08-14-2007 12:36 AM - edited 03-05-2019 05:52 PM
Thanks, folks.
Here goes...
I need to create an isolated vlan on a 3560. Not sure how to provide that L3 isolation. Hosts on this isolated vlan will plug directly into the switch.
So, let's say I create vlan 10 for the isolated vlan. I would create the SVI for vlan 10 also (layer 3 routing).
ex:
interface vlan 10
description isolated vlan
! an SVI takes a host address plus a dotted mask, not a subnet in CIDR form;
! .1 in 10.10.10.0/24 is assumed here for the switch's own address
ip address 10.10.10.1 255.255.255.0
and then
interface gig0/40
switchport access vlan 10
int gi0/41
switchport access vlan 10
...and so on...
and then what??
08-14-2007 12:54 AM
Hi,
And put an ACL under the VLAN 10 interface to isolate this subnet from the others, or if you don't need access from this subnet to the others you don't need an L3 SVI.
bye
FCS
Please rate me if I helped.
08-14-2007 02:42 AM
FCS makes a very good point. If you want the VLAN to be truly isolated, just create the layer 2 VLAN, assign ports to the VLAN, and do not create a layer 3 SVI. The devices on that VLAN would communicate with each other and with nothing else - truly isolated.
On the other hand, if you want the VLAN sort of isolated (perhaps access to outside/Internet resources but not to internal resources) then you would need access list filtering to control the traffic.
So can we clarify your requirement: truly isolated or sort of isolated?
HTH
Rick
08-14-2007 07:48 AM
Folks, thank you so much for your input.
There is ONE server that supports WSUS that is on another vlan that devices on this isolated vlan will need access to. So, I DID configure an SVI for vlan 37 (the isolated vlan) and I added the below access lists.
Can someone review the configs, especially the ACL, to make sure it is correct? I do have to permit eigrp, right?
Can you please review what I have in general and give either a thumbs UP or DOWN?
Here is the set up.
I have a 3560 which will be an L2 switch only. Vlan traffic will be trunked up to an L3 6513.
3560 configs:
vlan 37
name OCC_Security_VLAN
!
vlan 250
name Management_vlan
!
interface FastEthernet0/1
description OCC Security Devices
switchport access vlan 37
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
description OCC Security Devices
switchport access vlan 37
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/3
description OCC Security Devices
switchport access vlan 37
switchport mode access
speed 100
duplex full
spanning-tree portfast
interface GigabitEthernet0/1
description ***L2 Trunk to twcn18-swcorep1_13/7***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,37,250
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard loop
!
interface Vlan1
no ip address
!
interface Vlan250
description ***Network Devices Management Vlan***
ip address 172.16.250.122 255.255.255.128
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.250.1
6513 configs:
L2 PART:
set vlan 37 name OCC_Security_VLAN
set port name 13/7 Trunk to OCC Switch
clear trunk 13/7 2-36,38-249,251-4094
set trunk 13/7 desirable dot1q 1,37,250
set udld aggressive-mode enable 13/7
set spantree guard loop 13/7
set port enable 13/7
MSFC PART:
interface vlan 37
description OCC_Security_VLAN
ip address 172.16.37.2 255.255.255.0
ip access-group ALLOW_ONLY_WSUS_TRAFFIC_OUT out
ip access-group ALLOW_ONLY_WSUS_TRAFFIC_IN in
no shutdown
router eigrp 200
network 172.16.37.0 0.0.0.255
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_OUT
permit ip any 172.16.1.159
permit eigrp any any
deny ip any any log
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_IN
permit ip 172.16.1.159 any
permit eigrp any any
deny ip any any log
08-14-2007 03:15 AM
Hi,
If you need the L3 interface on the 3560 you can create a VRF instance for that VLAN (using VRF-lite). This makes the L3 interface separated from the rest on the switch.
ip vrf ISOLATED
rd 65000:1
route-target both 65000:1
interface vlan 10
description isolated vlan
! "ip vrf forwarding" must come before "ip address": assigning the VRF clears any address already configured
ip vrf forwarding ISOLATED
! host address plus dotted mask; .1 in 10.10.10.0/24 is assumed
ip address 10.10.10.1 255.255.255.0
interface gig0/40
switchport access vlan 10
This could be one way!
/Regards Rikard
08-14-2007 08:03 AM
Rikard, thanks. I will keep in mind your suggested approach.
But for now, I am really interested in knowing if my configs and approach are correct.
08-14-2007 09:19 AM
Victor
As part of answering your question there is something that we need to clarify. On the isolated VLAN 37 do you want to (need to) run EIGRP on that interface. I can understand that you need EIGRP to advertise that subnet, but do you have any need to send EIGRP hellos or listen for EIGRP updates on that interface? Since there is only a single host that will communicate outside of that subnet I can not imagine that you need EIGRP to be active on that interface.
If you do not need EIGRP actively advertising out that VLAN interface then I would suggest that you add under router eigrp the command passive-interface vlan37. And then there is no question of needing EIGRP in the access list.
Other than that I think that what you posted looks like it will work ok.
HTH
Rick
08-14-2007 09:30 AM
rick:
I brain-farted, as we used to say in the navy.
I realized it a few minutes ago.
The answer is no, I do NOT need the vlan 37 SVI to pass routing updates. That was silly. It's simply an SVI to support the vlan.
So I removed the "permit eigrp any any" line from the access list that I applied to that interface.
The effect I want is that the vlan does get advertised through eigrp, and it would normally be reachable by everyone in the routing domain, EXCEPT that I added the ACL so that only ONE host can communicate with that vlan and vice versa.
08-14-2007 09:52 AM
I agree with Rick. I think it will work fine.
Also, ACLs have an implicit deny at the end. So you don't need to have that statement. Unless of course you want to log, as you wrote.
If you want to log, don't forget to increase your log size, and enable the level required for ACL log - INFORMATIONAL (or level 6)
Like:
logging buffered 128000 info
08-17-2007 05:23 AM
Guys:
When I applied the access list it didn't work. I had to reverse the direction.
The effect I want is for the hosts on the segregated vlan (37) to ONLY be able to talk to the 172.16.1.159 host. And vice versa.
So I applied the ACLs according to the way I show earlier in this post. It didn't work. I had to reverse the direction... I don't get it.
08-17-2007 06:14 AM
Nevermind, i think I got it.
When applying an ACL in the 'out' direction, it means traffic going out TO the vlan, not out OF the vlan.
08-17-2007 06:18 AM
Victor
I apologize for not having read your earlier post quite carefully enough. I was focused on the syntax and believed that the statements in the access list were sufficient and adequate. But I did not look carefully at which ACL was applied in which direction.
To make it easier to discuss I am copying from the earlier post the essential parts of the config. Please correct me if any part of this is not as you implemented it:
description OCC_Security_VLAN
ip address 172.16.37.2 255.255.255.0
ip access-group ALLOW_ONLY_WSUS_TRAFFIC_OUT out
ip access-group ALLOW_ONLY_WSUS_TRAFFIC_IN in
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_OUT
permit ip any 172.16.1.159
deny ip any any log
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_IN
permit ip 172.16.1.159 any
deny ip any any log
!
The essential concepts are that VLAN 37 (the isolated VLAN) uses subnet 172.16.37.0 and the host 172.16.1.159 is on some other remote subnet.
The part where things get confused is in and out. So let's think of the functionality this way: filtering in and out is done from the perspective of the interface on the MSFC. So filtering inbound is filtering where hosts in 172.16.37 are the source and traffic is coming INto the interface to get to destination 172.16.1.159. So the filter with source 172.16.37.0 needs to be IN. And filtering outbound traffic is traffic going from the interface OUT to 172.16.37 hosts. So the outbound filter needs to specify 172.16.1.159 as the source and 172.16.37 as the destination. You have configured correct permit and deny statements, but the filter that has the IN statements is the filter that you named OUT. And the filter that you named IN has the correct statements to be the out filter.
If you think about it this way does it make more sense?
[edit] I just saw the other response that you posted while I was typing my response. I believe that you have the correct understanding.
HTH
Rick
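The direction rule Rick lays out above, together with his earlier passive-interface suggestion, as an added worked example that is not part of the thread: a small Python model of how IOS evaluates an extended ACL bound to an SVI in each direction. It embeds two constructed config fragments, the bindings as Victor first posted them and the swapped bindings. The ACL names are kept exactly as posted so the swap is visible, the bare host addresses are written with the explicit `host` keyword, `permit eigrp` is dropped and `passive-interface Vlan37` is added (the last two follow the thread's own conclusion but are assumptions about the final config). The VLAN 37 host 172.16.37.10 and the second server 172.16.1.20 are made up for the checks.

```python
"""Model of IOS extended-ACL evaluation on an SVI, per direction.

Added example, not from the thread. "in" filters packets entering the
router through the SVI (sources on VLAN 37); "out" filters packets
leaving the router through the SVI toward VLAN 37 hosts.
"""
import ipaddress

# Constructed config fragments. ACL names kept exactly as posted in the thread;
# bare host addresses written with the explicit "host" keyword.
ACL_DEFS = """
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_OUT
 permit ip any host 172.16.1.159
 deny ip any any log
!
ip access-list extended ALLOW_ONLY_WSUS_TRAFFIC_IN
 permit ip host 172.16.1.159 any
 deny ip any any log
"""

# Bindings as first posted: the list whose permit has 172.16.1.159 as *source*
# is applied "in", where every packet has a 172.16.37.x source, so nothing matches.
AS_POSTED = """
interface Vlan37
 ip address 172.16.37.2 255.255.255.0
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_OUT out
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_IN in
""" + ACL_DEFS

# Bindings swapped per Rick's explanation, plus EIGRP made passive on the SVI
# so no "permit eigrp" entry is needed (the passive-interface line is assumed).
CORRECTED = """
interface Vlan37
 ip address 172.16.37.2 255.255.255.0
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_OUT in
 ip access-group ALLOW_ONLY_WSUS_TRAFFIC_IN out
!
router eigrp 200
 network 172.16.37.0 0.0.0.255
 passive-interface Vlan37
""" + ACL_DEFS


def parse_addr(toks, i):
    """Parse one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # wildcard mask: 0 bits must match, so the netmask is its bitwise inverse
    wild = int(ipaddress.ip_address(toks[i + 1]))
    mask = ipaddress.ip_address(0xFFFFFFFF ^ wild)
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(action, proto, src_net, dst_net)]}, {direction: acl_name})."""
    acls, binding, current = {}, {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if toks and toks[:3] == ["ip", "access-list", "extended"]:
            current = toks[3]
            acls[current] = []
        elif toks and toks[:2] == ["ip", "access-group"]:
            binding[toks[3]] = toks[2]          # e.g. {"in": "ALLOW_ONLY_WSUS_TRAFFIC_OUT"}
        elif current and toks and toks[0] in ("permit", "deny"):
            src, i = parse_addr(toks, 2)
            dst, _ = parse_addr(toks, i)        # a trailing "log" keyword is ignored here
            acls[current].append((toks[0], toks[1], src, dst))
        else:
            current = None                      # "!", interface, router ... end the list
    return acls, binding


def acl_permits(entries, src, dst):
    """First match wins, top down; IOS ends every ACL with an implicit deny ip any any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, proto, src_net, dst_net in entries:
        if proto == "ip" and s in src_net and d in dst_net:
            return action == "permit"
    return False


def svi_forwards(config, direction, src, dst):
    """Would the SVI pass a packet src->dst in the given direction ("in" or "out")?"""
    acls, binding = parse_config(config)
    name = binding.get(direction)
    return True if name is None else acl_permits(acls[name], src, dst)


def wsus_round_trip(config, host, wsus):
    """Host->WSUS enters the router via the SVI; the reply leaves it toward the host."""
    return svi_forwards(config, "in", host, wsus) and svi_forwards(config, "out", wsus, host)


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: 172.16.37.10 <-> WSUS:", wsus_round_trip(cfg, "172.16.37.10", "172.16.1.159"))
    print("corrected: 172.16.37.10 -> 172.16.1.20:", svi_forwards(CORRECTED, "in", "172.16.37.10", "172.16.1.20"))
```

The model covers only what the thread needs: `ip` entries with `any`, `host` or address-plus-wildcard, first-match semantics and the implicit deny. With the bindings as posted, the inbound list's only permit has 172.16.1.159 as source, so a VLAN 37 host never matches it and the round trip fails; with the bindings swapped, the WSUS exchange passes in both directions and any other destination or source falls through to the deny. Two caveats worth keeping in mind: an ACL on the SVI never sees traffic switched between two hosts inside VLAN 37 itself, and `deny ... log` sends each matching packet to the route processor, which is why the logging advice earlier in the thread matters.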
08-17-2007 06:33 AM
Rick:
There is no need for apologies. I thank you for taking the time and concern. I appreciate it very much. And yes, it is easier to understand now. I was thinking of it backwards.
08-17-2007 06:40 AM
Victor
It is very easy to think backwards about this topic. It takes most of us a while to get this concept straight. I am glad that you now have a better understanding of it.
Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read what resolved the issue. I encourage you to continue your participation in the forum.
HTH
Rick