BS-G3024MR VLAN Network Segmentation and IP Filtering Setup Guide
This document provides a guide for setting up VLANs and IP filtering on the Buffalo BS-G3024MR Layer 3 Gigabit Intelligent Switch. It is intended for system administrators involved in the introduction or consideration of the BS-G3024MR series.
Introduction
This guide details the basic setup procedures and key points for VLAN network segmentation and IP filtering using the Buffalo BS-G3024MR Layer 3 Switch. It covers VLAN configuration, routing setup, and hardware IP filtering.
The target audience includes system administrators implementing or considering the BS-G3024MR series. Basic knowledge of Port VLAN/Tag VLAN is assumed.
The information in this guide is based on the specifications and screens of the BS-G3024MR firmware Version 1.0.4.8 (August 2009 release).
This guide does not cover all features of the BS-G3024MR. It focuses on the essential functions for VLAN and routing setup, and IP filtering, providing step-by-step instructions.
The network configuration assumed in this guide is for a school environment, separating teacher and student networks and implementing IP filtering. This configuration can be adapted for small to medium-sized offices with minor modifications.
- Teacher Network: VLAN 11, IP: 192.168.11.xxx
- Shared Network: VLAN 13, IP: 192.168.13.xxx (connect File Server/NAS here)
- Student Network: VLAN 12, IP: 192.168.12.xxx
- Router: Local IP: 192.168.14.1
- Internet Connection Network: VLAN 14, IP: 192.168.14.xxx
- Management (Setup) Network: VLAN 1, IP: 192.168.10.xxx
Note: The latest firmware for the switch can be downloaded from the Buffalo website. Screen messages and procedures may change due to future specification updates. For features not covered in this guide, please refer to the product's setup guide or introduction guide (also available as PDF files on the Buffalo website).
Setup and Configuration Plan
Before installing and configuring a Layer 3 switch, it is recommended to plan the network's IP address scheme and the VLAN assignments for each port.
This guide outlines a network configuration for a school LAN environment, involving four VLANs: Teacher Network, Student Network, Shared Network, and Management Network. An additional VLAN is included for the internet access router.
Network Configuration (VLAN Configuration)
The following five VLANs will be configured:
- VLAN 1: Management/Setup Network (for administrators)
- VLAN 11: Teacher Network
- VLAN 12: Student Network
- VLAN 13: Shared Network (for shared servers, NAS, etc.)
- VLAN 14: Router (for internet connection)
IP Address Scheme and Layer 3 Switch IP Address Assignment
The IP addresses for each VLAN are as follows:
- VLAN 1: 192.168.10.xxx. Gateway: 192.168.10.254
- VLAN 11: 192.168.11.xxx. Gateway: 192.168.11.254
- VLAN 12: 192.168.12.xxx. Gateway: 192.168.12.254
- VLAN 13: 192.168.13.xxx. Gateway: 192.168.13.254
- VLAN 14: 192.168.14.xxx. Gateway: 192.168.14.254
The internet router will be connected to VLAN 14 with its LAN side address set to 192.168.14.1.
DHCP Server Settings (if using the switch's DHCP server):
- VLAN 1: DHCP client IP assignment from 192.168.10.11, 5 addresses.
- VLAN 11: DHCP client IP assignment from 192.168.11.11, 80 addresses.
- VLAN 12: DHCP client IP assignment from 192.168.12.11, 80 addresses.
Note: DHCP assignment is not configured for VLAN 13 and VLAN 14 as no clients are expected to connect.
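Before entering these values into the switch, it helps to check the plan mechanically. The following Python script is an added example, not from the Buffalo guide: it encodes the VLAN subnets, gateways and DHCP pools listed above and reports gateways outside their subnet, overlapping subnets, and DHCP pools that spill past the usable host range or would hand out the gateway or the router's LAN address (192.168.14.1). The names VLAN_PLAN, DHCP_PLAN, STATIC_HOSTS and check_plan are the example's own.

```python
import ipaddress

# VLAN address plan from this guide: VLAN ID -> (subnet, Layer 3 switch address = gateway)
VLAN_PLAN = {
    1:  ("192.168.10.0/24", "192.168.10.254"),
    11: ("192.168.11.0/24", "192.168.11.254"),
    12: ("192.168.12.0/24", "192.168.12.254"),
    13: ("192.168.13.0/24", "192.168.13.254"),
    14: ("192.168.14.0/24", "192.168.14.254"),
}

# Simple DHCP server settings from this guide: VLAN ID -> (first client address, number of addresses)
DHCP_PLAN = {1: ("192.168.10.11", 5), 11: ("192.168.11.11", 80), 12: ("192.168.12.11", 80)}

# Statically addressed hosts a DHCP pool must never hand out (the router's LAN side, from the guide)
STATIC_HOSTS = {14: ["192.168.14.1"]}


def dhcp_pool(first, count):
    """Addresses a pool of `count` leases starting at `first` would hand out."""
    start = ipaddress.ip_address(first)
    return [start + i for i in range(count)]


def dhcp_pool_range(first, count):
    """(first, last) address of a pool as strings, handy when documenting the plan."""
    pool = dhcp_pool(first, count)
    return str(pool[0]), str(pool[-1])


def check_plan(vlan_plan, dhcp_plan, static_hosts):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {vid: ipaddress.ip_network(subnet) for vid, (subnet, _) in vlan_plan.items()}

    # 1. Every gateway address must lie inside the subnet it serves.
    for vid, (subnet, gw) in vlan_plan.items():
        if ipaddress.ip_address(gw) not in nets[vid]:
            problems.append(f"VLAN {vid}: gateway {gw} is outside {subnet}")

    # 2. No two VLAN subnets may overlap; the switch could not route between them.
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")

    # 3. Each DHCP pool must stay inside its VLAN's usable host range and must not
    #    include the gateway or any statically addressed host.
    for vid, (first, count) in dhcp_plan.items():
        net = nets[vid]
        pool = dhcp_pool(first, count)
        for addr in pool:
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                problems.append(f"VLAN {vid}: DHCP address {addr} is not a usable host address in {net}")
                break
        reserved = {ipaddress.ip_address(vlan_plan[vid][1])}
        reserved |= {ipaddress.ip_address(h) for h in static_hosts.get(vid, [])}
        clash = sorted(str(a) for a in reserved & set(pool))
        if clash:
            problems.append(f"VLAN {vid}: DHCP pool would hand out reserved address(es) {clash}")
    return problems


if __name__ == "__main__":
    for vid, (first, count) in DHCP_PLAN.items():
        print(f"VLAN {vid}: DHCP pool {dhcp_pool_range(first, count)}")
    print("problems:", check_plan(VLAN_PLAN, DHCP_PLAN, STATIC_HOSTS) or "none")
```

Run it again whenever the plan changes (a larger pool, an extra VLAN, a router moved to another address); an empty problem list is the condition to meet before touching the switch, which avoids the address conflicts the MEMO below warns about.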
IP Filtering Considerations
The hardware IP filter will be configured with the following policies:
- Student to Teacher network: Access denied.
- Teacher to Student network: Access permitted.
- Shared to Router: Access denied.
- Router to Shared: Access denied.
- Within the same VLAN: Access is permitted.
VLAN Access Rules:
- VLAN 1 (Management): Access to VLAN 11, 12, 13, 14 is permitted.
- VLAN 11 (Teacher): Access to VLAN 12, 13, 14 is permitted.
- VLAN 12 (Student): Access to VLAN 13, 14 is permitted. ICMP (Ping) only to VLAN 11.
- VLAN 13 (Shared): Access to VLAN 11, 12 is permitted. Access to VLAN 14 is denied.
- VLAN 14 (Router): Access to VLAN 1, 11, 12 is permitted.
Note: Hardware IP filtering offers various configuration options; this guide covers basic settings.
Layer 3 Switch Port Configuration and Connection Plan
The VLAN configuration for each port on the Layer 3 switch will be determined. Tag VLAN ports will be configured for connecting to other switches or access points that support Tag VLAN.
- VLAN 1 (Management): Ports 1-2
- VLAN 11 (Teacher): Ports 3-8
- VLAN 12 (Student): Ports 9-16
- VLAN 13 (Shared): Ports 17-18
- VLAN 14 (Internet): Ports 19-20
- Tag VLAN Ports: Ports 21-24
Note: VLAN 13 (Shared Network) does not require Tag VLAN configuration as it is not intended for inter-switch connections. Ports 25 and 26 are unused and will remain in VLAN 1. The internet router connects via ports 19 or 20. Connections to other switches or access points utilize ports 21-24.
Layer 3 Switch Setup Workflow
The following steps outline the Layer 3 switch configuration process:
- Connect the configuration PC to Port 1 (VLAN 1) of the Layer 3 switch.
- Setup Procedure 1: VLAN Network Segmentation
  - Configure the IP address for the Layer 3 switch.
  - Configure VLAN/IP status.
  - Configure VLAN ports.
  - Configure inter-VLAN routing (default gateway, RIP2).
  - Configure system security (admin username/password).
- Setup Procedure 2: Hardware IP Filter
  - Configure hardware IP filters.
MEMO: When connecting multiple switches or access points with default IP addresses (192.168.1.254), IP address conflicts may occur. Ensure unique IP addresses are assigned before connecting more than one device.
MEMO: For hardware IP filtering, it is recommended to complete all device configurations before applying filters to avoid difficulties in troubleshooting.
Note: This guide assumes the use of a Buffalo broadband router for internet connection, but other routers can also be used.
The guide includes information on the BS-G3024MR's simple DHCP server function. If your router supports DHCP scope functionality for each VLAN, you can use the switch's DHCP relay function to assign IP addresses via the router.
Layer 3 Switch Setup Procedures
Setup Procedure 1: VLAN Network Segmentation
1. Configure IP Address for Layer 3 Switch
The IP address of the Layer 3 switch is crucial as it is accessed via a web browser. This IP address also serves as the gateway address for the management VLAN.
There are three methods to change the switch's IP address:
- Access the default IP address of the product and change it via the web configuration screen.
- Change the IP address using AirStation Admin Tools Lite (free management tool).
- Connect via a console cable (RS-232C) and set the IP address. (Console cable setup is omitted in this guide; refer to the BS-G3024MR Reference Guide for details.)
Method 1: Using the Web Configuration Screen
This method allows IP address configuration without requiring a separate tool, provided the switch's IP address is still at its default setting.
If the initial IP address is unknown, use AirStation Admin Tools to change it.
- The default IP address of the Layer 3 switch is 192.168.1.254 (255.255.255.0). Configure your PC's IP address to be in the same network range (e.g., 192.168.1.253) and access the web interface using a web browser.
- Open a web browser and enter 192.168.1.254 in the address bar.
- The Layer 3 switch login screen will appear. Enter admin as the username and click OK. (No password is set by default.)
- The web configuration interface will be displayed.
- Navigate to [Basic Settings] > [VLAN/IP Settings] > [VLAN/IP Status].
- Configuration PC IP Address: (e.g.) 192.168.1.253
- Subnet Mask: (e.g.) 255.255.255.0
- Product IP Address: 192.168.1.254 (default)
- Subnet Mask: 255.255.255.0 (default)
Changing the IP Address
- Click [Edit] next to the VLAN ID 1 entry in the 'VLAN Status' screen to change the IP address and subnet mask.
- Set the switch's IP address to 192.168.10.254 and the subnet mask to 255.255.255.0 (default).
After changing the IP address, you may need to reconfigure your PC's IP address to access the management interface if the network addresses differ.
Method 2: Using AirStation Admin Tools Lite
AirStation Admin Tools Lite is a free management tool from Buffalo for their business network products. It can be downloaded from the Buffalo website.
This tool allows you to search for Buffalo business network switches and access points on your network and easily change their IP addresses. It can find and display connected devices, enabling you to assign appropriate IP addresses even if you don't know the switch's IP beforehand.
MEMO: When setting up devices in a network, using AirStation Admin Tools can help in identifying devices and setting user-friendly passwords for security.
- Download and launch AirStation Admin Tools Lite from the Buffalo website (http://buffalo.jp).
- The tool will automatically scan the network for connected Buffalo business network devices. You can perform a manual rescan via the menu: [Edit] > [Rescan].
- Select the switch, then navigate to [Tools] > [Change IP Address].
- Follow the on-screen instructions to enter the new IP address (e.g., 192.168.10.254) and subnet mask (255.255.255.0).
The IP address configuration for the Layer 3 switch is now complete.
2. Create VLANs (VLAN 1, 11, 12, 13, 14)
Access the Layer 3 switch's web configuration screen as described in the IP address setup section.
- Navigate to [Basic Settings] > [VLAN/IP Settings] > [VLAN/IP Status].
- Begin by creating VLAN 11.
- In the 'Create New VLAN' section, enter the VLAN ID (e.g., 11), VLAN Name (e.g., VLAN11), IP Address (192.168.11.254), and Subnet Mask (255.255.255.0, i.e. /24).
- Configure port settings: Ports 21-24 as 'Static Tagged', Ports 3-8 as 'Static Untagged', and the remaining ports as 'Not Member'. Click 'Set'.
After the settings are saved, click 'Back'.
Repeat the process to create VLAN 12, VLAN 13, VLAN 14, and VLAN 1.
- VLAN 12: IP Address 192.168.12.254, Ports 21-24 'Static Tagged', Ports 9-16 'Static Untagged', others 'Not Member'.
- VLAN 13: IP Address 192.168.13.254, Ports 17-18 'Static Untagged', others 'Not Member'.
- VLAN 14: IP Address 192.168.14.254, Ports 19-20 'Static Untagged', others 'Not Member'.
- VLAN 1: IP Address 192.168.10.254. All ports default to 'Static Untagged'. No changes are needed for the management VLAN.
Refer to the port configuration diagram on page 5 of this guide.
MEMO: PVID settings, described in the next section, are necessary for VLAN operation.
Layer 3 Switch Setup - Hardware IP Filter
Hardware IP filtering allows you to control data packet transmission between VLANs based on IP addresses and port numbers. This feature provides high-speed filtering without impacting transfer rates.
1. Configure Hardware IP Filter
- Create a condition list under [Advanced Settings] > [Hardware IP Filter] > [Condition List]. Name the list (e.g., 'oneway' for one-way access from student to teacher network) and click 'Add'.
- Configure the filtering action in the 'Create/Edit New Rule' screen. For example, to deny SYN packets from 192.168.12.0/24 to 192.168.11.0/24, set Action to 'Discard', Source IP to '192.168.12.0/24', Destination IP to '192.168.11.0/24', Protocol to 'TCP', and TCP Control Code to 'SYN'.
This configuration achieves one-way communication by discarding the SYN packets that open every TCP session: hosts in VLAN 12 cannot start a session with VLAN 11, while packets belonging to a session opened from VLAN 11 are still permitted by the following TCP rule.
VLAN 11 (Teacher) to VLAN 12 (Student) Communication:
- Access is permitted. No filter list is applied to the teacher network ports, so sessions opened from VLAN 11 pass unfiltered.
VLAN 12 (Student) to VLAN 11 (Teacher) Communication:
- Discard TCP SYN packets from VLAN 12 to VLAN 11.
- Permit other TCP communications from VLAN 12 to VLAN 11.
- Permit ICMP (Ping) from VLAN 12 to VLAN 11.
- Discard all other protocols from VLAN 12 to VLAN 11.
Note: To avoid issues during troubleshooting, it's recommended to allow ICMP (Ping) for communication from the user network to the management network.
The rule list will be generated based on the applied settings.
No | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port | TCP Control Code | Edit/Delete |
---|---|---|---|---|---|---|---|---|
1 | Discard | 192.168.12.0/24 | 192.168.11.0/24 | TCP | ANY | ANY | SYN | Edit/Delete |
2 | Permit | 192.168.12.0/24 | 192.168.11.0/24 | TCP | ANY | ANY | ANY | Edit/Delete |
3 | Permit | 192.168.12.0/24 | 192.168.11.0/24 | ICMP | ANY | ANY | ANY | Edit/Delete |
4 | Discard | 192.168.12.0/24 | 192.168.11.0/24 | ANY | ANY | ANY | ANY | Edit/Delete |
Similarly, configure settings to block communication from VLAN 13 to VLAN 14. Name this list 'stopall'.
No | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port | TCP Control Code | Edit/Delete |
---|---|---|---|---|---|---|---|---|
1 | Discard | 192.168.13.0/24 | 192.168.14.0/24 | ANY | ANY | ANY | ANY | Edit/Delete |
Apply the configured rules to specific ports. For example, apply 'oneway' to the student network ports (9-16) and Tag VLAN ports (21-24), and 'stopall' to the shared network ports (17-18).
Port | Input | Output |
---|---|---|
1 | Not Applied | Not Applied |
2 | Not Applied | Not Applied |
3 | Not Applied | Not Applied |
4 | Not Applied | Not Applied |
5 | Not Applied | Not Applied |
6 | Not Applied | Not Applied |
7 | Not Applied | Not Applied |
8 | Not Applied | Not Applied |
9 | oneway | Not Applied |
10 | oneway | Not Applied |
11 | oneway | Not Applied |
12 | oneway | Not Applied |
13 | oneway | Not Applied |
14 | oneway | Not Applied |
15 | oneway | Not Applied |
16 | oneway | Not Applied |
17 | stopall | Not Applied |
18 | stopall | Not Applied |
19 | Not Applied | Not Applied |
20 | Not Applied | Not Applied |
21 | oneway | Not Applied |
22 | oneway | Not Applied |
23 | oneway | Not Applied |
24 | oneway | Not Applied |
25 | Not Applied | Not Applied |
26 | Not Applied | Not Applied |
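As an added example (not part of the Buffalo guide), the following Python model evaluates the 'oneway' and 'stopall' lists above in first-match order against constructed sample packets entering the ports in the table. It assumes that the switch's 'SYN' control code matches only a session-opening SYN (SYN without ACK), so that the SYN+ACK a student host returns to a teacher-initiated session is not caught, and that traffic matching no rule on a port is forwarded; both are assumptions about the switch's behaviour, not statements from the guide. The names Rule, Packet, evaluate_list and evaluate are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # 'Permit' or 'Discard'
    src: str               # source network in CIDR form, or 'ANY'
    dst: str               # destination network in CIDR form, or 'ANY'
    proto: str             # 'TCP', 'UDP', 'ICMP' or 'ANY'
    tcp_flag: str = "ANY"  # 'SYN' to match only session-opening SYN packets


# The two condition lists from this guide, rules in the order of the rule tables above
CONDITION_LISTS = {
    "oneway": [
        Rule("Discard", "192.168.12.0/24", "192.168.11.0/24", "TCP", "SYN"),
        Rule("Permit",  "192.168.12.0/24", "192.168.11.0/24", "TCP"),
        Rule("Permit",  "192.168.12.0/24", "192.168.11.0/24", "ICMP"),
        Rule("Discard", "192.168.12.0/24", "192.168.11.0/24", "ANY"),
    ],
    "stopall": [
        Rule("Discard", "192.168.13.0/24", "192.168.14.0/24", "ANY"),
    ],
}

# Input-direction assignment from the guide's port table; ports not listed have no list applied
PORT_INPUT_LIST = {
    **{p: "oneway" for p in range(9, 17)},    # student network ports 9-16
    **{p: "stopall" for p in (17, 18)},       # shared network ports 17-18
    **{p: "oneway" for p in range(21, 25)},   # Tag VLAN ports 21-24
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # 'TCP', 'UDP' or 'ICMP'
    syn_only: bool = False  # TCP SYN without ACK, i.e. a request to open a new session


def _in_net(cidr, ip):
    return cidr == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def rule_matches(rule, pkt):
    """All fields of a rule must match; 'ANY' matches anything."""
    if not _in_net(rule.src, pkt.src_ip) or not _in_net(rule.dst, pkt.dst_ip):
        return False
    if rule.proto != "ANY" and rule.proto != pkt.proto:
        return False
    # Assumption: the 'SYN' control code matches only SYN-without-ACK, so the SYN+ACK a
    # student host returns to a teacher-initiated session falls through to the next rule.
    if rule.tcp_flag == "SYN" and not (pkt.proto == "TCP" and pkt.syn_only):
        return False
    return True


def evaluate_list(rules, pkt):
    """First matching rule wins. Returns (action, rule number), or ('Permit', None) when
    nothing matched (assumption: unmatched traffic is forwarded)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return "Permit", None


def evaluate(port, pkt):
    """Verdict for a packet entering the switch on `port`, per the port table above."""
    list_name = PORT_INPUT_LIST.get(port)
    if list_name is None:
        return "Permit", None    # no filter list on this port in the input direction
    return evaluate_list(CONDITION_LISTS[list_name], pkt)


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic
    samples = [
        (9,  Packet("192.168.12.20", "192.168.11.20", "TCP", syn_only=True)),  # student opens session to teacher
        (9,  Packet("192.168.12.20", "192.168.11.20", "TCP")),                 # packet within a teacher-opened session
        (9,  Packet("192.168.12.20", "192.168.11.20", "ICMP")),                # student pings teacher
        (9,  Packet("192.168.12.20", "192.168.11.20", "UDP")),                 # anything else towards teacher
        (3,  Packet("192.168.11.20", "192.168.12.20", "TCP", syn_only=True)),  # teacher opens session to student
        (17, Packet("192.168.13.10", "192.168.14.1", "UDP")),                  # shared server towards router
    ]
    for port, pkt in samples:
        print(port, pkt.src_ip, "->", pkt.dst_ip, pkt.proto, evaluate(port, pkt))
```

Two points the model makes visible: the order of rules 1 and 2 in 'oneway' is what enforces the policy (with the Permit-TCP rule first, every SYN would be permitted and the list would do nothing), and applying 'oneway' on the Tag VLAN ports 21-24 is what catches student hosts that reach the Layer 3 switch through a downstream switch or access point rather than through ports 9-16.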
The Layer 3 switch setup is now complete. Refer to the next page for information on the 'Simple DHCP Server Setup' for IP address assignment.
Reference Information: Simple DHCP Server Setup
This section provides information on configuring the simple DHCP server function of the BS-G3024MR.
For detailed instructions on IP address assignment using a router's DHCP scope function, consult your router's manual.