Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Non Intervlan Routing & Security

  Needing some help looking at this the correct way. I have a network with 5 VLANs, Management 1, Voice 10, Employee 20, Guest 30, and WLAN Authentication 100. With this network I'm looking to implement "Router on a Stick" type configuration. On the router, Management 1, Employee 20, and Guest 30 are the only VLANs that will have access to Internet resources. The voice vlan is only for digital phones connecting to the pbx on a T1 analog trunk and the WLAN Authentication is an ingress to the wireless controller for a html authentication then NAT'd to the Guest vlan. Now the issue i'm having is how do I secure all these vlans to not have any communication between each other but still provide internet access to the 3 needed vlans through a single Global IP.

  Then with ACLs, what if someone in the Guest vlan statics their IP to a subnet in the Employee network? Am I correct in saying that an access list would allow the cross VLAN communication due to the acl allowing that subnet? Assuming that a PC connected to a switch port that puts a guest vlan tag on the packet, then gets trunked to the router with a guest vlan tag but does a router look at that tag or does it only apply filtering with ip to acl?

For sample configuration sake:

VLAN 1: 10.1.1.0/24

VLAN 10: 10.1.10.0/24

VLAN 20: 10.1.20.0/24

VLAN 30: 10.1.30.0/24

VLAN 100: 10.1.100.0/24

Gateway: 10.1.1.1

I am yet to try anything in a lab environment. Still waiting on all the equipment to get in to try.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

Non Intervlan Routing & Security

Cody,

Then with ACLs, what if someone in the Guest vlan statics their IP to a  subnet in the Employee network? Am I correct in saying that an access  list would allow the cross VLAN communication due to the acl allowing  that subnet?

If you're doing router-on-a-stick, that means that you're going to create the subinterfaces on the router to allow for the routing of those vlans. The switches on the other hand will have the vlans configured and ports will be added to individual vlans generally. Suppose you have a port configured for vlan 30. If you have the concern that a guest connected to that port will be able to change their subnet to match the vlan 20 subnet, you don't have to worry. If they did, the router would drop the traffic because it would see the tag for vlan 30, but it would see the subnet for vlan 20.

As far as your acls, you can keep your users from talking to each other with inbound acls. Something very simple would be like:

VLAN 1: 10.1.1.0/24

VLAN 10: 10.1.10.0/24

VLAN 20: 10.1.20.0/24

VLAN 30: 10.1.30.0/24

VLAN 100: 10.1.100.0/24

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.20.0 0.0.0.255

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.30.0 0.0.0.255

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.100.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

int

ip access-group 101 in

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255

access-list 110 permit ip 10.1.10.0 0.0.0.255 any

int

ip access-group 110 in

etc....

A better way, although more complicated, is to use zone-based firewalls. Here's a link explaining this. You would need an image that supported it:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
12 REPLIES
Community Member

Non Intervlan Routing & Security

Sample Diagram

Non Intervlan Routing & Security

Cody,

Then with ACLs, what if someone in the Guest vlan statics their IP to a  subnet in the Employee network? Am I correct in saying that an access  list would allow the cross VLAN communication due to the acl allowing  that subnet?

If you're doing router-on-a-stick, that means that you're going to create the subinterfaces on the router to allow for the routing of those vlans. The switches on the other hand will have the vlans configured and ports will be added to individual vlans generally. Suppose you have a port configured for vlan 30. If you have the concern that a guest connected to that port will be able to change their subnet to match the vlan 20 subnet, you don't have to worry. If they did, the router would drop the traffic because it would see the tag for vlan 30, but it would see the subnet for vlan 20.

As far as your acls, you can keep your users from talking to each other with inbound acls. Something very simple would be like:

VLAN 1: 10.1.1.0/24

VLAN 10: 10.1.10.0/24

VLAN 20: 10.1.20.0/24

VLAN 30: 10.1.30.0/24

VLAN 100: 10.1.100.0/24

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.20.0 0.0.0.255

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.30.0 0.0.0.255

access-list 101 deny 10.1.1.0 0.0.0.255 10.1.100.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

int

ip access-group 101 in

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255

access-list 110 deny 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255

access-list 110 permit ip 10.1.10.0 0.0.0.255 any

int

ip access-group 110 in

etc....

A better way, although more complicated, is to use zone-based firewalls. Here's a link explaining this. You would need an image that supported it:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Non Intervlan Routing & Security

Thanks John, exactly what I needed.

So would you still use the next hop as:

ip route 0.0.0.0 0.0.0.0 x.x.x.x   and all the vlans will route in and out ok?

Non Intervlan Routing & Security

Yes, you'll only need to have the single default route out if you only have a single outbound link.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Non Intervlan Routing & Security

Alright John, last question, what would be beneficial to have a block of global IPs since a connection only routes out a single interface?

Non Intervlan Routing & Security

The main benefit for a block of addresses is that you can have an address for different services. For example, if you have a web server, ftp server, and a mail server. Let's say you have addresses 8.8.8.1 - 8.8.8.14 that are useable. You can have your web server mapped to 8.8.8.5, ftp server mapped to 8.8.8.6 and mail server at 8.8.8.14. Your default route is used for when the router doesn't know how to get to a destination. If your user, who has their default gateway set to your router's lan interface, wants to go to a destination of 5.5.5.5, your router is going to do a lookup in its routing table. If it doesn't find that route, it will use its default gateway. This is where your "ip route 0.0.0.0" statement comes in at.

