I'm trying to setup more efficient vlans on my network. When I inherited this network over a decade ago, it was a single broadcast domain on a single subnet with no VLANs. Over the years I've implemented IP cameras, IP telephones and better network equipment. I have an MX84 appliance with 3 Extreme X440-48p-G2 switches that are stacked. Technically the 3 Extremes are stacked as a single switch though. This is a single network (nothing remote I'm trying to connect between...yet).
In the last few years I've tried to segment devices by vlans. First my IP phone system, and most recently our virtualization host. Now I'm working on IP cameras but I'm running into issues. I'm not sure if it's the MX configuration or the extreme, or a mix of both. I'll try to be brief and concise, but please know my VLAN experience is minimal, though I've learned a lot recently.
My MX is configured with 4 subnets/vlans. Instead of typing them all, I'll provide this screenshot from my appliance.
As you can see, there are 4 subnets, each with an MX IP and VLAN ID. The 200 subnet is my main with all my workstations, clients, etc... The nutanix subnet (vlan 10) is where my virtualization host resides, though I should mention that the servers that it host are technically in the 200 subnet. Telephony and cameras are self explanatory. My domain controller provides DHCP to all these subnets (no dhcp requests are handled from the MX or my switches). You can also see that Port 3 is trunked to my switch stack (port 1 on the switch, vlan 200), and that it drops untagged traffic, but allows all VLANS. I'm not sure if this is the correct way to configure this or not. Right now I only have a couple rules setup on the meraki, which was setup with the help of my virtualization vendor when we setup the virtualization host and it's vlan. I believe they are used to allow traffic between the virtual server vlan (nutanix 10) to my inside vlan (inside 200) They look like this:
Now, I tried moving all my cameras to the camera 30 vlan (they have always resided on vlan200, with all my workstations and servers). They get a dhcp address, however the only way I can get them to connect to my camera server (which is on the inside 200 vlan, per manufacturer request) is to have Port 1 tagged on the camera vlan. But this unfortunately gives the vlan access outside to the internet and everything else on my network. I tried removing the port 1 tagged from the camera vlan and adding a rule on the meraki which allows traffic (only on ports needed) from the cameras the camera server in vlan 200 but that wouldn't work either. Even with InterVLAN routing turned on in the switch for the vlan 30, it won't work. I want this VLAN to only have camera traffic on it, and setup a rule to allow traffic from the cameras to the camera server (I did this, but never got hits on the rule). The same goes for my telephony vlan. Currently, all my IP phones (on telephony vlan 20) are pingable from all the other vlans, which I thought defeated the purpose of vlans. The telephony vlan also has port 1 tagged (as do all the vlans). If I remove port 1 tagged, I lose connectivity to the gateway which of course is needed for them to work. It's either all traffic, or nothing in regards to port 1 tagged on each vlan. I'd like the phones (as well as cameras) to be segmented off my other vlans.
Here's how the vlans are setup on the extreme switches. Instead of pasting each vlan config here I'll link to a text paste of them: https://pastebin.com/sn99iBAm
My question is (for starters) is this an effective setup? I was reading up on other vlans similar to this and they suggested NOT setting IP addresses on the vlan and instead use the meraki for routing. Currently, all my vlans have an IP address. Ideally I would like to move my virtual servers to their own VLAN as well, but I'm very confused about where routing should be setup for the vlans, on the switch or the firewall? How do I allow only specific traffic between the vlans when I need?
I apologize if this is enigmatic and all over the place. This has been a bit frustrating because the tagging isn't working as I expected. I also made a diagram of the network as it is (to the best of my ability). The only difference is that the cameras are currently connected to vlan 200 instead of being in camera vlan 30. Here is the diagram.
So I've been doing a lot of research on this since posting and came across something that made me think.
Should I be configuring the VLANs on the extreme switch, but removing the Port 1 Tagged from each vlan? Then use ports 4-12 on the MX to physically connect to the vlans? That would mean each vlan is completely segmented away from each other (intervlan off) on the extreme switch, but connected physically to the MX, where all routing is handled and rules are made? If so how do I properly setup the ports on the mx (native and allowed vlans)?
Does this make sense?
Just a few pointers:
The MX will, in common with layer-3 switches, permit traffic between VLANs, unless you specifically deny it. The MX's general deny relates to inbound sessions from the Internet (WAN).
You do indeed need to be clear about where you want to route between your VLANs. If you want to control inter-VLAN traffic via the GUI on the MX (which it sounds like you want, for enhanced security), then the Default Gateway, for each client in each VLAN, needs to use the MX's IP in that VLAN: x.x.x.1 (i.e. that's the gateway IP in your DHCP scope - and all your statically configured devices will need configuring to match, too)
What it looks like you've done is also configure VLAN interfaces, for each VLAN, on your switch stack. While the VLANs need to exist on the switch stack, I suspect not all the VLAN interfaces are needed (you may need one, to allow you to manage the switch stack - you'll need to consult Extreme documentation, to check on that). A VLAN interface is, for most switching OSes, only needed when you want to route in & out of that VLAN on the switch in question.
