02-14-2012 04:23 AM - edited 03-07-2019 04:55 AM
I'm planning to implement an isolated wireless network. It consists of 3 servers and 100 tablets. 1 of the servers needs to have external access, and all 100 tablets should be able to communicate with the 3 servers.
This isolated network should not be available for existing VLANs.
IP subnet is 192.168.10.0/24
192.168.10.1 - Server - Requires the external access
192.168.10.2 - Server 2 - No external access
192.168.10.3 - Server 3 - No external access
192.168.10.8 to 192.168.10.252 - DHCP - Used for tablets.
At this particular location we do not have a firewall. This location is connected to another MPLS location, and from there internet out and in are controlled.
We are also using a separate internet line for this setup; this line is going to terminate on the core-level switch.
My question is:
How can I allow the host 192.168.10.1 to have inbound access from the internet?
Restrict the tablets' inbound and outbound access to the internet, while keeping the communication to the 3 servers.
Due to some restrictions it is not possible to create 2 VLANs (1 for the servers and 2 for the tablets).
Creating an ACL on the switch should be one of the solutions. I've figured it out as below.
access-list 101 permit tcp 192.168.10.1 0.0.0.0 any
access-group 101 in on VLAN
Does this statement work as per my requirement?
02-14-2012 09:04 AM
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description separate internet line for this setup accessing Internet.
ip address 192.168.2.2 255.255.255.252
no shut
exit
!
interface Vlan10
description User tablets-users
ip address 192.168.10.1 255.255.255.0
no shut
exit
!
interface Vlan20
description User two inside
ip address 192.168.20.1 255.255.255.0
no shut
exit
!
interface Vlan30
description Users three inside
ip address 192.168.30.1 255.255.255.0
no shut
exit
!
vlan 2
name internet
exit
vlan 10
name tablets-users
exit
vlan 20
name USER-2
exit
vlan 30
name USER-3
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip access-list extended table-srv1
permit ip any host 192.168.10.5
permit ip host 192.168.10.5 any
!
ip access-list extended DENY-tablets-inside-network
deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
-----------------------------------------------------
vlan access-map RIZ-VLAN-MAP 10
action drop
match ip address DENY-tablets-inside-network
vlan access-map RIZ-VLAN-MAP 20
action forward
match ip address table-srv1
vlan filter RIZ-VLAN-MAP vlan-list 10
-------------------------------------------------------
In this example, only the server at 192.168.10.5 on VLAN 10 can be accessed from the internet, which is facing internet-bound VLAN 10, and there is no access to the other VLANs 20 and 30 from VLAN 10 and vice versa, but just within VLAN 10 alone for the VLAN 10 tablet users.
A VLAN access map uses reverse logic, meaning permitted entries are dropped at the layer 2 level and denied entries are permitted at the layer 2 level, with no visibility.
I tested it and it works like a charm.
Hope this helps.
Thanks
Rizwan Rafeek
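A small model of how the VLAN access-map above is evaluated, added here as an example and not code from the thread or from Cisco: it reproduces the reverse logic the post describes (an ACL permit inside an "action drop" sequence drops, an ACL deny falls through to the next sequence) and the IOS default that an IP packet matching no sequence of a map with ip match clauses is dropped. The addresses 203.0.113.10 (internet host), 192.168.10.20 (a tablet) and 192.168.10.2 (a second server on VLAN 10) are constructed sample values.

```python
import ipaddress

# Constructed model of the post's VACL, written for this thread (not Cisco code).
# Only 'permit/deny ip' entries with any / host / wildcard operands are modelled.

ACLS = {  # the two ACLs from the post, one (action, src, dst) per entry
    "table-srv1": [("permit", "any", "host 192.168.10.5"),
                   ("permit", "host 192.168.10.5", "any")],
    "DENY-tablets-inside-network": [
        ("deny", "192.168.10.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
        ("permit", "192.168.0.0 0.0.255.255", "192.168.0.0 0.0.255.255")],
}
# RIZ-VLAN-MAP sequences 10 and 20, in order: (action, matched ACL)
RIZ_VLAN_MAP = [("drop", "DENY-tablets-inside-network"), ("forward", "table-srv1")]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def covers(operand, ip):
    # operand is 'any', 'host A' or 'A WILDCARD'; wildcard 1-bits are don't-care
    t = operand.split()
    if t[0] == "any":
        return True
    addr, wild = (t[1], "0.0.0.0") if t[0] == "host" else (t[0], t[1])
    return ((_ip(ip) ^ _ip(addr)) & ~_ip(wild) & 0xFFFFFFFF) == 0

def acl_result(name, src, dst):
    for action, s, d in ACLS[name]:
        if covers(s, src) and covers(d, dst):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def vacl_verdict(src, dst, vmap=RIZ_VLAN_MAP):
    # The first sequence whose ACL *permits* the packet decides, and its action
    # applies (permit inside 'action drop' = drop: the post's reverse logic); an
    # ACL deny means 'try the next sequence'; no match at all = drop by default.
    for action, acl in vmap:
        if acl_result(acl, src, dst) == "permit":
            return action
    return "drop"

def verdicts():
    # Constructed flows: 203.0.113.10 = internet host, .10.20 = tablet, .10.2 = 2nd server
    flows = {"internet->srv.5": ("203.0.113.10", "192.168.10.5"),
             "tablet->srv.5": ("192.168.10.20", "192.168.10.5"),
             "tablet->internet": ("192.168.10.20", "203.0.113.10"),
             "tablet->vlan20": ("192.168.10.20", "192.168.20.7"),
             "tablet->srv.2": ("192.168.10.20", "192.168.10.2")}
    return {k: vacl_verdict(*v) for k, v in flows.items()}
```

verdicts() returns the result per flow; the last flow shows that a second server on VLAN 10 needs its own entries in table-srv1 (or another forward sequence), since an IP packet that matches no sequence is dropped.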
02-14-2012 05:00 AM
You could do one of the following. On Server 1 configure a default gateway for the server, which gives external access.
On Server 2 and Server 3 you could not specify a default gateway; that way they only have local access. All the tablets
on the wireless network will still have access to all three servers, since their communication will be local.
access-list 101 permit tcp 192.168.10.1 0.0.0.0 any
access-group 101 in
Generally, ACLs are only used to restrict traffic from a local subnet to other subnets, and this may sound stupid of me, but I don't know if that would block local traffic as well. I wouldn't think it would, since it wouldn't make any sense for local
traffic to actually go to the default gateway; it should just ARP out the address.
02-14-2012 05:00 AM
Hi,
The ACL, I think, you should apply to the router's inside interface; that way you don't block traffic to the servers because of the implicit deny statement. That way only traffic from 192.168.10.1 will be allowed to enter the router.
If the router has a public IP on the outside interface you need a NAT translation.
ip nat inside source static 192.168.10.1 x.x.x.x
Hope this helps.
Eugen
02-14-2012 03:50 PM
Santhosh Kumar wrote:
IP subnet is 192.168.10.0/24
192.168.10.1 - Server - Requires the external access
192.168.10.2 - Server 2 - No external access
192.168.10.3 - Server 3 - No external access
192.168.10.8 to 192.168.10.252 - DHCP - Used for tablets.
At this particular location we do not have a firewall. This location is connected to another MPLS location, and from there internet out and in are controlled.
We are also using a separate internet line for this setup; this line is going to terminate on the core-level switch.
My question is:
How can I allow the host 192.168.10.1 to have inbound access from the internet?
Restrict the tablets' inbound and outbound access to the internet, while keeping the communication to the 3 servers.
Creating an ACL on the switch should be one of the solutions. I've figured it out as below.
access-list 101 permit tcp 192.168.10.1 0.0.0.0 any
access-group 101 in on VLAN
Does this statement work as per my requirement?
Don't put a default gateway in server 2, server 3 and the tablets?
Since the rest of the devices are in the same network, they'll always be able to communicate with each other (physical connectivity being present), but never communicate with anything else because they don't have a route to anywhere else.
If you want to make it a little more difficult, use a "weird" address for your default gateway (i.e. not .1 or .254) to stop people using the servers and tablets from trying the obvious and working around it.
That'd be the easiest way, but only if your users are relatively dumb and can't figure out how to put in a route or gateway.
Cheers
03-07-2012 12:18 PM
03-07-2012 05:02 PM
I am glad to hear that my solution worked out for you and that you understood the reverse-logic implementation with ACL and VACL, but I have seen many people having trouble with reverse logic.
Thanks
Rizwan Rafeek