Solved: Re: Advice Needed on VLANs

BFriend84 · ‎03-11-2018

So, first off, I am relatively new to Cisco setup. I have some basic knowledge, but not nearly what I should for what I am doing. I need some advice and some possible direction. I have scoured YouTube and other forums and I can't seem to find something similar to what I am trying to do. So, i figured, what better than come to the source!?

Here goes:

We are replacing the switch and router in our fire station. The switch is a Catalyst 4948 and the router is a 3825. We have a large station but not a ton of network devices. I want to do a few VLANs for a couple different areas of the station.

VLAN 10 - All domain traffic (trusted traffic)

VLAN 20 - WLAN

VLAN 30 - Public Access (we have some members that live-in and bring their gaming systems with them)

VLAN 80 - CCTV

VLAN 90 - IT Managment

VLAN 100 - Network Equipment

I want to have VLAN 90 be able to access all other VLANs, however, I don't want anything else to be able to access VLAN 90. Other than that, I want no cross communication. I want all traffic to go out to the internet and have no chance of communicating at the router level. Initially I looked into VRF lite but then I was reading a bit more and it appears as though PVLANs may be the route I need to take. Before I devote a bunch of time in researching PVLANs, I would like to get some opinions on this. What is the best route for me to take and is there somewhere I can go to read up on it? I know these are rookie questions and probably way beneath all of you, but hey, we all started somewhere! I am kind of in the "baptism by fire" role right now, I basically got appointed to do this because I have the most "computer knowledge." I appreciate ANY help that you can give me! Just please don't laugh, too hard! If more information is needed, please let me know! Thanks in advance!

Mark Malone · ‎03-12-2018

Hi
vrf is a good option or just use stringent access-lists on the SVI interfaces so they cant talk to each other at ip level reverse rules on each one , you could easily block them all speaking to each other , vrf would be slightly more secure as its isolating the route tables for each subnet , pvlans im not a fan can get messy especially if your not familiar with it

if you dont want the other vlans to access the internet just make sure they dont have ip nat inside under their interface that will stop them as they cant translate from private to public ip to break out , and the one that does need the internet ip nat outside , thats depending on your setup and if the 3825 is doing the actual nat

View solution in original post

Mark Malone · ‎03-12-2018

Hi
vrf is a good option or just use stringent access-lists on the SVI interfaces so they cant talk to each other at ip level reverse rules on each one , you could easily block them all speaking to each other , vrf would be slightly more secure as its isolating the route tables for each subnet , pvlans im not a fan can get messy especially if your not familiar with it

if you dont want the other vlans to access the internet just make sure they dont have ip nat inside under their interface that will stop them as they cant translate from private to public ip to break out , and the one that does need the internet ip nat outside , thats depending on your setup and if the 3825 is doing the actual nat

BFriend84 · ‎03-12-2018

Okay, so I WAS on the right track with vrf! Thank you! at the router for the default gateway, I was using a sub interface for all of them:

VLAN 10 int gi0/1.10 - 10.20.10.0/24 with a default gateway of 10.20.10.1

VLAN 20 int gi0/1.20 - 10.20.20.0/24 with a default gateway of 10.20.20.1

VLAN 30 int gi0/1.30 - 10.20.30.0/24 with a default gateway of 10.20.30.1

and so on.

Is this correct or do they all need to go to the same default gateway?

Here's my biggest issue and this may be my biggest issue, I can grasp the concept at the switch level for most everything, but for some reason, routing kicks my butt! I am attaching the commands I used initially with vrf, can you tell me if I am on the right track or not?

int gi0/1.10
encapsulation dot1Q 10
ip vrf forwarding CVFD_Domain
exit
ip address 10.20.10.1 255.255.255.0
int gi0/1.20
encapsulation dot1Q 20
ip vrf forwarding WLAN
ip address 10.20.20.1 255.255.255.0
exit
ip address 10.20.30.1 255.255.255.0
int gi0/1.30
encapsulation dot1Q 30
ip vrf forwarding Public_PC
exit
ip address 10.20.90.1 255.255.255.0
int gi0/1.90
encapsulation dot1Q 90
ip vrf forwarding IT_Manage
exit
router ospf 1 vrf CVFD_Domain
network 0.0.0.0 255.255.255.255 area 0
router ospf 2 vrf WLAN
network 0.0.0.0 255.255.255.255 area 0
router ospf 3 vrf Public_PC
network 0.0.0.0 255.255.255.255 area 0
router ospf 4 vrf IT_Manage
network 0.0.0.0 255.255.255.255 area 0
exit
no service dhcp
service dhcp
ip dhcp excluded-address 10.20.10.1 10.20.10.99
ip dhcp excluded-address 10.20.20.1 10.20.20.99
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.90.1 10.20.90.99
ip dhcp pool CVFD_Domain
network 10.20.10.0 255.255.255.0
default-router 10.20.10.1
dns-server 8.8.8.8
exit
ip dhcp pool WLAN
network 10.20.20.0 255.255.255.0
default-router 10.20.20.1
dns-server 8.8.8.8
exit
ip dhcp pool Public_PC
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server 8.8.8.8
exit
ip dhcp pool IT_Manage
network 10.20.90.0 255.255.255.0
default-router 10.20.90.1
dns-server 8.8.8.8
exit

I hope I am on the right track, but I am not sure. Thnaks again!

Mark Malone · ‎03-13-2018

thats correct they should have there DF in their own subnet and your config looks ok , are your ospf neighbors up now , can you see each vrf routing table , show ip route vrf ....

Joseph W. Doherty · ‎03-13-2018

A 4948 is a L3 switch. Were you planning on using it just as a L2 switch, or take advantage of its L3?

From what you described, I don't believe PVLANs is suitable. PVLANs is principally to block hosts on the same VLAN from direct intercommunication.

As Mark notes, you could use VRF or ACLs, but I would lean toward using ACLs? Why? Because they can be more granular in what traffic you allow where. For example, say perhaps a CCTV camera needs to be accessed from some "special" host that's not on the CCTV VLAN. You could easily amend an ACL for that, including the specific kind of traffic allowed between those hosts.