limited one way access on a vlan

Jen
Level 1

I've set myself up a lab so I can expand my cisco skills (up until now I've mainly worked with HP) and wanted to play with different concepts.

So as an exercise, I thought I'd try and configure a set of 'cascading VLANs', for want of a better phrase, with limited access in one direction.

E.G:

ID1 = lowest security, anything can access this (seemed obvious given that it's the native VLAN as it were)

ID2 = BYOD vlan

ID3 = Student VLAN

etc

So, VLAN 2 can initiate a connection to VLAN 1, VLAN 1 can reply but not initiate. VLAN 3 can initiate to VLAN 2 or VLAN 1, but VLAN 1 & 2 can't initiate to VLAN 3, and so on.

The whole idea being that higher VLAN numbers are the equivalent of higher security areas and the lower levels are not able to access the higher ones.

I thought this wouldn't be a big deal, but after some GoogleFu this seems to be a lot harder than you'd think.

So, any thoughts on how or if this would be possible (or similar cascading security segmentation using any system), preferably using the Cisco hardware with what I have?

I have the following:

I have 1 Cisco 2621XM router, 1 Cisco 3650G switch and 1 Cisco 3650 switch (10/100 + 2 GBIC).

3 servers with 3 NICs each, each running a virtualisation solution (Xen, VMware, Hyper-V).

1 iSCSI SAN with 2 NICs

So far the only setup is the switches talking to each other at 2GB using PAgP, and the Gigabit switch talking to the iSCSI at 2GB using LACP. The router goes into a 10/100 port of the 2nd switch and is configured to NAT to my main network for internet connectivity.

The running config isn't an issue as this is a lab setup and I have no qualms about nuking the whole setup and starting again. In fact, I'd appreciate being able to set it up from scratch without the fumbling, rolling back and trying something new. :)

Again, this is all to develop a learning experience, as after I get my CompTIAs out of the way (just got Network+ under my belt) I'm thinking of also getting a CCNA.  So, though this is probably overly complicated for a production network, the fact that it is complicated is the reason to do it. :)

1 Reply

Martin Carr
Level 4

You would need to write ACLs to permit the appropriate traffic as per your requirement.

Either the switch or the router needs configuring to provide inter-VLAN routing, and the two have totally different approaches.

The default VLAN (i.e. 1) should not be used.

Martin
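The "initiate downward only, replies allowed back" rule Martin describes can be expressed with reflexive ACLs on the 2621XM doing router-on-a-stick; this is an added example written for this thread, not configuration from either poster. It assumes three constructed VLANs 10/20/30 (lowest to highest trust) on 192.168.10/20/30.0/24, the router on the switch's FastEthernet0/1, and an IOS image on the router that supports `reflect`/`evaluate`.

```cisco
! --- Switch side: the port towards the router carries all three VLANs ---
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! --- Router (2621XM): one dot1Q subinterface per VLAN, ACL applied inbound ---
interface FastEthernet0/0
 no shutdown
!
interface FastEthernet0/0.10
 description VLAN 10 - lowest trust (constructed addressing)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group FROM-V10 in
!
interface FastEthernet0/0.20
 description VLAN 20 - BYOD (middle)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group FROM-V20 in
!
interface FastEthernet0/0.30
 description VLAN 30 - Student (highest trust)
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group FROM-V30 in
!
! Highest VLAN may open anything; each permitted flow is mirrored into the
! reflexive list V30-SESSIONS, so only replies to those flows get back in.
ip access-list extended FROM-V30
 permit tcp 192.168.30.0 0.0.0.255 any reflect V30-SESSIONS timeout 300
 permit udp 192.168.30.0 0.0.0.255 any reflect V30-SESSIONS timeout 60
 permit icmp 192.168.30.0 0.0.0.255 any reflect V30-SESSIONS timeout 60
!
! Middle VLAN: replies to VLAN 30 are allowed, new flows only downward to VLAN 10.
ip access-list extended FROM-V20
 evaluate V30-SESSIONS
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V20-SESSIONS timeout 300
 permit udp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V20-SESSIONS timeout 60
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V20-SESSIONS timeout 60
 deny ip any any log
!
! Lowest VLAN: may only answer sessions that were opened from above.
ip access-list extended FROM-V10
 evaluate V30-SESSIONS
 evaluate V20-SESSIONS
 deny ip any any log
```

The `deny ip any any log` lines also block each VLAN's path to the router's NAT/internet side and to services on the router itself (DHCP, DNS), so those need their own permit entries above the deny; `show ip access-lists` shows the dynamic reflexive entries while a session is open.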
