Implementing IP-based ACLs on D-Link DGS-1210 series smart switches

I discussed earlier how to create a set of asymmetric VLANs on a D-Link DGS-1210 series smart switch, and how to extend these VLANs on a second DGS-1210 series smart switch, with a single link or multiple aggregated links. On this page, I discuss how to restrict traffic to/from a DGS-1210 switch port on the basis of the originating and/or destination IP addresses. Although VLANs already can provide isolation between different switch ports, known attacks against VLANs are possible from within the LAN, e.g. VLAN hopping and other attacks that manipulate the 802.1Q tag of Ethernet frames. This is a particular concern in the common scenario in which a LAN with a single gateway to the Internet, for example, must accommodate both office and guest traffic.

In general, IP subnetting is a simple way to isolate different portions of a LAN from each other. However, different subnets cannot directly share the same gateway IP address. With a LAN partitioned into n subnets, at least n - 1 of them must use an IP router or NAT between subnet and shared gateway. This is the main reason why I resorted to VLANs in my initial solution of this problem.

Using an IP router between the guest LAN and the gateway, as a matter of fact, is a robust way to make sure that traffic from the guest subnet is only directed to the gateway. All it takes is a static route from IP router to gateway. Malicious packets from the guest subnet that reach the gateway, naturally, must be handled by the security configuration of the gateway. Using a non-secure gateway leaves the door open to attacks from the guest LAN. The office subnet can be secured, for example, by inserting a multi-port IP router or firewall between gateway and subnets.

Restricting traffic on the basis of the originating IP addresses on specific switch ports can be an alternative to VLANs, but vulnerable to attacks like IP address spoofing. For example, on a loosely configured LAN that uses a contiguous block of IP addresses (e.g. the commonly used 192.168.0.0/16 internal network of many home routers) IP address spoofing can be as simple as configuring a computer with a static IP address instead of using DHCP. Combining VLANs with IP address-based ACLs, on the other hand, makes intrusion from the guest LAN to the office LAN more difficult.

Prerequisites

You may wish to review the prerequisites discussed on my earlier pages. For the present purposes, we only need to discuss the configuration of one switch, and all we need to know is:

  • Port 1 of the switch is connected to the WiFi access point of the guest network. The guest network has no other wired access to the LAN.
  • The LAN uses the 192.168.8.0/24 IP address block, with the gateway at address 192.168.8.1 and connected to a port of VLAN 1.
  • Address 192.168.8.2 is not used (or is used by a computer with the only purpose of monitoring the whole LAN and therefore connected to VLAN 1).

The reason for the last of the above prerequisites is that, when configuring the switch, we cannot specify a single IP address. Instead, we need to specify the smallest possible subnet that contains the gateway address. This network only contains two usable IP addresses (besides network and multicast) and uses the /34 netmask, or 255.255.255.252.

Intended results

As mentioned above, the main purpose of this exercise is to extend three asymmetrical VLANs already configured on switch 1 to switch 2, using a single physical link between the two switches.

A secondary purpose is testing how link aggregation works in practice, by aggregating a second link to the first one connecting the switches.

Some thought must also be paid to the choice of which ports to use for interconnecting the two switches. The DGS-1210-10 has in total 10 ports that are essentially identical to each other, but for the fact that two of them are equippend with SFP receptacles instead of RJ45 sockets. In this case, the choice of which ports to use for interconnections has essentially no implications.

The DGS-1210-10MP, on the other hand, provides PoE on its RJ45 sockets, but not on ths SFP receptacles. It would make little sense to "waste" two of the eight PoE ports by using them for interconnections that cannot use PoE, and for this purpose it makes instead perfect sense to use the SFP receptacles. The choice of the SFP receptacles for interconnections also on the DGS-1210-10, although not justified by technical reasons, makes it easier to remember which ports to interconnect with cables, since it is a like-with-like arrangement.

My cabling strategy is to keep things as simple and obvious as possible, and therefore I chose to use the SFP receptacles on both switches for the same purpose. I recommend that you too keep you cabling as simple and straightforward as possible. Most real-world LANs grow "organically" by small incremental changes that use whatever ports and cables are easiest to use on the spur of the moment and require the least amount of work. Whatever is done is subsequently not optimized or rationalized because there is always something more urgent or more gratifying to do. I suggest instead that following a long-term strategy from the start is better, in the long term, than letting the "spaghetti monster" grow unchecked in your network cabinets.

LAN structure.

The above figure shows the desired structure of the LAN with the two smart switches discussed on this page and connected equipment. VLAN 1 is indicated in blue, VLAN 2 in red, and VLAN 3 in yellow. For simplicity, firewalls and individual computers (with the exception of a Raspberry Pi used for network surveillance) are not shown.

VLAN configuration

On switch 2, configure three asymmetric VLANs in exactly the same way as already done on switch 1, as described here.

Switch configuration

Port 10 of both switches is going to be used as the first link connecting the switches. This port is accessible to all VLANs, and therefore can be used to extend all three VLANs from switch 1 to switch 2.

Existing VLANs on switch 1.

On switch 1, the three VLANs shown in the above figure are already configured.

Reconfigured VLANs on switch 1.

