Issues on a SOHO netw.: inter-vlan pkt leaking and malfunctioning dhcp

martijnf1
Level 1

Hi

I have a simple soho setup with 3 vlans: priv, guest and iot. The requirements for each vlan are

  • priv: allow network access to all local devices (within the same subnet), and to the internet, but not to the other vlans
  • guest: same as priv, just a different vlan to prevent comms between them.
  • iot: local network access only for required services (such as dhcp/ntp), no internet access

some info about these vlans:

  • priv: vlan tag 3, subnet 10.0.0.0/23, router on 10.0.0.1, nat overloading
  • guest: vlan tag 6, subnet 10.0.255.0/24, router on 10.0.255.1, nat overloading
  • iot: vlan tag 2, subnet 10.0.254.0/24, router on 10.0.254.1, no overloading (which at this point is the only thing that stands in the way of internet access, I believe)

My network layout is a router-on-a-stick: one router with a link to the ISP on wan, and a trunk line to the switch on lan. I have attached a diagram of the situation and attached my configuration.

I'm experiencing multiple issues with the way I've set it up now (although most of it works, somehow...)

  1. packets from different vlans are leaking. I have verified that my switch and wireless access points are not the culprit. I want to prevent inter-vlan packets (including traffic originating from the router) while still permitting priv and guest to access the internet. All leaking packets are either multicast or (global) broadcast packets. Not all of them are from the router, the TV in the guest vlan is also leaking mdns service advertisements among other stuff.
  2. dhcp leases are not showing up on the router. It might be related to issue (1), because I'm getting DHCP NAK packets from a source address (the router) that is on a vlan from which I didn't originally request a lease. I have attached a screenshot of a packet capture where this is shown. show ip dhcp binding comes up empty, but my users are eventually getting addresses that stay and work. The router must be really confused.

I prefer an elegant solution, which I feel should be possible given the simplicity of the setup. I like to have minimal configurations, so I prefer to not have a lot of access lists for policy routing, vlan access maps, ip access, etc. Instead, I would like to put them in at most one place.

I have no idea where to look next. I've looked into (but haven't been able to solve it with):

  • subinterfaces: My LAN trunk is on gi0/1/0 which does not seem to support subinterfaces. I don't know how to verify that the encapsulation is set to dot1q, but it appears to be the default.
  • access lists: I've set up a few that limit access incoming to the router, but this does not filter traffic originating from the router such as is the case with the dhcp nak messages.
  • I've tried nothing, and I'm all out of ideas!

Any ideas on how I might approach this problem next to reach the goals that I've specified at the beginning of this post?
Thanks in advance for any help,

martijn

Network diagram, colors represent vlans. Some devices have been split for clarity. For example switch.priv means an access port on the switch to vlan priv. Thick lines are trunk lines.

Inter-vlan packet leakage and dhcp transactions. This happens on a wireless network that is bound to vlan 3, so the 10.0.255.1 packets should not appear here at all. This list of packets occurs after reconnecting and eventually stops...

0 Replies
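One way to go through a capture like the one described in the post and pull out the frames that do not belong on the VLAN it was taken from, as an added example that is not part of the original post or its author's setup. It uses the three VLAN tags, subnets and gateways listed above, assigns each frame's source address to a subnet, flags every frame whose source sits in a different VLAN than the capture VLAN, and groups the hits by multicast/broadcast/unicast destination (the post reports only multicast and broadcast leaks, so a unicast hit would be new information). The capture lines are constructed sample data in a simplified "src -> dst PROTO info" layout, not the poster's screenshot.

```python
"""Find frames that should not be visible on a given VLAN.

Added example, not code from the original post. The VLAN tags, subnets and
gateways are those the post lists; the capture lines are constructed sample
data in a simplified "src -> dst PROTO info" layout, not the poster's capture.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# VLAN plan from the post: tag -> (subnet, gateway)
VLANS = {
    3: ("10.0.0.0/23", "10.0.0.1"),      # priv
    6: ("10.0.255.0/24", "10.0.255.1"),  # guest
    2: ("10.0.254.0/24", "10.0.254.1"),  # iot
}
SUBNETS = {tag: ipaddress.ip_network(net) for tag, (net, _gw) in VLANS.items()}

# Constructed sample capture, as if taken on an SSID / access port bound to VLAN 3 (priv).
SAMPLE_CAPTURE = [
    "0.0.0.0 -> 255.255.255.255 DHCP Discover",
    "10.0.0.1 -> 255.255.255.255 DHCP Offer",
    "10.0.255.1 -> 255.255.255.255 DHCP NAK",                   # guest gateway seen on priv
    "10.0.0.1 -> 10.0.0.42 DHCP ACK",
    "10.0.255.37 -> 224.0.0.251 MDNS Standard query response",  # a guest-VLAN host (e.g. a TV)
    "10.0.254.1 -> 224.0.0.1 IGMP Membership Query",            # iot gateway seen on priv
    "10.0.0.42 -> 10.0.0.1 DNS Standard query",
]


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: str
    info: str


def parse_line(line: str) -> Frame:
    """Parse one constructed capture line: '<src> -> <dst> <PROTO> <info...>'."""
    src, arrow, dst, proto, *info = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line format: {line!r}")
    return Frame(src, dst, proto, " ".join(info))


def vlan_of(ip: str):
    """VLAN tag whose subnet contains ip, or None for addresses outside the plan (0.0.0.0, internet)."""
    addr = ipaddress.ip_address(ip)
    for tag, net in SUBNETS.items():
        if addr in net:
            return tag
    return None


def classify_dst(ip: str) -> str:
    """Label a destination address as multicast, broadcast or unicast."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    if str(addr) == "255.255.255.255" or any(addr == net.broadcast_address for net in SUBNETS.values()):
        return "broadcast"
    return "unicast"


def find_leaks(lines, capture_vlan):
    """Return (frame, source_vlan, dst_class) for every frame whose source address
    belongs to a local subnet other than the one the capture was taken on."""
    leaks = []
    for line in lines:
        frame = parse_line(line)
        src_vlan = vlan_of(frame.src)
        if src_vlan is not None and src_vlan != capture_vlan:
            leaks.append((frame, src_vlan, classify_dst(frame.dst)))
    return leaks


def leak_summary(lines, capture_vlan):
    """Count leaked frames by destination class (multicast / broadcast / unicast)."""
    return dict(Counter(dst_class for _f, _v, dst_class in find_leaks(lines, capture_vlan)))


if __name__ == "__main__":
    for frame, src_vlan, dst_class in find_leaks(SAMPLE_CAPTURE, 3):
        print(f"VLAN {src_vlan} frame on VLAN 3 ({dst_class}): "
              f"{frame.src} -> {frame.dst} {frame.proto} {frame.info}")
    print(leak_summary(SAMPLE_CAPTURE, 3))
```

Running it against the constructed capture lists the guest gateway's DHCP NAK, the guest host's mDNS advertisement and the iot gateway's IGMP query as foreign to VLAN 3; a DHCP Discover from 0.0.0.0 and the priv gateway's own Offer/ACK are not flagged. Feeding the same check a per-VLAN export of a real capture gives a compact list of which source subnets are crossing over and whether any of it is unicast.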