12-26-2009 11:45 PM - edited 03-06-2019 09:05 AM
Hi.
I am setting up a simulated network environment using GNS3, with a Cisco 3640 router (with a 16-port switch module, so I can simulate a switch, as GNS3 does not support switch emulation). I have 4 PCs and 2 servers connected to the switch:
PC1 192.168.1.1
PC2 192.168.1.2
PC3 192.168.1.3
PC4 192.168.1.4
SVR1 192.168.1.5
SVR2 192.168.1.6
Is there a way to set a gateway for specific PCs connected to a switch? e.g.:
SVR1 for PC1,PC2,PC3
SVR2 for PC4
I know a switch is not supposed to behave like this, but I want to isolate PC4 from any other hosts, and set its gateway to SVR2.
Can I do this?
What about VLAN, can I set a gateway for each VLAN?
12-27-2009 12:19 AM
As you are trying this setup in GNS3 and have a switch module in the Cisco 3640 router, create separate VLANs and assign them IP addresses, which will act as gateways for the hosts residing in those VLANs.
Hope this helps out your query !!
Regards
Ganesh.H
12-27-2009 12:28 AM
Thanks for the reply. I had created 2 vlans to separate them, but how to assign a gateway to each vlan?
Can I run like "ip route" on each VLAN?
12-27-2009 12:41 AM
aptgetmoo wrote:
Hi.
I am setting up a simulated network environment using GNS3, with a Cisco 3640 router (with a 16-port switch module, so I can simulate a switch, as GNS3 does not support switch emulation). I have 4 PCs and 2 servers connected to the switch:
PC1 192.168.1.1
PC2 192.168.1.2
PC3 192.168.1.3
PC4 192.168.1.4
SVR1 192.168.1.5
SVR2 192.168.1.6
Is there a way to set a gateway for specific PCs connected to a switch? e.g.:
SVR1 for PC1,PC2,PC3
SVR2 for PC4
I know a switch is not supposed to behave like this, but I want to isolate PC4 from any other hosts, and set its gateway to SVR2.
Can I do this?
What about VLAN, can I set a gateway for each VLAN?
Setting the gateway for the PC has nothing to do with the switch; you do this either via DHCP or, if you are manually assigning the IP address, when you configure the client.
Jon
12-27-2009 12:51 AM
Yes, I know I can set the gateway on each host, but I want to isolate a host (say, it is infected with a virus) without configuring anything on the host itself. But I want that host to be able to communicate with SVR2, not any other hosts. Is there a way to do this with a switch?
12-27-2009 01:05 AM
Hello,
If you want to isolate a PC within a VLAN from other stations, changing its gateway will not help, as the station still remains in the same broadcast domain with other stations and is able to talk to them directly (and thereby possibly attack them).
On Catalyst 3560 and higher with recent IOSes, there is a feature called Private VLANs. Private VLANs allow you to partition an existing VLAN (also called the primary VLAN) into an arbitrary number of so-called secondary VLANs that have additional restrictions placed on them. There can be arbitrarily many community secondary VLANs under a particular primary VLAN; stations in a single community VLAN may freely communicate among themselves, but they cannot talk to any other secondary VLAN's members under the same primary VLAN. Additionally, there can be at most one isolated secondary VLAN for each primary VLAN, whose members cannot talk to each other, nor can they talk to members of any other secondary VLAN under the same primary VLAN. All secondary VLANs are still allowed to access common shared resources like servers, gateways etc. that are placed on so-called promiscuous ports (this has nothing to do with the promiscuous mode of NICs).
From outside, the partitioning of the VLAN into secondary VLANs is not visible, and the entire system is visible as a single VLAN with a single, unpartitioned IP address space.
I think that this is what you are seeking: placing offending clients into an isolated secondary VLAN so that they cannot attack each other or any other stations in other secondary (community) VLANs. This feature is unfortunately not available under GNS3; a 3560 or higher switch is required.
You may want to read more here:
Best regards,
Peter
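As an added example (not configuration from this thread or from Peter's post), here is how the Private VLAN layout described above could be applied to the topology from the original question on a Catalyst 3560-class switch. VLAN numbers, port names and the choice of putting SVR1 in the community VLAN (so that the quarantined PC4 reaches only SVR2) are assumptions; the hosts and addresses are the ones from the original post.

```cisco
! Added example: Private VLAN quarantine for the thread's topology.
! Assumed: Catalyst 3560, VLAN 100 primary, 101 isolated, 102 community,
! ports Fa0/1-0/6 wired to PC1-PC4, SVR1, SVR2 in that order.
vtp mode transparent
!
vlan 100
 name PRIMARY-LAN
 private-vlan primary
 private-vlan association 101,102
vlan 101
 name ISOLATED-QUARANTINE
 private-vlan isolated
vlan 102
 name COMMUNITY-USERS
 private-vlan community
!
! PC1, PC2, PC3 and SVR1: community ports. They talk among themselves and
! to promiscuous ports, but never to members of the isolated VLAN.
interface range FastEthernet0/1 - 3
 description PC1-PC3 192.168.1.1-3 (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface FastEthernet0/5
 description SVR1 192.168.1.5 (community 102, not reachable from PC4)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! PC4: isolated port. It can only reach promiscuous ports, i.e. SVR2;
! no configuration change is needed on PC4 itself.
interface FastEthernet0/4
 description PC4 192.168.1.4 (isolated 101, quarantined)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! SVR2: promiscuous port, reachable from every secondary VLAN, so it can
! serve as the disinfection server for the isolated host.
interface FastEthernet0/6
 description SVR2 192.168.1.6 (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verify with: show vlan private-vlan
!              show interfaces FastEthernet0/4 switchport
```

Note that the whole primary VLAN still shares the single 192.168.1.0/24 address space, so PC4 keeps its address; only the switch-level forwarding between PC4 and the other hosts is removed.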
12-27-2009 01:36 AM
Thanks for your suggestion. But I don't think I would get access to such a switch. Using a regular VLAN, I can still separate infected hosts on their own LAN, with a server (for disinfection purposes). But infected hosts may still attack one another. Can I add any policy to only allow them to access the server?
12-27-2009 02:17 AM
aptgetmoo wrote:
Thanks for your suggestion. But I don't think I would get access to such a switch. Using a regular VLAN, I can still separate infected hosts on their own LAN, with a server (for disinfection purposes). But infected hosts may still attack one another. Can I add any policy to only allow them to access the server?
VLAN access lists control traffic within the same VLAN, but I don't know whether your switch supports that. Alternatively you can try an ACL on the physical interface, although again I am not sure whether it will work on your switch -
Jon
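As an added example (not configuration from this thread or from Jon's post), both approaches mentioned above, a VLAN access map (VACL) and a port ACL, written for a quarantine VLAN that holds the infected hosts together with the disinfection server SVR2 from the original post. The VLAN number, ACL names and port name are assumptions, and the switch must actually support these features (a 3560-class Catalyst does; as the later posts show, the NM-16ESW module does not).

```cisco
! Added example: restrict hosts in quarantine VLAN 20 to SVR2 only.
! Assumed: VLAN 20 contains the infected PCs and SVR2 (192.168.1.6),
! PC4 is on FastEthernet0/4. Addresses are the thread's own.
ip access-list extended TO-FROM-SVR2
 remark IP traffic to or from the disinfection server only
 permit ip any host 192.168.1.6
 permit ip host 192.168.1.6 any
!
! Option A: VACL. Filters frames bridged inside VLAN 20, so infected hosts
! cannot reach each other even though they share the VLAN. IP packets
! matching no clause are dropped; non-IP frames (ARP) are still forwarded
! because the map has no mac match clause.
vlan access-map QUARANTINE 10
 match ip address TO-FROM-SVR2
 action forward
vlan filter QUARANTINE vlan-list 20
!
! Option B: port ACL on the quarantined host's own access port. Port ACLs
! are inbound only, which is enough here: anything PC4 sends that is not
! addressed to SVR2 is dropped at the switch port.
interface FastEthernet0/4
 description PC4 192.168.1.4 (quarantined)
 switchport mode access
 switchport access vlan 20
 ip access-group TO-FROM-SVR2 in
!
! Verify with: show vlan access-map
!              show vlan filter
!              show ip access-lists TO-FROM-SVR2
```

Option B must be repeated on every quarantined port, whereas Option A covers every host in the VLAN with one map; neither option blocks ARP-level traffic between the infected hosts.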
12-27-2009 03:33 AM
12-27-2009 05:57 AM
Thanks.
I couldn't add a VACL, the 3640 doesn't seem to support that. I also couldn't apply the ACL to the interface. I have a problem using the "ip access-group" command to apply the ACL to the interface. It seems that I can only use that command on ports (NM-1FE-TX) other than those on the 16-port switch module (NM-16ESW). Is that because they have been configured as access ports?
12-27-2009 03:18 PM
Gentlemen,
Traffic filtering on switches is a cumbersome issue, as the individual support for traffic filtering differs considerably among various switch platforms. Advanced filtering tools like Private VLANs or VACLs are available only on 3560 and higher platforms. IP or MAC ACLs can be applied onto individual access ports since 2950 series platforms (at least as far as I know) but only in the inbound direction, and also the style of evaluating the IP and MAC ACLs differs strongly, for example, between 2950 and 2960 switches. Reading the documentation thoroughly that pertains to the particular switching platform and IOS version is a must here.
Regarding the ACLs on NM/HWIC switching modules, their support may be even more limited than on standalone switches. Such a module may not support traffic filtering at all. For example, on the HWIC-4ESW, it appears that neither MAC nor IP access lists are supported on the individual switchports (confirmed using the HWIC-4ESW module in a 2801 router running the c2801-advipservicesk9-mz.124-4.XC2 IOS).
I am afraid that trying to simulate the situation using GNS3 and a 3640 series + NM-16ESW switching module will not be helpful here. As I indicated earlier, each switch differs in its support of traffic filtering, and its capabilities determine the way the filtering would be done (if possible at all).
Best regards,
Peter
12-27-2009 04:11 PM
Thanks for that explanation, Peter. I think the best I can do for the time being is to just move them into another VLAN, although they may still communicate with each other.
12-27-2009 04:20 PM
Hello,
What you perhaps could do even with a switching module (and also with any recent switch) is this:
This link contains further information:
Best regards,
Peter
12-27-2009 05:09 PM
Thanks a lot Peter. I'm very new to router/switch configuration. In fact, I have never configured a real one, just tried in GNS3 and Packet Tracer.
The switch module in 3640 does not support that. I guess I'll have to get a real switch.
12-27-2009 09:04 PM
Hi,
Check out the Cisco 3725 router series for ACL implementation in GNS3; it will be helpful for switching commands also. Download the 3725 series IOS and try to implement it.
Regards
Ganesh.H