
Creating a vlan on nortel 450


bosr (IS-IT--Management), Apr 28, 2008
Hello,
I need to create a VLAN to isolate a specific computer from our network, so that whoever logs in on that computer can't see our network.

That computer is connected to our Nortel 450, which is connected through fiber to our Nortel 5510.

The default configuration of VLAN 1 with all ports is still active through the entire network.

How do I need to configure both switches correctly with the Device Manager or CLI?

I was thinking of a new VLAN with the fiber port (25) and port 24 (the computer port) on the Nortel 450. But do I have to change something else on this switch, or also on the 5510? And should I add a new STG, because I don't know what role that plays.
 
Not sure what you want to do. Does the PC need to talk to another PC and/or access the internet?

If you just need a VLAN between switches for the PC to talk to another, you just need to do the following. There is no need to add a new STG.

On Device Manager go to VLANs/Create and add a new VLAN on both switches.

Add the PC port on the 450 to the new VLAN.

Enable tagging on the ports that connect the 450 and 5510 by right-clicking on the port and selecting Edit.

Add both ports to the new VLAN.

If you need to access the internet from the PC it's a bit more tricky. You will need to add an IP interface on the new VLAN on the 5510 to allow the PC off the VLAN. You will then need to look at some method of securing the traffic, as the PC has a way into your network.

Either add source/destination filters, or give the VLAN its own port on your firewall to isolate the traffic.
 
STG shouldn't be important unless there was some chance of the isolated user doing something malicious like purposely causing a loop on your network.

It's certainly possible to create a separate VLAN that doesn't communicate with your network, but remember that Murphy's Law always applies and nothing is as secure as separate physical cables. If the traffic really needs to be separate I always look for ways to physically separate it first, but budgets and time limitations apply too.

With that said, what you're looking for on both switches will be under the Switch Configuration/VLAN Configuration menus. If the isolated PC will be talking to another isolated device on the 5510 your configuration is fairly straightforward. You'll want to make the configuration changes while being plugged directly into the two switches, because you may lose the link between them during the change.

On both, create a new port-based VLAN in the VLAN Configuration sub-menu, and move the isolated copper ports on both sides to it. For the fiber ports you'll want to change them to be VLAN Tagged interfaces under the VLAN Port Configuration menu, and it's usually best practice to set "filter untagged frames" to 'true'. Then back in the VLAN Configuration you'll want to add the fiber ports to both VLAN 1 and your new VLAN.
 
I've changed switch 450.

In VLAN 1 I removed 2 ports, and added those 2 ports to VLAN 2.

But do I have to add the fiber port to VLAN 1 and 2, and enable tagging on that one? Won't this mess with my network?
And for the switch 5510, do I really have to make the VLAN in that one as well?
 
If the devices that are isolated from the rest of your network are all connected to the 450 then you don't need to do anything with the fiber port, VLAN tagging, or the 5510.
 
22 computers in VLAN 1 on switch 450
2 computers in VLAN 2 on switch 450

connected to

switch 5510

Everything works fine in the standard VLAN 1.
But the 2 computers I added to VLAN 2 can't ping each other.

What I want to achieve is that the 2 computers can see each other but nothing else on the entire network.

I'm making a VNC connection to those PCs, so an external company can remote control those computers without getting into our network. VNC works through the firewall and all. I only need to configure the VLAN.

But do I have to change the PVID of both computers in VLAN 2 to PVID 2, because they are all on PVID 1? And all ports are untagged.
 
You need to change the PVID of the ports. If you didn't delete the ports from VLAN 1 they will be in both, with the PVID deciding which VLAN to use.

Another thing to check is whether the PCs have DHCP configured. If they do, they will no longer be able to get an IP address as they cannot access the DHCP server.

With the 2 PCs isolated from the network in VLAN 2 you will have no way for a remote VNC connection to them.

 
Okay, the PCs in VLAN 2 can communicate with each other. I changed the PVID.
But that brings me to my next problem: how can I remote VNC to them?

The firewall is configured so that incoming VNC connections on a specific port are forwarded to the static IP of a PC in VLAN 2. When it was in VLAN 1 it worked, so no problem there.

But I need to be able to control it in VLAN 2. How can it get the connection?
 
VLAN 2 is isolated from the network, so you won't be able to forward traffic from the firewall.

You have 2 options really.

1. If the firewall has a spare port on it, add it to VLAN 2 and make VLAN 2 a DMZ. You would need to extend VLAN 2 off the 450 to any other switches in the path to the firewall.

2. Add VLAN 2 to the 5510. Tag the uplink ports. Give VLAN 2 an IP address on the 5510. This would allow you to route traffic to the PCs. You would then need to add source/destination filters to the 5510 to only allow the PCs in VLAN 2 to talk to the firewall and not the rest of the network.
 
I've redirected the firewall port from switch 5510 to the 450.

So the firewall is in VLAN 1 on switch 450.
VLAN 2 is on switch 450 with 2 ports.

I need to gain the outside connection from the firewall.

But how do I configure that port?

Ports 23 and 24 are in VLAN 2, both with PVID 2 and nothing tagged.
Ports 1 to 22 (22 is the firewall port) are in VLAN 1 with PVID 1 and nothing tagged.

If I add the firewall port to both VLANs it will get PVID 1, I think. I don't have automatic PVID on because I don't know if that would mess up the network.

How do I need to configure the firewall port?
 
It depends on your firewall.

If it supports 802.1Q you can create VLAN 1 and VLAN 2 on it, then tag the port, allowing the VLAN 2 PCs access to the FW.

You mentioned port forwarding the VNC connections through the FW. Depending on your FW, some don't support port forwarding to hosts on a different subnet from the interface configured on the FW. This could be a problem, as the other option is to create VLAN 2 on the 5510 and add an IP interface. Then enable tagging on the ports connecting the 450 and 5510. Then add VLAN 2 to the ports. This will give you a layer 3 connection between VLAN 1 and 2, allowing you to access the FW.

You will then need to look at adding filters on the 5510, as the PCs in VLAN 2 will have full access to your network.

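As an added illustration, not code from this thread or from Nortel: a small Python model of 802.1Q port-based VLAN forwarding on the 450 as laid out above (ports 1-22 in VLAN 1 with 22 the firewall, 23-24 the isolated PCs, 25 the fiber uplink). It reproduces the "can't ping" symptom when the PVID is left at 1, the working state after the PVID change, and the tagged uplink from option 2; the ingress-filtering rule, the uplink's tagAll/filter-untagged settings and all port objects are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                  # VLAN given to untagged ingress frames
    members: set = field(default_factory=set)  # VLANs this port is a member of
    tagging: bool = False                      # tagAll: frames leave with an 802.1Q tag
    filter_untagged: bool = False              # "filter untagged frames" on a tagged port

class Switch:
    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, vid=None):
        """Return {out_port: egress_vid} for one frame entering in_port.
        vid=None is an untagged frame; egress_vid None means it leaves untagged."""
        p = self.ports[in_port]
        if vid is None:                        # untagged: classify by PVID
            if p.tagging and p.filter_untagged:
                return {}
            vid = p.pvid
        if vid not in p.members:               # ingress check (assumed; matches the
            return {}                          # "can't ping" symptom in the thread)
        return {n: (vid if q.tagging else None)
                for n, q in self.ports.items() if n != in_port and vid in q.members}

def build_450(isolated_pvid, isolated_members=frozenset({2})):
    """Constructed layout from the thread: ports 1-22 in VLAN 1 (22 = firewall),
    23-24 the isolated PCs, 25 the fiber uplink to the 5510 tagged in both VLANs."""
    ports = {n: Port(pvid=1, members={1}) for n in range(1, 23)}
    for n in (23, 24):
        ports[n] = Port(pvid=isolated_pvid, members=set(isolated_members))
    ports[25] = Port(pvid=1, members={1, 2}, tagging=True, filter_untagged=True)
    return Switch(ports)

def can_reach(sw, src, dst, vid=None):
    """True if an untagged (or vid-tagged) frame from src is delivered to dst."""
    return dst in sw.forward(src, vid)

if __name__ == "__main__":
    broken = build_450(isolated_pvid=1)   # ports moved to VLAN 2, PVID left at 1
    fixed = build_450(isolated_pvid=2)    # PVID changed, as the thread resolved
    print("PVID 1:", can_reach(broken, 23, 24))           # False
    print("PVID 2:", can_reach(fixed, 23, 24))            # True
    print("to firewall port:", can_reach(fixed, 23, 22))  # False: VLAN 2 is isolated
    print("uplink egress:", fixed.forward(23))            # {24: None, 25: 2}
```

Leaving the two ports in both VLANs with PVID 1, as the reply about PVID describes, sends their frames into VLAN 1 instead; the model shows that too.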
 