05-06-2024 12:37 PM
We have 3 VLANs (say A, B and C). Each of these VLANs is a tagged link (T) between two L2 switches, as follows:
SW 1 (T) <-> VLAN A <-> (T) SW 4
SW 2 (T) <-> VLAN B <-> (T) SW 4
SW 3 (T) <-> VLAN C <-> (T) SW 4
(T) |_____> (T) DHCP server (Linux)
We would like to divert certain IP traffic to an outside Internet link (thus doing "IP filtering" on the 3 VLANs), untagged (U) of course. We unfortunately have an existing network that we cannot really change, but at least want to add the additional Internet gateway. The DHCP server only operates within the VLAN environments (intranet).
Our thinking is to place a L3 routing switch (Cisco 2811 with a 4 port switch module that we have laying around :-)) in between the 3 VLAN links and performing L3 routing on the Cisco 2811, as follows:
                             _______
SW 1 (T) <-> VLAN A <-> (T) |  L3   | (T) <-> VLAN A <-> (T) SW 4
SW 2 (T) <-> VLAN B <-> (T) | router| (T) <-> VLAN B <-> (T) SW 4
SW 3 (T) <-> VLAN C <-> (T) |_______| (T) <-> VLAN C <-> (T) SW 4
                              | (U) |____> DHCP server
                              |_____> INTERNET (Static IP)
In the initial setup no IPs were assigned for this part of the network (since VLANs are L2), but for the L3 router case, interface IPs are needed. Can they be from the same subnet (let us say IPs x.x.10.2 (left of L3 RT) and x.x.10.3 (right of L3 RT) for the VLAN A string, where VLAN A has subnet x.x.10.0)? A similar approach for B and C (subnets x.x.20.0 and x.x.30.0).
If the Internet has IP 1.2.3.4, how will we allow traffic only to external IP 5.6.7.8 from any of SWs 1, 2 or 3 and deny all else?
Any help with setup (config) will be appreciated - Thanks.
05-06-2024 01:42 PM
Looking at your post, all are connected to SW4. Where is the gateway for all these VLANs? On SW4?
If that is the case, I am thinking you can connect SW4 and the new router and use PBR with the next hop sending to the router in SW4.
Note: as you mentioned, you cannot change anything on the existing SW4? (Is this possible?)
Also you need to post show run and the routing in place for now sending out to the internet.
05-07-2024 11:43 PM
Hello,
I guess it would be easier to give advice if you could provide a schematic drawing of your topology, showing how your devices are physically and logically connected. Also, indicate how the Vlans currently communicate with each other (that is, which device is currently doing the layer 3 routing). Using a 2811 is a good idea, you could simply use that router for all layer 3 routing, and direct all outbound traffic through that router. A simple access list would then allow traffic to 5.6.7.8...
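An added example of the kind of 2811 configuration the reply above describes (router-on-a-stick for all three VLANs plus an access list that only lets 5.6.7.8 out), not posted by anyone in this thread. It assumes VLAN IDs 10/20/30, placeholder subnets 192.168.10/20/30.0/24 standing in for x.x.10/20/30.0, the trunk on FastEthernet0/0, the Internet link on FastEthernet0/1, and an ISP next hop of 1.2.3.1.

```cisco
! Example only: interface names, VLAN IDs, subnets and the ISP next hop are assumptions.
! The 2811 becomes the default gateway for all three VLANs.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group TO-INTERNET in
 ip nat inside
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group TO-INTERNET in
 ip nat inside
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group TO-INTERNET in
 ip nat inside
!
interface FastEthernet0/1
 description INTERNET (static IP 1.2.3.4 from the question; /24 mask assumed)
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
!
! Inbound filter on each VLAN subinterface: intranet subnets stay reachable,
! the single external host 5.6.7.8 is allowed, everything else is dropped and logged.
ip access-list extended TO-INTERNET
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any host 5.6.7.8
 deny   ip any any log
!
! Only the intranet subnets are translated to the static Internet address.
ip access-list standard NAT-SOURCES
 permit 192.168.0.0 0.0.255.255
!
ip nat inside source list NAT-SOURCES interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.1
```

If the Linux DHCP server ends up on a different subnet from the clients, each VLAN subinterface also needs ip helper-address <server> so the DHCP broadcasts are relayed to it.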