Inter-VLAN Routing Config

Chris Mickle
Level 1

I just obtained a Catalyst 3750G for my production network and am trying to understand how to configure inter-VLAN routing between the two VLANs that exist. None of the examples or explanations I can find online are similar to what I am trying to accomplish, plus I'm very new to Cisco and routing and still trying to learn.
I have a /29 public IP block that is configured using a PIX firewall to have each IP address in the public block routed to its own physical interface thereby creating 5 different physical LAN segments each using a different public IP. I have configured two static access VLANs on the 3750G which are connected to two of the physical interfaces on the PIX enabling me to have hosts on both VLANs able to use the same switch, but remain physically separate. My goal is to be able to allow access from VLAN1 to VLAN2 but not the other way around. I have this configured currently via an access list on the PIX, but I would like to use the switch instead if possible to allow for 1Gb connection speeds between the hosts on the two VLANs.
What's really confusing me from reading is that I can not find any examples of inter VLAN routing that have a separate gateway for each VLAN like I do so I'm not sure how to proceed.
Any help would be much appreciated.
Thanks


Jon Marshall
Hall of Fame

Chris

The problem is if you move the gateways to the switch using L3 vlan interfaces (SVIs) then you won't be able to control the traffic the way you want.

Your firewall is stateful, which means it "remembers" from which side the connection was initiated, so allowing access one way but not the other is an easy thing to do, ie. the firewall will allow the return traffic because it knows from which side the initial connection came.

The problem with acls on the SVIs is that they are not stateful so they look at each packet in isolation. Which means if you block traffic one way then you also block the return traffic.

There is a very recent thread discussing the same thing -

https://supportforums.cisco.com/discussion/12581576/vlan-issue

and even though your switch is different the same restrictions apply ie. you will probably only be able to use the "established" keyword as the other options won't be available.

As mentioned at the end of my reply if there are just certain ports you want to block then you may be able to write an acl for it.

Jon

Thanks for the info. I think I understand what you're saying and I also now understand what "stateful" means.
I'm thinking that the "established" keyword may work, but I'm not sure because I don't understand what that means. Maybe if I put this in context you could tell me if it would work.
Basically as I said before I have two LAN segments. One is my domain network and the other has an FTP/HTTP server on it. What I want to be able to do is have SMB access to the FTP server from the domain network, but not allow connections to be initiated the other way. FTP and HTTP access would also be nice, but it's not absolutely required. The only reason I need to access the FTP server from the domain is to transfer files to and from it. As I said before, I have this working now through an ACL on the PIX, but it would be nice to do it with the 3750G because it is capable of Gb speeds.

The "established" keyword is for TCP only connections.

If this is just for FTP and HTTP then it may well be a solution as these both use TCP.

It should be pointed out that using the "established" keyword is not truly stateful so it is not as secure as using a firewall but it should achieve what you want.

So basically you deny everything from your FTP/HTTP vlan to your domain vlan but you also allow established connections from your FTP/HTTP vlan to your domain vlan.

This would mean nothing in your FTP/HTTP vlan could initiate a connection to the domain vlan but return traffic for TCP would be allowed.

You can lock it down further by only allowing FTP/HTTP established traffic to come from that vlan.

Like I say this should do what you want but it is not as secure as a stateful firewall because using that keyword does not mean your switch is now keeping track of the connection in the way a firewall does, it is simply checking a TCP flag in each packet.

This may well be enough for what you are trying to do.

Edit - because it only supports TCP, when you test don't try using ping for example as this won't work.

Jon

Actually SMB access is the primary focus with FTP/HTTP being secondary. Since security is a concern here and as you said the established keyword method isn't as secure, I think I will just leave it alone for now and deal with the 100Mb transfer speed.
Thanks again for all your help!

Chris

No problem.

Just to say, using the established keyword would mean someone would need to spoof a TCP packet to get it through the acl, so it's not that it doesn't add some level of security, because it does, just not as much as a stateful firewall.

So if the bandwidth does become a concern it may well be worth considering.

Jon

It's not that big of a deal. I don't transfer very large files to it all that often.

Just to add to this.

FTP is a tricky protocol and works in two modes.

Basically FTP uses two connections, one for the control connection and one to send the actual data and they use different TCP ports.

If it is running in active mode it probably won't work because for the data connection the server makes the connection back to the client and that would be blocked by your acl.

In passive mode the client makes both connections to the server so that would work.

If your FTP is active then you can get around this by writing a specific entry in your acl for the data connection because that is on a specific TCP port so you can still do it but you would need to modify your acl.

HTTP is fine and works the same as most TCP applications.

Jon
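The configuration Jon describes above (SVIs as the gateways, an inbound ACL on the FTP/HTTP VLAN that permits only "established" return traffic, plus the extra entry needed for active-mode FTP data connections), written out as an added example for a 3750G. This is not configuration from the thread or from Cisco; the VLAN numbers, subnets, the SVI addresses and the server address 10.0.20.10 are all assumed values chosen for illustration, and the default route toward the PIX is left out because the thread does not describe that side of the topology.

```cisco
! Assumed addressing for this example (not from the thread):
!   VLAN 10 = domain network        10.0.10.0/24, gateway (SVI) 10.0.10.1
!   VLAN 20 = FTP/HTTP server VLAN  10.0.20.0/24, gateway (SVI) 10.0.20.1
!   FTP/HTTP server                 10.0.20.10
!
! Enable IP routing on the 3750G so the SVIs route between the two VLANs.
ip routing
!
vlan 10
 name DOMAIN
vlan 20
 name FTP-HTTP
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ! Applied inbound: this filters only what enters the switch FROM VLAN 20,
 ! i.e. the direction in which nothing should be able to initiate a connection.
 ! Traffic from the domain VLAN toward the server leaves this SVI outbound
 ! and is not touched by the list.
 ip access-group FTP-HTTP-TO-DOMAIN in
!
ip access-list extended FTP-HTTP-TO-DOMAIN
 remark --- Return traffic only: "established" matches TCP segments with ACK or RST set,
 remark --- so a bare SYN from the server VLAN (a new connection) never matches.
 remark --- Limited to the services the domain side actually talks to (SMB, FTP control, HTTP).
 permit tcp host 10.0.20.10 eq 445 10.0.10.0 0.0.0.255 established
 permit tcp host 10.0.20.10 eq 21  10.0.10.0 0.0.0.255 established
 permit tcp host 10.0.20.10 eq 80  10.0.10.0 0.0.0.255 established
 remark --- Passive-mode FTP: the client opens the data connection to a high port
 remark --- on the server, so its return traffic also needs an "established" entry.
 permit tcp host 10.0.20.10 range 1024 65535 10.0.10.0 0.0.0.255 established
 remark --- Active-mode FTP: the SERVER opens the data connection from port 20.
 remark --- Its SYN has no ACK bit, so "established" cannot cover it; this entry
 remark --- is the explicit data-connection hole Jon mentions. Remove it if FTP is passive only.
 permit tcp host 10.0.20.10 eq 20 10.0.10.0 0.0.0.255
 remark --- Everything else from VLAN 20 toward VLAN 10 is dropped. ICMP has no
 remark --- flags to match, which is why ping from the domain side will not work.
 deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 remark --- Leave the server VLAN free to reach anywhere else (e.g. the internet via the PIX).
 permit ip any any
```

Two things worth checking after applying this. First, `show ip access-lists FTP-HTTP-TO-DOMAIN` shows per-entry match counters, so a test SMB copy from the domain side should increment the port 445 "established" line and nothing else. Second, the entry for port 20 is the weak spot: it admits any TCP packet sourced from the server's port 20, flags or not, so it should only be present while active-mode FTP is genuinely needed. Neither this entry nor the "established" lines give the switch any memory of a connection; as Jon says, each packet is judged on its own header bits, which is the whole difference from the PIX.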