You can also nat out as different global addresses as well. Let's say that you wanted to assign 8.8.8.2 and 8.8.8.3 to be used by your users. Users on the 192.168.2.0/24 subnet can be natted out as 8.8.8.2 and the users at 192.168.3.0/24 can be natted out as 8.8.8.3.  So, there are a few things you can do with global addresses

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Non Intervlan Routing & Security

Correct me if i'm wrong but am I looking at these acls correctly. It looks backwards from your previous reply.

Cisco Version 12.4

access list 101 deny ip

so the command would be to deny vlan 10,20,30,and 100 is:

access list 101 deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255

access list 101 deny ip 10.1.20.0 0.0.0.255 10.1.1.0 0.0.0.255

etc

etc

access list 101 permit ip any 10.1.1.0 0.0.0.255

and then set it on inbound on vlan 1

Non Intervlan Routing & Security

The acl that you posted would be better for an outbound direction. Generally when you create an acl, you would apply inbound if it's coming from that subnet. For example, if you have 10.1.1.1 on the router and you want to deny 10.1.1.0/24 from going anywhere, you would deny 10.1.1.0, as a source, inbound on that interface. If you wanted to use the same interface and block outbound, you'd create acl blocking from some source to a destination on the interface.

For example, if you have a host of 10.1.1.50 you want to block to 10.1.20.0/24, you can do it two ways:

access-list 101 deny ip host 10.1.1.50 10.1.20.0 0.0.0.255

access-list 101 permit ip any any

int vlan 1

ip access-group 101 in

This would block 10.1.1.50 from getting to 10.1.20.0/24. It would also have the effect of blocking 10.1.20.0 from getting to 10.1.1.50 (theoretically) because the return traffic would be denied.

Another way to block the same host would be:

access-list 101 deny ip 10.1.20.0 0.0.0.255 host 10.1.1.50

access-list 101 permi ip any any

int vlan 1

ip access-group 101 out

This would block 10.1.20.0/24 from getting to 10.1.1.50.

The acl and direction that it's placed that you posted doesn't look correct. From first glance, it would never match on the first two lines and always match on the last line which would, in effect, still block traffic since your only allowing traffic coming from anything to 10.1.1.0/24. You also want to block as close to the source as you can. I always use inbound acls, but there are some that use outbound acls as well.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Non Intervlan Routing & Security

So which is better?

Do you block outbound traffic since its the closest to the source.

So to block traffic coming from vlan1 and destined for vlan10

access-list 101 deny ip 10.1.1.0 0.0.0.255 (Source) 10.1.10.0 0.0.0.255 (Destination)

                                   (Vlan 1 subnet)                     (Vlan 10 subnet)

vlan1

access-group 101 out

---or---

block traffic coming in to vlan1 from vlan10

access-list 101 deny ip 10.1.10.0 0.0.0.255 (Source) 10.1.1.0 0.0.0.255 (Destination)

                                      (Vlan 10 subnet)                   (Vlan 1 subnet)

vlan1

access-group 101 in

Or am I just looking at this all wrong?! Thinking that the source is vlan 10,20,30,100 and the destination is vlan1 and blocking the traffic once it gets to vlan1?

Non Intervlan Routing & Security

Actually, you have the correct acls, but the direction would be reversed on the two. In your first example "deny ip 10.1.1.0" while coming from vlan 1 would be in the "in" direction because the hosts sending to vlan 10 are in vlan 1, so their gateway would be 10.1.1.1 (assuming). Then you're blocking 10.1.1.x from getting to vlan 10 in the "in" direction.

The second example would be correct if it was in the "out" direction, or if you applied this acl on vlan 10 in the "in" direction.

As far as which one is better, I always do mine in the "in" direction although there are times where you might want to use out direction. I've seen some on here only use the out direction, so it's really a preference.

Here's another example:

access-list 101 deny ip host 10.1.1.50 host 10.1.10.50

access-list 101 permit ip any any

The above access list blocks traffic from 10.1.1.50 getting to 10.1.10.50. But there are two locations that this would work: on vlan 1 in the "in" direction OR vlan 10 in the "out" direction:

int vlan 1

ip address 10.1.1.1 255.255.255.0

ip access-group 101 in

int vlan 10

ip address 10.1.10.1 255.255.255.0

ip access-group 101 out

On vlan 10, I'm blocking traffic from host 10.1.1.50 getting to the host 10.1.10.50.

On vlan 1, I'm doing the same thing, but I do it from the perspective of the vlan closest to the soruce.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Non Intervlan Routing & Security

John, your information has been invaluable. Greatly appreciate you taking the time to answer these questions!

Hopefully all the equipment comes in this week so I can test this all out.

Thanks again!

Non Intervlan Routing & Security

No problem! If you have any other questions, we'll be here to help out....

Thanks!
John

HTH, John *** Please rate all useful posts ***
413
Views
10
Helpful
12
Replies
CreatePlease to create content