separate vlan no intervlan config?

itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
How To Configure InterVLAN Routing on Layer 3 Switches - Cisco Systems

Hey guys. I probably should know this but kind of fuzzy. Okay.
look at vlan 3 PC in this link for L3 switching.
Okay say for example I have a vendor come into our work and we want to separate him from our vlans. So when he hooks his PC to the RJ45 connection he will be in vlan 3 say for example. Well. I dont want
intervlan communication in this case what do I do here? Can I set up a static route for his ip address? using the trunk lines to the router?
can yo give me some guidance on this? what is normal practice and even on a L2 swtch like a 2950 how would you do that? and still make a subif on the ROS? icon_redface.gif

Comments

  • ColbyGColbyG Member Posts: 1,264
    Just leave that VLAN at layer 2 on the switch. No SVI = no gateway = no routing.

    Edit: If you want them to be able to communicate to the internet (or somewhere other than the local VLAN), you could use ACLs filtering communication to your production VLANs.
  • CyanicCyanic Member Posts: 289
    You might be able to use a private vlan to do what you want.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    thanks guys
    I was thinking that I had to use ACLs sort of made sense but needed a 2nd opinion thanks to both of you yeah, they need internet...super tips appreciate your skills will look into the private vlan stuff too as well as ACL thanks icon_thumright.gif
  • 4E65644E6564 Member Posts: 32 ■■□□□□□□□□
    Ok, one way would be to put him on his own VLAN. I'm assuming you are using a layer 3 switch or a router as you specified above your layer 2 switch. Whether you are using an SVI or a sub-interface, stick an access-list on it ie:


    deny ip any <<your inside host addresses>>
    permit ip any any

    or setup an access-list inbound to his interface, etc etc


    This will deny him access to your internal hosts, but allow him out to the Internet.


    Alternatively you could set him up in a private vlan, depending on the switches you have.

    You set up your router port as promiscuous, and his port as isolated. That way he can only get to the promiscuous port, and every other port is unaffected.

    I think it is something similar to the following, though this is from memory.

    vlan 100
    name primaryvlan
    private-vlan primary
    private-vlan association 101

    vlan 101
    name privatevlan
    private-vlan isolated



    under the intefaces

    fa0/0
    switchp mode private-vlan promis
    switchp private-vlan mapping 100 add 101


    fa0/1
    switchp mode private-vlan host
    switchp private-vlan host-association 101



    Lastly you could use a VLAN or Port ACL to block the traffic...
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    Private VLAN's are only good if he wants to prevent them talking to machines on the same vlan, doesn't do anything to prevent him talking to something through the default gateway.

    Create an ACL that disallows connecting to any host on your private networks, and stick that on whatever interface is going to be routing for the vlan you create for him.
  • 4E65644E6564 Member Posts: 32 ■■□□□□□□□□
    Correct, but if he only has a single VLAN, then it would work.


    But looking back now I see that he was putting him in a separate VLAN.
  • EzliteEzlite Member Posts: 27 ■□□□□□□□□□
    A simple way to do this is a GRE tunnel or an MPLS LSP to the DMZ. Then just PBR it into the LSP/Tunnel. This way you do not have to worry about managing the ACLs and the 'guest' is dumped into an zone for which security is already there and actively managed.

    easy, scales, and will comply with current/future security policies.

    just my thoughts on the implementation
    TB

    JNCIP-M: Late June 2010
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    thanks guys for your great inputs super ;)
  • ColbyGColbyG Member Posts: 1,264
    Ezlite wrote: »
    A simple way to do this is a GRE tunnel or an MPLS LSP to the DMZ. Then just PBR it into the LSP/Tunnel. This way you do not have to worry about managing the ACLs and the 'guest' is dumped into an zone for which security is already there and actively managed.

    easy, scales, and will comply with current/future security policies.

    just my thoughts on the implementation

    Explain this a bit more please, maybe provide some config. I don't see how this is easier than an ACL on the L3 interface.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    I see where he's coming from, and it is indeed an easy and scalable solution, depending on the network size. It's a good solution if there's a DMZ already in place, which the OP doesn't seem to have any indication of.

    The context I got from the question is how to essentially provide guest internet access for a small network, in which case an ACL applied to a router port is going to be the simplest way to accomplish this, but if I were trying to implement the same thing in a more complex network, his suggestion is a good one
  • APAAPA Member Posts: 959
    Use PACLs.... (Port ACLs) - Warning this can become cumbersome if you have many guests....

    ip access-list extended ISOLATE-GUESTS
    permit ip (SRC Guest network) host (Guest Network SVI GW)
    deny ip (SRC Guest network) (DST guest network)
    deny ip (SRC Guest network) (DST inside networks)
    permit ip any any

    Apply this inbound to the switchports that you wish to have guests on...

    This will only allow traffic if the Gateway is the DST address in the IP header.... or allow traffic with a DST address of external networks in the IP header...

    Otherwise if you're happy to... then just apply an ACL to the gateway to the VLAN SVI and filter inter-vlan traffic that way... however this will not isolate your guests will allow guests to contact each other on the guest VLAN...

    If you want to isolate your guests then use PACLs or a VLAN access-map... Can also use p-vlans, however as mentioned above by Forsaken this does not prevent hosts from speaking outside their given VLAN... work almost on the same basis as a vlan access-map....

    Multiple options to get this done... If you choose to use PACLs then ensure the switching infrastructure supports PACLs... I know some earlier Cisco switches do not support them...

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    APA wrote: »
    Otherwise if you're happy to... then just apply an ACL to the gateway to the VLAN SVI and filter inter-vlan traffic that way... however this will not isolate your guests will allow guests to contact each other on the guest VLAN...

    <ebil>
    This is where my BOFH certification comes in. I'd stick the guy in a /30 vlan, and make that network port 'the' guest port. If any other guest wanted to use the internet, they'd have to wait for the other guy.

    I'd also rate limit his port to 64k.
    </ebil>
  • EzliteEzlite Member Posts: 27 ■□□□□□□□□□
    ColbyG wrote: »
    Explain this a bit more please, maybe provide some config. I don't see how this is easier than an ACL on the L3 interface.


    GRE - just use the SDM and let it do the work. An internal site to site vpn in essence.

    MPLS - (only if you have a mpls enabled network already in place)

    I can do a few configs if you need, but, I would need to make some assumptions about the existing implementation <LDP, RSVP, what IGP, What summarization is in place, IOS version, model, etc>.

    what makes it simpler is that you can use DHCP servers in the DMZ and the topology, for MPLS case, is independent of addressing. So setup takes a little more inital thought but ongoing management is very low, esp when you start to add additional guest areas in other physical locations.

    1 central DHCP server, 1 Firewall instance, and a standard "template" config at each 'guest' access location. Its even simple to add secure 'guest' access at remote locations if needed.

    In the future you could add classes of guests via radius/ldap based accounts with a very little hassle.

    'Guest' systems are a potential nightmare and should be treated as "untrusted" from my perspective.

    I always look to reduce op-ex and a reasonable inital one-time cost to get it down is well worth it.


    and as Forsaken pointed out .. if this in fact a 'small' net thats not expected to grow then acls are fine.
    TB

    JNCIP-M: Late June 2010
Sign In or Register to comment.