03-13-2015 06:05 AM - edited 03-07-2019 11:04 PM
Dears,
I have configured the following VLANs on my 3560 Cisco switch:
Inter-VLAN routing is allowed between them; however, I want to configure the switch to let one specific host have access to all VLANs, while all other hosts only have connectivity to the members of their own VLAN.
Any suggestions ???
Best Regards,
Begad Ahmed
03-14-2015 04:57 AM
MAC-based filtering will work if your IOS supports the mac access-group command under interfaces;
if so, create a MAC access-list:
switch 3560(config)#mac access-list extended TEST
switch 3560(config-ext-macl)#permit host H.H.H any
and apply it on all three VLAN interfaces, like:
switch 3560(config)#interface vlan 30
switch 3560(config-if)#mac access-group TEST in
switch 3560(config)#interface vlan 40
switch 3560(config-if)#mac access-group TEST in
switch 3560(config)#interface vlan 50
switch 3560(config-if)#mac access-group TEST in
This will permit that special MAC to reach the MACs (hosts) in the other VLANs as well; the rest will communicate only within their VLAN, as the implicit deny at the end of the list will not allow any other host out of its VLAN.
If mac access-group is not supported, then it may not be possible MAC-based, or at least it will be most complex.
Then go for the earlier IP-based approach:
ip access-list extended ACL1
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
####### Here a simple ip access-group under the VLAN interface will work, but it feels good to use fancy configs like a route-map #####
route-map RM_ACL1 permit 10
match ip address ACL1
int vlan 30
ip policy route-map RM_ACL1
int vlan 40
ip policy route-map RM_ACL1
int vlan 50
ip policy route-map RM_ACL1
------------------------
I think/guess this is what you are looking for.
P.S.: please don't forget to mark as correct answer if so.
Regards
Suresh
03-14-2015 04:58 AM
Regarding the configuration of VLAN maps, will it allow communication between hosts that are members of the same VLAN while allowing only my special host to access the other VLANs???
For example: if my special host is assigned an IP address in VLAN 30 (192.168.30.2), it will have access to the other VLANs (40, 50), while all other hosts in VLAN 30 will not have access to VLANs 40 and 50; however, they can communicate with each other.
switch 3560(config)#mac access-list extended SPECIAL_MAC
switch 3560(config-ext-macl)#permit host H.H.H any    ! H.H.H is your special host's MAC address
switch 3560(config)# vlan access-map TEST 10
switch 3560(config-access-map)# match mac address SPECIAL_MAC
switch 3560(config-access-map)# action forward
switch 3560(config-access-map)# exit
switch 3560(config)# vlan filter TEST vlan-list 30-50
03-14-2015 05:02 AM
Just edited my last comment... please refer to it.
03-14-2015 05:28 AM
Actually, on the Cisco Catalyst 3560 the mac access-group command is supported only on Layer 2 interfaces, while it is supported on Layer 3 interfaces on routers like the 12k Cisco router.
So in my case the mac access-group command is not supported. Accordingly, do you think that the other approach of using VLAN maps, as you mentioned earlier, will fulfill my requirements?
switch 3560(config)#mac access-list extended SPECIAL_MAC
switch 3560(config-ext-macl)#permit host H.H.H any    ! H.H.H is your special host's MAC address
switch 3560(config)# vlan access-map TEST 10
switch 3560(config-access-map)# match mac address SPECIAL_MAC
switch 3560(config-access-map)# action forward
switch 3560(config-access-map)# exit
switch 3560(config)# vlan filter TEST vlan-list 30-50
03-14-2015 05:40 AM
I don't think so!
As I said, that may be the most complex solution, as you need to know all the MAC addresses and apply permit/deny statements from one MAC to all the other MACs in a particular VLAN (this is possible for a few hosts, like 5 to 10).
So, better use the IP-based filtering solution provided earlier.
Regards
Suresh
03-14-2015 11:23 AM
Yes, it may be possible. You could configure a switchport for the host with switchport mode trunk and a subinterface for each VLAN, IF the NIC on the host supports trunking. I've seen file servers configured this way, binding an IP address on the host for each subnet associated with the VLANs. Just one possibility. HTH
03-14-2015 06:49 PM
hi tzunt,
As I mentioned, filtering based on IP is possible, and it is easy and clear.
The method you explained may not work, as subinterfaces can't be created on a 3560; only L3 SVIs are used instead. But the solution will work in another way.
Create a trunk port allowing VLANs 30, 40 and 50 (the host NIC must support trunking/dot1Q), and configure the rest of the interfaces as access ports in the required VLANs accordingly.
interface fast0/1
description ***port for special host***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30-50
switchport mode trunk
!
interface fast0/2
switchport access vlan 30
switchport mode access
!
interface fast0/3
switchport access vlan 40
switchport mode access
!
interface fast0/4
switchport access vlan 50
switchport mode access
Again, we need to define SVI interfaces for segregating the networks (to allow the special host to communicate between the three VLANs); then, even though the access-port hosts belong to VLANs 30/40/50, they can communicate with each other because L3 communication takes place (routing will happen), which should not happen as per the requirement.
So, what I think is that an ACL with IP-based filtering will work flawlessly.
Please correct me if I am wrong.
Regards
Suresh
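As an added example (not posted by anyone in this thread) of the IP-based SVI filtering Suresh recommends in his first reply and again at the end: the three inbound ACLs below are constructed here for the 192.168.30/40/50.0 subnets and the special host 192.168.30.2, and the Python parses them and evaluates sample flows with IOS first-match semantics, including the stateless return direction.

```python
import ipaddress
# Added example, not from the thread: inbound ACLs on the three SVIs so that
# only the special host 192.168.30.2 can cross VLANs. IOS ACLs are stateless,
# so VLAN40_IN/VLAN50_IN permit replies to the special host before denying
# their VLAN's traffic to VLAN 30; the trailing permit keeps other routed
# traffic (e.g. a default route) working. All addresses are constructed.
CONFIG = """ip access-list extended VLAN30_IN
 permit ip host 192.168.30.2 any
 deny ip any 192.168.40.0 0.0.0.255
 deny ip any 192.168.50.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN40_IN
 permit ip any host 192.168.30.2
 deny ip any 192.168.30.0 0.0.0.255
 deny ip any 192.168.50.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN50_IN
 permit ip any host 192.168.30.2
 deny ip any 192.168.30.0 0.0.0.255
 deny ip any 192.168.40.0 0.0.0.255
 permit ip any any"""
SVI_ACL = {"192.168.30.0/24": "VLAN30_IN", "192.168.40.0/24": "VLAN40_IN",
           "192.168.50.0/24": "VLAN50_IN"}   # subnet -> ACL applied 'in' on its SVI

def _operand(tok):
    """Consume one ACL address operand: any | host A.B.C.D | A.B.C.D wildcard."""
    if tok[0] == "any":
        return tok[1:], ipaddress.ip_network("0.0.0.0/0")
    addr, mask = (tok[1], "32") if tok[0] == "host" else (tok[0], tok[1])
    return tok[2:], ipaddress.ip_network(f"{addr}/{mask}")  # wildcard parses as a hostmask

def parse_config(text):
    """Parse 'ip access-list extended' blocks into {name: [(action, src, dst)]}."""
    acls, entries = {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            entries = acls.setdefault(tok[3], [])
        else:                                      # permit|deny ip SRC DST
            rest, src = _operand(tok[2:])
            entries.append((tok[0], src, _operand(rest)[1]))
    return acls

def permitted(entries, src_ip, dst_ip):
    """First matching entry decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a == "permit" for a, sn, dn in entries if s in sn and d in dn), False)

def can_talk(src_ip, dst_ip, acls=parse_config(CONFIG)):
    """True if a routed flow passes the ingress SVI ACL in both directions."""
    vlan = lambda ip: next((n for n in SVI_ACL if ipaddress.ip_address(ip) in ipaddress.ip_network(n)), None)
    if vlan(src_ip) == vlan(dst_ip):
        return True                                # same VLAN: bridged, never hits an SVI ACL
    return all(not vlan(a) or permitted(acls[SVI_ACL[vlan(a)]], a, b)   # off-switch source: no ACL
               for a, b in ((src_ip, dst_ip), (dst_ip, src_ip)))
```

Intra-VLAN traffic is switched at Layer 2 and never reaches an SVI ACL, which is why the ACLs above do not need the "own subnet to own subnet" permit lines.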