limiting vlan access

richard (Level 1)

Hello.  I have three VLANS set up on my Catalyst 3560G switch.  Each VLAN has its own subnet and I have enabled IP routing and set up my VLANS so that clients on VLANS 1 and 3 can get to VLAN 2 because they share a server located on VLAN 2.  However, now they can also see and get to each others VLANS!  Can anyone please suggest or provide a couple of examples on how I can allow my clients on VLANS 1 and 3 access a server on VLAN 2 but not access the other VLANS?  I don't want VLAN 1 to get to VLAN 3 or VLAN 3 to get to VLAN 1.  Thanks for any help.

Accepted Solutions


FW with address 192.168.8.250 must know how to reach the  192.168.9.0/24 segment.

The hosts on 192.168.8.0/24 segment can reach the server because their default gateway is pointing to the switch.

I'm sure the FW's default gateway is pointing to another gateway, if it is - you need to add a static route for 192.168.9.0/24 segment pointing to 192.168.8.200 as the gateway for that subnet.

Additionally, since you mentioned FW - make sure there aren't any filtering applied on it.
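As an added example (not code from the thread), a small Python routing-table lookup that reproduces the symptom described above: the server's echo request reaches the firewall over the connected 192.168.8.0/24 network, but the firewall's reply to a 192.168.9.x address follows its default route unless a static route for 192.168.9.0/24 via 192.168.8.200 exists. The switch table is Richard's "show ip route"; the SonicWall's table, its upstream next hop 203.0.113.1 and the server address are assumed.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match; rows are (prefix, next_hop or 'connected', iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best

# Switch table as posted in the thread (three connected SVIs plus a default route).
SWITCH = [("192.168.8.0/24", "connected", "Vlan1"),
          ("192.168.9.0/24", "connected", "Vlan2"),
          ("192.168.10.0/24", "connected", "Vlan3"),
          ("0.0.0.0/0", "192.168.8.250", "Vlan1")]

# Constructed firewall tables: LAN leg on 192.168.8.0/24, default route out the WAN.
FW_BEFORE = [("192.168.8.0/24", "connected", "LAN"),
             ("0.0.0.0/0", "203.0.113.1", "WAN")]          # upstream hop is assumed
# The fix from the thread: a static route for VLAN 2's subnet via the switch SVI.
FW_AFTER = FW_BEFORE + [("192.168.9.0/24", "192.168.8.200", "LAN")]

def ping_round_trip(fw_table, server="192.168.9.10", fw="192.168.8.250"):
    """True only if the request (switch side) and the reply (firewall side)
    both leave on the LAN-facing interface; otherwise the reply is lost upstream."""
    request = lookup(SWITCH, fw)          # server -> switch -> FW, connected on Vlan1
    reply = lookup(fw_table, server)      # where does the FW send 192.168.9.x back?
    return request[2] == "Vlan1" and reply[2] == "LAN"

if __name__ == "__main__":
    print("without static route:", ping_round_trip(FW_BEFORE))
    print("with static route:   ", ping_round_trip(FW_AFTER))
```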


That's the idea but the syntax may be different in your FW.


17 Replies

manish arora (Level 6)

Hi richard,

Can't find any Cisco document on cisco.com with an example, but

try access lists on the SVIs:

vlan 1 = 10.0.x.0/24
vlan 3 = 10.0.y.0/24

ip access-list extended deny-vlan1
 deny ip 10.0.x.0 0.0.0.255 10.0.y.0 0.0.0.255
 permit ip any any  { this opens all other traffic }

ip access-list extended deny-vlan3
 deny ip 10.0.y.0 0.0.0.255 10.0.x.0 0.0.0.255
 permit ip any any  { this opens all other traffic }

interface vlan 1
 ip access-group deny-vlan3 in

interface vlan 3
 ip access-group deny-vlan1 in

This should do it.

Manish

Manish,

The SRC/DST is a bit different with SVIs. The SRC should be the subnet representing the SVI when performing security ACLs.

Regards,

Edison

Thanks Edison


Edison Ortiz (Hall of Fame)

Richard,

You can apply ACLs under the Switch Virtual Interfaces.

interface vlan 1
 ip address 1.1.1.x 255.255.255.0
 ip access-group 101 in

interface vlan 3
 ip address 3.3.3.x 255.255.255.0
 ip access-group 103 in

access-list 101 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 deny ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 103 permit ip any any

Regards,

Edison
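As an added example (not code from the thread), a small Python model of how inbound SVI ACLs on the 3560 are evaluated, using the 192.168.8.0/24, 192.168.9.0/24 and 192.168.10.0/24 subnets from Richard's switch config. It shows Edison's layout blocking VLAN 1 and VLAN 3 from each other while leaving the VLAN 2 server reachable, and why Manish's first draft, with each ACL bound to the opposite SVI, filters nothing: the deny's source subnet never enters that interface. The .10 host addresses are constructed.

```python
import ipaddress

# Subnets per VLAN, taken from the switch config posted later in the thread.
VLAN_SUBNET = {1: ipaddress.ip_network("192.168.8.0/24"),
               2: ipaddress.ip_network("192.168.9.0/24"),
               3: ipaddress.ip_network("192.168.10.0/24")}

def ace(action, src, dst):
    """One access-control entry; src/dst are 'a.b.c.d/len' or 'any'."""
    def net(s):
        return None if s == "any" else ipaddress.ip_network(s)
    return (action, net(src), net(dst))

def acl_permits(acl, src_ip, dst_ip):
    """First-match evaluation with IOS's implicit 'deny ip any any' at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in acl:
        if (s is None or src in s) and (d is None or dst in d):
            return action == "permit"
    return False

def forwarded(svi_acls, src_ip, dst_ip):
    """A routed packet enters the switch on the SVI of the VLAN that owns
    src_ip, so only the 'in' ACL bound to that SVI filters it."""
    src = ipaddress.ip_address(src_ip)
    in_vlan = next(v for v, n in VLAN_SUBNET.items() if src in n)
    acl = svi_acls.get(in_vlan)
    return True if acl is None else acl_permits(acl, src_ip, dst_ip)

ANY = ace("permit", "any", "any")
# Edison's layout: the deny's source is the SVI's own subnet.
EDISON = {1: [ace("deny", "192.168.8.0/24", "192.168.10.0/24"), ANY],
          3: [ace("deny", "192.168.10.0/24", "192.168.8.0/24"), ANY]}
# Manish's first draft: each ACL bound to the opposite SVI, so the deny's
# source is a subnet that never arrives inbound on that interface.
MANISH = {1: [ace("deny", "192.168.10.0/24", "192.168.8.0/24"), ANY],
          3: [ace("deny", "192.168.8.0/24", "192.168.10.0/24"), ANY]}

def policy_check(svi_acls):
    """The four flows the thread cares about -> True if the switch forwards them."""
    return {"vlan1->vlan2": forwarded(svi_acls, "192.168.8.10", "192.168.9.10"),
            "vlan3->vlan2": forwarded(svi_acls, "192.168.10.10", "192.168.9.10"),
            "vlan1->vlan3": forwarded(svi_acls, "192.168.8.10", "192.168.10.10"),
            "vlan3->vlan1": forwarded(svi_acls, "192.168.10.10", "192.168.8.10")}

if __name__ == "__main__":
    print("Edison:", policy_check(EDISON))
    print("Manish:", policy_check(MANISH))
```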

NM ... I got it, I was thinking it wrong in terms of directions.

Thanks again, Edison.


Thanks Edison.  I thought some access lists would do the trick but I was not sure.  It looks like this will work.  I'll give it a try and let you and Manish know how it turns out.  Thanks again for everyone's help.  You guys are great. - Richard

Edison and Manish,

Your access list idea worked perfectly and solved my problem.  Thanks so much for your help!

interface vlan 1
 ip address 1.1.1.x 255.255.255.0
 ip access-group 101 in

interface vlan 3
 ip address 3.3.3.x 255.255.255.0
 ip access-group 103 in

access-list 101 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 deny ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 103 permit ip any any

Richard, it was a pleasure and thanks for your feedback. Can you mark this thread as resolved? Thanks

Edison,

Yes I will certainly mark this as resolved.  There is one caveat though and this probably warrants a new thread.  I have a router attached to the switch and I need the server on VLAN 2 to be able to see it so it can get Internet access through that router.  The clients in VLAN 1 can see the router just fine but what do I need to do for the server on VLAN 2?  Currently it can only see the clients in VLAN 1 but not the router even though the router has an address that is part of the same subnet as VLAN 1.  Also by the way, I plan to move VLAN 3 to a different switch and just trunk the two switches together so I can still give VLAN 3 access the server on VLAN 2.  Any suggestions on the server in VLAN 2 issue regarding the router?

Richard

If you go into the router and issue show ip route, can you see VLAN2 subnet in the routing table?

Yes it does.  Here is what the output shows.  The last entry is the router which I want the server on the 9.0 subnet to reach.  It cannot ping it even though it can ping everything else on the 8.0 subnet.

Gateway of last resort is 192.168.8.250 to network 0.0.0.0

C     192.168.8.0/24 is directly connected, Vlan1
C     192.168.9.0/24 is directly connected, Vlan2
C     192.168.10.0/24 is directly connected, Vlan3
S*    0.0.0.0/0 [1/0] via 192.168.8.250

Can you post the switch config?

Edit: you posted the switch routing table. I need to see the router routing table.

The switch has the route as connected route but the router is one hop away so it must have the route as static.

Edison, I apologize but I have been oversimplifying to keep what I was hoping would be a simple situation.  The "router" is a SonicWall firewall which in turn I will connect to a Cisco 1841 router.  Since this is not a SonicWall forum I was just referring to it as the "router."  For the moment the actual router is not even connected to the firewall.  The firewall is connected and I can't understand why a client on the 8.0 network can ping the firewall and the server on the 9.0 network can ping a client on the 8.0 network but not the firewall (address 192.168.8.250).  I must have some kind of routing issue preventing the server from seeing the firewall on the 8.0 network.  Here is my switch config:

Switch>enable
Password:
Switch#show run
Building configuration...

Current configuration : 4532 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$XFld$M0duUxDXn3f3tu1k9qctZ.
!
!
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain-lookup
!
!
!
!
crypto pki trustpoint TP-self-signed-3820680960
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3820680960
revocation-check none
rsakeypair TP-self-signed-3820680960
!
!
crypto pki certificate chain TP-self-signed-3820680960
certificate self-signed 01
  quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport mode access
!
interface GigabitEthernet0/3
switchport mode access
!
interface GigabitEthernet0/4
switchport mode access
!
interface GigabitEthernet0/5
switchport mode access
!
interface GigabitEthernet0/6
description To SonicWall
switchport mode access
!
interface GigabitEthernet0/7
switchport mode access
!
interface GigabitEthernet0/8
switchport mode access
!
interface GigabitEthernet0/9
switchport mode access
!
interface GigabitEthernet0/10
switchport mode access
!
interface GigabitEthernet0/11
switchport mode access
!
interface GigabitEthernet0/12
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/24
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 192.168.8.200 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.9.200 255.255.255.0
!
interface Vlan3
ip address 192.168.10.200 255.255.255.0
ip access-group 103 in
!
interface Vlan4
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.8.250
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
access-list 101 deny   ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 103 permit ip any any
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end

Switch#
