VC switch and configuration

anitaleung2019
Level 1

Hi experts,

I will implement video conferencing (VC) for top mgnt only. Below are the requirements:

1. Only top mgnt can connect to the pre-defined Ethernet switch.
2. For security reasons, there is one NIC card for each top mgnt PC.
3. Public internet and non-top mgnt cannot access the VC switch.

The contractor proposes the PoC config below. Please help review whether the configuration is feasible or not. Mgnt users connect to the "VC switch"; for details please refer to the diagram.

== Question ===

1. Is it technically feasible?
2. VC traffic and non-VC traffic can go the right path; is that correct?
3. How do I implement a layer 2 ACL (not a layer 3 ACL) to block 172.16.200.128 - 172.16.200.191?

=====

Thanks

---- config of "VC" switch ---

!
ip routing
!
ip route 0.0.0.0 0.0.0.0 --> layer 3 router
!
interface range GigabitEthernet1/0/1 - 5
 description to top mgnt PC
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description connect to VC device
 switchport mode access
 switchport access vlan 250
!
interface GigabitEthernet1/0/24
 description to production network vlan 200
 switchport mode trunk
 switchport trunk allowed vlan 200
!
interface Vlan250
 description VC vlan
 ip address 172.16.250.1 255.255.255.0
!
interface Vlan200
 description production vlan
 ip address 172.16.200.254 255.255.255.0
!

top mgnt PC setting
!
ip address range 172.16.200.16 - 172.16.200.31
!
default gateway points to 172.16.200.254 ! VC switch (SVI Vlan200)
!

non top mgnt PC setting
!
ip address range 172.16.200.128 - 172.16.200.191
!
default gateway points to another layer 3 router (172.16.200.1)
!


3 Replies

Giuseppe Larosa
Hall of Fame

Hello Anita,

I will try to provide answers to your questions.

1) It is technically possible only if the production switch on the right has no knowledge of the VC subnet 172.16.250.0/24 that is on the VC switch. However, the internet-facing router needs to know this subnet in order to make the VC device able to place and receive VC calls over the internet. From your network diagram the router R is connected to the production switch; if so, the proposed configuration is not effective alone, because the production switch will send traffic for the unknown subnet to the router R and will receive an ICMP redirect to 172.16.200.254 to reach subnet 172.16.250.0/24. So the solution is not complete without using a VACL on the VC switch (see point 3).

 

2) VC traffic and non-VC traffic can go to the router R, but router R needs to know the VC subnet as explained above.

More technically, the router R also needs to create a static NAT entry for the VC IP address with the extendable option to make calls from the internet to the VC device possible.

 

3) how to implement the layer 2 ACL (not layer 3 ACL) to block the 172.16.200.128 - 172.16.200.191?

 

You need a VACL applied to Vlan 200. The VACL is applied to the L2 Vlan 200 broadcast domain, not to the L3 SVI interface Vlan200 on the VC switch.

As a reference you can use the following document

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html?dtid=osscdc000283

 

Without the VACL, segregation of non-manager users is not effective, as explained above.

You need to deny traffic from hosts in the range 172.16.200.128-191 to the VC subnet.

You also need to allow all other traffic to reach the VC subnet, to allow VC calls with external devices.

To be noted: if SVI Vlan 250 is not defined on the production switch, you can also solve this with a routed ACL applied to SVI Vlan 200 on the VC switch.

If you want to prevent normal users from reaching the manager PCs' IP address range, you need a VACL.

Note:

Requirement 3) may need to be redefined, otherwise the VC device cannot make VC calls to devices on the internet.

>> 3. public internet, non top mgnt cannot access to VC switch

In my opinion the VC device should be able to be reached from the internet on appropriate TCP and UDP ports.

 

Hope to help

Giuseppe

 

Dear Giuseppe,

 

Thanks for your detailed explanation and for sharing your professional view on it. I have prepared a VACL to be applied on the trunk interface of the VC switch. Please see if it is okay or not. Thanks

 

Anita

===

!
! set VACL to vlan 200 in VC switch
!
conf t
!
ip access-list extended top_mgnt
 permit ip 172.16.200.16 0.0.0.15 172.16.250.0 0.0.0.255
!
ip access-list extended non_top_mgnt
 permit ip 172.16.200.128 0.0.0.63 172.16.250.0 0.0.0.255
!
! apply VACL to VLAN 200
!
vlan access-map top_mgnt_VC 10
 match ip address top_mgnt
 action forward
vlan access-map top_mgnt_VC 20
 match ip address non_top_mgnt
 action drop
!
! apply VACL on vlan 200
!
vlan filter top_mgnt_VC vlan-list 200
!
end
copy running-config startup-config
!

 

 

Hello Anita,

I'm sorry for the late answer.

I think your VACL should have a third section to allow all other traffic, to avoid the implicit deny-any logic.

ip access-list extended ANY
 permit ip any any
!
vlan access-map top_mgnt_VC 10
 match ip address top_mgnt
 action forward
vlan access-map top_mgnt_VC 20
 match ip address non_top_mgnt
 action drop
vlan access-map top_mgnt_VC 30
 match ip address ANY
 action forward

 

Hope to help

Giuseppe
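The following Python model is an added example (not code from the thread, from Cisco, or from either poster): it evaluates Anita's two-sequence VLAN access-map and Giuseppe's three-sequence version against a few constructed sample flows, to show the implicit deny at the end of a VLAN access-map that the extra permit-any sequence addresses, and it also derives the wildcard masks for the two PC address ranges from the thread. The subnets and ACL names are the thread's; the host addresses inside them and the remote peer 203.0.113.9 are constructed. The VACL semantics modelled are first-match within each ACL and first-matching sequence within the access-map, with unmatched packets dropped.

```python
"""Added example: a small model of Cisco IOS VLAN access-map (VACL)
evaluation, used to show why the access-map in this thread needs a final
permit-any sequence.  Constructed for this page; not Cisco code."""
import ipaddress
from dataclasses import dataclass


def range_to_wildcard(first: str, last: str) -> tuple[str, str]:
    """Express an inclusive, block-aligned IPv4 range as an IOS 'address wildcard' pair."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    # A single wildcard mask covers only a power-of-two block that starts on a multiple of its size.
    if size & (size - 1) or lo % size:
        raise ValueError("range is not a single wildcard-mask block")
    return first, str(ipaddress.IPv4Address(size - 1))


def net(addr: str, wildcard: str = "") -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (or the keyword 'any') into a network object."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network((addr, wildcard))  # ipaddress accepts a hostmask here


@dataclass(frozen=True)
class Ace:
    """One access-control entry: permit/deny, source block, destination block."""
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_matches(acl: list[Ace], src: str, dst: str) -> bool:
    """First matching ACE decides; a packet matching no ACE hits the ACL's implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.permit
    return False


def vacl_action(access_map: list[tuple[str, str]], acls: dict[str, list[Ace]],
                src: str, dst: str) -> str:
    """Walk the access-map sequences in order: the first sequence whose ACL permits the
    packet supplies the action, and a packet matching no sequence is dropped."""
    for acl_name, action in access_map:
        if acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"  # the implicit deny at the end of every VLAN access-map


# The three ACLs from the thread (top_mgnt, non_top_mgnt and Giuseppe's ANY).
VC_SUBNET = net("172.16.250.0", "0.0.0.255")
ACLS = {
    "top_mgnt": [Ace(True, net("172.16.200.16", "0.0.0.15"), VC_SUBNET)],
    "non_top_mgnt": [Ace(True, net("172.16.200.128", "0.0.0.63"), VC_SUBNET)],
    "ANY": [Ace(True, net("any"), net("any"))],
}
TWO_SEQUENCE_MAP = [("top_mgnt", "forward"), ("non_top_mgnt", "drop")]
THREE_SEQUENCE_MAP = TWO_SEQUENCE_MAP + [("ANY", "forward")]

# Constructed sample flows; 203.0.113.9 is a made-up remote VC peer on the internet.
FLOWS = {
    "manager PC to VC device": ("172.16.200.20", "172.16.250.10"),
    "non-manager PC to VC device": ("172.16.200.130", "172.16.250.10"),
    "internet peer to VC device": ("203.0.113.9", "172.16.250.10"),
    "VC device to internet peer": ("172.16.250.10", "203.0.113.9"),
}


def compare(flows: dict[str, tuple[str, str]] = FLOWS) -> dict[str, tuple[str, str]]:
    """Return {flow name: (action under two-sequence map, action under three-sequence map)}."""
    return {
        name: (vacl_action(TWO_SEQUENCE_MAP, ACLS, s, d),
               vacl_action(THREE_SEQUENCE_MAP, ACLS, s, d))
        for name, (s, d) in flows.items()
    }


if __name__ == "__main__":
    for rng in (("172.16.200.16", "172.16.200.31"), ("172.16.200.128", "172.16.200.191")):
        print("range %s-%s -> %s %s" % (rng + range_to_wildcard(*rng)))
    for name, (before, after) in compare().items():
        print(f"{name:28s} two sequences: {before:8s} with permit-any: {after}")
```

Run it directly to print the per-flow outcome of both access-maps. The two manager/non-manager flows get the same verdict either way; the two flows involving the internet peer, which transit Vlan 200 on the VC switch between the trunk and SVI Vlan250, are dropped by the two-sequence map and forwarded only once the permit-any sequence is present, which is the behaviour Giuseppe's reply describes for VC calls with external devices.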
