
Best Practice inter-VLAN filter/routing C2960X LAN Base image

Yordi Mahieu
Level 1

Hello,
I have 2 brand new C2960X-48LPS-L (LAN Base image) with 2 C2960X stack modules and software 15.0.2-EX5.
I have about 20 VLANs configured with SVIs (the gateway IP for all the VLAN subnets).
This stack will be the L3 core switch of a school network, also acting as DHCP relay client for all the VLANs!
15 VLANs only need internet access (Guest VLAN, VoIP VLAN, ...) and must not be able to route to other VLANs. But IP clients must be able to receive an IP address via the DHCP IP helper (same switch) to the server VLAN.
2 VLANs need access (only the needed TCP/UDP ports) to 1 other VLAN with the domain servers.
1 VLAN that I use for network management may go through the other VLANs (RDP, FTP, NTP, HTTP, ...).
The IP routing and IP DHCP helper are configured and OK; now I only have to filter/limit the VLANs.
Internet access (VLAN FIREWALL) must not be filtered (that is the role of the firewall, to keep it simple).
Question: filter on the SVI? or on the VLAN? I wanted to use ACLs but I found out that I cannot use GROUP-OBJECT with this software!!!! Would managing the ACLs be easy and save some resources?!! Then I have read about VLAN mapping??? Does it work with standard ACLs or also with extended ACLs? In the future there could be some new VLANs added, or site-to-site VPN tunneling connecting other school branches ...
Maybe a configuration example? If you need more info just ask .... Greetings ...


Accepted Solution

Seth Bjorn
Level 1

What you're asking is possible to do on each SVI with an access list. As you've noticed, the full feature set of IOS isn't available on these switches, so it will be a little tedious to manage.
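The answer above says "an access list on each SVI" but does not show what that looks like for the original poster's three VLAN classes, nor how to keep roughly 20 hand-written ACLs consistent without the object-groups this image lacks. The following script is an added example and is not part of the thread or of any Cisco documentation: it renders one inbound extended ACL per SVI from a small VLAN table. The VLAN numbers, subnets (10.0.x.0/24), the choice of VLAN 100 as the DHCP/domain-server VLAN, and the list of domain-server ports are all constructed assumptions; the real port list depends on which domain services the two restricted VLANs actually need.

```python
"""Generate per-SVI inbound ACLs for a C2960X-style L3 switch (IOS syntax).

Added example, not from the original post. The VLAN table, addresses and
domain-server port list below are constructed assumptions; substitute the
real ones. The script stands in for the missing object-group feature: the
policy is written once and the repetitive ACL lines are rendered from it.
"""
import ipaddress

# Constructed VLAN table: vlan id -> (role, subnet). Roles:
#   "internet"   - internet only, but DHCP must still reach the relay
#   "restricted" - internet plus a short list of ports on the domain servers
#   "management" - unrestricted
#   "servers"    - the DHCP/domain-server VLAN, no inbound ACL generated
#   "firewall"   - transit VLAN to the firewall, left unfiltered as the OP wants
VLANS = {
    10: ("internet", "10.0.10.0/24"),     # Guest
    11: ("internet", "10.0.11.0/24"),     # VoIP
    30: ("restricted", "10.0.30.0/24"),   # Staff
    31: ("restricted", "10.0.31.0/24"),   # Labs
    99: ("management", "10.0.99.0/24"),
    100: ("servers", "10.0.100.0/24"),
    200: ("firewall", "10.0.200.0/30"),
}
SERVER_VLAN = 100
# Assumed (illustrative) ports the restricted VLANs need on the domain servers.
DOMAIN_PORTS = {"tcp": [53, 88, 389, 445], "udp": [53, 88, 123]}


def wild(net):
    """IOS ACL notation: network address followed by the wildcard (inverse) mask."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.hostmask}"


def acl_name(vlan):
    return f"ACL-VLAN{vlan}-IN"


def build_acl(vlan):
    """ACL entries (without the 'ip access-list' header) for one SVI,
    or None when that VLAN is deliberately left unfiltered."""
    role, net = VLANS[vlan]
    if role in ("servers", "firewall"):
        return None
    if role == "management":
        return ["remark management: unrestricted", "permit ip any any"]
    src = wild(net)
    lines = [f"remark {role}: DHCP to the relay first, then internet only"]
    # DHCP discover/request enter the SVI as 0.0.0.0:68 -> 255.255.255.255:67;
    # renewals are unicast to the server on 67. One entry covers both.
    lines.append("permit udp any eq bootpc any eq bootps")
    if role == "restricted":
        dst = wild(VLANS[SERVER_VLAN][1])
        for proto, ports in DOMAIN_PORTS.items():
            for port in ports:
                lines.append(f"permit {proto} {src} {dst} eq {port}")
    # Deny every other internal subnet. Order matters: the specific permits
    # above must come before these denies, and intra-VLAN traffic never
    # reaches the SVI, so the VLAN's own subnet is skipped.
    for other_vlan, (_, other_net) in sorted(VLANS.items()):
        if other_vlan != vlan:
            lines.append(f"deny ip {src} {wild(other_net)}")
    # Whatever remains is a non-internal destination, i.e. internet through
    # the firewall VLAN, which the OP wants the firewall (not the switch) to police.
    lines.append(f"permit ip {src} any")
    return lines


def render():
    """Complete IOS configuration fragment: each ACL plus its SVI binding."""
    out = []
    for vlan in sorted(VLANS):
        acl = build_acl(vlan)
        if acl is None:
            continue
        out.append(f"ip access-list extended {acl_name(vlan)}")
        out.extend(f" {line}" for line in acl)
        out.append("!")
        out.append(f"interface Vlan{vlan}")
        out.append(f" ip access-group {acl_name(vlan)} in")
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(render())
```

Two design points worth keeping in mind when adapting it. First, the internet-only VLANs are expressed as "deny every internal prefix, then permit any" rather than "permit only the firewall subnet", because a packet bound for the internet carries the remote host's address, not the firewall's, so a permit scoped to the firewall VLAN would drop all internet traffic. Every internal prefix therefore has to appear in the VLAN table, including any site-to-site VPN ranges added later; a forgotten prefix is reachable. Second, these are stateless router ACLs: return traffic from the domain servers to a restricted VLAN is only allowed because no inbound ACL is bound to the server VLAN's SVI. If guests use an internal DNS server, add a permit for port 53 to that host above the denies. After applying the configuration, check the switch's TCAM utilization, since roughly 20 ACLs of this size can exhaust it on this platform.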

What I am asking is: what is the best practice to filter inter-VLAN traffic?

Can I use VLAN mapping?

For your internet-only VLANs, I would take the SVI off them and trunk them down the line to your internet gateway. Add subinterfaces with the SVI IPs. Basically you will have an internet-only DMZ.

Depending on what your internet gateway looks like (router, firewall, etc.), you can then add DHCP services to allow from the internet-only DMZ to the DHCP server (through the internal interface of the internet gateway device).

*** I have begun creating VACLs; I am almost there.

I would like to clean up my (IP) ACLs with reflexive ACLs (and be more secure).

Is it possible that reflexive ACLs are NOT supported for VACLs?

**** I only want the L2 traffic that is REALLY necessary (looking up the MAC of the gateway with RARP).

The only L2 MAC ACL in use = permit any any 0x806 0x0 (I hope all the other L2 traffic will be blocked).

So that RARP will function, I have tried to limit the "any any" in this MAC filter but did not succeed (replaced the destination "any" with the hardware address of the gateway).
