VLANing and IP Address ACLs


Hi All,

I am working on a new network configuration for our company and I'm not sure if I have the right equipment to do what I'm wanting to do. We just got a direct allocation of IPs directly from ARIN and we're setting them up.

Here's the equipment that I have:

1 7301 Router

1 3560G Layer 3 switch

3 2960G 48 Port layer 2 switches

5 Ranges of IP Addresses (Named 1, 2, 3, A, and B for simplicity)

At a conceptual level, what I want to do is say IP Range 1 can only be utilized on 2960G #1, IP Range 2 can only be utilized on 2960G #2, IP Range 3 can only be utilized on 2960G #3, and IP Ranges A and B can be utilized "across" all three 2960Gs. At the same time I want to isolate the layer 2 traffic such that if any host on #1, #2, or #3 starts sending out bad data, it only affects the servers located on its individual switch.

Ideally, I should be able to enter the configuration only on my layer 3 switch and the other switches could be dumb.

This is "pseudo-IOS" for what I am wanting to accomplish on my layer 3 switch:

--------------
interface gi0/1
 ip access deny all
 ip access allow 10.10.1.1 10.10.1.255 (IP range 1)
 ip access allow 10.10.100.1 10.10.100.255 (IP range A)
 ip access allow 10.10.200.1 10.10.200.255 (IP range B)
exit

interface gi0/2
 ip access deny all
 ip access allow 10.10.2.1 10.10.2.255 (IP range 2)
 ip access allow 10.10.100.1 10.10.100.255 (IP range A)
 ip access allow 10.10.200.1 10.10.200.255 (IP range B)
exit

interface gi0/3
 ip access deny all
 ip access allow 10.10.3.1 10.10.3.255 (IP range 3)
 ip access allow 10.10.100.1 10.10.100.255 (IP range A)
 ip access allow 10.10.200.1 10.10.200.255 (IP range B)
exit
--------------

I know I am mixing layer 2 and layer 3 concepts together.

Does anyone have any suggestions?

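The pseudo-IOS in the question, written out as real Cisco IOS port ACLs on the 3560G. This is an added example, not the poster's configuration: the ACL names, interface numbers and the /24 wildcard masks (taken from the 10.10.x.1-10.10.x.255 ranges above) are assumptions. Two things differ from the pseudo-config on purpose. IOS evaluates an ACL top-down and stops at the first match, so a "deny all" placed first would block everything; the permits come first and the deny is last (it is also implicit). And on a 3560 a port ACL filters inbound traffic only, so each list is applied with "in" on the port facing the 2960G whose ranges it permits.

```ios
! Added example (not from the original post): the poster's intent as IOS
! port ACLs on the 3560G. Names, ports and masks are assumptions.
!
! Each list permits only source addresses from the ranges that belong on
! that 2960G: its own range plus the shared ranges A and B.
ip access-list extended SW1-UPLINK-IN
 remark IP range 1 -- only allowed on the port facing 2960G #1
 permit ip 10.10.1.0 0.0.0.255 any
 remark IP ranges A and B -- allowed on all three ports
 permit ip 10.10.100.0 0.0.0.255 any
 permit ip 10.10.200.0 0.0.0.255 any
 deny ip any any
!
ip access-list extended SW2-UPLINK-IN
 remark IP range 2 -- only allowed on the port facing 2960G #2
 permit ip 10.10.2.0 0.0.0.255 any
 permit ip 10.10.100.0 0.0.0.255 any
 permit ip 10.10.200.0 0.0.0.255 any
 deny ip any any
!
ip access-list extended SW3-UPLINK-IN
 remark IP range 3 -- only allowed on the port facing 2960G #3
 permit ip 10.10.3.0 0.0.0.255 any
 permit ip 10.10.100.0 0.0.0.255 any
 permit ip 10.10.200.0 0.0.0.255 any
 deny ip any any
!
! Port ACLs on the 3560 are supported inbound only; each uplink port gets
! the list that matches the switch behind it.
interface GigabitEthernet0/1
 description Uplink to 2960G #1
 ip access-group SW1-UPLINK-IN in
!
interface GigabitEthernet0/2
 description Uplink to 2960G #2
 ip access-group SW2-UPLINK-IN in
!
interface GigabitEthernet0/3
 description Uplink to 2960G #3
 ip access-group SW3-UPLINK-IN in
```

This enforces the "range 1 only on switch #1" rule at the point where the traffic enters the 3560G, and "show access-lists" on the 3560G shows the per-entry match counters so you can see what a given uplink is sourcing. It does not give the layer 2 isolation the question also asks for: frames between two hosts on the same 2960G never reach the 3560G, and an IP ACL does not examine ARP. That part of the requirement needs VLANs on the 2960Gs themselves, which is the direction the reply below takes.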
sreekanth sarma Sat, 07/26/2008 - 05:19

Hi, as far as my knowledge goes, what I suggest is:

configure VLANs on the L3 switch for all the IP ranges you want, say 5 VLANs

configure 5 SVIs (interface vlan) on the L3 switch and assign an IP address in the corresponding IP range to each, so that these IP addresses act as the gateway for the inside users

and configure all L2 switches with the VLANs and have trunk ports to the L3 switch.

This configures the necessary things, and unless you enable routing on the L3 switch there will be no inter-VLAN routing and no traffic can flow between any two VLANs.

assign the ports on the L2 switches according to their VLANs

I hope it works
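The five-VLAN design just described, written out for the 3560G and one of the 2960Gs. This is an added example, not Sreekanth's own configuration: the VLAN IDs (10, 20, 30, 100, 200), the 10.10.x.1/24 gateway addresses and the interface numbers are assumptions chosen to match the ranges named in the question.

```ios
! Added example (not from the reply above): one VLAN per IP range, an SVI
! per VLAN on the 3560G, 802.1Q trunks to the 2960Gs, access ports on the
! 2960Gs. VLAN IDs, addresses and port numbers are assumptions.
!
! --- 3560G (Layer 3 switch) ---
vlan 10
 name RANGE-1
vlan 20
 name RANGE-2
vlan 30
 name RANGE-3
vlan 100
 name RANGE-A
vlan 200
 name RANGE-B
!
! One SVI per VLAN; its address is the default gateway for hosts in that
! range. Each VLAN is its own broadcast domain, so a misbehaving host only
! floods the VLAN it sits in.
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
interface Vlan20
 ip address 10.10.2.1 255.255.255.0
interface Vlan30
 ip address 10.10.3.1 255.255.255.0
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
interface Vlan200
 ip address 10.10.200.1 255.255.255.0
!
! As the reply notes: with routing disabled (the 3560 default) the SVIs do
! not forward between VLANs, so the five ranges stay fully separated.
! Entering "ip routing" instead turns on inter-VLAN routing.
no ip routing
!
! 802.1Q trunks down to the 2960Gs. Each trunk carries only the VLANs that
! switch is allowed to use: its own range plus the shared ranges A and B.
interface GigabitEthernet0/1
 description Trunk to 2960G #1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,100,200
 switchport nonegotiate
interface GigabitEthernet0/2
 description Trunk to 2960G #2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,100,200
 switchport nonegotiate
interface GigabitEthernet0/3
 description Trunk to 2960G #3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30,100,200
 switchport nonegotiate
!
! --- 2960G #1 (Layer 2 switch; #2 and #3 are the same with their own VLAN) ---
vlan 10
 name RANGE-1
vlan 100
 name RANGE-A
vlan 200
 name RANGE-B
!
! Uplink to the 3560G. The 2960 only speaks 802.1Q, so there is no
! encapsulation command here.
interface GigabitEthernet0/1
 description Uplink to 3560G
 switchport mode trunk
 switchport trunk allowed vlan 10,100,200
 switchport nonegotiate
!
! Server-facing ports: each one is an untagged access port in exactly one
! VLAN, so the host needs no VLAN configuration of its own.
interface range GigabitEthernet0/2 - 48
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

Pruning the allowed VLAN list on each trunk is what makes "range 1 only on 2960G #1" hold: VLAN 10 simply does not exist on the trunks to the other two switches. The limitation the follow-up below runs into is visible in the last stanza: an access port carries one VLAN, so a server that must hold addresses from range 1, A and B at once cannot sit on an access port. It would need its port configured as a trunk and a tagged virtual interface per VLAN on the NIC, which is exactly the per-host setup the original poster found too complex.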

Hi Sreekanth,

Thank you very much for the reply. That was actually something that I tried first. The problem that I ran into was that the individual hosts on Switch 1 will use IPs in 1,A,B, and the hosts on switch 2 will use IPs in 2,A,B and the hosts on switch 3 will use IPs in 3,A,B.

The first time I set that up, we ended up having to use Broadcom NICs with the BACS software and also configure the actual computer's NICs with multiple virtual interfaces which each had the VLAN IDs. That was simply too complex for our users to comprehend. I would like to be able to assign all three IP ranges to the same physical NIC with no additional configuration.

-Tony V.
