Reyee - Layer 3 switch - VLAN setup

Super Admin
02 May 2026

Setup:

Reyee router : EG105G-V2

Reyee layer 3 switch : CS83-48GT4XS-P

  • Router with default VLAN, IP 192.168.110.1
  • Switch with 4 VLANs
    • VLAN 50 -> 10.10.50.1
    • VLAN 60 -> 10.10.60.1
    • VLAN 70 -> 10.10.70.1
    • VLAN 80 -> 10.10.80.1
  • There should be inter-VLAN access on the router, but for VLAN 70 we will set up ACL rules to block inter-VLAN traffic, allowing only traffic inside VLAN 70 and outgoing internet traffic

Router - Default VLAN setup

Set up the VLAN. In this case we use IP 192.168.110.1, with a DHCP pool from 192.168.110.1 to 192.168.110.99, as I will use 192.168.110.100 as the interface address for the switch.

SWITCH - VLAN setup

Go to the web interface of the switch: from the cloud, select the device and click eWeb.

Go to Network->Port Config->Port Management

Add the VLANs by clicking + Add SVI Interface; add them one by one to create the 4 VLANs.

Then select + Configure Ports

Select the ports you want to assign to VLAN 50 (you can select multiple ports at once: click them one by one or drag with the mouse) and configure them with Port Mode : Access Port, Access VLAN : 50

Repeat these steps to assign ports for VLAN 60, 70 and 80.

Finally, on the switch, configure the uplink port as a layer 3 interface port with IP address 192.168.110.100.

In the example we used port 47 on the switch:

You can set up DHCP if needed; for this go to Network->Advanced Configuration->DHCP Service

In the example we have DHCP set up for every VLAN for addresses 1 to 99, leaving the remaining addresses for static IPs:

SWITCH - routing setup

To allow internet access from devices connected to the switch, we need to set up a default route to the IP address of the router.

Go to Network->Route Configuration->Static Route

And select Add Default Route, for the Administrative Distance as this is a static route, use and fill in the ip address of the router as next hop, 192.168.110.1

This way the switch knows to send any traffic it cannot route itself to the connected router through the uplink.

You will see this routing added:

Router - routing setup

As VLANs 50, 60, 70 and 80 exist only on the switch, we also need to add routes on the router so that internet traffic can get back to the devices on the switch.

You can do this directly in the cloud.

Go to Devices, select the router, go to Configuration->Routing and add 4 static routes, one for every VLAN, to route traffic back to the switch (IP address 192.168.110.100).

SWITCH - ACL to Block inter-VLAN traffic for VLAN 70

We can use ACL rules on the switch, for example, to restrict traffic from VLAN 70 to any other VLAN on the switch while still allowing internet traffic.

Go to Security->ACL->ACL->ACL List

Select Add ACL and create a new one with type Extended ACL (flow-based control), then name the ACL.

Now we will add the rules for this ACL:

Add these 5 rules:

  1. block 70 to 50, protocol ip, from Src IP/Wildcard 10.10.70.0/0.0.0.255 to Dest IP/Wildcard 10.10.50.0/0.0.0.255, deny -> to block traffic from VLAN 70 to VLAN 50
  2. block 70 to 60, protocol ip, from Src IP/Wildcard 10.10.70.0/0.0.0.255 to Dest IP/Wildcard 10.10.60.0/0.0.0.255, deny -> to block traffic from VLAN 70 to VLAN 60
  3. block 70 to 80, protocol ip, from Src IP/Wildcard 10.10.70.0/0.0.0.255 to Dest IP/Wildcard 10.10.80.0/0.0.0.255, deny -> to block traffic from VLAN 70 to VLAN 80
  4. allow traffic to router, protocol ip, from Src IP/Wildcard Any to Dest IP/Wildcard 192.168.110.1/0.0.0.0, permit -> to allow traffic from VLAN 70 to internet
  5. catch all, protocol ip, from Src IP/Wildcard Any to Dest IP/Wildcard Any, permit -> final “permit all” rule

It will look like this:

We then need to apply this ACL to VLAN 70:

Security->ACL->ACL->ACL Application

Click Add Port

Select your ACL from the list

Direction : inbound

And select the VLAN in the layer 3 list:

Keep in mind that these specific ACL rules are one-directional (source = VLAN 70).
Meaning:

VLAN 70 → VLAN 50/60/80 = blocked
VLAN 50/60/80 → VLAN 70 = ALLOWED, unless blocked elsewhere

If you need full isolation, you must also block the reverse direction on those VLANs’ ACLs.
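
To check what the five rules do before relying on them, the following added example (not part of the original article or of Reyee's software) models the ACL in Python and evaluates a few constructed flows. It assumes first-match evaluation and that the ACL is consulted only for packets entering on VLAN 70; the sample host addresses are made up.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
V70 = ("10.10.70.0", "0.0.0.255")
# The article's five rules, in order: (name, source, destination, action)
RULES = [
    ("block 70 to 50", V70, ("10.10.50.0", "0.0.0.255"), "deny"),
    ("block 70 to 60", V70, ("10.10.60.0", "0.0.0.255"), "deny"),
    ("block 70 to 80", V70, ("10.10.80.0", "0.0.0.255"), "deny"),
    ("allow traffic to router", ANY, ("192.168.110.1", "0.0.0.0"), "permit"),
    ("catch all", ANY, ANY, "permit"),
]

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(ip, base, wildcard):
    """Wildcard bit 0 = must match, bit 1 = ignore (inverse of a netmask)."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(ip) & care) == (_int(base) & care)

def evaluate(src, dst, rules=RULES):
    """First matching rule decides (assumed first-match ACL semantics)."""
    for name, s, d, action in rules:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, name
    return "deny", "no rule matched"  # assumed default; never reached with rule 5

def verdict(ingress_vlan, src, dst):
    """The ACL is applied inbound on VLAN 70 only, so other VLANs skip it."""
    if ingress_vlan != 70:
        return "permit", "no ACL on this VLAN"
    return evaluate(src, dst)

# Constructed sample flows: (ingress VLAN, source, destination)
FLOWS = [
    (70, "10.10.70.20", "10.10.50.10"),     # VLAN 70 -> VLAN 50
    (70, "10.10.70.20", "192.168.110.1"),   # VLAN 70 -> router
    (70, "10.10.70.20", "192.168.110.50"),  # VLAN 70 -> host in router's VLAN
    (70, "10.10.70.20", "203.0.113.9"),     # VLAN 70 -> internet (doc address)
    (50, "10.10.50.10", "10.10.70.20"),     # VLAN 50 -> VLAN 70, reverse direction
]

if __name__ == "__main__":
    for vlan, src, dst in FLOWS:
        action, rule = verdict(vlan, src, dst)
        print(f"in VLAN {vlan}: {src} -> {dst}: {action} ({rule})")
```

The third flow shows that the catch-all rule also lets VLAN 70 reach other hosts in the router's 192.168.110.x VLAN, which the three deny rules do not cover. Under the stateless first-match model assumed here, replies from VLAN 70 to a connection opened from VLAN 50 are themselves VLAN 70 to VLAN 50 packets and match rule 1.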
