02-09-2013 12:44 PM - edited 03-07-2019 11:37 AM
Hey everyone,
I know doing a search will yield many results on what I am showing you, but I am stuck. I set up a small network in Packet Tracer; the Packet Tracer project file is attached, and an image of the network can be seen here -
http://i.imgur.com/S1K5oTW.png
My 3560 config -
http://pastebin.com/raw.php?i=eMe2wkhx
The top of the network is a private LAN on 192.168.168.0/24; the bottom left portion of the network is to be the private WLAN on 192.168.0.x; the server network is on 10.0.0.x in the bottom right. The Guest WLAN network is located in the bottom middle. All of the DHCP is handled by the server directly connected to the 3560 layer 3 switch.
After numerous Google searches on VLAN routing I am lost and confused about what I need to do next. I have looked at access control lists, IP routing and inter-VLAN routing, but I cannot figure out how to apply them to what I have.
I would like the private wired LAN, private WLAN, and servers to all talk to each other; however, I do NOT want the Guest WLAN to talk to any other subnet besides the internet located in the top right.
What is the best thing I can do to accomplish this?
I am a complete noob when it comes to anything advanced with Cisco networking.
02-09-2013 06:15 PM
You need to configure IP routing on your switch and then use SVIs, or switched virtual interfaces, for the routable VLANs.
This is basically giving each VLAN interface an IP address.
Doing this will add routes to the routing table for each network, and they will show as directly connected because they all live on that switch.
Each machine within its own given network will need a default gateway, which is the IP address of the VLAN interface on its network.
Elton
Sent from Cisco Technical Support iPhone App
02-09-2013 06:57 PM
Thank you for the reply Elton,
I had all of the SVIs set up; however, on my multilayer switch I was missing the master ingredient, which was 'ip routing'. Once I enabled that, ALL of the devices were then able to speak to each other.
After that I set up access lists for the guest wireless VLAN to deny any traffic to the other subnets with these commands -
#conf t
#access-list 101 remark Deny private subnet traffic for guest network
#access-list 101 deny ip any 10.0.0.0 0.255.255.255
#access-list 101 deny ip any 192.0.0.0 0.255.255.255
#access-list 101 remark Permit everything else; without this line the implicit deny at the end of the ACL drops all guest traffic, internet included
#access-list 101 permit ip any any
Then I add that access list to the vlan with the following command -
# conf t
# int vlan 172
# ip access-group 101 in
# exit
Then whenever a host on the guest network attempts to ping a host on another network they receive this -
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
PC>
However, now I am unsure how internet access will be given to the guest network, as setting up real internet access to ping, for instance, 8.8.8.8 is not possible. More investigation and thought will have to be given while actually implementing this in the real world.
If there is a more elegant solution where you can completely isolate the port the guest network is on, I am all ears!
Otherwise does anyone have any input on how this is being handled?
Attached is an updated Packet Tracer file and switch config.
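As an added check (not part of the original thread and not a Cisco tool), the following Python script models how IOS evaluates an extended ACL: wildcard masks, first match wins, and an implicit deny at the end of the list. It runs the ACL posted above against constructed sample traffic from a guest client (172.16.0.50 is made up; 172.16.0.1 is the SVI address that appears in the ping output) to one host in each subnet named in the thread plus an internet address, and shows that without a trailing permit the ACL blocks the internet destination as well as the private subnets.

```python
"""Model of Cisco IOS extended-ACL evaluation (added example; not from the thread).

Rules modelled: entries are checked top to bottom, the first match decides,
and an unwritten 'deny ip any any' sits at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: 0 bits must match the base address, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (base, wildcard)
    dst: tuple    # (base, wildcard)


def _take_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remark lines are skipped."""
    aces = []
    for line in lines:
        toks = line.strip().lstrip("#").split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        action, proto = toks[2], toks[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit|deny ip' entries are modelled: {line}")
        src, rest = _take_addr(toks[4:])
        dst, _ = _take_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src, dst):
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in aces:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


# The ACL exactly as posted in the thread (applied inbound on interface vlan 172).
POSTED_ACL = [
    "access-list 101 remark Deny private subnet traffic for guest network",
    "access-list 101 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 101 deny ip any 192.0.0.0 0.255.255.255",
]

# Same ACL with an explicit permit so that non-private destinations get through.
FIXED_ACL = POSTED_ACL + ["access-list 101 permit ip any any"]

GUEST_HOST = "172.16.0.50"  # constructed guest client; 172.16.0.1 is the SVI in the post

# Constructed sample destinations: one host per subnet named in the thread, plus the internet.
SAMPLE_DESTINATIONS = [
    "10.0.0.2",         # server network (the host pinged in the post)
    "192.168.168.10",   # private wired LAN (constructed)
    "192.168.0.20",     # private WLAN (constructed)
    "8.8.8.8",          # internet
]


def guest_reachability(acl_lines):
    """Map each sample destination to the ACL verdict for traffic from the guest host."""
    aces = parse_acl(acl_lines)
    return {dst: evaluate(aces, GUEST_HOST, dst) for dst in SAMPLE_DESTINATIONS}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("with permit", FIXED_ACL)):
        print(name, guest_reachability(acl))
```

Two things the model makes visible that the ping test in Packet Tracer does not: the `192.0.0.0 0.255.255.255` entry matches all of 192.0.0.0/8, so it also blocks public 192.x.x.x hosts (`192.168.0.0 0.0.255.255` covers exactly the two private networks), and because the DHCP server lives in 10.0.0.x, a guest client's unicast lease renewal to it lands on the first deny line, so the guest VLAN needs either a narrow permit for the server's DHCP port ahead of that deny or DHCP served from elsewhere.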
02-09-2013 07:03 PM
I too have run into the same issue. I don't believe that the switches support firewall capabilities, but I could be wrong.
Ultimately you would want a firewall device to segregate the networks, or you could configure a zone-based firewall on a Cisco router and create a guest zone with which you could deny traffic to your other zones.
Your ACLs can get very complex quickly in your situation, but it can be done.
Elton
Sent from Cisco Technical Support iPhone App