If you want to route solely on your MX, it's only important that all your VLANs are 802.1Q trunked between the MX and the switch stack (appropriately configured at both ends).
I'm wondering if your camera system relies on the cameras and server being in the same VLAN, for discovery purposes; possibly because the cameras use broadcast or multicast frames to search for a local server? (such frames don't flow between VLANs). You'll need to look into the camera system documentation - or maybe run a packet capture on the LAN side of your MX, to see what the cameras are doing?
Thank you so much for your response! I've been working on this all morning testing configurations. I actually discovered I could block all traffic from my camera VLAN to the default VLAN, and then only allow traffic I want (a rule for all cameras to be able to hit the camera server) and it worked! Thank you for clearing up that internal LAN traffic is generally allowed unless denied by a rule. That makes things much easier to understand now and I can work forward with that knowledge.
You're also correct that each VLAN has a protocol address on the switch. I assumed it was needed for each VLAN. I removed them from the camera VLAN, and I went ahead and removed it from my telephony VLAN as well with no impact on my network connectivity. I always use the default vlan protocol address for management (192.168.200.2) so that one will stay. And yes, my DHCP scope for each subnet is currently setup to point to the gateway (MX IP) of each VLAN, but thank you for clearning all this up as well.
As for the camera server (affectionately called a CK), I read from an employee of the manufacturer that they can be on separate subnets and vlans. Here is the post. You just have to allow the appropriate ports.
My concern still is that if all my VLAN's have Port 1 Tagged (which goes to my MX) then traffic will still broadcast to all vlans. Is this the case? Or is it better to configure another port on on the MX with the Native VLAN and physically connect it to the VLAN ?
Thank you SO MUCH for your reply. You've helped considerably!
Your port 1 on the MX (presumably the only port on your MX linked to the switch stack) NEEDS to have all the VLANs tagged, if you want to allow any traffic between those VLANs.
Think of it this way; when you tag a VLAN onto the link between the MX and the switch stack, you're building a link from any ports in that VLAN, on the switch stack, to their Default Gateway on the MX.
If a device is on a VLAN that isn't tagged across the uplink it won't be able to communicate with its gateway - and thus with any of the other VLANs.
A broadcast frame, issued by a device on a VLAN, will be forwarded to all switch ports that are members of the VLAN. That includes the uplink. But the MX won't forward it to other VLANs (unless under special circumstances). While your uplink should carry all broadcast frames, for all VLANs, the switch will only replicate broadcasts tagged with a VLAN to any access ports that are members of that VLAN.
Remember too that, as I mentioned in my last reply, if a client sends unicast IP traffic to a device in a different VLAN, the MX will allow that traffic by default.
If you don't want any communication in or out of any VLAN (highly secure), then remove the VLAN from the MX and disallow that VLAN on the downlink to the switch stack. In the latter case, make sure you deleted the relevant VLAN interface from the switch stack too!
The port connected to to my switch stack from the MX is port 3 and looks like this:
When I say Port 1 Tagged, I mean on the switch stack. Every VLAN on the switch stack has Port 1 Tagged assigned to it, with the exception of the camera vlan, because I made the change above by physically connecting it to port 4 of the MX and setting the native vlan.
As far as I can tell, you'd only want one port linking the MX to the stack - that should indeed be set as a Trunk, probably with Drop untagged traffic. If you are want to be more secure, configure only the VLANs you are using as Allowed on that trunk.
I assumed that Port 3 (the first LAN port) formed the only link between your MX and your stack. You probably want to disconnect any other links between your MX and your stack; the MX does not support link aggregation, so you're best not introducing any potential loops. Any unused ports, you probably want to revert to default setup (or Drop untagged) and disable.
Ok so I removed the physical link between the camera vlan and the stack. But in order to get connectivity I had to go into the camera VLAN on the stack and add Port 1 (on the switch, that connects to MX port 3) as tagged. This is what the vlan on the switch looks like now.
VLAN Interface with name cameras created by user Admin State: Enabled Tagging: 802.1Q Tag 30 Description: None Virtual router: VR-Default IPv4 Forwarding: Disabled IPv4 MC Forwarding: Disabled Primary IP: 0.0.0.0/0 IPv6 Forwarding: Disabled IPv6 MC Forwarding: Disabled IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled OpenFlow: Disabled QosProfile: None configured Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports: 7. (Number of active ports=3) Untag: 1:11, 1:12, 1:13, 1:14, *1:15, *1:16 Tag: *1:1
All the cameras are plugged into ports 11-16. Port 1:1 is connected to my MX (Trunked, Drop all Untagged, Allow All VLANS)