Is it possible to configure 3560 switch to allow only specific host to have access to all VLANs ????

begad.nashaat
Level 1

Dears,

I have configured the following VLANs on my Cisco 3560 switch:

  • VLAN 30
  • VLAN 40
  • VLAN 50

Inter-VLAN routing is allowed between them; however, I want to configure the switch to let one specific host have access to all VLANs, while all other hosts have connectivity only to the members of their own VLAN.

Any suggestions?

Best Regards,

Begad Ahmed

21 Replies

MAC-based filtering will work if your IOS supports the mac access-group command under interfaces.

If so, create a MAC access-list:

switch3560(config)#mac access-list extended TEST
switch3560(config-ext-macl)#permit host H.H.H any

and apply it on all three VLAN interfaces like:

switch3560(config)#interface vlan 30
switch3560(config-if)#mac access-group TEST in
switch3560(config)#interface vlan 40
switch3560(config-if)#mac access-group TEST in
switch3560(config)#interface vlan 50
switch3560(config-if)#mac access-group TEST in

This will permit that special MAC to reach the MACs (hosts) in the other VLANs too; the rest will communicate within their own VLAN, as the implicit deny at the end will not allow any other host out of its VLAN.

If mac access-group is not supported, then it may not be possible MAC-based, or at least it is the most complex way.

Then go for the earlier approach:

ip access-list extended ACL1
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

! Here a simple access-group under the VLAN interface will work, but it feels good to use fancy configs like a route-map.

route-map RM_ACL1 permit 10
 match ip address ACL1

int vlan 30
 ip policy route-map RM_ACL1

int vlan 40
 ip policy route-map RM_ACL1

int vlan 50
 ip policy route-map RM_ACL1

------------------------

I think/guess this is what you are looking for.

P.S.: Please don't forget to mark as the correct answer if so.

Regards

Suresh

Regarding the configuration of VLAN maps: will it allow communication between hosts that are members of the same VLAN, while allowing only my special host to access the other VLANs?

For example: if my special host is assigned an IP address in VLAN 30 (192.168.30.2), it will have access to the other VLANs (40, 50), while all other hosts in VLAN 30 will not have access to VLANs 40 and 50; however, they can still communicate with each other.

switch3560(config)#mac access-list extended SPECIAL_MAC
switch3560(config-ext-macl)#permit host H.H.H any
! H.H.H is your special host's MAC address
switch3560(config)#vlan access-map TEST 10
switch3560(config-access-map)#match mac address SPECIAL_MAC
switch3560(config-access-map)#action forward
switch3560(config-access-map)#exit
switch3560(config)#vlan filter TEST vlan-list 30-50

Just edited my last comment... please refer to it.

Actually, on the Cisco Catalyst 3560 the mac access-group command is supported only on Layer 2 interfaces, while it is supported on Layer 3 interfaces on routers like the Cisco 12k router.

So in my case the mac access-group command is not supported. Accordingly, do you think that the other approach of using VLAN maps, as you mentioned earlier, will fulfill my requirements?

I don't think so!

As I said, that may be the most complex solution, as you need to know all the MAC addresses and apply permit/deny statements from one MAC to all the other MACs in a particular VLAN (this can be possible for a few hosts, like 5 to 10).

So, better use the IP-based filtering solution provided earlier.

Regards

Suresh

tzunt
Level 1

Yes, it may be possible. You could configure a switchport for the host with switchport mode trunk and a subinterface for each VLAN, if the NIC on the host supports trunking. I've seen file servers configured in this way, binding an IP address on the host for each subnet associated with the VLANs. Just one possibility. HTH

Hi tzunt,

As I mentioned, filtering based on IP is possible and it is so easy and clear.

The method you explained may not work, as subinterfaces can't be created on the 3560; instead, only L3 SVIs are used. But the solution will work in another way.

Create a trunk port allowing VLANs 30, 40 and 50 (the host NIC must support trunk/dot1Q) and configure the rest of the interfaces as access ports in the required VLANs accordingly.

interface FastEthernet0/1
 description ***port for special host***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30-50
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 50
 switchport mode access

Again, we need to define SVI interfaces for segregating the networks (to allow the special host to communicate between the three VLANs). Then, even though the access-port hosts belong to VLANs 30/40/50, they can communicate with each other because L3 communication takes place (routing will happen), which should not happen as per the requirement.

So, what I think is that an ACL with IP-based filtering will work flawlessly.

Please correct me if I am wrong.

Regards

Suresh
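The IP-based filtering that Suresh recommends, written out as an added example (not a configuration from this thread): extended ACLs applied inbound on each 3560 SVI so that only the special host 192.168.30.2 (the address used in the question) is routed between VLANs 30, 40 and 50, while the return path from the other VLANs back to that host is also permitted. The /24 subnets are taken from the ACL lines above; the SVI addresses ending in .1 are an assumption.

```cisco
! Added example, not from the thread. Assumptions: 192.168.30/40/50.0 /24,
! SVI address .1 in each subnet, special host 192.168.30.2.
! Intra-VLAN traffic is switched at Layer 2 and never reaches these ACLs, so
! ordinary hosts keep talking inside their own VLAN; the ACLs only govern
! what is routed between VLANs and what may reach the SVI addresses.
!
ip access-list extended VLAN30_IN
 remark only the special host may leave VLAN 30
 permit ip host 192.168.30.2 any
 remark other hosts may still reach their own gateway and subnet
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
 remark "log" punts denied packets to the CPU; drop it if CPU load matters
 deny   ip any any log
!
ip access-list extended VLAN40_IN
 remark return traffic to the special host; nothing else leaves VLAN 40
 permit ip 192.168.40.0 0.0.0.255 host 192.168.30.2
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended VLAN50_IN
 permit ip 192.168.50.0 0.0.0.255 host 192.168.30.2
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip any any log
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group VLAN30_IN in
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group VLAN40_IN in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip access-group VLAN50_IN in
```

Verify with show ip access-lists, then test from an ordinary VLAN 30 host that pings to 192.168.40.x fail while pings to 192.168.30.1 and other VLAN 30 hosts succeed, and that 192.168.30.2 reaches all three subnets.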
