separate vlan no intervlan config?
How To Configure InterVLAN Routing on Layer 3 Switches - Cisco Systems
Hey guys. I probably should know this but kind of fuzzy. Okay.
look at vlan 3 PC in this link for L3 switching.
Okay say for example I have a vendor come into our work and we want to separate him from our vlans. So when he hooks his PC to the RJ45 connection he will be in vlan 3 say for example. Well. I dont want
intervlan communication in this case what do I do here? Can I set up a static route for his ip address? using the trunk lines to the router?
can yo give me some guidance on this? what is normal practice and even on a L2 swtch like a 2950 how would you do that? and still make a subif on the ROS?
Hey guys. I probably should know this but kind of fuzzy. Okay.
look at vlan 3 PC in this link for L3 switching.
Okay say for example I have a vendor come into our work and we want to separate him from our vlans. So when he hooks his PC to the RJ45 connection he will be in vlan 3 say for example. Well. I dont want
intervlan communication in this case what do I do here? Can I set up a static route for his ip address? using the trunk lines to the router?
can yo give me some guidance on this? what is normal practice and even on a L2 swtch like a 2950 how would you do that? and still make a subif on the ROS?
Comments
-
ColbyG Member Posts: 1,264Just leave that VLAN at layer 2 on the switch. No SVI = no gateway = no routing.
Edit: If you want them to be able to communicate to the internet (or somewhere other than the local VLAN), you could use ACLs filtering communication to your production VLANs. -
itdaddy Member Posts: 2,089 ■■■■□□□□□□thanks guys
I was thinking that I had to use ACLs sort of made sense but needed a 2nd opinion thanks to both of you yeah, they need internet...super tips appreciate your skills will look into the private vlan stuff too as well as ACL thanks -
4E6564 Member Posts: 32 ■■□□□□□□□□Ok, one way would be to put him on his own VLAN. I'm assuming you are using a layer 3 switch or a router as you specified above your layer 2 switch. Whether you are using an SVI or a sub-interface, stick an access-list on it ie:
deny ip any <<your inside host addresses>>
permit ip any any
or setup an access-list inbound to his interface, etc etc
This will deny him access to your internal hosts, but allow him out to the Internet.
Alternatively you could set him up in a private vlan, depending on the switches you have.
You set up your router port as promiscuous, and his port as isolated. That way he can only get to the promiscuous port, and every other port is unaffected.
I think it is something similar to the following, though this is from memory.
vlan 100
name primaryvlan
private-vlan primary
private-vlan association 101
vlan 101
name privatevlan
private-vlan isolated
under the intefaces
fa0/0
switchp mode private-vlan promis
switchp private-vlan mapping 100 add 101
fa0/1
switchp mode private-vlan host
switchp private-vlan host-association 101
Lastly you could use a VLAN or Port ACL to block the traffic... -
Forsaken_GA Member Posts: 4,024Private VLAN's are only good if he wants to prevent them talking to machines on the same vlan, doesn't do anything to prevent him talking to something through the default gateway.
Create an ACL that disallows connecting to any host on your private networks, and stick that on whatever interface is going to be routing for the vlan you create for him. -
4E6564 Member Posts: 32 ■■□□□□□□□□Correct, but if he only has a single VLAN, then it would work.
But looking back now I see that he was putting him in a separate VLAN. -
Ezlite Member Posts: 27 ■□□□□□□□□□A simple way to do this is a GRE tunnel or an MPLS LSP to the DMZ. Then just PBR it into the LSP/Tunnel. This way you do not have to worry about managing the ACLs and the 'guest' is dumped into an zone for which security is already there and actively managed.
easy, scales, and will comply with current/future security policies.
just my thoughts on the implementationTB
JNCIP-M: Late June 2010 -
ColbyG Member Posts: 1,264A simple way to do this is a GRE tunnel or an MPLS LSP to the DMZ. Then just PBR it into the LSP/Tunnel. This way you do not have to worry about managing the ACLs and the 'guest' is dumped into an zone for which security is already there and actively managed.
easy, scales, and will comply with current/future security policies.
just my thoughts on the implementation
Explain this a bit more please, maybe provide some config. I don't see how this is easier than an ACL on the L3 interface. -
Forsaken_GA Member Posts: 4,024I see where he's coming from, and it is indeed an easy and scalable solution, depending on the network size. It's a good solution if there's a DMZ already in place, which the OP doesn't seem to have any indication of.
The context I got from the question is how to essentially provide guest internet access for a small network, in which case an ACL applied to a router port is going to be the simplest way to accomplish this, but if I were trying to implement the same thing in a more complex network, his suggestion is a good one -
APA Member Posts: 959Use PACLs.... (Port ACLs) - Warning this can become cumbersome if you have many guests....
ip access-list extended ISOLATE-GUESTS
permit ip (SRC Guest network) host (Guest Network SVI GW)
deny ip (SRC Guest network) (DST guest network)
deny ip (SRC Guest network) (DST inside networks)
permit ip any any
Apply this inbound to the switchports that you wish to have guests on...
This will only allow traffic if the Gateway is the DST address in the IP header.... or allow traffic with a DST address of external networks in the IP header...
Otherwise if you're happy to... then just apply an ACL to the gateway to the VLAN SVI and filter inter-vlan traffic that way... however this will not isolate your guests will allow guests to contact each other on the guest VLAN...
If you want to isolate your guests then use PACLs or a VLAN access-map... Can also use p-vlans, however as mentioned above by Forsaken this does not prevent hosts from speaking outside their given VLAN... work almost on the same basis as a vlan access-map....
Multiple options to get this done... If you choose to use PACLs then ensure the switching infrastructure supports PACLs... I know some earlier Cisco switches do not support them...
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP -
Forsaken_GA Member Posts: 4,024Otherwise if you're happy to... then just apply an ACL to the gateway to the VLAN SVI and filter inter-vlan traffic that way... however this will not isolate your guests will allow guests to contact each other on the guest VLAN...
<ebil>
This is where my BOFH certification comes in. I'd stick the guy in a /30 vlan, and make that network port 'the' guest port. If any other guest wanted to use the internet, they'd have to wait for the other guy.
I'd also rate limit his port to 64k.
</ebil> -
Ezlite Member Posts: 27 ■□□□□□□□□□Explain this a bit more please, maybe provide some config. I don't see how this is easier than an ACL on the L3 interface.
GRE - just use the SDM and let it do the work. An internal site to site vpn in essence.
MPLS - (only if you have a mpls enabled network already in place)
I can do a few configs if you need, but, I would need to make some assumptions about the existing implementation <LDP, RSVP, what IGP, What summarization is in place, IOS version, model, etc>.
what makes it simpler is that you can use DHCP servers in the DMZ and the topology, for MPLS case, is independent of addressing. So setup takes a little more inital thought but ongoing management is very low, esp when you start to add additional guest areas in other physical locations.
1 central DHCP server, 1 Firewall instance, and a standard "template" config at each 'guest' access location. Its even simple to add secure 'guest' access at remote locations if needed.
In the future you could add classes of guests via radius/ldap based accounts with a very little hassle.
'Guest' systems are a potential nightmare and should be treated as "untrusted" from my perspective.
I always look to reduce op-ex and a reasonable inital one-time cost to get it down is well worth it.
and as Forsaken pointed out .. if this in fact a 'small' net thats not expected to grow then acls are fine.TB
JNCIP-M: Late June 2010