Need Help IMMEDIATELY

Answered Question
Aug 14th, 2007

Thanks, folks.

Here goes..

I need to create an isolated vlan on a 3560. Not sure how to provide that L3 isolation. Hosts on this isolated vlan will plug directly into the switch.

So, let's say I create vlan 10 for the isolated vlan. I would create the SVI for vlan 10 also (layer 3 routing).

ex:

interface vlan 10
 description isolated vlan
 ip address 10.10.10.1 255.255.255.0

and then

interface gig0/40
 switchport access vlan 10
int gi0/41
 switchport access vlan 10

...and so on...

and then what??

farkascsgy Tue, 08/14/2007 - 00:54

Hi,

And put an ACL under the VLAN 10 interface to isolate this subnet from the others, or if you don't need access from this subnet to the others you don't need L3 SVI.

bye

FCS

Please rate me if I helped.

Richard Burts Tue, 08/14/2007 - 02:42

FCS makes a very good point. If you want the VLAN to be truly isolated, just create the layer 2 VLAN, assign ports to the VLAN, and do not create a layer 3 SVI. The devices on that VLAN would communicate with each other and with nothing else - truly isolated.

On the other hand, if you want the VLAN sort of isolated (perhaps access to outside/Internet resources but not to internal resources) then you would need access list filtering to control the traffic.

So can we clarify your requirement: truly isolated or sort of isolated?

HTH

Rick


rwedham Tue, 08/14/2007 - 03:15

Hi,

If you need the L3 interface on the 3560 you can create a VRF instance for that VLAN (using VRF-Lite). This keeps the L3 interface separated from the rest of the switch.

ip vrf ISOLATED
 rd 65000:1
 route-target both 65000:1
!
interface vlan 10
 description isolated vlan
 ip vrf forwarding ISOLATED
 ip address 10.10.10.1 255.255.255.0
!
interface gig0/40
 switchport access vlan 10

This could be one way!

/Regards Rikard

lamav Tue, 08/14/2007 - 08:03

Rikard, thanks. I will keep in mind your suggested approach.

But for now, I am really interested in knowing if my configs and approach are correct.

lamav Tue, 08/14/2007 - 08:05

Folks, thank you so much for everyone's input.

There is ONE server that supports WSUS that is on another vlan that devices on this isolated vlan will need access to. So, I DID configure an SVI for vlan 37 (the isolated vlan) and I added the below access lists.

Can someone review the configs, especially the ACL, to make sure it is correct? I do have to permit eigrp, right?

Can you please review what I have in general and give either a thumbs UP or DOWN?

Here is the set up.

I have a 3560 which will be an L2 switch only. Vlan traffic will be trunked up to an L3 6513.

3560 configs:

vlan 37
 name OCC_Security_VLAN
!
vlan 250
 name Management_vlan
!
interface FastEthernet0/1
 description OCC Security Devices
 switchport access vlan 37
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/2
 description OCC Security Devices
 switchport access vlan 37
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/3
 description OCC Security Devices
 switchport access vlan 37
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description ***L2 Trunk to twcn18-swcorep1_13/7***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,37,250
 switchport mode dynamic desirable
 udld port aggressive
 spanning-tree guard loop
!
interface Vlan1
 no ip address
!
interface Vlan250
 description ***Network Devices Management Vlan***
 ip address 172.16.250.122 255.255.255.128
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.250.1

6513 configs:

L2 PART:

set vlan 37 name OCC_Security_VLAN
set port name 13/7 Trunk to OCC Switch
clear trunk 13/7 2-36,38-249,251-4094
set trunk 13/7 desirable dot1q 1,37,250
set udld aggressive-mode enable 13/7
set spantree guard loop 13/7
set port enable 13/7

MSFC PART:

interface vlan 37
 description OCC_Security_VLAN
 ip address 172.16.37.2 255.255.255.0
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_OUT out
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_IN in
 no shutdown
!
router eigrp 200
 network 172.16.37.0 0.0.0.255
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_OUT
 permit ip any host 172.16.1.159
 permit eigrp any any
 deny ip any any log
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_IN
 permit ip host 172.16.1.159 any
 permit eigrp any any
 deny ip any any log

WILL THIS WORK?

Richard Burts Tue, 08/14/2007 - 09:19

Victor

As part of answering your question there is something that we need to clarify. On the isolated VLAN 37 do you want to (need to) run EIGRP on that interface. I can understand that you need EIGRP to advertise that subnet, but do you have any need to send EIGRP hellos or listen for EIGRP updates on that interface? Since there is only a single host that will communicate outside of that subnet I can not imagine that you need EIGRP to be active on that interface.

If you do not need EIGRP actively advertising out that VLAN interface then I would suggest that you add under router eigrp the command passive-interface vlan37. And then there is no question of needing EIGRP in the access list.

Other than that I think that what you posted looks like it will work ok.

HTH

Rick

lamav Tue, 08/14/2007 - 09:30

Rick:

I brain-farted, as we used to say in the navy.

I realized it a few minutes ago.

The answer is no, I do NOT need the vlan 37 SVI to pass routing updates. That was silly. It's simply an SVI to support the vlan.

So I removed the "permit eigrp any any" line from the access list that I applied to that interface.

The effect I want is that the vlan does get advertised through eigrp, and it would normally be reachable by everyone in the routing domain, EXCEPT that I added the ACL so that only ONE host can communicate with that vlan and vice versa.

Pavel Bykov Tue, 08/14/2007 - 09:52

I agree with Rick. I think it will work fine.

Also, ACLs have an implicit deny at the end. So you don't need to have that statement. Unless of course you want to log, as you wrote.

If you want to log, don't forget to increase your log size, and enable the level required for ACL log - INFORMATIONAL (or level 6)

Like:

logging buffered 128000 info

lamav Fri, 08/17/2007 - 05:23

Guys:

When I applied the access list it didn't work. I had to reverse the direction.

The effect I want is for the hosts on the segregated vlan (37) to ONLY be able to talk to the 172.16.1.159 host. And vice versa.

So I applied the ACLs according to the way I show earlier in this post. It didn't work. I had to reverse the direction...I don't get it

lamav Fri, 08/17/2007 - 06:14

Never mind, I think I got it.

When applying an ACL in the 'out' direction, it means traffic going out TO the vlan, not out OF the vlan.

Correct Answer
Richard Burts Fri, 08/17/2007 - 06:18

Victor

I apologize for not having read your earlier post quite carefully enough. I was focused on the syntax and believed that the statements in the access list were sufficient and adequate. But I did not look carefully at which ACL was applied in which direction.

To make it easier to discuss I am copying from the earlier post the essential parts of the config. Please correct me if any part of this is not as you implemented it:

 description OCC_Security_VLAN
 ip address 172.16.37.2 255.255.255.0
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_OUT out
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_IN in
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_OUT
 permit ip any host 172.16.1.159
 deny ip any any log
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_IN
 permit ip host 172.16.1.159 any
 deny ip any any log
!

The essential concepts are that VLAN 37 (the isolated VLAN) uses subnet 172.16.37.0 and the host 172.16.1.159 is on some other remote subnet.

The part where things get confused is in and out. So let's think of the functionality this way: filtering in and out is done from the perspective of the interface on the MSFC. So filtering inbound is filtering where hosts in 172.16.37 are the source and traffic is coming INto the interface to get to destination 172.16.1.159. So the filter with source 172.16.37.0 needs to be IN. And filtering outbound traffic is traffic going from the interface OUT to 172.16.37 hosts. So the outbound filter needs to specify 172.16.1.159 as the source and 172.16.37 as the destination. You have configured correct permit and deny statements, but the filter that has the IN statements is the filter that you named OUT. And the filter that you named IN has the correct statements to be the out filter.

If you think about it this way does it make more sense?

[edit] I just saw the other response that you posted while I was typing my response. I believe that you have the correct understanding.

HTH

Rick
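The direction rule Rick describes (and Pavel's earlier point about the implicit deny and the "log" keyword) is easy to check offline. The following is an added example, not configuration or code from this thread or from Cisco: it parses the two named ACLs as discussed above (single hosts written with the "host" keyword), models an SVI that applies its "in" list to traffic arriving from VLAN hosts and its "out" list to traffic leaving toward them, and runs a few constructed packets through both the as-posted and the swapped assignment. The VLAN 37 host 172.16.37.10 and the "other" internal host 172.16.5.5 are invented for the example.

```python
"""Model of how Cisco IOS applies ACLs to an SVI in the 'in' and 'out'
directions. Added example, not configuration from the thread: the ACL text
mirrors the thread's named extended ACLs (single hosts written with 'host')
and every packet below is a constructed sample."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto", defaults=["tcp"])
Ace = namedtuple("Ace", "action proto src dst log")  # proto 'ip' matches all IP protocols


def _address(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard -> netmask; a non-contiguous wildcard raises ValueError here
    netmask = ip_address(0xFFFFFFFF ^ int(ip_address(tokens[1])))
    return ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse the body of a named extended ACL into an ordered list of ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):   # header or comment line
            continue
        src, rest = _address(tokens[2:])
        dst, rest = _address(rest)
        aces.append(Ace(tokens[0], tokens[1], src, dst, "log" in rest))
    return aces


def evaluate(aces, pkt, log_buffer):
    """First match wins; every IOS ACL ends with an implicit, unlogged deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) in ace.src and ip_address(pkt.dst) in ace.dst:
            if ace.log:
                log_buffer.append(f"{ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
            return ace.action == "permit"
    return False


class Svi:
    """'in' filters traffic the SVI receives FROM its VLAN; 'out' filters
    traffic the SVI sends TOWARD its VLAN."""
    def __init__(self, subnet, acl_in=None, acl_out=None):
        self.subnet, self.acl_in, self.acl_out = subnet, acl_in, acl_out
        self.log_buffer = []

    def forwards(self, pkt):
        if ip_address(pkt.src) in self.subnet:
            acl = self.acl_in       # VLAN host is the source: inbound to the SVI
        else:
            acl = self.acl_out      # VLAN host is the destination: outbound
        return True if acl is None else evaluate(acl, pkt, self.log_buffer)


VLAN37 = ip_network("172.16.37.0/24")
WSUS = "172.16.1.159"
ALLOW_ONLY_WSUS_TRAFFIC_OUT = parse_acl(f"""
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_OUT
 permit ip any host {WSUS}
 deny ip any any log""")
ALLOW_ONLY_WSUS_TRAFFIC_IN = parse_acl(f"""
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_IN
 permit ip host {WSUS} any
 deny ip any any log""")

# Constructed traffic: a VLAN 37 host reaching WSUS and an unrelated internal
# host (172.16.5.5 is invented), plus the return direction of each.
SAMPLES = {
    "vlan37 -> wsus": Packet("172.16.37.10", WSUS),
    "wsus -> vlan37": Packet(WSUS, "172.16.37.10"),
    "vlan37 -> other": Packet("172.16.37.10", "172.16.5.5"),
    "other -> vlan37": Packet("172.16.5.5", "172.16.37.10"),
}


def policy_results(acl_in, acl_out):
    """Return {sample: permitted?} and the lines 'deny ... log' would emit."""
    svi = Svi(VLAN37, acl_in, acl_out)
    return {name: svi.forwards(pkt) for name, pkt in SAMPLES.items()}, svi.log_buffer


def as_posted():       # names read literally: '_OUT' applied out, '_IN' applied in
    return policy_results(ALLOW_ONLY_WSUS_TRAFFIC_IN, ALLOW_ONLY_WSUS_TRAFFIC_OUT)


def as_corrected():    # seen from the SVI, traffic sourced by VLAN hosts is 'in'
    return policy_results(ALLOW_ONLY_WSUS_TRAFFIC_OUT, ALLOW_ONLY_WSUS_TRAFFIC_IN)


def implicit_deny():   # no explicit 'deny ... log': still dropped, nothing logged
    svi = Svi(VLAN37, acl_in=parse_acl(f"permit ip any host {WSUS}"))
    return svi.forwards(SAMPLES["vlan37 -> other"]), len(svi.log_buffer)


if __name__ == "__main__":
    print("as posted:", as_posted()[0])
    print("directions swapped:", as_corrected()[0])
```

With the lists applied as originally posted every sample is dropped, including the WSUS traffic that was meant to pass, which is the "it didn't work" reported above; with the two lists swapped the WSUS flows pass in both directions and only the two unrelated flows hit the logged deny. The implicit_deny case shows why Pavel's remark matters: without the explicit "deny ip any any log" the packet is still dropped, but nothing reaches the log buffer.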

lamav Fri, 08/17/2007 - 06:33

Rick:

There is no need for apologies. I thank you for taking the time and concern. I appreciate it very much. And yes, it is easier to understand now. I was thinking of it backwards.

Richard Burts Fri, 08/17/2007 - 06:40

Victor

It is very easy to think backwards about this topic. It takes most of us a while to get this concept straight. I am glad that you now have a better understanding of it.

Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read what resolved the issue. I encourage you to continue your participation in the forum.

HTH

Rick
