ACL VLAN or PVLAN

mdreelan
Level 1

In a mix of 4507 (core), 4506 switches and 3550 switches, I want to be able to make class C VLANs on entire 3550s (or part) only able to get to the internet. What's a simple method? Send all their IP packets to a default gateway on a firewall. But isn't there just a way to create a VLAN ACL? The PDFs I've read on it are confusing (so don't help by cutting and pasting a link). Thanks.

5 Replies

thiland
Level 3

If the internet-only PCs do not need to talk to each other, you could implement isolated PVLANs at the access layer with a VACL at the core 4507.

For example, configure your access layer switch (3550) with PVLANs on the internet-only ports (i.e. VLAN 10,11 -- where 10 is primary (inbound to the PC) and 20 is isolated/secondary (outbound from the PC)).

Then your 3550 is probably trunked to the 4507. At the 4507, also create the same PVLAN associations (PVLAN 10 and PVLAN 11), but do not assign any ports on the core switch.

At this point, you can create a VLAN ACL (VACL) on the 4507 using 2 lists -- an inbound VACL (applied towards the primary PVLAN) and an outbound VACL (applied towards the secondary PVLAN).

Your inbound VACL could read:

!--- Permit already established TCP sessions
permit tcp any any established
!--- Permit DNS servers to reply to hosts (source port 53, destination ephemeral port)
permit udp any eq 53 any gt 1023
!--- List other reply traffic here...
!--- Drop all others and log
deny ip any any log

And your outbound VACL could read:

!--- Deny traffic from the hosts to your restricted (internal) networks
deny ip
!--- Permit everything else (the internet)
permit ip any any

Personally I think VACLs in IOS are more complex than VACLs in CatOS. Let me know if you need help with those specific commands for IOS though.

-th

th-

Thanks for your help, and "yes" I would like some more.

The 3550 is trunked to the 4507 with dot1q.

There are three VLANs on the 3550: 1, 202, and 302. 302 is the one I want to control as follows:

VLAN 302 to internet permit

VLAN 302 to internet DMZ permit

VLAN 302 to VLAN 202 permit

VLAN 302 to VLAN 193 permit

VLAN 302 to all other vlans deny

VLAN 302 has an IP range of 172.30.20.0/24

VLAN 202 has an IP range of 172.20.20.0/24

VLAN 193 has an IP range of 198.94.221.1-65 / (.192) /26 (our internet DMZ)

Please let me know if you have any questions

mdreelan@ci.sunnyvale.ca.us

Ok, so create your isolated PVLAN throughout the entire switching infrastructure. Remember, right now VTPv2 will NOT support PVLANs, so your switches must be running in VTP transparent mode. I think VTPv3 adds support for PVLANs. Anyway...

1. Create isolated PVLAN (primary and secondary, and then associate them together)

2. Reassign access link ports on the 3550 to the new PVLAN (i.e. change them from a standard VLAN assignment to a PVLAN assignment)

3. Create a VACL on your 4507 (typically you wouldn't want to do this in the core, but since you have a collapsed core (distribution+core in one switch) we'll say it's OK)

4. Your VACL should include the entries you listed in your last message. You need to decide how restrictive you will make the VACL. Are you going to open VLAN 302 to the entire TCP/UDP port range? Or only HTTP? Whatever you decide, let your VACL reflect that. Also, since you can't really specify a specific network for "internet permit", you have to reverse the logic and say, "deny restricted networks", e.g.

ip access-list extended SECONDARY_OUT
 permit tcp any any established
 deny ip VLAN302 OTHER-VLANS
 ! the line below permits VLAN202, VLAN193, and all other hosts on the internet
 permit ip VLAN302 0.0.0.0 0.0.0.0

5. Create a VLAN map binding the ACL you created in step 4 with an associated action. For example,

6. Put it all together:

! Create VACL for outbound
ip access-list extended SECONDARY_OUT
 permit tcp any any established
 deny ip VLAN302 OTHER-VLANS log
 permit ip VLAN302 0.0.0.0 0.0.0.0
! Create VACL for inbound
ip access-list extended PRIMARY_IN
 permit tcp any any established
 deny ip any any log
! Bind ACL with an action (in this case, forward)
vlan access-map PRIMARY_MAP
 match ip address PRIMARY_IN
 action forward
vlan access-map SECONDARY_MAP
 match ip address SECONDARY_OUT
 action forward
! Apply VLAN map to a specific VLAN. Primary for inbound VLAN, secondary for outbound VLAN
vlan filter PRIMARY_MAP vlan-list 10
vlan filter SECONDARY_MAP vlan-list 11

Once you get the hang of PVLANs, they come in fairly handy.

Take a look at this training document I created -- it may help clarify the process.
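A worked model of the "reverse the logic" outbound VACL above, using the thread's own prefixes (VLAN 302 = 172.30.20.0/24, VLAN 202 = 172.20.20.0/24, DMZ VLAN 193 = 198.94.221.0/26). This is an added example, not code from the thread or from Cisco: it renders the extended ACL and VLAN map in IOS syntax and then evaluates sample flows with VLAN-map semantics (a permit ACE matches the clause and is forwarded; a deny ACE means "no match", and a packet matching no clause is dropped). The OTHER_VLANS summary ranges are a constructed placeholder for the poster's internal networks; because 172.16.0.0/12 also covers the permitted VLAN 202, the explicit permits must precede the summary deny.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

VLAN302 = net("172.30.20.0/24")                      # from the thread
PERMIT_DST = [net("172.20.20.0/24"),                 # VLAN 202 (thread)
              net("198.94.221.0/26")]                # VLAN 193 DMZ (thread)
# Constructed placeholder for "OTHER-VLANS": RFC1918 summaries. 172.16.0.0/12
# contains VLAN 202, so the explicit permits above have to come first.
OTHER_VLANS = [net("172.16.0.0/12"), net("10.0.0.0/8"), net("192.168.0.0/16")]
ANY = net("0.0.0.0/0")

def wildcard(n):
    """IOS ACLs take wildcard masks, i.e. the inverted subnet mask."""
    return f"{n.network_address} {n.hostmask}"

def secondary_out_acl():
    """Ordered ACEs (action, src, dst) following the thread's outline:
    permit the allowed internal destinations, deny the rest of the
    internal space, then permit everything else (the internet)."""
    aces = [("permit", VLAN302, d) for d in PERMIT_DST]
    aces += [("deny", VLAN302, o) for o in OTHER_VLANS]
    aces.append(("permit", VLAN302, ANY))
    return aces

def render(name, aces):
    """Emit the ACL plus a single-clause VLAN access-map in IOS syntax."""
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in aces:
        lines.append(f" {action} ip {wildcard(src)} {wildcard(dst)}")
    lines += [f"vlan access-map {name}_MAP 10",
              f" match ip address {name}", " action forward"]
    return "\n".join(lines)

def vacl_decision(aces, src_ip, dst_ip):
    """First-match ACL lookup with single-clause VLAN-map semantics:
    permit ACE -> clause matches -> forward; deny ACE -> clause does
    not match; no clause matched -> implicit drop at end of the map."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in aces:
        if src in s and dst in d:
            return "forward" if action == "permit" else "drop"
    return "drop"

if __name__ == "__main__":
    print(render("SECONDARY_OUT", secondary_out_acl()))
```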

Th-

Before I get started on this I noticed you said we had to be using VTP in transparent mode and we are not. The Core/Distribution 4507s are VTP servers and all the edge switches (mix of 4506 and 3550) are VTP clients. All running VTP 2.

Mike

You may be out of luck then. Refer to this document for VTP version 3.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019f048.html#wp1017196

When enabled, VTP version 3 provides the following enhancements to previous VTP versions:

• Support for extended VLANs.

• Support for the creation and advertising of private VLANs.

-Tanner