2 XGS2210-52 and USG 310
Hello,
I need your help. I bought:
- 2 Zyxel XGS2210-52 switches (the switches are stacked)
- 1 Zyxel USG 310 router
and I have a problem with the configuration.
I need to create 3 VLANs (10 for computers, 20 for CCTV, 30 for guest WiFi).
The VLANs should be isolated, but one computer from VLAN 10 should manage CCTV and WiFi (from VLAN 20 and 30). In VLAN 10 and 30 I need Internet access.
Comments
Looks like you're going to need some policy rules!
So, to avoid confusion, let's first properly define your VLAN subnets.
VLAN 10 192.168.10.0 / 24
VLAN 20 192.168.20.0 / 24
VLAN 30 192.168.30.0 / 24
In order of priority,
1x ACL for your CCTV/Wifi management
source ip: <one computer from vlan 10> = allow
3x ACL to allow communication among similar VLANs
source ip: 192.168.10.0/24 dest ip: 192.168.10.0/24 = allow
source ip: 192.168.20.0/24 dest ip: 192.168.20.0/24 = allow
source ip: 192.168.30.0/24 dest ip: 192.168.30.0/24 = allow
2x ACL to allow vlan10/30 internet access
source ip: 192.168.10.0/24 dest MAC: <USG310 MAC> = allow
source ip: 192.168.30.0/24 dest MAC: <USG310 MAC> = allow
1x ACL for implicit deny
source port: 1-52 = deny
There are quite a lot of ways to go about this. Maybe someone out there has a better idea?
Hi @artit ,
We suggest the following.
Use USG310 as gateway to do routing.
Create VLAN10, VLAN20 and VLAN30, and then enable DHCP Server on each VLAN so that USG310 can assign IP and default gateway to members of VLAN10, VLAN20 and VLAN30.
For settings of XGS2210-52:
VLAN settings:
Create 3 VLANs, which are VLAN10, VLAN20 and VLAN30.
Uplink port to USG should be member of VLAN10, VLAN20 and VLAN30, tagged.
Ports of end-devices belonging to VLAN10 should be set PVID 10, untagged
Same concept on VLAN20 and VLAN30.
For the purpose of "vlans should be isolated, but one computer from vlan 10 should manage CCTV and wifi (from vlan 20 and 30)":
Use ACLs so that only one PC from VLAN10 can access VLAN20 and VLAN30, while members of different VLANs are isolated:
4 x ACL for CCTV/Wifi management:
SrcMac = <Mac of PC>; DestIP = 192.168.20.0/24 = allow
SrcMac = <Mac of PC>; DestIP = 192.168.30.0/24 = allow
SrcIP = 192.168.20.0/24; DestMac = <Mac of PC> = allow
SrcIP = 192.168.30.0/24; DestMac = <Mac of PC> = allow
3 x ACL for isolating VLAN10, 20 and 30:
SrcIP = 192.168.10.0/24; DestIP = 192.168.20.0/24 = deny
SrcIP = 192.168.10.0/24; DestIP = 192.168.30.0/24 = deny
SrcIP = 192.168.20.0/24; DestIP = 192.168.30.0/24 = deny
Hope this helps!
Ryan
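An added example, not part of the original replies and not Zyxel code: a small first-match evaluator that checks the seven rules listed in the answer above against sample packets before they are entered on the switch. First-match ordering, a default action of "allow" when no rule matches, and the two MAC addresses are assumptions made for this sketch.

```python
import ipaddress

ADMIN_MAC = "00:11:22:33:44:55"   # constructed sample MAC for the management PC
OTHER_MAC = "00:aa:bb:cc:dd:ee"   # constructed sample MAC for any other host

# The seven rules from the answer above, in the order listed.
# Fields: (src_mac, src_net, dst_mac, dst_net, action); None means "any".
RULES = [
    (ADMIN_MAC, None, None, "192.168.20.0/24", "allow"),
    (ADMIN_MAC, None, None, "192.168.30.0/24", "allow"),
    (None, "192.168.20.0/24", ADMIN_MAC, None, "allow"),
    (None, "192.168.30.0/24", ADMIN_MAC, None, "allow"),
    (None, "192.168.10.0/24", None, "192.168.20.0/24", "deny"),
    (None, "192.168.10.0/24", None, "192.168.30.0/24", "deny"),
    (None, "192.168.20.0/24", None, "192.168.30.0/24", "deny"),
]

def _ip_ok(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def _mac_ok(mac, want):
    return want is None or mac.lower() == want.lower()

def evaluate(src_mac, src_ip, dst_mac, dst_ip, rules=RULES, default="allow"):
    """First-match evaluation (assumed). Returns (action, rule index or None)."""
    for i, (smac, snet, dmac, dnet, action) in enumerate(rules):
        if (_mac_ok(src_mac, smac) and _ip_ok(src_ip, snet)
                and _mac_ok(dst_mac, dmac) and _ip_ok(dst_ip, dnet)):
            return action, i
    return default, None  # no rule matched: the assumed default applies

def unmatched_directions(rules=RULES):
    """Ordered VLAN pairs where ordinary hosts hit no rule at all."""
    gaps = []
    for s in (10, 20, 30):
        for d in (10, 20, 30):
            if s == d:
                continue
            _, idx = evaluate(OTHER_MAC, f"192.168.{s}.50",
                              OTHER_MAC, f"192.168.{d}.50", rules)
            if idx is None:
                gaps.append((s, d))
    return gaps

if __name__ == "__main__":
    print(evaluate(ADMIN_MAC, "192.168.10.10", OTHER_MAC, "192.168.20.5"))
    print(evaluate(OTHER_MAC, "192.168.10.11", OTHER_MAC, "192.168.20.5"))
    print(unmatched_directions())
```

In this model the directions 20 to 10, 30 to 10 and 30 to 20 match none of the seven rules and are decided only by the default action, and placing the deny rules ahead of the allow rules blocks the management PC as well.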
Hi,
Thank you for your response.
Could you tell me where in the XGS2210-51 or USG310 I can find ACL?
Artur
Hi,
I just have XGS2210 on hand.
ACL actually consists of two functions.
One is Classifier, the other is Policy Rule. You can find them below and try to configure them as suggested.
I apologize for the lack of answers, but I was on a poor journey.
I was able to configure the switches XGS2210-52 and the router USG310.
At this moment, the main VLAN is 1 - default, VLAN 10 - wifi, VLAN 20 - cameras.
I have one more problem. In VLAN 1 (default), the network card generated 137 763 738 619 bytes sent in 10 hours. Is this normal? - Card 10 Gbps
Hi @artit,
How did you find this figure? (137 763 738 619 bytes sent in 10 hours)
How about checking the port status on your XGS2210-52 directly?
I usually use it to observe the traffic. (Management>Port Status)
Dylan
Thanks for Dylan's advice!
Besides, I would also like to know what the devices in VLAN 1 are and what they are used for.
From the information you provided so far, I cannot judge if the traffic is normal or not.
I need more details about your application so that we can provide our suggestion.
Thanks!
Best Regards,
Ryan