
Inter vlan routing on switch and router

Osirison
Level 1

Hello,

 

I would like to route between two vlans but one of the two vlans should also be accessible on the router (Sophos UTM).

 

My network has the following network devices.

 

[Sophos UTM] 192.168.122.1

[Cisco 3560CX SW1] 192.168.122.2

[Cisco SG300 SW2] 192.168.122.3

[Cisco SG300 SW3] 192.168.122.4

[Cisco AP2802] 192.168.122.11

[Dahua unmanaged switch]

 

Where the 3560 is the main switch and is connected to the Sophos UTM via a trunk link.

All other devices are connected to the 3560; the Dahua unmanaged switch is connected to a switchport in access VLAN40 on the 3560.

 

Vlan1       192.168.1.0 (native vlan, not used)

VLAN10   192.168.10.0 (Trusted network, computers etc.)

VLAN20   192.168.20.0 (Guest network)

VLAN40   192.168.40.0 (Security Cameras)

VLAN122 192.168.122.0 (Management network)

 

Right now all vlans are trunked to the Sophos UTM, which is also the DHCP server for VLAN10 and VLAN20.

 

 

To offload the traffic (created by the cameras) from the UTM I would like to route VLAN10 to VLAN40 on the 3560.

 

VLAN40 should not be accessible from other vlans other than VLAN10.

VLAN40 should have access to an NTP server; right now the UTM is an NTP proxy, but this could be configured on the 3560 as well.

VLAN10,20,122 need to be accessible on the UTM.

 

What will be the best way to do this?

 

Thanks in advance!

11 Replies

Hello,

 

You can enable 'ip routing' on the 3650, and then create VLAN (SVI) interfaces. You can then control which VLAN has access to which other VLAN.

 

Post the configuration of your 3650, so we can fill in the necessary bits and pieces. Also, provide the IP address of the NTP and the DHCP server (or indicate if 192.168.122.1 can be used as the IP address of the DHCP server)...

Thank you for your quick reply.

 

The UTM will be the NTP proxy and DHCP server; its IP is 192.168.122.1 or 192.168.10.1, depending on the VLAN.

 

Below is the current config on the 3560:

 

sw1-overloop#show run
Building configuration...

Current configuration : 3718 bytes
!
! Last configuration change at 20:55:18 UTC Thu Jul 26 2018
! NVRAM config last updated at 16:42:28 UTC Sun Jul 22 2018
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sw1-overloop
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
!
no aaa new-model
clock timezone UTC 1 0
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-***
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-***
 revocation-check none
 rsakeypair TP-self-signed-***
!
!
crypto pki certificate chain TP-self-signed-***
 certificate self-signed 01
  ***
  	quit
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
!
! 
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,122
 switchport trunk native vlan 122
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 10
 switchport mode access
!         
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
 switchport mode trunk
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.2 255.255.255.0
!
interface Vlan99
 no ip address
!
interface Vlan122
 ip address 192.168.122.2 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
!
!
!
line con 0
 exec-timeout 30 0
 password 7 ***
 logging synchronous
line vty 0 4
 exec-timeout 30 0
 password 7 ***
 logging synchronous
 login
 transport input telnet
line vty 5 15
 password 7 ***
 login
 transport input telnet
!
!
end

I am sorry, but I have not named the interfaces yet.

 

Sophos UTM is connected to interface 0/10

Unmanaged switch for the cameras is connected to interface 0/4

AP is on interface 0/1

Calin C.
Level 5

I would go with a combination of Private VLAN and / or ACL on SVI.

Private VLAN would take care of the VLAN40 traffic segregation from the other VLANs (here is an example: https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html).

If you want more granularity, you can go with an ACL, at the expense of some resources (especially in case of heavy traffic).

 

HTH,

Calin

Hello

Although this sounds like quite a straightforward request, I would agree with Georg: the post is a bit convoluted. Can you share the configs of the router and the main switch and, if applicable, a simple topology of what you are wanting to accomplish?



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi maybe you can do something like this:

 

1. First, if you want to route on the C3650CX you have to add SVI interfaces for VLAN 10 and VLAN 40 there and enable routing:

 

Example:

 

SW1(config)#ip routing

 

SW1(config)#interface vlan 10
SW1(config-if)#ip address 192.168.100.100 255.255.255.0
SW1(config-if)#no shutdown

 

SW1(config)#interface vlan 40
SW1(config-if)#ip address 192.168.40.100 255.255.255.0
SW1(config-if)#no shutdown

 

SW1(config)#interface vlan 122
SW1(config-if)#ip address 192.168.122.101 255.255.255.0
SW1(config-if)#no shutdown

Now, you need to edit the DHCP server scopes for VLAN10 and VLAN40 and use the SVI address as the gateway. This will permit local routing between VLAN10 and VLAN40 using the C3650CX.

To route the internet traffic to Sophos, you should use a static route like:

 

ip route 0.0.0.0 0.0.0.0 192.168.122.100

192.168.122.100 is the IP address for VLAN122 on Sophos.

In addition, you have to add static routes from Sophos to the SW SVI to permit the traffic, like:

 

ip route 192.168.100.0 255.255.255.0 192.168.122.101
ip route 192.168.40.0 255.255.255.0 192.168.122.101

 

To permit only traffic between VLAN 10 and VLAN 40 you can try an ACL and then apply it to the SVI interface:

 

access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 deny ip any any

 

 

I hope this will be useful for you.
Kind Regards

 

 

Thanks for your reply!

 

Right now I am trying to connect the 3560 switch to the Sophos UTM using a different IP subnet, no vlan.

No ACLs in place.

 

I can successfully ping the UTM from the switch.

I can ping the switch (192.168.10.2) from the Host PC (192.168.10.31)

I can ping 192.168.90.2 from the Host PC (192.168.10.31)

I cannot ping the UTM (192.168.90.1) from the Host PC (192.168.10.31)

 

What am I doing wrong?

 

Sophos utm:

Switchport mode access (no vlan tagging)
ip address 192.168.90.1 255.255.255.0
Static IP route 192.168.10.0/24 via 192.168.90.2

 

 

3560:

interface GigabitEthernet0/10
 no switchport
 ip address 192.168.90.2 255.255.255.0
interface GigabitEthernet0/7
 switchport access vlan 10
 switchport mode access
interface Vlan10
 ip address 192.168.10.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.90.1

 

 

Host PC (connected to port 7 on the 3560)

IP: 192.168.10.31 255.255.255.0
GW: 192.168.10.2

 

 

 

 

IP route:

sw1-overloop#show ip route    
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.90.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.90.1
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Vlan10
L        192.168.10.2/32 is directly connected, Vlan10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, Vlan20
L        192.168.20.2/32 is directly connected, Vlan20
      192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.40.0/24 is directly connected, Vlan40
L        192.168.40.2/32 is directly connected, Vlan40
      192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.90.0/24 is directly connected, GigabitEthernet0/10
L        192.168.90.2/32 is directly connected, GigabitEthernet0/10
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/24 is directly connected, Vlan122
L        192.168.122.2/32 is directly connected, Vlan122

 

IP interface:

sw1-overloop#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES manual up                    up      
Vlan10                 192.168.10.2    YES NVRAM  up                    up      
Vlan20                 192.168.20.2    YES NVRAM  up                    up      
Vlan40                 192.168.40.2    YES NVRAM  up                    up      
Vlan99                 unassigned      YES unset  up                    up      
Vlan122                192.168.122.2   YES NVRAM  up                    up      
GigabitEthernet0/1     unassigned      YES unset  up                    up      
GigabitEthernet0/2     unassigned      YES unset  up                    up      
GigabitEthernet0/3     unassigned      YES unset  up                    up      
GigabitEthernet0/4     unassigned      YES unset  up                    up      
GigabitEthernet0/5     unassigned      YES unset  up                    up      
GigabitEthernet0/6     unassigned      YES unset  up                    up      
GigabitEthernet0/7     unassigned      YES unset  up                    up      
GigabitEthernet0/8     unassigned      YES unset  down                  down    
GigabitEthernet0/9     unassigned      YES unset  down                  down    
GigabitEthernet0/10    192.168.90.2    YES manual up                    up      
GigabitEthernet0/11    unassigned      YES unset  down                  down    
GigabitEthernet0/12    unassigned      YES unset  down                  down   

Hello

Also, have you checked that the UTM device is configured to allow ICMP from internal networks?




Kind Regards
Paul

Thanks for the reply, already had this enabled.

 

Looks like the 3560 is not routing between vlans.

 

I can ping 192.168.1.1 (default vlan1 for the Sophos UTM) from 192.168.10.31

 

As soon as I enable VLAN1 on the switch and assign an IP, I am no longer able to ping the UTM:

sw1-overloop(config)#int vlan1
sw1-overloop(config-if)#ip address 192.168.1.2 255.255.255.0 

This means the UTM routes all vlans that are not assigned in the 3560 switch.

 

Hi dude;

 

First, try to ping from 192.168.90.2 -----> 192.168.90.1; this should work because you are directly connected.

 

  • ping 192.168.90.1 source 192.168.90.2

Also, try to ping 192.168.90.2 and 192.168.10.2 from the UTM.

 

Please check the routing table for that specific IP Address

 

  • show ip route 192.168.90.1

Check the ARP table; you should see an entry for the UTM on Gig 0/10:

 

  • show ip arp
    show ip arp | inc 192.168.90

 

From the PC, use tracert to understand the path that traffic takes:

 

  • tracert 192.168.90.1

In addition, check the log file in the UTM to figure out any other issue.

Thanks.

 

Connection between the switch and UTM is fine.

Looks like the switch is not routing between vlans?

(Refer to my reply above)

 

 

sw1-overloop#show ip arp | inc 192.168.90
Internet  192.168.90.1            2   601a.8c65.016a  ARPA   GigabitEthernet0/10
Internet  192.168.90.2            -   247e.12af.dd86  ARPA   GigabitEthernet0/10
sw1-overloop#show ip route 192.168.90.1
Routing entry for 192.168.90.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet0/10
      Route metric is 0, traffic share count is 1
sw1-overloop#traceroute 192.168.90.1
Type escape sequence to abort.
Tracing the route to 192.168.90.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.90.1 0 msec 0 msec 4 msec

Hello

So please confirm -

 

VLAN 40 should only be accessible to VLAN 10 and the UTM device 192.168.122.1 on VLAN 122? If so, you could apply a RACL or VACL to VLAN 40.

 

ip access-list extended Vlan40
 permit tcp host 192.168.122.1 any established
 deny tcp 192.168.122.0 0.0.0.255 any
 deny tcp 192.168.20.0 0.0.0.255 any
 permit ip any any

interface vlan 40
 ip access-group Vlan40 out


or

ip access-list extended STAN
 permit ip host 192.168.122.1 any
 permit ip any host 192.168.122.1
 permit ip any 192.168.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

vlan access-map VACL 10
 match ip address STAN
 action forward

vlan access-map VACL 99
 action drop
vlan filter VACL vlan-list 40

 



Kind Regards
Paul
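One way to check an isolation ACL before applying it to the switch: an added Python example, not code from this thread or from Cisco, that simulates IOS extended-ACL matching (wildcard masks, any/host, first match wins, implicit deny) and evaluates the STAN entries of the VACL above (the access-list 100 entries of the earlier reply can be checked the same way) against the flows the original poster asked for. The flow list, the camera address 192.168.40.50, the guest and management hosts and the external address are constructed for the example.

```python
# Added example, not from the thread or from Cisco: a tiny simulator of IOS
# extended-ACL matching. Ports and the "established" keyword are not modelled.
from ipaddress import IPv4Address

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst>' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, tok = tok[0], tok[1], tok[2:]
        rules.append((action, proto, _take_addr(tok), _take_addr(tok)))
    return rules

def acl_decision(rules, proto, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for action, rproto, (sn, sw), (dn, dw) in rules:
        if rproto in ("ip", proto) and wildcard_match(src, sn, sw) \
                and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# The STAN ACL from the VACL reply (sequence 10 forward, sequence 99 drop).
STAN = parse_acl("""
permit ip host 192.168.122.1 any
permit ip any host 192.168.122.1
permit ip any 192.168.10.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
""")

# Constructed flows (proto, src, dst, expected) from the poster's requirements.
REQUIRED_FLOWS = [
    ("udp", "192.168.10.31", "192.168.40.50", "permit"),  # PC to camera
    ("tcp", "192.168.40.50", "192.168.10.31", "permit"),  # camera to PC
    ("udp", "192.168.40.50", "192.168.122.1", "permit"),  # camera NTP to UTM
    ("udp", "192.168.20.15", "192.168.40.50", "deny"),    # guest VLAN20
    ("tcp", "192.168.122.50", "192.168.40.50", "deny"),   # other mgmt host
    ("udp", "192.168.40.50", "203.0.113.9", "deny"),      # camera to internet
]

def policy_violations(rules, flows):
    return [f for f in flows if acl_decision(rules, *f[:3]) != f[3]]
```

The same evaluator also shows why the wildcard mask matters: an entry written with 0.0.0.0 on 192.168.20.0 matches only that single address, so a guest at 192.168.20.15 would fall through to a later permit.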