Deny ip traffic to local networks

Unanswered Question
Apr 12th, 2009

I work for a healthcare company with 20 branches.

My question is related to the implementation of dynamic routing between the branches.

The current situation is as follows:

Our network consists of a Catalyst 4507 at our main location and 3560's at our branches. For the employee workstations we've created VLANs. Every branch has its own VLAN. Our servers are together in a server VLAN.

At our main location, at the 4507, there are VLAN interfaces in each VLAN and IP routing is enabled for routing between the VLANs. The branches are connected via trunks in one ring-like network.

Internet for our employees is provided by a hardware firewall, which is connected with one of its interfaces to a switch interface on the 4507. This firewall interface is configured as the gateway of last resort with the ip route command.

To provide our patients with an internet connection we've created a company-wide VLAN. This VLAN doesn't have a VLAN interface on the 4507, so traffic to and from this patients VLAN cannot be routed to and from our other VLANs. We have done this for security reasons.

The firewall has a second interface in this VLAN; DHCP is enabled on that interface and it acts as the routed interface (default gateway) for the patients VLAN.

In the near future we want to implement dynamic routing between our branches with OSPF. We want to get this done by setting up the trunking interfaces of the 3560's to be routed interfaces. This means that at every branch an employee VLAN and a patients VLAN need to be created.

What is the best way to keep the patients' IP traffic separated from the other traffic? I was thinking of creating an ACL on the patients VLAN interface which denies traffic to private networks (10.x.x.x in our case), so that only traffic to the internet is allowed. But is this the best way?

Is there a way to route our patients internet traffic directly to a chosen interface at the firewall?

Is there a technique to span a VLAN, or in other words to span the same IP subnet over multiple branches in this configuration?

thanks in advance
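The ACL approach raised in the question, written out as an added example (this is not configuration from the original post). It assumes the branch 3560 already routes the patients VLAN on an SVI, that the patients subnet at this branch is 10.200.1.0/24, and that the firewall's patient-side interface at 10.200.0.1 also serves DHCP and DNS for patients; all of those addresses and the VLAN number are assumptions.

```cisco
! Added example, not from the original post. Addresses/VLAN numbers assumed.
! Inbound filter on the branch patients SVI: patients may reach the firewall's
! patient-side interface (assumed gateway/DHCP/DNS) and the Internet, but not
! anything inside the corporate 10/8 or the other RFC 1918 ranges.
ip access-list extended PATIENTS-IN
 remark -- explicit permit for the firewall patient-side interface (assumed 10.200.0.1)
 permit ip 10.200.1.0 0.0.0.255 host 10.200.0.1
 remark -- everything else in private space is off limits, corporate 10/8 included
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark -- what is left is Internet-bound (DHCP broadcasts also fall through here)
 permit ip any any
!
interface Vlan200
 description patients VLAN (branch, assumed VLAN 200)
 ip address 10.200.1.1 255.255.255.0
 ip helper-address 10.200.0.1
 ip access-group PATIENTS-IN in
!
! verification
! show ip access-lists PATIENTS-IN      -> per-line hit counters
! show ip interface Vlan200 | include access list
```

Two caveats a practitioner would want noted. First, this filter is deny-by-destination: it is only as complete as the list of private ranges, and it has to be repeated and kept identical on every branch SVI; one branch where it is missing or mistyped exposes the whole corporate 10/8, because patients and employees still share one routing table. Second, it blocks patient-to-corporate traffic only; if the firewall should also not be reachable on its employee-side address from patients, add a deny for that host before the permits.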

Giuseppe Larosa Sun, 04/12/2009 - 02:53

Hello Dennis,

You can think of using MPLS VPN, also in the VRF-lite form: it provides built-in segregation and you can put the patients VLANs in VRFs.


To check if a switch supports it, do the following:

switch(config)#ip vrf ?

WORD VPN Routing/Forwarding instance name

it supports it and it is


but this is a C3560E

Hope to help
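A worked VRF-lite layout for the split Giuseppe describes, as an added example that is not from the original thread or from Giuseppe. It assumes a branch 3560 running an image that accepts `ip vrf` (the check shown in the reply), keeps the existing trunk toward the core but limits it to two point-to-point transit VLANs (one per routing table), and terminates the patients VRF on the 4507 at the firewall's patient-side interface. The VRF name, route distinguisher, VLAN numbers, addresses and OSPF process numbers are all assumptions.

```cisco
! Added example, not Giuseppe's configuration. Names, VLANs, addresses assumed.
! ===== branch 3560 =====
ip vrf PATIENTS
 rd 65000:200
!
! employee SVI stays in the global table, patients SVI goes into the VRF
interface Vlan10
 description employees VLAN (branch 1)
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan200
 description patients VLAN (branch 1)
 ip vrf forwarding PATIENTS
 ip address 10.200.1.1 255.255.255.0
 ip helper-address 10.200.0.1
!
! uplink: trunk carrying only two transit VLANs, one per table
! (use a different pair on every link so each one is point-to-point)
interface GigabitEthernet0/1
 description uplink toward core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 901,902
!
interface Vlan901
 description transit, global table
 ip address 10.255.1.2 255.255.255.252
!
interface Vlan902
 description transit, PATIENTS VRF
 ip vrf forwarding PATIENTS
 ip address 10.255.201.2 255.255.255.252
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 network 10.255.1.0 0.0.0.3 area 0
!
router ospf 2 vrf PATIENTS
 network 10.200.1.0 0.0.0.255 area 0
 network 10.255.201.0 0.0.0.3 area 0
!
! ===== 4507 core =====
ip vrf PATIENTS
 rd 65000:200
!
interface Vlan902
 description transit to branch 1, PATIENTS VRF
 ip vrf forwarding PATIENTS
 ip address 10.255.201.1 255.255.255.252
!
! the firewall's patient-side interface is the only exit from the VRF
interface GigabitEthernet1/2
 description firewall patient-side interface
 no switchport
 ip vrf forwarding PATIENTS
 ip address 10.200.0.2 255.255.255.0
!
ip route vrf PATIENTS 0.0.0.0 0.0.0.0 10.200.0.1
!
router ospf 2 vrf PATIENTS
 network 10.255.201.0 0.0.0.3 area 0
 default-information originate
!
! verification
! show ip route vrf PATIENTS            -> only patient subnets plus the default
! show ip ospf neighbor                 -> one adjacency per process per link
! ping vrf PATIENTS 10.200.0.1
```

The security property this buys is structural rather than filter-based: the PATIENTS table never learns a corporate prefix, so a patient host has no route to 10.10.0.0/16 regardless of whether any ACL exists, and the only way out is the per-VRF default toward the firewall's patient-side interface, which also answers the question of steering patient Internet traffic to a chosen firewall interface. Note that `ip vrf forwarding` clears any address already on the interface, so set the VRF before the address as shown, and that the global and VRF OSPF processes must not be redistributed into each other, or the separation is lost.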


dennisv99 Fri, 05/01/2009 - 11:42

Hello Giuseppe,

Thanks for your advice, but I've never heard of VRF, so I have to do some study work to figure out how this will fit in my network design.

I've searched the internet for some examples, but I couldn't get a clear understanding of it yet.

I think I have to build a test lab first and see it working.

Thanks anyway, I think you've pushed me in the right direction.
