05-22-2019 08:44 PM
Hi all,
I am somewhat of a Cisco switching beginner, but have inherited a network that contains a switch stack of 4 x Catalyst 3560.
Due to the sale of a portion of the company (and the end users still being in our building), I have had to create a separate VLAN to virtually isolate their network. I have done this by creating a new VLAN (80, 172.16.80.0/24) and putting in an ACL so that they can't route out to any servers they shouldn't. This VLAN gets DHCP from the switches, but DNS from a server on our existing network.
All is good at that end. However, we also have an RDS farm set up on our own network (VLAN 1, 172.16.100.0/24) and some of these users will work from home, via a Remote Desktop Broker on this VLAN. I've been trying to figure out how to let the Remote Desktop servers see through to the File Store server that is on VLAN 80, but can't seem to get there. If anyone has any advice, it would be most appreciated!
I have added what I think are all the relevant lines from my switch config below. Please let me know if any more information is needed:
ip dhcp pool EXAMPLE
network 172.16.80.0 255.255.255.0
default-router 172.16.80.254
dns-server 172.16.100.1
!
interface Port-channel101
switchport trunk allowed vlan 1,3,4,10,40,50,101,200
switchport mode trunk
!
interface Port-channel102
switchport trunk allowed vlan 1,3,4,10,40,50,101,200
switchport mode trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/7
description EXAMPLE-File-Store-Server
switchport access vlan 80
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/14
description WP396 EXAMPLE PHONE/PC
switchport access vlan 80
switchport mode access
switchport voice vlan 10
spanning-tree portfast
service-policy input 10Mbps
service-policy output 10Mbps
!
interface GigabitEthernet4/0/44
description VM HOSTING REMOTE DESKTOP BROKER
switchport mode access
spanning-tree portfast
!
interface Vlan1
description Core-Network
ip address 172.16.100.254 255.255.255.0
!
interface Vlan80
description EXAMPLE Network
ip address 172.16.80.254 255.255.255.0
ip access-group EXAMPLE in
!
ip access-list extended EXAMPLE
permit udp any host 172.16.100.1 eq domain
remark RD Broker IP
permit tcp any host 172.16.100.130 eq 3389
permit tcp any host 172.16.100.130 eq 443
remark Printer
permit tcp any host 172.16.80.24 eq 139
permit tcp any host 172.16.80.24 eq 445
permit udp any host 172.16.80.24 eq netbios-ns
permit udp any host 172.16.80.24 eq netbios-dgm
permit tcp any host 172.16.80.24 eq www
remark 3rd Party App Server
permit tcp any host 172.16.100.4
permit udp any host 172.16.100.4
permit tcp any host 172.16.100.24
permit udp any host 172.16.100.24
permit icmp any 0.0.0.0 255.255.255.0 echo
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
05-23-2019 01:03 AM
So, thanks for the help Balaji, but I posted this query in the middle of the night and then woke up and fixed it myself. Got access tested from both VLANs and all is fine.
For some reason, in my tired state, I didn't realise that I could just trunk the port that the file server is on and set up a second NIC on the VM to access the core network.
Boom. Access to both networks from the server, but still restricted access on the isolated VLAN.
Thanks again!
05-22-2019 09:35 PM
You require the ports below to be open for SMB / CIFS to work.
Source: your RDP server; destination: the file server IP, with the ports below allowed.
TCP: 445
UDP: 137, 138
TCP: 137, 139
permit tcp host RDPSERVERIP host FILESERVERIP eq 139
permit tcp host RDPSERVERIP host FILESERVERIP eq 445
permit udp host RDPSERVERIP host FILESERVERIP eq netbios-ns
permit udp host RDPSERVERIP host FILESERVERIP eq netbios-dgm
test and advise
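Added example, not code from either poster or from Cisco: a small Python model of how an extended ACL applied "in" on interface Vlan80 evaluates packets, run against the entries from the posted ACL that an SMB session can touch. It shows that the file server's replies (source port 445, from VLAN 80 towards the RD broker) fall through to the "deny ip any 172.16.0.0 0.0.255.255" line, and that a single narrowly scoped permit ahead of that deny fixes it. The extra permit entry, the ephemeral port and the evaluator itself are assumptions constructed for this thread.

```python
from ipaddress import ip_address
# Constructed model of a Cisco extended ACL applied "in" on interface Vlan80: first
# matching entry wins, then the implicit "deny ip any any". Not IOS code; it models
# only address/wildcard pairs and single source/destination ports.
def wild(addr, wildcard="0.0.0.0"):
    # IOS address + wildcard -> (base, mask); mask bits are set where bits must match.
    return int(ip_address(addr)), 0xFFFFFFFF ^ int(ip_address(wildcard))
ANY = wild("0.0.0.0", "255.255.255.255")
def ace(action, proto, src, dst, sport=None, dport=None):
    return (action, proto, src, dst, sport, dport)

def ip_match(rule, addr):
    base, mask = rule
    return (int(ip_address(addr)) & mask) == (base & mask)

def evaluate(acl, pkt):
    for action, proto, src, dst, sport, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (ip_match(src, pkt["src"]) and ip_match(dst, pkt["dst"])):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# Entries from the posted ACL that the SMB flow can touch, in the posted order.
ACL_THREAD = [
    ace("permit", "tcp", ANY, wild("172.16.100.130"), dport=3389),
    ace("permit", "tcp", ANY, wild("172.16.100.130"), dport=443),
    ace("permit", "tcp", ANY, wild("172.16.80.24"), dport=445),
    ace("deny", "ip", ANY, wild("172.16.0.0", "0.0.255.255")),
    ace("permit", "ip", ANY, ANY),
]

# The file server's SMB reply to the RD broker enters the switch from VLAN 80, so
# the inbound ACL on Vlan80 evaluates it. The ephemeral client port is constructed.
SMB_REPLY = {"proto": "tcp", "src": "172.16.80.24", "sport": 445,
             "dst": "172.16.100.130", "dport": 50311}

# Narrow fix (hypothetical entry, not from the thread): let the file server answer
# SMB towards the RDS subnet, inserted ahead of the catch-all deny.
ACL_FIXED = ACL_THREAD[:3] + [
    ace("permit", "tcp", wild("172.16.80.24"), wild("172.16.100.0", "0.0.0.255"), sport=445),
] + ACL_THREAD[3:]

def smb_reply_result(acl):
    return evaluate(acl, SMB_REPLY)  # "deny" for ACL_THREAD, "permit" for ACL_FIXED
```

On IOS the same effect for TCP is usually written with the established keyword (for example "permit tcp host 172.16.80.24 172.16.100.0 0.0.0.255 established"), which matches only reply segments and so keeps VLAN 80 from initiating connections into the core network.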
05-23-2019 02:34 AM
Glad you have fixed it, and good to know. Cheers!