  2.1 All devices on the default VLAN
    2.1.1 Implementation
    2.1.2 Results from testing
  2.2 A new VLAN holding all devices
    2.2.1 Implementation
    2.2.2 Results from testing
  2.3 Two isolated LANs
    2.3.1 Implementation
    2.3.2 Results from testing
  2.4 Dividing a LAN
    2.4.1 A single network
    2.4.2 Dividing the network into two parts
  2.5 Divided LAN sharing one Internet connection
  2.6 Ensuring only known devices can use a network
    2.6.1 Security designed to give specific devices access to given devices
    2.6.2 Aspects common to each implementation alternative
    2.6.3 Implementation Alternative 1
    2.6.4 Implementation Alternative 2
    2.6.5 Testing
3 Layer 3
  3.1 Routing between LANs and to the Internet
    3.1.1 Implementation
    3.1.2 Testing
    3.1.3 Removing Internet access
    3.1.4 Important to note from this example
  3.2 Securing the network
    3.2.1 Implementation overview
    3.2.2 Wireless and Internet
    3.2.3 Allowing PC 1 access but with limitation
    3.2.4 Allow PC 2 to access PC 1
Chapter 1: First steps
This document is not a definitive User Guide for the Netgear GS724Tv4 smart switch. It grew out of the observed lack of a User Guide, as opposed to a number of good Reference Manuals. Those manuals show how to perform operations on the switch but not why they would be performed. The why is approached here by posing a problem, or an example situation, and then configuring the switch to provide a solution. Further detail of the how can be obtained from a Reference Manual.

The application examples used have resulted from need. As the need to know more has grown, so too this User Guide has evolved, and that evolution is expected to continue. The examples are set up to show the switch setting used and the consequence of that setting on the behaviour of the network containing the switch. Not knowing the consequence of a setting can make choosing an appropriate setting time consuming.

Emphasis is placed on the GS724Tv4 switch as a network element. Testing of the network resulting from each switch setting is described, together with a brief account of how the switch was configured to produce that setting. Further detail of the mechanics of configuring this switch is contained in the switch's manual. The majority of the information here should also apply to the GS716Tv3 smart switch, and perhaps the GS748Tv5, although this has not been verified. The reader is assumed to have access to the Netgear GS716Tv3, GS724Tv4, and GS748Tv5 Smart Switches Software Administration Manual, available from www.downloads.netgear.com/files/GDC/GS716TV3/GS716Tv3_GS724Tv4_GS748Tv5_SWA_25Sept2013.pdf, for information to supplement that given here.
1.1 Necessary networking background
The Open Systems Interconnection (OSI) model is a means of describing networks. That description is divided into 7 layers: physical, data link, network, transport, session, presentation, and application. The physical layer is layer 1, the application layer is layer 7, and the others are consecutively ordered between.

For a device to take part in a network it must have an address on that network. Its physical address is part of layer 2 of the OSI model. This address is 6 bytes, or 48 bits, or 12 hex digits, in length, and is known as the Media Access Control, or MAC, address. Each network interface is manufactured with at least one MAC address, intended to be unique whether the interface is a wired or wireless network component. Two caveats matter for the device-based access control examples later in this document: the MAC address is assigned from a block registered to the interface's vendor, so it identifies the vendor rather than the owner; and on most operating systems it can be overridden in software, so a MAC address on its own proves nothing about which device is actually sending. Ethernet and WiFi operate at layer 2, and each uses MAC addressing only.
Networking protocols are layer 3. IP, the network protocol of the TCP/IP family, is an example (TCP itself sits above it, at layer 4). Each such protocol has its own addressing scheme. IPv4 uses a 32 bit address written as four decimal numbers, each in the range 0 to 255, separated by dots, for example 192.14.134.231. By contrast IPv6 uses a 128 bit address written as eight 16 bit blocks, each block expressed as 4 hex digits with blocks separated by a colon, an example being FE80:0000:0000:0000:0202:B3FF:FE1E:8329. These addressing schemes are different despite IPv4 and IPv6 both belonging to TCP/IP. Other networking protocols use different addressing schemes again. But each network protocol's addressing scheme needs to be converted to, and from, a MAC address; for IPv4 this is done by ARP, for IPv6 by Neighbour Discovery. The GS724Tv4 switch uses TCP/IP network addressing. In this work only IPv4 network addressing will be used; the same techniques also apply to IPv6.

Each network element has fixed and changeable address assignments. The MAC address is fixed in the hardware (although, as noted above, it can be overridden in software). The changeable parts are in the software which implements the network protocol such as TCP/IP. These parts are the address of the device, its network mask, and the gateway to be used by data to get off the device's own network. Some software implementations require the broadcast address and network address to be defined, but these can be calculated from the device address and network mask. The network address is calculated by applying the AND operation to the address and the netmask. The broadcast address is calculated by applying the OR operation to the network address and the bit inverse of the network mask. By contrast, the gateway address must be specified; it is where a TCP/IP packet is sent when the destination address is not on the device's own network.
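The address arithmetic above, worked in code. This is an added example and not part of the original tutorial; the addresses and masks are those the tutorial uses for its PCs and Internet gateway (Table 1.2 and Section 1.7), while the function names and the two-way ping model are this example's own. It also shows why widening the mask from 255.255.255.0 to 255.255.0.0, as the Chapter 2 tests do, lets 192.168.14.9 and 192.168.8.7 reach each other without any gateway, and why widening it on one host only is not enough.

```python
"""Worked IPv4 address arithmetic for Section 1.1.

Added example, not part of the original tutorial.  Addresses and masks are
the tutorial's; the helper names and the ping model are this example's own.
"""
from typing import Optional
import ipaddress


def to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(address: str, netmask: str) -> str:
    """network = address AND netmask."""
    return to_dotted(to_int(address) & to_int(netmask))


def broadcast_address(address: str, netmask: str) -> str:
    """broadcast = network OR (NOT netmask); the NOT is confined to 32 bits."""
    network = to_int(address) & to_int(netmask)
    host_bits = ~to_int(netmask) & 0xFFFFFFFF
    return to_dotted(network | host_bits)


def next_hop(source: str, netmask: str, gateway: Optional[str],
             destination: str) -> Optional[str]:
    """Where the source host sends a packet for `destination`.

    On-link (same network address under the source's own mask): straight to
    the destination, which the host will ARP for.  Off-link: to the gateway.
    No gateway configured: the packet cannot leave the host (None)."""
    if network_address(source, netmask) == network_address(destination, netmask):
        return destination
    return gateway


def ping_succeeds(a: str, mask_a: str, gw_a: Optional[str],
                  b: str, mask_b: str, gw_b: Optional[str]) -> bool:
    """A ping needs a path in both directions: the echo request from a to b
    and the reply from b to a.  Modelling assumption: a configured gateway
    really does forward between the two networks."""
    return (next_hop(a, mask_a, gw_a, b) is not None
            and next_hop(b, mask_b, gw_b, a) is not None)


def cross_check(address: str, netmask: str) -> bool:
    """Confirm the hand calculation against the standard library."""
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    return (str(net.network_address) == network_address(address, netmask)
            and str(net.broadcast_address) == broadcast_address(address, netmask))


if __name__ == "__main__":
    pc2, pc1 = "192.168.14.9", "192.168.8.7"      # g7 and g19 in Table 1.2
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, network_address(pc2, mask), broadcast_address(pc2, mask),
              "ping PC2->PC1:", ping_succeeds(pc2, mask, None, pc1, mask, None))
    # Widening only one side is not enough: the reply has nowhere to go.
    print("mixed masks:", ping_succeeds(pc2, "255.255.0.0", None,
                                        pc1, "255.255.255.0", None))
```

The two-way check is the point: a host that widens its own mask can send to the other network, but the target still needs a route back, so on a flat VLAN the separation between 192.168.14.0 and 192.168.8.0 depends on every host's configuration rather than on the switch.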
1.2 Switch hardware
The small brown-coloured Phillips-head machine screws supplied with the switch are for attaching the supplied mounting brackets to the switch housing. Four screw holes threaded for those screws are provided at both ends of the switch housing. The larger, chrome-plated screws are for attaching the mounting brackets to a mounting frame supplied by others. Two mounting brackets, in the form of drilled right-angled brackets in a blue colour to match the switch housing, are supplied with the switch. Power to the switch is through the socket on the back of the switch; a power cable is provided for that purpose. No isolating switch for that supply is provided. The Factory Defaults button is located on the bottom right of the front of the switch housing and is recessed from the surface; use a straightened paper clip to press it.
1.3 Buttons to reset the switch
There are two reset buttons on the switch. The Reset button is on the far left-hand side of the face of the switch, while the Factory Defaults button is on the right-hand side. Both buttons are recessed from the surface, requiring them to be pressed using a straightened paper clip. The switch acknowledges a button press by turning on all of the System LEDs. The reset process takes two or more minutes to complete. Upon completion, the System LEDs return to indicating port usage. The switch documentation states that pressing the Factory Defaults button removes any configuration on the switch and sets the address of the switch to 192.168.0.239. This proved untrue, as the trials below show.
To determine the actual behaviour of the Reset and Factory Defaults buttons, a series of trials was performed. The results of those trials are contained in Table 1.1. Important to note: the address of the switch does not answer a ping. Trials were performed with firmware version 6.3.1.9 on the switch. To determine the address of the switch, version 1.1.3.2 of the Smart Control Center software running on a Windows 8.1 PC plugged into port 11 of the switch was used. Only switch ports 7 and 19 were used in the trials. To each of those ports a PC running Linux was connected. Each trial consisted of exchanging ping packets between those PCs and observing the results produced. Between trials, the network address of each PC was changed.

Table 1.1: Effects of switch reset buttons on switch content

  Before: gateway  mode     switch     Button    After: gateway  mode     switch     Result
  gateway device 192.168.23.244 connected
  .23.244          static   .23.105    reset     .23.244         dynamic  .23.105    I
  .23.244          static   .23.105    factory   .23.244         dynamic  .23.105    R
  .8.254           static   .8.78      reset     .8.254          static   .8.78      I
  .8.254           static   .8.78      factory   .23.244         dynamic  .23.105    R
  .23.244          dynamic  .23.105    reset     .23.244         dynamic  .23.105    I
  .23.244          dynamic  .23.105    factory   .23.244         dynamic  .23.105    R
  .23.244          static   .23.78     reset     .23.244         static   .23.78     I
  .23.244          static   .23.78     factory   .23.244         dynamic  .23.105    R
  .23.2            static   .23.78     reset     .23.2           static   .23.78     I
  .23.2            static   .23.78     factory   .23.244         dynamic  .23.105    R
  gateway device 192.168.23.244 removed
  .23.2            static   .23.78     reset     .23.3           static   .23.78     I
  .23.2            static   .23.78     factory   0.0.0.0         dynamic  .0.239     R
  .0.244           dynamic  .0.239     reset     0.0.0.0         dynamic  .0.239     I
  .0.244           dynamic  .0.239     factory   0.0.0.0         dynamic  .0.239     R
  0.0.0.0          dynamic  .0.239     reset     0.0.0.0         dynamic  .23.105    I
  0.0.0.0          dynamic  .0.239     factory   0.0.0.0         dynamic  .0.239     R
  gateway device 192.168.23.244 connected
  0.0.0.0          dynamic  .0.239     reset     .23.244         dynamic  .23.105    I
  0.0.0.0          dynamic  .0.239     factory   .23.244         dynamic  .23.105    R

Notes on the trial data in Table 1.1:
• all addresses shown are prefixed by 192.168, except 0.0.0.0
• "mode" is the switch's address assignment mode (static, or dynamic via DHCP) at that time
• no device corresponding to the switch gateway address 192.168.8.254 was attached
• the switch firmware required its gateway and its own address to be on the same network
• only in static address mode could the switch address be set manually
• the gateway and switch "before" addresses were those set using the Smart Control Center software
• the Result column records the port configuration after the press relative to the port configuration before it
• Result indicators: I means intact (no change); R means reset (changed)

Behaviour patterns appear in Table 1.1. When the Factory Defaults button was pressed, it:
• removed all port behaviour configuration
• set the switch address to dynamic 192.168.0.239 only if no gateway device was connected
• produced an outcome gateway address that did not depend on the gateway address set before
When the Reset button was pressed, it:
• always left the port behaviour configuration unchanged

Because Factory Defaults discards all configuration, it also returns the login to the default password of Section 1.6 and, with a DHCP server reachable, leaves the switch on whatever address it is handed. Re-secure the switch immediately after using that button.
1.4 Environment used in switch configuration examples
Two networks were used: a hardwired network and a wireless network. The network address of the hardwired network was 192.168.14.0 and that of the wireless network 192.168.8.0.

Table 1.2: Summary of devices connected to the switch in the examples

  Port  Device                                IP address      MAC address
  g1    HP Color LaserJet Pro M252dw printer  192.168.14.31   d0:bf:9c:bd:4b:4d
  g2    Netgear ReadyNAS 316                  192.168.14.107  28:c6:8e:d5:ed:08
  g7    Mac Pro server, Linux                 192.168.14.9    00:3e:e1:c1:74:b3
  g19   Mac mini server, Linux                192.168.8.7     c8:2a:14:56:3c:a2
  g23   D-Link DAP-1650 wireless extender     192.168.8.240   c0:a0:bb:f7:44:c0
Table 1.2 shows the details of the devices used in the examples. The switch was set with address 192.168.14.155, placing it on the hardwired ethernet. The netmask for each device was set to 255.255.0.0. That mask enabled devices on both networks to communicate, which in turn enabled the Mac mini with address 192.168.8.7 to act as controller for the switch.

Figure 1.1: Model of the network visualizations used here [diagram not reproduced: a switch carrying two networks, one with a device connected, and an Internet gateway on a separate wireless network]

Figure 1.1 shows the style of diagram used to depict the network of each example. In Figure 1.1 the switch is configured to have two networks, with one device connected to the switch and the configured network. An Internet gateway on a separate wireless network is also shown. A D-Link DSL-2900AL Viper wireless router with IP address 192.168.8.244 on the wireless network and corresponding MAC address e8:cc:18:f1:79:6f provided the link between the wireless network and the Internet. The D-Link DAP-1650 wireless extender provided the link between the hardwired and wireless networks.
The devices shown in Table 1.2 on the two networks divide into two groups. The computers were used to configure the switch and to test the behaviour of the resulting network. The printer and NAS acted as target addresses for testing the network. The wireless extender was used as an additional target address as well as providing the hardware coupling of the hardwired ethernet to the wireless network containing the Internet interface, which in turn provided additional address targets. The DSL-2900AL Viper router was part of the wireless network and not directly connected to the switch. The examples will show that the usefulness of the switch comes from its being able to change the relationships between connected devices without physically changing the connections: without touching the cabling, the behaviour of this hardwired/wireless network is changed by re-configuring the switch.
1.5 Basic control of the switch itself
The Netgear GS724Tv4 switch has network parameters which can be changed from their default values. The values selected for these parameters influence access to the switch and the behaviour of the network formed using the switch. The network devices plugged into the switch ports form the network elements, but the switch is an active medium connecting those devices.
1.5.1 Access to the switch
Control of the switch is menu based, accessed through a web browser. The menu system is only accessible after logging into the switch. The menu sequence System → IP Configuration enables the address of the switch, its network mask, and its gateway to be changed. Assume the switch address was assigned here as 192.168.8.155, replacing the default. The network mask assigned here appeared not to have any effect. In a LAN-based network, the switch can only be logged into from a device whose address has the same network component as the address of the switch. For example, a device with address 192.168.8.7 can log into the switch with address 192.168.8.155, but a device with address 192.168.14.10 cannot. This restriction comes from address reachability, not from any access control on the switch: a device that can be given an address on the switch's network, or that can route to it, can still reach the login page, so the password remains the only barrier.
1.5.2 VLAN
A basic unit for the switch is a Virtual LAN or VLAN. Devices connected to the ports on the switch are assigned to one or more VLANs, and this port/VLAN correspondence can be configured. A device assigned to a VLAN behaves within the behaviour characteristics configured for that VLAN. All ethernet ports of the switch are Untagged (U) members of VLAN 1 by default. However, only devices with the same network component in their addresses can communicate; for example, address 192.168.14.9 can ping address 192.168.14.107 but not 192.168.8.7.

The menu command sequence Switching → VLAN → Advanced → VLAN Membership accesses the port connections on a VLAN. Clicking the box under a particular port number cycles through U → blank → T, changing the type of connection between the VLAN and the port; blank removes the connection. Once the connection type is selected, the Apply button in the bottom right hand corner of the screen is clicked to have the switch perform the change. The port to VLAN connection types are:

  T      tagged (trunk): frames leave the port carrying an 802.1Q VLAN tag, so the port can carry traffic for more than one VLAN
  U      untagged: frames leave the port without a VLAN tag
  blank  not connected

When a port box is shown as blank, the device connected to that port is no longer accessible from other devices on the VLAN having the same network address.
1.6 Initial switch configuration
The default address of the switch was 192.168.0.239 and its default gateway address 192.168.0.254. These defaults were changed by logging into the switch from a PC whose ethernet address was 192.168.0.x, where x is a value in the range 1 to 253 excluding 239 (which would conflict with the default address of the switch). The value of x chosen was 7. This PC was connected to any of the RJ45 ethernet ports on the switch. Putting the address 192.168.0.239 into the address field of a web browser running on the PC opened the login page of the switch. The default password, password, enabled logging into the switch, after which the PC's web browser was used to set up the switch. That default password is the first thing to change: anyone who can reach the switch's address can otherwise undo every VLAN described in this document, and the Factory Defaults button (Section 1.3) restores it.

The address of the switch is required to configure it. It is a good idea to have the switch address lying on one of the LANs the switch is handling. To change the switch address, log into the switch and then use the menu sequence System > Management > IP Configuration to bring up the page containing the current network settings of the switch. It is also a good idea to give the switch a fixed address, so set the Current Network Configuration Protocol radio button Static IP Address to on. Then assign an address to the switch by changing the IP Address field on the page to that selection, and press the Apply button in the bottom right of the command screen. The switch address should not be on a VLAN to be handled by the switch; this is particularly true if VLANs are to be routed. The address 192.168.10.60 and default gateway 192.168.10.244 were assigned to the switch for this work.
1.7 Gateway from a simple network on the switch
A LAN was created by plugging network components into the switch. This LAN is shown in Figure 1.2 as containing a PC and a wireless extender, both physically plugged into the switch. The switch thus became an active part of the LAN. The LAN required a gateway to access the Internet, and this was to be provided by the wireless extender, which had been configured to route any data sent to it out onto the wireless network. The gateway was to be produced without changing the addresses of the LAN devices.
Figure 1.2: Switch forming a LAN with an Internet gateway [diagram not reproduced: the switch with a PC at 192.168.8.7 and the wireless extender at 192.168.8.240 plugged in]
1.7.1 Implementation
Only a standard network is required, with the switch performing only the function of a plug-board into which the network components are physically connected. The simple rule (which can be broken, as shown in Section 2.1.2) is that on a LAN the network address of all connected devices should be the same. The wireless extender was configured to act as a repeater; the hardwired and wireless LANs had the same network address. It provided the connection between the hardwired LAN contained by the switch and the wireless network which contained the Internet connection. The Internet connection had the address 192.168.8.244. In the /etc/network/interfaces file on the PC, the gateway address was set to 192.168.8.244 and the PC restarted. From the PC, an Internet connection could then be demonstrated.

An alternative to the above procedure might be to change the gateway address of the switch and leave the gateway address of the PC pointing somewhere else. The switch gateway was set to 192.168.8.244 using the System > Management > IP Configuration menu sequence on the switch. When this gateway address was filled in and the Apply button on the switch command page pressed, the PC could not access the Internet. This is expected: in this Layer 2 use, the switch's gateway setting serves only the switch's own management traffic, while a PC's packets follow the PC's own routing table, which the switch does not consult.
1.8 Warnings
• Don't remove the control port from VLAN 1. If you do, the switch can only be recovered with the Factory Defaults button (Section 1.3 showed that the Reset button leaves port configuration unchanged), which discards every other setting as well. So never use the Remove All option in the Group Operation of the VLAN Configuration for VLAN 1.
• Dynamic address assignment using DHCP (Dynamic Host Configuration Protocol) is not used. Only static address assignment is used in all the work here.
• The address of the switch must not be on a VLAN which is to be routed.
Chapter 2: Layer 2
Layer 2 configuration of the switch uses the MAC addresses of the attached network devices. This layer enables the 24 ports on the switch to be grouped into virtual local area networks (VLANs). Such VLANs can be connected together using functions of the switch, enabling data to move between them. In using VLANs it is important to remember what they are. A VLAN is a Virtual LAN. A LAN is at OSI Layer 2: a single broadcast domain. The broadcast and multicast packets generated by devices on the LAN when trying to establish a communication path between devices remain on the LAN. This means a device can only communicate directly with another device on the LAN on which it is located. A VLAN has those same properties. For a device to communicate across LANs or VLANs, a network link, that is an OSI Layer 3 connection, is required. In the following, two networks are used. The behaviour of two networks was taken as able to be generalized to many networks implemented on a switch.
2.1 All devices on the default VLAN
The five devices tabulated in Table 1.2 form a single physical LAN. Those devices carry two network addresses, 192.168.14.0 and 192.168.8.0. A LAN as shown in Figure 2.1 was formed using the ports on the switch. The two networks formed by the two network addresses co-existed on the switch.
Figure 2.1: A single VLAN containing all devices [diagram not reproduced: the switch with the printer 192.168.14.31 on g1, the NAS 192.168.14.107 on g2, PC 2 192.168.14.9 on g7, PC 1 192.168.8.7 on g19 and the wireless extender 192.168.8.240 on g23]
2.1.1 Implementation
In the default switch configuration, all ports on the switch are linked to the VLAN with VLAN ID 1. This association is viewed using the switch menu sequence Switching → VLAN → VLAN Membership, in which the box under each port label contains a U.
2.1.2 Results from testing
Testing was done by issuing ping commands from the two PCs. Table 2.1 shows the results. In this table the ⇐⇒ symbol indicates a successful ping, a separate blocked-ping symbol indicates an unsuccessful ping, and an 'x' marks the entry for each PC pinging itself, which is taken as given.

Table 2.1: Ping exchange between devices on one VLAN [the table body did not survive extraction; its columns were the target ports g1, g2, g7, g23 and g19, each at network masks 255.255.255.0 and 255.255.0.0, and its rows the pinging PCs g7 (192.168.14.9) and g19 (192.168.8.7), each at both masks]

Each device was set to have a network mask of 255.255.255.0 and then 255.255.0.0. With each network mask setting, pings were exchanged between the PCs and the other devices. In this switch configuration only an insecure isolation of the two networks was obtained: by changing its network mask, a PC on one network could reach devices not only on its own network but also on the other. Table 2.1 therefore shows only partial isolation of network devices being achieved by setting the network masks on the devices. Since every port is in the same VLAN, the switch floods broadcasts such as ARP requests to all of them; the separation rests entirely on each host's own address configuration, which any user of that host can change.
2.2 A new VLAN holding all devices
For this configuration the five devices of Figure 2.1 occupy a VLAN of their own, separate from VLAN 1. VLANs are assigned an identification when they are set up. This new VLAN is given the VLAN ID 12 and named VLAN-A-12.
2.2.1 Implementation
A new VLAN was created on the switch by the switch menu sequence Switching → VLAN → VLAN Configuration. In the resulting screen, 12 was typed into the VLAN ID box and VLAN-A-12 into the VLAN Name box. The VLAN Type was set to Static. Then the ADD button at the bottom right-hand side of the screen was clicked to create the new VLAN. Once created, the new VLAN with its ID, name, and type appeared in the VLAN Configuration table.

The ports with devices connected were then assigned to this new VLAN. The menu sequence Switching → VLAN → Advanced → VLAN Membership brought up the screen showing the ports associated with VLAN 1, the default VLAN. All port boxes contained a U, indicating all ports of the switch were connected to this VLAN, whether or not a device was plugged into the corresponding switch port. For ports 1, 2, 7, 19, and 24 the U in the corresponding port box was replaced with a blank by repeatedly clicking the port box until the blank appeared. After all those ports were reset, the APPLY button in the bottom right-hand side of the screen was clicked.

Note: The PC connected to port 19 was also used to control (i.e. configure) the switch. This control connection must be on VLAN 1. Any port showing a U in the VLAN Membership display for VLAN 1 could be selected; port 13 was chosen. The network address of the switch was 192.168.8.155, so the PC having address 192.168.8.7, which lies on the network of the switch, could be unplugged from port 19 and plugged into port 13 to control the switch.

From the VLAN Membership screen, the ID (12) of the new VLAN was selected from the VLAN ID pull-down list. The screen for VLAN ID 12 which resulted had a blank in all the port boxes. For each of the port boxes 1, 2, 7, 19, and 24 a U was set by repeatedly clicking the box until the U appeared. Then the APPLY button in the bottom right-hand side of the screen was clicked.

The ports were then assigned a PVID (Port VLAN ID) matching the new VLAN. The menu sequence Switching → VLAN → Advanced → Port PVID Configuration provided the needed screen. The small boxes on the left of the lines labelled g1, g2, g7, g19, and g24 were clicked, resulting in a tick appearing in each small box and the line being highlighted in orange. In the window labelled Configured PVID the value 12 was entered and the APPLY button on the bottom right-hand side of the screen clicked. Highlighting of the lines disappeared, and the value 12 was shown on those previously highlighted lines under the Configured PVID, Current PVID, and VLAN Member columns.
2.2.2 Results from testing
A ping command was issued from each of the two PCs to test connectivity between the two networks. Network masks 255.255.255.0 and then 255.255.0.0 were applied to each PC and device. Table 2.1 shows the results. Since all devices were on the same VLAN, the results are identical to those obtained in Section 2.1. The difference here is that the single VLAN was manually defined, while that in Section 2.1 was the default VLAN.
2.3
Two isolated LANs
Two LANs were to co-exist on a single switch. Although the two LANs were on the same media (the switch), they were to be isolated, i.e. not allowing data to be transferred between each. One LAN 10
2.3. Two isolated LANs
contained only one network address while the other contained two. This is the ideal situation for using two VLANs. Multiple VLANs can be setup on the switch.
2.3.1 Implementation
Figure 2.2 shows the implementation of the required two LANs. Each LAN is implemented as a separate VLAN. One VLAN collects devices having a common network address; the other mixes two network addresses. The ports used to house each device are the same as in Section 2.1 and in Table 1.2.

Figure 2.2: Switch forming two LANs [diagram not reproduced: VLAN-A-12 holds the NAS 192.168.14.107 on g2 and PC 2 192.168.14.9 on g7; VLAN-B-22 holds the printer 192.168.14.31 on g1, PC 1 192.168.8.7 on g19 and the wireless extender 192.168.8.240 on g23]

Initially all five network devices connected to the switch were connected to the default VLAN, having the default name VLAN 1. Two VLANs named VLAN-A-12 and VLAN-B-22, with identifications 12 and 22 respectively, were used to form the LANs. The switch menu sequence Switching → VLAN → VLAN Configuration gave the VLAN creation screen. For VLAN-A-12, the value 12 was typed into the window labelled VLAN ID and VLAN-A-12 into the window labelled VLAN Name. Then the ADD button at the bottom right-hand side of the screen was clicked to create the new VLAN. By typing 22 into the VLAN ID window and VLAN-B-22 into the VLAN Name window, followed by clicking the ADD button, the other VLAN was created. The two new VLANs appeared in the VLAN Configuration tabulation.

Next, the devices connected through the ports of the switch were assigned to each VLAN. The PC on port 19 was moved to port 13 of the switch to act as the control. The menu sequence Switching → VLAN → Advanced → VLAN Membership gave the screen which enabled such assignments. First VLAN 1 was called up on screen using the pull-down list of the VLAN ID window. The U which appears under each port label indicated that the port was attached to this VLAN. The U of ports 1, 2, 7, 19, and 23 was set to blank, then the APPLY button clicked to disconnect those ports from VLAN 1. Having freed the ports to be used, those freed ports were then connected to the two newly created VLANs. VLAN 12 was called up using the VLAN ID pull-down list, a U was set under port labels 2 and 7, and the APPLY button clicked. VLAN 22 was then called up using the VLAN ID window, a U set under port labels 1, 19, and 23, and the APPLY button clicked.

To activate the two VLANs, the menu sequence Switching → VLAN → Advanced → Port PVID Configuration was used to set a PVID for the ports of each VLAN. In the Configured PVID window the value 12 was entered for VLAN 12. The boxes at the left of the lines labelled g2 and g7 were clicked, resulting in a tick appearing in each box and each line being displayed in orange. Then the APPLY button was clicked. This sequence was repeated for VLAN 22 using the value 22, ticking ports 1, 19 and 23 to link them into VLAN 22.
Note: If a port is moved from one VLAN to another, the port PVID Configuration procedure needs to be applied to both VLANs. The rule is: If the ports on a VLAN are changed, update the PVID configuration.
2.3.2 Results from testing
For testing, the control PC was removed from port 13 of the switch and installed in port 19, becoming g19. A ping was used to indicate two isolated LANs had been produced on the two VLANs. PC 2 (g7) could only ping the devices of ports 1 and 2. PC 1 (g19) could ping port 23, and via port 23 the Internet.

Table 2.2: Ping exchange between devices on isolated VLANs, one VLAN with two networks
Target columns (port, network mask): g2, g7 at 255.255.255.0; g2, g7 at 255.255.0.0; g1, g23, g19 at 255.255.255.0; g1, g23, g19 at 255.255.0.0
Row g7 (192.168.14.9), masks 255.255.255.0 and 255.255.0.0: ⇐⇒ ⇐⇒ x x ⇐⇒ ⇐⇒ x x
Row g19 (192.168.8.7), masks 255.255.255.0 and 255.255.0.0: ⇐⇒ ⇐⇒ x x / ⇐⇒ ⇐⇒ ⇐⇒ x x
The rows in Table 2.2 collect together the ports/devices which were configured on the switch into the two VLANs. An empty cell indicates the ping was blocked, a ⇐⇒ indicates a successful ping, and an x indicates a successful ping of the test PC itself. Symmetry can be seen in the behaviour of the pings. The top two left-hand groupings in Table 2.2 show similar behaviour to the bottom two right-hand groupings. In those two groupings, the PC sending the ping, g7 and g19 respectively, was in the VLAN represented by the group. In particular the behaviour of g19 and g1 is noted: g19 and g1 had different network addresses although they were on the same VLAN. The other symmetry is between the bottom two left-hand groupings and the top two right-hand groupings. These indicate that the VLAN containing ports/devices g2 and g7 and the VLAN containing g1, g23, and g19 were isolated from one another.
2.4 Dividing a LAN
A LAN is a network with a single network address. For the network of Figure 2.3 this network address is 192.168.8.0. All devices on a LAN have access to all other devices on that LAN, for they are in the same address space, meaning they have the same network address. Note: same network address, not the same IP address. In its default, or initial, configuration a GS724Tv4 switch implements a single LAN in the default VLAN, ID 1. All ports of the switch are initially members of VLAN 1. It is good practice not to use VLAN 1 as an operational VLAN.

[Figure 2.3: Two VLANs dividing a single LAN into two unconnected parts. Switch ports and devices: g1 printer 192.168.8.31, g2 NAS 192.168.8.107, g7 PC 2 192.168.8.9, g19 PC 1 192.168.8.7, g23 wireless extender 192.168.8.240 leading to the wireless network and the Internet gateway; the two VLANs are VLAN-A-12 and VLAN-B-22.]

The LAN devices were plugged into ports 1, 2, 7, 19, and 23 of the switch. This forms a LAN using VLAN 1 as its container. To contain these devices, a new VLAN was created. The sequence of events to create a VLAN is:
• create a VLAN, giving it an ID number and a name;
• assign ports to the created VLAN;
• remove those ports from their previous position (maybe from VLAN 1); and
• set the PVID of all ports assigned to the VLAN to the value of the VLAN's ID.
2.4.1 A single network
Start with one VLAN containing all the devices which were plugged into the switch. This is to be a new VLAN having an ID of 12 and a name of VLAN-A-12. The switch menu sequence: Switching → VLAN → Basic → VLAN Configuration resulted in the VLAN Configuration screen. Into the VLAN ID field the value 12 was typed and then VLAN-A-12 into the VLAN Name field. The ADD button at the bottom of the screen was then clicked to create the VLAN. The switch menu sequence: Switching → VLAN → Advanced → VLAN Membership was used to bring up the VLAN Membership screen. The value 12 was typed into the VLAN ID field to bring up the display of the ports assigned to VLAN 12. This was blank. Under ports 1, 2, 7, 19, and 23 the input pad was clicked until a U was produced. This indicated the port was to be connected to the VLAN as an untagged member. When all ports had been assigned, the APPLY button at the bottom of the screen was clicked. Then VLAN 1 was selected. This showed all 24 ports of the switch as untagged members of it. The input pad under each of ports 1, 2, 7, 19, and 23 was clicked until the pad was cleared. The APPLY button was clicked to tell the switch those ports were no longer assigned to VLAN 1. The switch menu sequence: Switching → VLAN → Advanced → Port PVID Configuration was used to bring up the Port PVID Configuration screen. The little square adjacent to Interfaces g1, g2, g7, g19, and g23 was clicked and then 12 entered in the Configured PVID field. The APPLY button at the bottom of the screen was clicked to finish the configuration.

At this point the switch supported a single LAN in a single VLAN. All devices could be pinged. If 192.168.8.244, the modem on the wireless part of the network produced by the extender 192.168.8.240 (port 23), was specified as the address in the configuration of a device, then that device could access the Internet.

Note:
• If the PVID part of the configuration is not done, then the apparently connected devices do not ping;
• Gateway configuration is not part of the switch configuration.
2.4.2 Dividing the network into two parts
It may be desired for all devices to be on the same network but to have some network devices isolated from others. Figure ?? shows such a situation where all devices belong to the same 192.168.14.0 network. The starting point was the single VLAN network configured above. The single VLAN is to be split into two VLANs; the additional VLAN was to have ID 22 and name VLAN-B-22. A new VLAN is created using the switch menu sequence: Switching → VLAN → Basic → VLAN Configuration, which resulted in the VLAN Configuration screen. Into the VLAN ID field the value 22 was typed, then the value VLAN-B-22 into the VLAN Name field before clicking the ADD button. The switch menu sequence: Switching → VLAN → Advanced → VLAN Membership was used to bring up the VLAN Membership screen. The value 12 was typed into the VLAN ID field. Ports 19 and 23 were removed from this list and the APPLY button clicked. The value 22 was typed into the VLAN ID field and ports 19 and 23 were added as untagged members before clicking the APPLY button. The switch menu sequence: Switching → VLAN → Advanced → Port PVID Configuration was used to bring up the Port PVID Configuration screen. The little squares opposite the g19 and g23 entries were clicked, the value 22 typed into the Configured PVID field, then the APPLY button clicked. With the two-VLAN configuration completed, the two VLANs were tested. The devices on each VLAN could be pinged from devices in the same VLAN, but not from the other VLAN. Now only VLAN 22, which contained the wireless network with its router, could access the Internet.
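The membership-then-PVID behaviour of Sections 2.3, 2.4.1 and 2.4.2, including the note that ports left without the PVID step do not ping, as an added Python model that is not part of the tutorial or of Netgear's firmware; it implements only the simplified forwarding rule the text describes (untagged frame classified by ingress PVID, delivered only to untagged members of that VLAN):

```python
"""Untagged VLAN membership and port PVID, as used in Sections 2.3 and 2.4.

Added example, not the tutorial's or Netgear's code. It models only the rule the
text relies on: a frame entering a port untagged is classified into that port's
PVID, and it can be delivered only to other ports that are untagged members of
that VLAN. Port numbers follow Figure 2.3 (g1 printer, g2 NAS, g7 PC 2,
g19 PC 1, g23 wireless extender).
"""
from __future__ import annotations


class Switch:
    """A 24-port switch in its factory state: every port in VLAN 1 with PVID 1."""

    def __init__(self, ports: int = 24) -> None:
        self.members: dict[int, set[int]] = {1: set(range(1, ports + 1))}
        self.pvid: dict[int, int] = {p: 1 for p in range(1, ports + 1)}

    # The four steps listed in Section 2.4 map onto these four operations.
    def create_vlan(self, vid: int) -> None:
        self.members.setdefault(vid, set())

    def add_untagged(self, vid: int, ports: list[int]) -> None:
        self.members[vid].update(ports)

    def remove_members(self, vid: int, ports: list[int]) -> None:
        self.members[vid].difference_update(ports)

    def set_pvid(self, ports: list[int], vid: int) -> None:
        for port in ports:
            self.pvid[port] = vid

    def can_deliver(self, src: int, dst: int) -> bool:
        """One direction: does an untagged frame entering src reach dst?"""
        return src != dst and dst in self.members.get(self.pvid[src], set())

    def ping_succeeds(self, src: int, dst: int) -> bool:
        """A ping needs both the echo request and the reply to get through."""
        return self.can_deliver(src, dst) and self.can_deliver(dst, src)

    def pingable_from(self, src: int, candidates: list[int]) -> list[int]:
        return [d for d in candidates if self.ping_succeeds(src, d)]


DEVICES = [1, 2, 7, 19, 23]   # the five occupied ports of Figure 2.3


def section_2_4_1(apply_pvid: bool = True) -> Switch:
    """Single VLAN 12 holding all five devices; apply_pvid=False skips the PVID step."""
    sw = Switch()
    sw.create_vlan(12)
    sw.add_untagged(12, DEVICES)
    sw.remove_members(1, DEVICES)
    if apply_pvid:
        sw.set_pvid(DEVICES, 12)
    return sw


def section_2_4_2(update_pvid: bool = True) -> Switch:
    """Split VLAN 12: ports 19 and 23 move to VLAN 22 and, unless skipped, get PVID 22."""
    sw = section_2_4_1()
    sw.create_vlan(22)
    sw.remove_members(12, [19, 23])
    sw.add_untagged(22, [19, 23])
    if update_pvid:
        sw.set_pvid([19, 23], 22)
    return sw


if __name__ == "__main__":
    scenarios = [("2.4.1 without PVID step", section_2_4_1(apply_pvid=False)),
                 ("2.4.1 with PVID step", section_2_4_1()),
                 ("2.4.2 two VLANs", section_2_4_2()),
                 ("2.4.2 PVID not updated", section_2_4_2(update_pvid=False))]
    for label, sw in scenarios:
        print(label)
        for src in (7, 19):   # PC 2 and PC 1
            print(f"  g{src} can ping ports {sw.pingable_from(src, DEVICES)}")
```

Leaving the PVID at 1 while the port's membership has moved to VLAN 12 strands the port: its frames are classified into VLAN 1, of which no other device port is still a member, which is why the "apparently connected" devices do not ping.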
2.5 Divided LAN sharing one Internet connection
The two-VLAN network of Figure 2.3 was modified to that shown in Figure 2.4. In this configuration the two VLANs share the wireless network with its router, allowing all members of each VLAN access to the Internet. The wireless extender connected to the switch was to be shared by VLANs 12 and 22. It was already a member of VLAN 22. To add it to VLAN 12 the switch menu sequence: Switching → VLAN → Advanced → VLAN Membership was used to show the VLAN Membership screen. The value 12 was typed into the VLAN ID field and port 23 was added as an untagged member before the APPLY button was clicked.

[Figure 2.4: Two VLANs dividing a LAN but sharing an Internet access. Same devices and ports as Figure 2.3 (g1 printer, g2 NAS, g7 PC 2 in VLAN-A-12; g19 PC 1 in VLAN-B-22), with the wireless extender 192.168.8.240 on g23 a member of both VLANs.]

Because a new distribution of ports to VLANs had been introduced, the PVID of both VLANs needed revision. The switch menu sequence: Switching → VLAN → Advanced → Port PVID Configuration was used to bring up the Port PVID Configuration screen. First PVID 12 was applied to ports 1, 2, 7, and 23 before clicking the APPLY button. Then PVID 22 was applied to ports 19 and 23 (despite these ports not having been changed on VLAN 22). With the address 192.168.8.244 set in the configuration of the devices on both VLANs 12 and 22, all members of each VLAN could access the Internet. However, members of one VLAN could not access the other.

Any device connected to the switch could be shared by one or more VLANs on the switch by following the above configuration approach. The problem with this technique of sharing is that there is no control over access: any device on either VLAN can access the shared device or devices. This contrasts with using ACLs, which can be applied to routing VLANs as described in Section ??. This is an advantage provided by the Layer 3 attributes of the GS724Tv4 switch.
2.6 Ensuring only known devices can use a network
There is an opinion that only complex, or important, networks warrant the expense of network security or network protection. But network security is available on a GS724Tv4 switch. This availability makes assessment of what warrants securing an easier matter to decide. Small networks become candidates for using network security. Consider the network of Figure 2.5. It is a small network similar to that of Figure 2.1, but here all devices have the same network address 192.168.14.0 on a single VLAN named VLAN-FRED. There is no Internet connection. However, the existence of the wireless extender means the network is composed of hardwired and wireless parts, i.e. wireless devices can connect to the network as can devices which plug into ports on the switch.

[Figure 2.5: Two VLANs dividing a private LAN. Switch ports and devices on the single 192.168.14.0 network: g1 printer 192.168.14.31, g2 NAS 192.168.14.107, g7 PC 2 192.168.14.9, g19 PC 1 192.168.14.7, g23 wireless extender 192.168.14.240; no Internet gateway.]

Are parts of the network of Figure 2.5 worth protecting so as not to allow access by everybody? Everybody on the network should be able to print using the printer. But should everybody be able to access the printer itself? Such access allows changing of the printer's address. Change that and the printer is no longer a resource available to everybody. The network interface of the printer is not even password protected. The NAS is the storage on the network. In contrast to the printer, its web interface is password protected. However, if an unwarranted person was to access this device they might delete, overwrite, or take a copy of files which are important, personal, or secret. There is a case for protecting such devices on this network. The switch can provide protection to the devices connected to it.
2.6.1 Security designed to give specific devices access to given devices
The security/protection design aim for the network of Figure 2.5 was:
• PC 1 only was allowed access to the NAS, and
• PC 2 only was allowed access to the printer.
The specific hardware devices involved were PC 1, PC 2, the NAS, and the printer. Although each device has a given IP address, each such address could be changed, with the result that the corresponding rule would no longer operate. A more secure approach was to use the hardware address (MAC address) of each device. The MAC addresses of the devices and their ports on the switch are given in Table 2.3, having been taken from Table 1.2.

Table 2.3: Addresses needed to implement the required MAC address security
Port  Device   MAC address
g1    printer  d0:bf:9c:bd:4b:4d
g2    NAS      28:c6:8e:d5:ed:08
g7    PC 2     00:3e:e1:c1:74:b3
g19   PC 1     c8:2a:14:56:3c:a2

2.6.2 Aspects common to each implementation alternative
Two alternate routes to implementing the security design were followed. There are, however, common threads.

Configuration of protection by the switch is via its Security tab. With respect to the GS724Tv4 switch:
• Actions are implemented by rules
• A rule can either allow an incoming network packet access or deny access to a device
• Rules are executed in the numerical order of the order number assigned when the rule was created, until one is satisfied
• Rules can be based either on IP address or device MAC address
• Every rule can only perform one action
• A rule is directed at either IP addresses or MAC addresses
When security is configured on the switch, each network packet arriving at the switch is checked against the rules. If the packet matches a rule, the action associated with the rule is performed. If not, then the next rule is checked. If no match is obtained, the packet is discarded by the switch.

Important to remember: Switch based network security is device centred. A device has a MAC address and an IP address, and it is those addresses which the switch uses to implement security. If a user can access the device, then that user can use the security assigned to the device.

Each security rule is implemented through an ACL (Access Control List). Each ACL is given an action, a name, an ID, match criteria, and a destination address and mask when it is created. This ACL is linked to one or more ports on the switch and the VLANs on which the port or ports reside, i.e. each ACL is bound to one or more ports. This binding is done after creation of the ACL. When an ACL is applied to a port on a VLAN, that port is automatically denied access to all other devices connected to that VLAN. So if a port is to access only one device, the ACL should indicate the address of that device with the action of permit.

The starting point with each alternative was the switch configured to provide the network shown in Figure 2.5. The VLAN was named VLAN-FRED and its ID was set to 12. In that configuration PC 1 and PC 2 were verified to ping the NAS and printer using their IP addresses.
2.6.3 Implementation Alternative 1
The ACL Wizard alternative uses defaults supplied by the switch. It was invoked by using the switch menu sequence: Security → ACL which resulted in the ACL Wizard screen. From the ACL Type pull-down menu ACL Based on Destination MAC was selected (this was the default on the menu). In the table titled ACL Based on Destination MAC the value 2 was typed into the Rule ID window, Permit was selected from the Action pull-down menu, and False from the Every Match pull-down menu. Then the address d0:bf:9c:bd:4b:4d was typed into the Destination MAC window and 00:00:00:00:00:00 into the Destination MAC Mask window. Finally the value 12 was entered into the VLAN window. This had set up the ACL for accessing the printer. Under the Binding Configuration part of the ACL Wizard screen, the Unit 1 label was clicked. Since the device at port 7 (PC 2) was to access the printer, the small box under port 7 was clicked, which produced a tick mark in that box. The configuration of this ACL and assigning it to a port was then complete, so the ADD button at the bottom of the screen was clicked to activate that ACL.

The switch menu sequence: Security → ACL → Basic → MAC Rules could be used to check the ACL. In the resulting MAC Rules screen the switch-assigned name ACL Wizard MAC 0 appeared in the ACL Name pull-down menu. The Rule Table part of the screen showed details of the ACL entered. The switch menu sequence: Security → ACL → Basic → MAC Binding Configuration produced the MAC Binding Configuration screen, the Interface Binding Status part of which verified the port assignment of the ACL. The other ACL required for this security design was again commenced using the switch menu sequence: Security → ACL. The same entries were again used, but 4 was assigned to the Rule ID and the Destination MAC was set to 28:c6:8e:d5:ed:08, which corresponded to the NAS. Under the Binding Configuration part of the screen, the port assignment to 19 was made under the Unit 1 tag. This new ACL was verified as before using the switch menu sequences: Security → ACL → Basic → MAC Rules and Security → ACL → Basic → MAC Binding Configuration. In each of these screens the switch-defined name ACL Wizard MAC 1 of the second ACL was used to reference the ACL information. The security design was then complete.
2.6.4 Implementation Alternative 2
In this alternative more detail could be provided if required. As this exercise shows, such detail need be little more than that required with Alternative 1. The switch menu sequence: Security → ACL → Basic → MAC ACL brought up the MAC ACL screen. Into the Name field of the MAC ACL Table on that screen the text nas-pc1 was typed. This was to be the title for the PC 1 to NAS rule. The ADD button at the bottom of the screen was then clicked to register this title. The text printer-pc2 was then typed into the Name field and the ADD button clicked to register this title as that of the PC 2 to printer rule. After pressing the ADD button, the new title was added to the list below the MAC ACL Table label.

For creation of the rules for the ACLs just formed, the switch menu sequence: Security → ACL → Basic → MAC Rules brought up the required MAC Rules screen. From the ACL Name pull-down menu printer-pc2 was selected (this was the default). The value 2 was typed into the ID window of the Rule Table and Permit selected from the pull-down menu of the Action window. Then False was selected from the pull-down menu of the Match Every window. The printer's MAC address d0:bf:9c:bd:4b:4d was typed into the Destination MAC window and 00:00:00:00:00:00 into the Destination MAC Mask window. Finally the value 12 was typed into the VLAN window before clicking the ADD button at the bottom of the screen. For the next rule the name nas-pc1 was selected from the ACL Name pull-down menu. The value 4 was typed into the ID window, Permit was selected from the Action window's pull-down menu, and False was selected from the Match Every pull-down menu. The MAC address 28:c6:8e:d5:ed:08 of the NAS was typed into the Destination MAC window and 00:00:00:00:00:00 into the Destination MAC Mask window. The value 12 was typed into the VLAN window before clicking the ADD button. This completed the rule creation required for this security design.

Notice that in creating these rules some fields were not used. They could be used to refine or narrow the focus of the rule. Finally the ACLs created were bound to ports on the switch. This was done using the switch menu sequence: Security → ACL → Basic → MAC Binding Configuration to bring up the MAC Binding Configuration screen. The ACL name printer-pc2 was selected from the ACL ID pull-down menu. The Unit 1 tag of the Port Selection Table was clicked, then the selection box under port 19 was clicked, resulting in a tick mark being inserted. Then the APPLY button at the bottom of the screen was clicked. The ACL name nas-pc1 was then selected from the ACL ID pull-down menu and port 7 selected from the Port Selection Table before clicking the APPLY button. After each click of the APPLY button an entry was added under the heading Interface Binding Status briefly describing the ACL to port binding. The security design was then complete.
2.6.5 Testing
Testing was performed using ping. Before any ACLs were configured and applied, PC 1 and PC 2 could ping all devices on the network of Figure 2.5. After application of the first ACL, PC 1 could ping all devices of the network; PC 2 could only ping the printer (d0:bf:9c:bd:4b:4d). After application of the second ACL, PC 1 could only ping the NAS (28:c6:8e:d5:ed:08) and PC 2 only the printer. The security design was working.
Chapter 3
Layer 3
The Netgear GS724Tv4 smart switch is a level 3 device. In the ISO stack, level 3 is the Network Layer, which is concerned with movement of network data between networks. To do this, the networks, which are VLANs on the GS724 switch, are assigned TCP/IP addresses just like the individual devices connected to the ports which form the VLANs. The network containing the switch cannot be routed. Thus if the switch address is 192.168.23.105, then the network 192.168.23.x cannot be routed.
Layer 3 capability on the switch
3.1 Routing between LANs and to the Internet
Two LANs, each having a different network address, are to be able to use the devices on their own LAN and also those on the other LAN. Each of those LANs is to be implemented as a VLAN on the switch. Further, all members of each LAN are to have Internet access through a router on one of those VLANs. In effect, the two LANs are to be joined into one LAN.

[Figure 3.1: Routing between two then out onto the Internet. VLAN-A-12 (gateway 192.168.14.1): g1 printer 192.168.14.31, g2 NAS 192.168.14.107, g7 PC 2 192.168.14.9. VLAN-B-22 (gateway 192.168.8.1): g19 PC 1 192.168.8.7, g23 wireless extender 192.168.8.240 to the wireless network and the Internet gateway 192.168.8.244.]

Figure 3.1 shows the arrangement. Internet access is to be through the Internet router with address 192.168.8.244. This router is connected to the switch by the wireless extender at address 192.168.8.240 through a 2.4GHz wireless network. The addresses 192.168.14.1 and 192.168.8.1 are gateway addresses for each of the two LANs. VLAN-A-12 and VLAN-B-22 are names assigned to the networks, but those names appear to have no influence on the handling of the VLANs by the switch.
3.1.1 Implementation
This design is implemented by routing VLANs and a default gateway through the Internet router. The address of the switch was 192.168.10.60, which was not on the VLANs which were to be created. Routing VLANs are set up using a different mechanism on the GS724Tv4 switch than that used to set up standard VLANs. The switch menu sequence: Routing → VLAN → VLAN Routing Wizard brought up the VLAN Routing Wizard display. The value 12 was typed into the Vlan ID field. This was an arbitrarily selected value. Then the value 192.168.14.1 was typed into the IP Address field. This 192.168.14.1 was the address for the switch to use as the gateway for the VLAN having the ID of 12. Next the value 255.255.255.0 was typed into the Network Mask field. Finally, the Unit 1 text was clicked to bring up the Ports list with 26 items. From Figure 3.1, ports 1, 2, and 7 were used on VLAN 12. So the entries under Ports 1, 2, and then 7 were clicked until a U appeared. Each port was to be an untagged member of the VLAN. Once this was done, the APPLY button in the bottom right-hand corner of the screen was clicked. The APPLY button both saves the previously entered VLAN information in the switch for subsequent routing use and also brings up another VLAN Routing Wizard display. Into this display the Vlan ID was given the value 22, the IP Address was assigned the value 192.168.8.1, and the Network Mask was assigned as 255.255.255.0. Ports 19 and 23 were assigned as untagged members of this VLAN. The APPLY button was again clicked. Routing between VLANs 12 and 22 had now been set up. The routing configured was displayed using the menu sequence: Routing → Routing table which brought up the Route Configuration display. The Route Status part of that display showed the routing which had been set up.

The Internet access was set up as the default gateway for the routing VLANs. This was done using the Configure Routes part of the Route Configuration display, the Route Status part of which showed the VLAN routes which had been set up. From the Static and DefaultRoute options available under the Route Type label, DefaultRoute was selected. Then the value 192.168.8.244 was typed into the Next Hop IP Address field. This is the network address of the Internet router. When the APPLY button was clicked, an entry in the Route Status part of the display appeared denoting this route.

An option was to apply the VLAN labels of Figure 3.1 to the routing VLANs implemented on the switch. This was done by treating the routing VLANs as normal VLANs. The switch menu sequence: Switching → VLAN → Basic → VLAN Configuration produced the VLAN Configuration screen listing all VLANs on the switch. First VLAN 12 was labelled. The box next to 12 under the VLAN ID heading was clicked. This put a tick into that box, colour highlighted the line in the listing, and entered 12 in the VLAN ID field at the top of the table. The label VLAN-A-12 was then typed into the VLAN Name field and the APPLY button at the bottom right of the screen clicked. That name, together with the ID of 12, appeared in the configuration listing. This process was repeated for VLAN 22 using the label VLAN-B-22. Such labels are only of use to describe the VLANs on the switch, and are not used by the switch in its operation.
3.1.2 Testing
PCs g7 and g19 could ping devices on their own VLAN. Each could ping the VLAN gateway addresses 192.168.14.1 and 192.168.8.1. Each PC running the Firefox web browser could browse the Internet. The D-Link devices used as the wireless extender and Internet router are set up not to respond to pings from any address other than those coming from their home network, in this case 192.168.8.0.
3.1.3 Removing Internet access
For the network of Figure 3.1, and using the configuration process described, there are two ways of removing Internet access from both VLAN networks. One method would be not to provide a default gateway when configuring the routing VLANs. The alternative was to remove, or turn off, the default gateway. This was done using the switch menu sequence: Routing → Routing table which produced the Route Configuration display. Under the Configure Routes heading the DefaultGateway was shown. By clicking the small square box on the left of this DefaultGateway, a tick appeared in that square box and the entry was colour highlighted. By clicking the DELETE button at the bottom of the screen, the entry, together with the default gateway, was removed. No members of the VLANs could then access the Internet.

The alternate, but more drastic, method is to remove the wireless range extender from VLAN 22 of the network of Figure 3.1. This removes the wireless network from being accessed by the switch. This was done by removing VLAN 22, since individual ports cannot be removed from a VLAN. The switch menu sequence: Switching → VLAN produced the VLAN Configuration screen which listed all VLANs on the switch. The square box next to VLAN 22 was clicked and the DELETE button at the bottom of the screen clicked. VLAN 22 disappeared. It was then necessary to reconfigure VLAN 22 as a routing VLAN with members as before, minus port 23 which contained the wireless extender. This would be done using the switch menu sequence: Routing → VLAN → VLAN Routing Wizard as above.
3.1.4 Important to note from this example
• The gateway address set into the configuration of each device on a routing VLAN must match the gateway address assigned to that VLAN in the switch.
• The network mask of each device on a routing VLAN must be the same as the network mask on the routing VLAN's gateway.
• Any network activity on routing VLANs is seen by all routing VLANs on the switch.
• Every device on each VLAN is accessible by any other device on any VLAN.
• The network mask on each device must be set the same, for example to 255.255.255.0. None of the references consulted mention this.
3.2 Securing the network
Consider the network of Figure 3.1 where the switch is used to route between two VLANs. Routing allows all devices on each network to access all other devices, i.e. devices on one routing VLAN can access all devices on its routing VLAN partner. This may not be desired. In the network of Figure 3.1 VLAN-B-22 was a wireless LAN. An exception was PC 1 on that VLAN, which was physically connected to switch port 19. Despite this wireless network having WPA2 protection, it was vulnerable to unauthorized and physically unseen connection of devices. However, it was through this VLAN that all devices accessed the Internet. The switch was to be configured to allow such Internet access while denying any access from the wireless network to VLAN-A-12. The design of the switch configuration was:
1. No device on the wireless network was to have access to any device on VLAN-A-12
2. All devices on the network of Figure 3.1 were to have Internet access
3. PC 1 was to have access to all devices on VLAN-A-12 except PC 2
4. PC 2 was to have access to PC 1
Item 1 was, at least, to inhibit access by the wireless network to the printer and NAS of VLAN-A-12. Item 2 allows all devices access to the Internet through the wireless network via the wireless extender at port 23 of the switch. Items 3 and 4 were of a less significant nature.
3.2.1 Implementation overview
A combination of IP and MAC address based ACLs provided switch configuration solutions to the design requirements. Because of the configuration of the wireless network established by the Internet gateway of Figure 3.1, a wireless device needed to have an IP address of the form 192.168.8.x. This wireless network entered the switch through the wireless extender at port 23. An ACL based on source IP addresses provided a solution to Item 1. The wireless network also provided the Internet connection not only for the devices on the wireless network and the VLAN-B-22 VLAN, but for devices on VLAN-A-12. This was the way routing had been set up on the switch. So care was needed in setting up the configuration supporting Item 1 so as not to prohibit Internet connection for the VLAN-A-12 based devices. Since PC 1 and PC 2 were known devices, their MAC addresses were also known. Hence a MAC-based ACL was used to produce Items 3 and 4 of the design.
3.2.2 Wireless and Internet
Since the wireless network connected to the switch through port, all packets arriving on that port were to be discarded by the switch. To do this an ACL was created using the swtch menu sequence: Security → ACL → ACL Wizard to bring up the ACL Type Selection screen. From the ACL Type pull down menu ACL Based on Source IPv4 was selected, resulting in a ACL Based on Source IPv4 being displayed. Into this set of entry windows, the value 5 was typed into the Rule ID window, Deny from the Action pull down menu, False from the Match Every pull down menu, 192.168.8.16 was typed into the 23
3.2. Securing the network
Source IP Address window, and 0.0.0.255 into the Source IP Mask window. This ACL was then assigned to port 23 of the switch using the Binding Configuration part of the screen. Clicking the Unit 1 label showed the port selection. Clicking the small box under port 23 resulted in a tick mark appearing in that box. The APPLY button at the bottom of the screen was clicked to apply this defined ACL combination. In this configuration the source address 192.168.8.16 was a dummy address. The mask 0.0.0.255 selected the 192.168.8 part of the address as significant. The deny meant all addresses of the form 192.168.8.x would be discarded by the switch. The implicit deny would discard all other packets arriving on port 23 of the switch, the port connecting the wireless extender. Because PC 1 did not go through the wireless network despite having an address on the wireless network, it was not affected by the port 23 configuration. The problem was that this configuration prevented the VLAN-A-12 devices from accessing the Internet. Those devices had their Internet requests routed onto the wireless network and through the Internet gateway, but the reply was blocked by the installed security configuration. This installed security configuration allowed 192.168.8.x packets but the implicit deny all stopped all other packets. The solution was to change the deny all to permit all and combine it with the above 192.168.8.x rejection. This was done by applying the 192.168.8.x rejection as configured above first, then applying a permit all ACL. The switch provides such ordering of ACL execution. The implicit deny all still existed, but the permit all above it meant it was never reached for execution. This second tier was created using the switch menu sequence Security → ACL → ACL Wizard, which brought up the ACL Type Selection screen. From the ACL Type pull down menu ACL Based on Source IPv4 was selected, resulting in an ACL Based on Source IPv4 screen being displayed.
Into this set of entry windows, the value 10 was typed into the Rule ID window, Permit was selected from the Action pull down menu, False from the Match Every pull down menu, 192.168.78.90 was typed into the Source IP Address window, and 255.255.255.255 into the Source IP Mask window. This ACL was then assigned to port 23 of the switch using the Binding Configuration part of the screen. Clicking the Unit 1 label showed the port selection. Clicking the small box under port 23 resulted in a tick mark appearing in that box. The ADD button at the bottom of the screen was clicked to apply this defined ACL combination. The address 192.168.78.90 was not important. The mask 255.255.255.255 meant ignore all parts of the address. It was the mask which was the significant part of this ACL. This ACL was associated with switch port 23, as was the previously created ACL. The value given as the ACL's Rule ID was not significant. That this ACL was created after the previous one was significant. Being created after the previous one meant it was automatically given the next sequence number, and ACLs are executed by the switch in reverse numerical order; the lowest sequence number is executed first.
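To make the wildcard-mask and rule-ordering behaviour described above concrete, here is an added Python model of the port 23 ACL evaluation; it is not code from the switch or from the original tutorial. It treats the Source IP Mask the way the text describes (0 bits significant, 1 bits ignored, so 0.0.0.255 keeps the first three octets), evaluates rules in creation order with an implicit deny at the end, and assumes Rule ID 1 for the 192.168.8.x rejection, since that value is not shown on this page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SourceIpRule:
    """One 'ACL Based on Source IPv4' entry as typed into the wizard."""
    rule_id: int
    action: str     # "Permit" or "Deny"
    source_ip: str  # Source IP Address window (a dummy value when the mask ignores it)
    mask: str       # Source IP Mask window: 0 bit = significant, 1 bit = ignored


def rule_matches(rule: SourceIpRule, packet_src: str) -> bool:
    """Compare only the address bits the mask marks as significant."""
    configured = int(ipaddress.IPv4Address(rule.source_ip))
    src = int(ipaddress.IPv4Address(packet_src))
    ignored = int(ipaddress.IPv4Address(rule.mask))
    significant = ~ignored & 0xFFFFFFFF
    return ((configured ^ src) & significant) == 0


def evaluate_port_acl(rules: list, packet_src: str) -> str:
    """First matching rule wins, in creation order (the page's 'lowest
    sequence number executed first'); no match falls to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, packet_src):
            return rule.action
    return "Deny (implicit)"


# Constructed rule sets reproducing the two port 23 configurations in the text.
# First attempt: only the 192.168.8.x rejection (Rule ID 1 assumed), so every
# other packet, including Internet replies for VLAN-A-12, hits the implicit deny.
PORT23_FIRST_ATTEMPT = [SourceIpRule(1, "Deny", "192.168.8.16", "0.0.0.255")]
# Working configuration: the same rejection followed by a permit-all whose mask
# ignores every bit, so the implicit deny is never reached.
PORT23_WORKING = PORT23_FIRST_ATTEMPT + [
    SourceIpRule(10, "Permit", "192.168.78.90", "255.255.255.255"),
]

if __name__ == "__main__":
    # A wireless-side address and an Internet reply address (both constructed).
    for src in ("192.168.8.50", "203.0.113.7"):
        print(src, "| first attempt:", evaluate_port_acl(PORT23_FIRST_ATTEMPT, src),
              "| working:", evaluate_port_acl(PORT23_WORKING, src))
```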
3.2.3 Allowing PC 1 access but with limitation
It was assumed PC 1 was a stable device on the network and its MAC address could be used to define it. The switch menu sequence Security → ACL → ACL Wizard brought up the ACL Type Selection screen. From the ACL Type pull down menu ACL Based on Destination IPv4 was selected, resulting in an ACL Based on Destination IPv4 screen being displayed. Into this set of entry windows, the value 2 was typed into the Rule ID window, Deny was selected from the Action pull down menu, False from the Match Every pull down menu, and 192.168.78.90 was typed into the Destination IP Address window. Then 0.0.0.0 was typed into the Destination IP Mask window. The Unit 1 tag was clicked and the small box under port 19 was clicked, resulting in a tick mark appearing in that box. Then the APPLY button at the bottom of the screen was clicked.
The ACL Based on Source MAC was selected from the ACL Type pull down menu on this ACL Type Selection screen, which brought up the ACL Based on Source MAC screen. The value 3 was typed into the Rule ID window, Permit was selected from the Action pull down menu, c8:2a:14:56:3c:a2 was entered into the Source MAC window, 00:00:00:00:00:00 was entered into the Source MAC Mask window, and the value 22 into the VLAN window. The Unit 1 tag was clicked and the small box under port 19 was clicked, resulting in a tick mark appearing in that box. Then the APPLY button at the bottom of the screen was clicked.
3.2.4 Allow PC 2 to access PC 1
This condition was enabled by the original routing configuration. To access anything, PC 2 presented network packets to switch port 7. No security ACL had been applied to port 7, so no implicit deny all had been automatically applied. The original routing configuration remained.