Inter-VLAN Routing Issue

Unanswered Question
Sep 25th, 2008

I have a 4510 Switch with 20+ VLANs configured on it. Several of the VLANs have IP addresses bound to them so that Inter-VLAN routing is possible. This all works fine. However, I need to restrict which VLANs can route to which VLANs (as some are in a DMZ and some are on the LAN, and I have a Firewall between them). I have read suggestions of using an Access-List on the VLAN, but as I am using OSPF, won't this just cause packets to be routed to a dead end and dropped? Can anyone point me in the right direction to get this sorted correctly? I am struggling to find any documentation on this.


Kind Regards


Mat

nate-miller Thu, 09/25/2008 - 08:46

Because OSPF is a link-state protocol, you can't 'hide' links within a single OSPF area.

Because all of the VLANs are on the same switch, you can't even use different OSPF areas to try and segregate things, because you're not even relying on OSPF to get from VLAN to VLAN - everything is directly connected.


The access list method is clunky and doesn't scale well - and you'll need to clearly understand what traffic patterns you'll allow and deny.


The easiest way to do it is start by getting a list of all your networks, broken into "DMZ" and "Internal".


On the DMZ VLANs, you'll create an inbound access list similar to:

permit tcp any gt 1023 established
deny ip log
deny ip log
permit ip any any



So what this is doing is forbidding the 'dmz' to talk to any of your LAN addresses. If the LAN initiates the conversation inbound, the established line should allow the conversation to finish.


The big problem is the need for the permit ip any any - if you add a new Internal VLAN, it'll be allowing traffic from the DMZ VLANs until you go back and update all the DMZ VLAN ACLs.




A better way to do this would be to investigate using VRF-Lite. Using VRFs lets you create wholly independent routing tables within the switch. Create a DMZ VRF and an internal VRF, and then ... it's going to really complicate the issue and make things a pain in the ass to support unless you know what you're doing, and can mentally translate the support documentation from "MPLS" to what you're really trying to accomplish.


Another option would be to get another L3 capable switch and move all the DMZ VLANs to it - then connect that into your 4500 via the firewalls. Probably my preferred solution, just for ease of understanding what the heck is going on. I don't think the 4500 has a FWSM equivalent, so I don't know of a way to get a firewall in between the VLANs of the switch internally.
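The two approaches from the answer above, written out as a Catalyst 4500 IOS configuration fragment. This is an added example, not nate-miller's config: the VLAN numbers and the 10.1.0.0/16 (Internal) and 10.2.0.0/16 (DMZ) ranges are constructed placeholders, and the VRF-Lite part assumes the switch image supports it.

```cisco
! --- Option 1: inbound ACL on each DMZ SVI ---
! Internal VLANs are all carved from the 10.1.0.0/16 summary, so the deny
! below also covers an Internal VLAN added later; without a summarizable
! range, every new Internal VLAN falls through to "permit ip any any".
ip access-list extended DMZ-IN
 remark Replies to sessions the LAN initiated into the DMZ may complete
 permit tcp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 established
 remark DMZ must not initiate anything toward the Internal ranges
 deny   ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
 remark Everything else (DMZ to DMZ, DMZ out through the firewall)
 permit ip any any
!
interface Vlan20
 description DMZ-web (placeholder)
 ip address 10.2.20.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface Vlan21
 description DMZ-mail (placeholder)
 ip address 10.2.21.1 255.255.255.0
 ip access-group DMZ-IN in
!
! --- Option 2: VRF-Lite, separate routing table for the DMZ ---
! Apply instead of Option 1. Note that "ip vrf forwarding" clears the
! SVI's IP address, so re-enter the address after it.
ip vrf DMZ
 rd 65000:2
!
interface Vlan20
 ip vrf forwarding DMZ
 ip address 10.2.20.1 255.255.255.0
!
interface Vlan21
 ip vrf forwarding DMZ
 ip address 10.2.21.1 255.255.255.0
```

With Option 2 the DMZ SVIs only see routes in the DMZ VRF, so the Internal VLANs are unreachable from them regardless of OSPF; the only path between the two tables is whatever you cable through the firewall.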




