Help with SG300 VLANs - routing and ACLs

stownsend
Level 2

I have an SG300-28P that is our Main VLAN Switch, though the VLANs that I have on it are there mostly because of our Edge Router and our AP541Ns.

We have the following VLANs defined (subnets changed to conceal public IPs):

VLAN      Subnet              Use
VLAN200   200.200.200.0/24    Class C Public IP Block, Maps to internal Resources, Internally Accessible on AP521N for Testing On Internal Pub IP
VLAN201   201.201.201.0/24    Class C Public IP Block, Maps to internal Resources, NAT For Internal to External
VLAN192   192.168.1.1/24      Class C for AP521N for Customer Use
VLAN101   10.1.0.0/16         Class B for Internal LAN

VLAN200 and VLAN201 come into our Edge Router and out on a single GE port, VLAN tagged, to the SG300.

The SG300 splits them out to untagged ports, and they are connected to two firewalls, each with an IP in the 200 and 201 subnets.

The AP510 has the VLAN200, VLAN192 and VLAN101 tagged subnets sent to it. The AP521 has three SSIDs, each associated with a particular VLAN.

This all works fine, though there are a few hidden flaws. Since all of the VLANs are present, both internal and public IPs, one could craft packets from one network and use the SG300 as its gateway to the other subnet and gain access.

How can I isolate the subnets, so that

  • I can still use the SG300 as a default gateway for the 10.1.0.0/16 network
  • If someone from the 10.1.0.0/16 network accesses the 201.201.201.0/24 subnet, it uses the SG300's 0.0.0.0 0.0.0.0 default route (the firewall IP) and not the VLAN interface
  • If someone in the 201, 200 or 192 subnets uses the SG300 as a gateway and tries to access a 10.1.0.0/16 address, it gets blocked

Thanks,

Scott


Tom Watts
VIP Alumni

Hi Scott, two features I'd like you to be aware of. The first one is port security, which may be dynamic or static. Basically, if you expect certain MAC addresses to connect through the switch on a port, any deviation from the MAC address(es) connecting to the port can be discarded or the port shut down.

The second feature is dynamic ARP inspection (DAI). How this feature works is you can set trusted and untrusted interfaces. You then register IP and MAC addresses into the switch. If a switch interface is "untrusted" a lookup will happen, and if the lookup doesn't find the entry in the table, the host connection is blacklisted by the switch. If the interface is "trusted" nothing will happen.

These features of course cover rogue connections or unwanted devices within the LAN.

I do feel I am missing a piece of information for your inquiry. The reason I say this is because I don't know what functionality you need. If you do not put an IP address on the VLAN interface, it is a layer 2 VLAN. So you could simply remove the IP off the interface, and that will end intervlan routing for a VLAN unless your gateway (router) enables the intervlan routing. If the router handles the intervlan routing, then you can either disable intervlan routes on the router or create an access list on the trunk links to filter the subnet traffic to the 10.x.x.x network on the switch. An ACL on the switch is INGRESS (inbound) only.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
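The two mechanisms discussed in the thread, an inbound-only ACL per VLAN and removing the IP from a VLAN interface so the switch no longer routes for that subnet, are modelled below as an added example. This is not code from the thread, from Scott's switch, or from Cisco; it is a small policy simulator that applies first-match ACL semantics to constructed flows using the VLAN IDs and (substituted) subnets from Scott's table. The firewall address and the flows are constructed sample values, and VLAN192 is written as 192.168.1.0/24 so the prefix parses strictly. It also shows two failure modes a practitioner should check for: a permit-any entry placed before the deny, which shadows it, and a default route whose next hop is on a VLAN that no longer has an IP interface.

```python
"""Simulator for per-VLAN ingress ACLs and SVI-based routing (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# VLANs and subnets as listed in the question (public blocks are the
# author's substituted examples, not real allocations).
VLAN_SUBNETS = {
    200: ip_network("200.200.200.0/24"),
    201: ip_network("201.201.201.0/24"),
    192: ip_network("192.168.1.0/24"),
    101: ip_network("10.1.0.0/16"),
}
INTERNAL = VLAN_SUBNETS[101]
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry; entries are evaluated top down."""
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def evaluate(acl, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Ingress ACLs keyed by the VLAN a frame ARRIVES on. Because the switch only
# filters inbound, the deny must sit on the public and guest VLANs; by the time
# the packet would leave on VLAN 101 it has already been routed.
INGRESS_ACL = {
    200: [Ace("deny", ANY, INTERNAL), Ace("permit", ANY, ANY)],
    201: [Ace("deny", ANY, INTERNAL), Ace("permit", ANY, ANY)],
    192: [Ace("deny", ANY, INTERNAL), Ace("permit", ANY, ANY)],
    101: [Ace("permit", ANY, ANY)],   # internal hosts keep the switch as gateway
}

# Misordered variant: the permit-any matches everything first, so the deny is
# never reached and internal hosts stay exposed.
MISORDERED = [Ace("permit", ANY, ANY), Ace("deny", ANY, INTERNAL)]


def ingress_decision(vlan, src, dst):
    """Apply the ACL bound to the ingress VLAN to one flow."""
    return evaluate(INGRESS_ACL[vlan], src, dst)


def next_hop(dst, svi_vlans, default_gateway):
    """Where the switch forwards a routed packet.

    svi_vlans lists the VLANs that still have an IP interface (SVI). A
    destination inside one of those subnets is a connected route; anything
    else follows the 0.0.0.0/0 default route. A VLAN with no IP is layer 2
    only, so the switch has no connected route for it, but the default
    gateway itself must still be reachable through some remaining SVI.
    """
    d = ip_address(dst)
    for vlan in svi_vlans:
        if d in VLAN_SUBNETS[vlan]:
            return f"connected via VLAN {vlan} interface"
    gw = ip_address(default_gateway)
    if not any(gw in VLAN_SUBNETS[v] for v in svi_vlans):
        return f"unreachable: default gateway {default_gateway} is not on a connected subnet"
    return f"default route via {default_gateway}"


FIREWALL_INSIDE = "10.1.0.254"   # constructed placeholder, not from the thread

if __name__ == "__main__":
    flows = [   # (ingress VLAN, source, destination); constructed sample traffic
        (201, "201.201.201.50", "10.1.5.20"),
        (192, "192.168.1.77", "10.1.0.1"),
        (200, "200.200.200.9", "200.200.200.1"),
        (101, "10.1.5.20", "201.201.201.50"),
    ]
    for vlan, src, dst in flows:
        print(f"VLAN {vlan:>3} {src:>16} -> {dst:<16} {ingress_decision(vlan, src, dst)}")
    print("misordered ACL  :", evaluate(MISORDERED, "201.201.201.50", "10.1.5.20"))
    print("SVI on every VLAN:", next_hop("201.201.201.50", [200, 201, 192, 101], FIREWALL_INSIDE))
    print("VLAN 201 layer 2 :", next_hop("201.201.201.50", [101], FIREWALL_INSIDE))
    print("GW on removed SVI:", next_hop("201.201.201.50", [101], "201.201.201.1"))
```

The last two lines of the demo are the point of Tom's SVI suggestion: once VLAN 201 has no IP on the switch, 10.1.x traffic for that subnet follows the default route instead of the VLAN interface, but only if the default gateway still sits on a subnet the switch has an address in; otherwise the route is unusable and the design has to be revisited.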