Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1130
Views
0
Helpful
6
Replies

One Router, two companies - best practise for blocking VLAN access

overlord85
Level 1
Level 1

‎08-10-2020 03:06 AM

Hey guys

I have one L3 Router from Cisco and two companies. Company two is joining our office in the next months. Company two should have some vlan networks and access to our Firewall and the Internet behind. 

 

Now to question: Is there a better way to deny the access from the company vlans from company one and two to each others than acls? 

 

I was thinking of something like a "vlan domain" for company one and company two or something like a vlan map. 

 

Greetz

Ovrld

Labels:
0 Helpful
6 Replies 6

chesterr
Level 1
Level 1

‎08-10-2020 04:54 AM

I suggest use ACL + VRF for each of company. VRF provide more security and flexibility in configuration.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎08-10-2020 08:00 AM

Like Chesterr, I too would recommend looking into VRF (sort of the L3 version of L2 VLANs). By default, traffic between VRFs is kept separate, and it's actually a bit of work to mix them.

BTW, some Cisco L3 switches support VRF-Lite.

How you need/want to share your FW and Internet, using VRFs, might be a bit complicated.
0 Helpful

overlord85
Level 1
Level 1
In response to Joseph W. Doherty

‎08-11-2020 01:35 AM - edited ‎08-11-2020 05:40 AM

Hey guys! 

Thank you for the hints - I think that is what I'm looked for. As I saw - to make both VRF network working together over one firewall, it could work like this: 

 

in gi 0/3.10 (VLAN 10)

encapsulation dot1q 10

vrf forwarding CompA 

 

in gi 0/3.20 (VLAN 20)

encapsulation dot1q 20

vrf forwarding CompB

 

The Firewall is in VLAN 10 from CompA with an IP address (the VLAN itself has no IP address). I can put the VLAN with an adress for CompB on the firewalls that CompB can reach the firewall as well.

 

Am I'm right?

 

Another question: I have configured "ip default-gateway xx.xx.xx.xx".

What is the equivalent for vrf? 

 

ip route vrf CompA 0.0.0.0 0.0.0.0 xx.xx.xx.xx ? 

 

The next router (firewall) is a part of the vrf as well

 

Greetz

Ovrld

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to overlord85

‎08-11-2020 07:33 AM

"What is the equivalent for vrf?
ip route vrf CompA 0.0.0.0 0.0.0.0 xx.xx.xx.xx ?"

Correct, but you can have similar for other VRF, e.g.:
ip route vrf CompB 0.0.0.0 0.0.0.0 xx.xx.xx.xx ?
0 Helpful

overlord85
Level 1
Level 1
In response to Joseph W. Doherty

‎08-11-2020 11:39 PM - edited ‎08-12-2020 12:30 AM

Thank you - I'm just wondering that the route isn't printed when showing "ip route vrf CompA". 

 

Edit

Ok I tested it and it worked - if I ping an address which is not in the network, the route sends it out to the 0.0.0.0 

0 Helpful

overlord85
Level 1
Level 1
In response to overlord85

‎08-19-2020 12:46 AM

Thank you for your help - I configured everything in a test network and it's working like a charm. Unfortunately on our L3 switch, we have only the ipbase license and for VRF I need the ipservices license. 

 

I'm clarifying the assumption of costs but in consideration of the short time, I need an alternative plan and everything is fine but I have one last question:

 

How can I set a default route for a second network (VLAN xy with different ip range?

 

CompA has something like 10.10.0.0 with default gateway 10.10.10.10 (firewall cluster) 

CompB has something like 10.20.0.0 and I would like to set the default gateway to 10.20.10.10 (firewall cluster) 

 

Is that possible or is the policy based routing the only possible solution? 

0 Helpful
Customers Also Viewed These Support Documents