2 XGS2210-52 and USG 310

artit Member Posts: 10 Freshman Member
Hello,
I need your help. I bought:
- 2 switches Zyxel XGS2210-52 (the switches are stacked)
- 1 router, model Zyxel USG 310
and I have a problem with the configuration.

I need to create 3 VLANs (10 for computers, 20 for CCTV, 30 for wifi guest).
The VLANs should be isolated, but one computer from VLAN 10 should manage the CCTV and wifi (from VLAN 20 and 30). In VLAN 10 and 30 I need Internet access.

Comments

  • CrazyTacos Member Posts: 53 Ally Member
    Looks like you're going to need some policy rules!

    So to avoid confusion, let's first properly define your VLAN subnets.
         VLAN 10  192.168.10.0/24
         VLAN 20  192.168.20.0/24
         VLAN 30  192.168.30.0/24

    In order of priority,

    1x ACL for your CCTV/Wifi management
         source ip: <one computer from vlan 10>                        = allow

    3x ACL to allow communication among similar VLANs
         source ip: 192.168.10.0/24     dest ip: 192.168.10.0/24      = allow
         source ip: 192.168.20.0/24     dest ip: 192.168.20.0/24      = allow
         source ip: 192.168.30.0/24     dest ip: 192.168.30.0/24      = allow

    2x ACL to allow vlan10/30 internet access
         source ip: 192.168.10.0/24     dest MAC: <USG310 MAC>        = allow
         source ip: 192.168.30.0/24     dest MAC: <USG310 MAC>        = allow

    1x ACL for implicit deny
         source port: 1-52                                             = deny

    There are quite a lot of ways to go about this. Maybe someone out there has a better idea?
  • Zyxel_Ryan Zyxel Official Agent Posts: 66 mod
    Hi @artit,

    We would suggest the following.

    Use the USG310 as the gateway to do the routing.
        Create VLAN10, VLAN20 and VLAN30, and then enable the DHCP Server on each VLAN so that the USG310 can assign IP addresses and the default gateway to members of VLAN10, VLAN20 and VLAN30.

    For settings of XGS2210-52:
    VLAN settings:
        Create 3 VLANs, which are VLAN10, VLAN20 and VLAN30.
        Uplink port to USG should be member of VLAN10, VLAN20 and VLAN30, tagged.
        Ports of end devices belonging to VLAN10 should be set to PVID 10, untagged.
        Same concept for VLAN20 and VLAN30.

    For the purpose of "VLANs should be isolated, but one computer from VLAN 10 should manage CCTV and wifi (from VLAN 20 and 30)":
    Use ACLs so that only one PC from VLAN10 can access VLAN20 and VLAN30, while members of different VLANs remain isolated:

    4 x ACL for CCTV/Wifi management:
        SrcMac = <Mac of PC>; DestIP = 192.168.20.0/24 = allow
        SrcMac = <Mac of PC>; DestIP = 192.168.30.0/24 = allow
        SrcIP = 192.168.20.0/24; DestMac = <Mac of PC> = allow
        SrcIP = 192.168.30.0/24; DestMac = <Mac of PC> = allow

    3 x ACL for isolating VLAN10, 20 and 30:
        SrcIP = 192.168.10.0/24; DestIP = 192.168.20.0/24 = deny
        SrcIP = 192.168.10.0/24; DestIP = 192.168.30.0/24 = deny
        SrcIP = 192.168.20.0/24; DestIP = 192.168.30.0/24 = deny

    Hope it will help you!

    Ryan
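    Switch ACLs of this kind are evaluated top-down with the first match deciding the frame, so the order and the default action matter as much as the entries. The following Python script is an added example, not from this post or from Zyxel: it models the seven entries above as a first-match list (CrazyTacos's list earlier in the thread can be loaded into the same evaluator) and reports the decision for every inter-VLAN direction; the PC's MAC, the second host MAC and the host addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MGMT_PC_MAC = "00:11:22:33:44:55"   # constructed placeholder for <Mac of PC>
OTHER_MAC = "aa:bb:cc:dd:ee:ff"     # constructed: an ordinary, non-management host

@dataclass
class Rule:
    """One switch ACL entry; a field left as None is a wildcard."""
    action: str                     # "allow" or "deny"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None

    def matches(self, src_mac, src_ip, dst_ip, dst_mac):
        # L2 addresses are those of the frame as the classifier sees it
        if self.src_mac and self.src_mac.lower() != src_mac.lower():
            return False
        if self.dst_mac and (dst_mac or "").lower() != self.dst_mac.lower():
            return False
        if self.src_net and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        return True

# The seven entries from the post, in the order given (first match wins).
RULES = [
    Rule("allow", src_mac=MGMT_PC_MAC, dst_net="192.168.20.0/24"),
    Rule("allow", src_mac=MGMT_PC_MAC, dst_net="192.168.30.0/24"),
    Rule("allow", src_net="192.168.20.0/24", dst_mac=MGMT_PC_MAC),
    Rule("allow", src_net="192.168.30.0/24", dst_mac=MGMT_PC_MAC),
    Rule("deny", src_net="192.168.10.0/24", dst_net="192.168.20.0/24"),
    Rule("deny", src_net="192.168.10.0/24", dst_net="192.168.30.0/24"),
    Rule("deny", src_net="192.168.20.0/24", dst_net="192.168.30.0/24"),
]

def evaluate(rules, src_mac, src_ip, dst_ip, dst_mac=None, default="allow"):
    """Action of the first matching rule; the switch default if none matches."""
    for rule in rules:
        if rule.matches(src_mac, src_ip, dst_ip, dst_mac):
            return rule.action
    return default

def isolation_report(rules):
    """Decision for every inter-VLAN direction from an ordinary host."""
    hosts = {"10": "192.168.10.50", "20": "192.168.20.50", "30": "192.168.30.50"}
    return {f"{a}->{b}": evaluate(rules, OTHER_MAC, hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}
```

    The report shows the three directions the list denies explicitly and the three that fall through to the switch default, which is the value worth confirming on the real device before relying on the isolation.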
  • artit Member Posts: 10 Freshman Member
    Hi,
    Thank you for your response.
    Could you tell me where in the XGS2210-52 or USG310 I can find the ACL?

    Artur
  • Dylan Member Posts: 6 Freshman Member
    Hi,

    I just have an XGS2210 on hand.
    ACL actually consists of two functions.
    One is Classifier, the other is Policy Rule. You can find them below and try to configure them as suggested.

  • Zyxel_Ryan Zyxel Official Agent Posts: 66 mod
    edited March 16, 2018 3:47PM
    Hi @artit

    Thanks for @Dylan's screenshots. That is the correct page to set up the ACL.
    For more details, you can refer to the Zyxel handbook in the attachment.
    The ACL settings are introduced in detail in topics 3.5 and 5.10.

    Ryan
  • Zyxel_Ryan Zyxel Official Agent Posts: 66 mod
    Hi @artit

    I just want to follow up on this topic.
    Did you succeed in configuring your devices?

    Ryan
  • artit Member Posts: 10 Freshman Member
    I apologize for the lack of answers, but I was on a poor journey.
    I was able to configure the XGS2210-52 switches and the USG310 router.
    At this moment, the main VLAN is 1 (default), VLAN 10 is wifi, VLAN 20 is cameras.

    I have one more problem. In VLAN 1 (default), the network card generated 137 763 738 619 bytes sent in 10 hours. Is this normal? (10 Gbps card)
  • Dylan Member Posts: 6 Freshman Member
    Hi @artit,

    How did you find this figure? (137 763 738 619 bytes sent in 10 hours)
    How about checking the port status on your XGS2210-52 directly?
    I usually use it to observe the traffic. (Management > Port Status)

    Dylan
  • Zyxel_Ryan Zyxel Official Agent Posts: 66 mod
    Hi @artit and @Dylan,

    Thanks for Dylan's advice!
    Besides, I would also like to know what the devices in VLAN 1 are and what they are used for.
    From the information you have provided so far, I cannot judge whether the traffic is normal or not.
    I need more details about your application so that we can provide our suggestion.

    Thanks!

    Best Regards,
    Ryan
  • artit Member Posts: 10 Freshman Member
    Hi,

    @Dylan I check the port status the same as you.

    @Ryan this is my main server, but before the change of devices I reached that number of packets after a month, not ten hours.

    Best Regards,
    Artur