The first task is reconfiguring the three VLANs as shown above. Open the 802.1Q Asymmetric VLAN Settings dialog (above figure). In this dialog, click the VID of VLAN 1. This displays the VID Settings dialog.

Configuring ports 9-10 as tagged in VLAN 1.

In the VID Settings dialog, tick the Tagged radio button of ports 9 and 10 as shown in the above figure, then click Apply.

Repeat the procedure for VIDs 2 and 3. In VID 3, additionally add untagged port 8 to this VLAN. Ports 9-10 will be aggregated to link the two switches, so we need to add a third port where we will connect the mobile network gateway that provides Internet access. Port 8 is already part of VLAN 1 and VLAN 2, so we do not need to add it to these VLANs. Don't forget to click Apply for each VLAN.

Ports 9 and 10 already belong to VLAN 1, but port 8 must be changed from VLAN 2 to VLAN 1.

In the 802.1Q VLAN PVID Settings dialog, assign port 8 to VLAN 1. Click Apply.

Save the configuration.

Duplicate the above configuration on switch 2.

If not already done, connect ports 10 of the two switches with a suitable network cable.

Test VLAN 1 on both switches. In terms of VLAN functionality, it should make no difference whether you are testing VLAN 1 with a computer connected to either switch 1 or switch 2. A computer on VLAN 1 should be able to ping any other computer connected to any VLAN on switches 1 and 2.

Repeat the tests on VLANs 2 and 3 to verify that these VLANs can communicate with computers on VLAN 1, but cannot communicate with each other.

Link aggregation

Link aggregation is called port trunking on D-Link switches. It is just one of several different names for the same thing.

Result of aggregating ports 9 and 10.

In L2 Functions/Link Aggregation/Port Trunking, tick the Enabled radio button, then click Apply in the same dialog section. Tick the checkboxes of ports 9 and 10 in the Link Aggregation Settings dialog section, then click Apply in the same section of the dialog. This creates a new entry in the Trunking list section of the dialog (above figure).

Repeat the above configuration on switch 1.

Connect port 9 of both switches with an Ethernet cable. Now it is safe to do so, while before aggregating ports 9 and 10 the spanning tree algorithm would detect ports 9 and 10 forming a closed loop, and disable one of the two ports (or, if spanning tree detection is disabled, ports 9 and 10 would continue to re-send the same frames to each other in an endless loop, and become unresponsive).

Testing the aggregated links is not straightforward, short of generating large amounts of traffic between the two switches and measuring the effective speed of the aggregated links, which in this case should be up to roughly 2 Gbps. The easiest way to verify that the two links are aggregated is by observing that the activity LEDs of both port 9 and port 10 are blinking (asynchronously from each other) when data is transmitted between the two switches. LACP allocates ports of an aggregated link on a flow basis, not on a packet basis (at least in these switches), so it is entirely possible for traffic along the aggregated links to use only one of the physical links on a short-term basis.

There is a second dialog for configuring LACP, but you do not need to change any of the default settings (and changing anything here may prevent link aggregation from working). In particular, it does not hurt for LACP to be active on all ports, including those not aggregated.

LACP establishes and dynamically maintains the aggregation. This involves some overhead processing and extra network traffic across the aggregated link, but LACP can manage changes in the availability and speed of the aggregated ports (e.g. if a port should stop working, or request a drop in link speed from 1G to 100M). Static link agregation is simpler, but as far as I understand, it cannot dynamically adapt to link changes and would just stop working if something happens to the link. The switches at both ends of the aggregated link must be set to the same type of aggregation (either LACP or static). As a matter of fact, D-Link recommends that LACP be always used instead of static aggregation.

I did try static aggregation and the aggregated link still works, but I cannot detect a difference in speed with respect to LACP. I will just follow D-Link's recommendation to use LACP, since in my case both switches support it. Static aggregation might be useful if one of the switches does not support LACP.

LACP can work in active or passive mode. In active mode, an endpoint actively contacts the opposite endpoint to start and maintain an aggregation group. In passive mode, the endpoint only waits for an active endpoint to start communicating. Therefore, at least one of the LACP endpoints must be in active mode. In fact, both endpoints can be in active mode, which is the default setting on the DGS-1210 series.

LACP is not bridged across a switch, so it is not forwarded past the endpoints of the aggregated link, and you do not have to worry about LACP frames causing havoc with equipment that cannot process these frames.

Concluding remarks

Joining two smart switches of the DGS-1210 series with a single link and configuring the Ethernet ports using this link as tagged can allow asymmetric VLANs to span across switches and the latter to behave, in essence, like a single distributed switch. Implementing this functionality, however, requires an understanding of the logic involved in the configuration of VLANs, tagged ports and (if used) aggregated links.

If multiple connections between the switches are available, link aggregation can be used between the two switches to increase bandwidth and add link redundancy. LACP, recommended by D-Link for this use, appears to be the most reliable alternative for link aggregation.



Distribution of page hits (whole site) during the last month.
Provided by clustrmaps.com

This site is ad-free. If you see any ads here, they are added by your ISP, or by spyware on your computer, or you are visiting this site through frames of another site.