Wired Intelligent Edge


VLANs, ACLs, Routing, Firewalls, Gateways, Guest Wireless - Having trouble with the full picture.


    Posted Jul 31, 2020 12:29 PM

    Hi, OSI scares me, and this is my first foray into enterprise networking. I have lots of questions, but I’m only going to ask a few of them as they will most likely answer some others, but also create new ones.

    I have a 2930f and I am making it overcomplicated on myself, because why not?

    My questions stem mainly around VLANs, how they are managed/worked, and how ACLs function within them.

    First, to set this up these are the VLANs I have created and an image of the desired ACL outcome of how these VLANs will talk with each other.

    vlan 1
    name "DEFAULT_VLAN"
    ip address 192.168.1.2 255.255.255.0

    vlan 5
    name "Me"
    ip address 192.168.5.2 255.255.255.0

    vlan 10
    name "Management"
    ip address 192.168.10.2 255.255.255.0

    vlan 20
    name "Cameras"
    ip address 192.168.20.2 255.255.255.0

    vlan 30
    name "Servers"
    ip address 192.168.30.2 255.255.255.0

    vlan 40
    name "Wired"
    ip address 192.168.40.2 255.255.255.0

    vlan 50
    name "Wireless"
    ip address 192.168.50.2 255.255.255.0

    vlan 60
    name "Wireless Guest"
    ip address 192.168.60.2 255.255.255.0

    vlan 70
    name "IoT"
    ip address 192.168.70.2 255.255.255.0


    Is that informative enough to understand my desires? I will also be utilizing a separate pfSense firewall, but only for higher-level management. I will not be using pfSense in a router-on-a-stick fashion; all of the routing and inter-VLAN routing will be done at the switch level. The ‘network’ itself is pretty bland: ISP Modem in bridge mode > pfSense Firewall > 2930f (one 48-port PoE) > everything else.

    I would like the 2930f to handle DHCP.

    Again, assume I have zero understanding of how this stuff works.

    I know that part of it is that I need to enable ‘ip routing’, and the plan was to have the upstream firewall at 192.168.10.1, so I would need to have an ‘ip route 0.0.0.0 0.0.0.0 192.168.10.1’ for that, correct?

    Is there an issue with the firewall being in this vlan? Does it need to be in its own separate vlan? VLAN10 will not have management mode enabled; it’s simply a VLAN for “backend” devices. Should this be done with the ‘no switchport’ option and just point it at the port it’s plugged into?

    What gateway should the vlans have, if one at all? Should they all point to the 192.168.10.1 address of the firewall, or should they be pointing to their own 192.168.x.1 “vlan-specific firewall”? I suppose a further question would be: for the devices downstream in this vlan, what would their gateway be? Would it be the switch-specific address in their vlan, 192.168.x.2, the vlan-specific firewall 192.168.x.1, or the actual firewall IP address of 192.168.10.1?

    Moving on to the next can of worms: ACLs. I’m assuming that extended ACLs are the choice for this? Ideally, I would like to take advantage of the log feature, but I’m not married to it. At the onset I plan on just doing blanket allow/deny for all ports, but I may eventually get more specific with blocking certain ports, or only allowing certain ones.

    For some reason, I cannot wrap my head around the ACL in/out designation, and on what vlan they should be placed. What is the standard practice? Should in or out be used? Should ACLs be based on the source or destination vlan? Are in rules on the destination vlan best? Or out rules on the source vlan? Is there ever a need to have in on src, or out on dest?

    ACLs are top>down, first match, yes? When creating the ACL initially, is there a need to specify the sequence numbers, or only when I need to modify it in the future and need to add something between two, and have to specify 12 or 15 or something?

    Should I manage internet blocking at the switch level, or should I let the firewall do that part? From what I understand, the firewall will still need to have an understanding of what VLANs the switch has, and they will need to be created there to be able to send that internet request back to the source. I suppose it’s just a matter of reporting at that point? Do I want to see that deny on the switch or the firewall?

    The other question at the top of my head is access to switch management in each vlan. As it is, any vlan would have access to log in to the switch at 192.168.x.2. Enabling management mode on a separate vlan that only works on a specific port would stop that, yes? Though I am not sure I want to do that, as I would like to be able to access the switch management from some of the other vlans. Is there another way to achieve this? Or is the only other option to use port-specific rules in ACLs to block 80/443 in each vlan to 192.168.x.2?

    Lastly, one thing I have not ventured into is how the wireless guest access will alter the current layout. I have a UniFi AP I will be using, and plan to use the guest feature. While the AP does have two ports, the secondary is only a bridged port, and cannot be configured as a separate “guest” port back to the switch. So, I think this means instead of two separate vlans for Wireless and Wireless Guest, they need to be on the same vlan, and be tagged ports, is that correct? I need to do some more reading up on this, but I should still be able to apply ACLs based on those tags? Or what would be the best way to handle that?

    I would be grateful to anyone who could spend a bit of their time to assist me with these questions. I will be glad to fill in any blanks that I can. I do have some other questions, but this is the high-level stuff I have for the moment.

    Thank you!
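An added configuration example (not from the original post or any reply) showing how the routing, DHCP, per-VLAN ACL, tagged AP uplink and management-access pieces asked about above could fit together on an ArubaOS-Switch 2930F, using the VLANs and subnets listed in the post. The ACL name, the AP uplink port number (10) and the pfSense return route are assumptions; lines starting with ';' are comments, not commands.

```text
; Added example, not from the post or any reply: one way the pieces above
; could fit on an ArubaOS-Switch 2930F using the VLANs/subnets the post lists.
; ACL name, the AP uplink port (10) and the pfSense return route are assumed;
; lines starting with ';' are comments, not commands.

; Routing on the switch, default route to pfSense. Hosts in each VLAN use the
; switch SVI (192.168.x.2) as their gateway; pfSense needs one return route,
; 192.168.0.0/16 via 192.168.10.2, so no per-VLAN "firewall" IPs are needed.
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.10.1

; Switch-hosted DHCP hands out the SVI as the default gateway.
dhcp-server pool "Cameras"
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.2
   exit
dhcp-server enable

; ACLs: top-down, first match, implicit deny at the end. Sequence numbers are
; optional; gaps of 10 leave room to insert later. Applied "in" on a VLAN, the
; ACL filters packets entering the switch from that (source) VLAN, so one "in"
; ACL per source VLAN states that VLAN's whole policy. ACE 10 keeps DHCP to
; the switch working, 20 lets cameras reach the Servers VLAN, 30 blocks every
; other internal subnet, and the explicit "deny any log" at 40 denies internet
; for cameras while giving the visibility the implicit deny does not.
ip access-list extended "CAMERAS-IN"
   10 permit udp any any eq 67
   20 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
   30 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255 log
   40 deny ip any any log
   exit
vlan 20
   ip access-group "CAMERAS-IN" in
   exit

; Wireless: the UniFi AP tags each SSID onto its own VLAN on its single uplink,
; so the switch port carries both VLANs tagged and per-VLAN ACLs still apply.
vlan 50
   tagged 10
   exit
vlan 60
   tagged 10
   exit

; Management: instead of a management VLAN, allow manager logins only from the
; "Me" subnet, whichever VLAN they arrive on, and turn off plaintext telnet.
ip authorized-managers 192.168.5.0 255.255.255.0 access manager
no telnet-server
```

Exact keyword forms vary slightly between ArubaOS-Switch releases, so check each command against the 2930F's own CLI reference before applying it.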