Limiting Access to Internet Router

control Member Posts: 309
Setup: layer 3 switch with multiple VLANs. I want to connect a DSL router into one of the switch ports and have only certain VLAN members (call it VLAN 5) use the router for Internet access.

I obviously do not want any risk of VLAN 5 being able to route to other VLANs/subnets on the L3 switch.

So far I've configured the switchport that will take the DSL router to be in VLAN 5, and the plan is to have the router dish out IP addresses via DHCP to VLAN 5 members. The DHCP pool is 10.1.1.0 /24.

Do I need to have some sort of ACL on the VLAN interface?

The end result is to have the 10.1.5.0 /24 network (VLAN 5) totally independent, with no risk of traffic being able to traverse other areas of the network.

Is it just a case of adding machines to VLAN 5 switchports and they will pick up DHCP from the router? Any security concerns I would need to look into?

Thanks

Comments

  • MrXpert Member Posts: 586
    I think you could use a VACL here or even private VLANs. Have everything on one subnet with private VLANs, but set up VLAN 5 as a community, which means it can talk to other hosts in that community along with the promiscuous port, which I assume you'd need to be the port belonging to the default gateway.
    If the switch and the router you have are on different VLANs/subnets you will need the ip helper-address command put onto the interface. At least this is my reading of it.
    I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
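As an added example (not posted by anyone in the thread), here is what the VACL approach MrXpert mentions looks like on a Cisco IOS Catalyst switch. It assumes the other internal subnets are in the RFC 1918 ranges and that the ACL and access-map names are free to use; a VACL is evaluated for traffic bridged within VLAN 5 as well as traffic routed into or out of it, so it works whether or not an SVI exists.

```cisco
! Added example, not from the original thread. Assumed names: VLAN5-LOCAL,
! VLAN5-TO-INTERNAL, VLAN5-ISOLATE. Adjust the internal ranges to your plan.

! Traffic that must keep flowing inside VLAN 5: host-to-host, host-to-DSL-router,
! and DHCP (a DISCOVER has source 0.0.0.0, so it needs the explicit udp lines).
ip access-list extended VLAN5-LOCAL
 permit ip 10.1.5.0 0.0.0.255 10.1.5.0 0.0.0.255
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc

! Anything between VLAN 5 addresses and the rest of the private address space,
! in either direction. Matched AFTER VLAN5-LOCAL, so 10.1.5.x to 10.1.5.x is
! already forwarded before these lines are consulted.
ip access-list extended VLAN5-TO-INTERNAL
 permit ip 10.1.5.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.5.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 10.1.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.0.0.0 0.255.255.255 10.1.5.0 0.0.0.255
 permit ip 172.16.0.0 0.15.255.255 10.1.5.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 10.1.5.0 0.0.0.255

! Sequence numbers are evaluated in order; a packet matching no clause is
! dropped, which is why clause 30 forwards everything else (Internet traffic).
vlan access-map VLAN5-ISOLATE 10
 match ip address VLAN5-LOCAL
 action forward
vlan access-map VLAN5-ISOLATE 20
 match ip address VLAN5-TO-INTERNAL
 action drop
vlan access-map VLAN5-ISOLATE 30
 action forward

! Bind the map to VLAN 5 only.
vlan filter VLAN5-ISOLATE vlan-list 5

! Checks:
!   show vlan access-map VLAN5-ISOLATE
!   show vlan filter
```

The VACL only sees the IP addresses in the packet, so a VLAN 5 host that sets a static address outside 10.1.5.0/24 is not caught by the VLAN5-TO-INTERNAL source lines; the return-direction lines (destination 10.1.5.0/24) still block replies to the legitimate range, and the no-SVI design discussed later in the thread removes the routed path altogether.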
  • atorven Member Posts: 319
    Why not just use an ACL applied to the SVI to block traffic going to the other subnets?
  • control Member Posts: 309
    Can I apply an access list to an actual VLAN interface on a layer 3 switch, or does it need to be a VACL? (I haven't come across a VACL before.)

    If I want to restrict the 10.1.5.0 /24 traffic to never leave its VLAN (5) and let no other traffic enter into that VLAN (5), is this easily accomplished, and at what level would I apply the ACL?
  • networker050184 Mod Posts: 11,962
    Yes you can apply an ACL to an SVI on a L3 switch.
    An expert is a man who has made all the mistakes which can be made.
  • control Member Posts: 309
    Can it only be applied in one direction, e.g. in or out? Is there a simple ACL I can compile to achieve my goal? ACLs are not something I have much experience with.
  • networker050184 Mod Posts: 11,962
    They can be placed in both directions.
    An expert is a man who has made all the mistakes which can be made.
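As an added example (not from any poster), this is the SVI version of what atorven and networker050184 describe: a router ACL applied inbound and outbound on interface Vlan5 of a Cisco IOS L3 switch. The SVI address 10.1.5.254 and the ACL names are assumptions; the DSL router, not this SVI, remains the hosts' default gateway.

```cisco
! Added example, not from the original thread. Assumed: Cisco IOS, SVI
! address 10.1.5.254/24, ACL names VLAN5-IN and VLAN5-OUT.

! "in" = packets leaving VLAN 5 hosts and entering the switch's routing engine.
! The first line keeps a separate hit counter for the legitimate source range,
! so spoofed sources show up on the second line.
ip access-list extended VLAN5-IN
 remark VLAN 5 must never be routed anywhere by this switch
 deny   ip 10.1.5.0 0.0.0.255 any log
 deny   ip any any log

! "out" = packets routed from other VLANs toward VLAN 5.
ip access-list extended VLAN5-OUT
 remark nothing from the rest of the network may be routed into VLAN 5
 deny   ip any 10.1.5.0 0.0.0.255 log
 deny   ip any any log

interface Vlan5
 description Internet-only VLAN, routing deliberately blocked
 ip address 10.1.5.254 255.255.255.0
 ip access-group VLAN5-IN in
 ip access-group VLAN5-OUT out

! Checks (hit counters climb if anything is trying to cross the boundary):
!   show ip access-lists VLAN5-IN
!   show ip access-lists VLAN5-OUT
!   show ip interface Vlan5 | include access list
```

Two caveats. A router ACL on an SVI only sees traffic that is being routed; frames bridged inside VLAN 5 between the hosts and the DSL router are not evaluated by it, which is what you want here. And because both lists deny everything, the SVI buys you nothing except logging and counters; the `log` keyword punts matches to the CPU, so either keep it for a low-volume boundary like this one or leave it off. If you do not need the counters, the approach in the last post of the thread (no SVI at all) is the simpler way to get the same isolation.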
  • atorvenatorven Member Posts: 319
    Post your exact requirements and I'll put something together.
  • control Member Posts: 309
    Thanks Guys.

    So the scenario is: layer 3 switch, multiple VLANs / multiple subnets, and routing between all the VLANs done by the switch itself. I have various access switches coming off the layer 3 switch.

    I created an SVI for VLAN 5 (solely for Internet access) and I have a port in VLAN 5 which has a basic DSL Internet router connected to it. This dishes out IPs to anyone in VLAN 5 so they can get out to the Internet.

    The address range being dished out is 10.1.5.0 /24.

    I don't want there to be any chance of packets from 10.1.5.0 getting out of VLAN 5 and risking the rest of my network, as VLAN 5 is Internet only. Also, I don't want any packets from the other VLANs/subnets coming into VLAN 5.

    I'm actually just thinking, do I even need to have an SVI created, as I'm not actually doing any routing for this VLAN/subnet? Can I just create the VLAN like I would do on a layer 2 switch, and have the DSL router plugged into a port in that VLAN?

    Does that make sense? I'm making this sound way more complicated than it actually is!
  • networker050184 Mod Posts: 11,962
    I'd just put the router in the VLAN and not route it, like you said. Simple and easy.
    An expert is a man who has made all the mistakes which can be made.
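As an added example (not from any poster), here is the layer-2-only configuration networker050184 recommends on a Cisco IOS L3 switch, together with the checks that prove the switch holds no routed path for VLAN 5. Interface names and the VLAN IDs on the trunk are assumptions.

```cisco
! Added example, not from the original thread. Assumed interface names and
! assumed VLAN IDs 10,20,30 for the other VLANs.

vlan 5
 name INTERNET-ONLY

! Remove the SVI: with no routed interface the switch cannot forward between
! VLAN 5 and anything else, no ACL required.
no interface Vlan5

! Port to the DSL router's LAN side. DHCP offers from the router are VLAN 5
! broadcasts and stay in VLAN 5, so no ip helper-address is needed anywhere.
interface GigabitEthernet1/0/10
 description DSL router LAN port
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast

! A user port for an Internet-only machine.
interface GigabitEthernet1/0/11
 description Internet-only workstation
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast

! Uplink to an access switch that has no Internet-only ports: prune VLAN 5
! from the trunk so the VLAN is only present where it is actually used.
interface GigabitEthernet1/0/24
 description Uplink to access switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

! Checks (all should come back empty or without VLAN 5):
!   show ip interface brief | include Vlan5      -> no Vlan5 line
!   show ip route | include 10.1.5.              -> no 10.1.5.0/24 route
!   show vlan brief                              -> only the intended ports in VLAN 5
!   show interfaces trunk                        -> VLAN 5 absent on uplinks that don't need it
```

The isolation here rests on the absence of `interface Vlan5`, so treat the SVI as a guarded change: anyone who later creates it with an address, or adds `ip helper-address` on it, re-opens a routed path into the rest of the network, and the first `show` command above is the quickest way to confirm nobody has.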