I posted a few times here regarding the design I'm working on and I have another issue/question.
The design is a collapsed core, with routed access layer.
On each access switch, I have 4 VLANs. Data (10), VoIP (40), Wifi (20) and Wifi Guests (30), as well as local SVIs for each VLAN, which are in turn connected to the core layer via point-to-point interfaces.
Once the traffic moves into L3, there's no more isolation, as every subnet is routed to the core.
Q1: How do I isolate traffic
a) locally on the access switch, so that the various VLANs can't be routed between each other?
b) same when they reach the core layer?
Q2: They do however need to talk to the same VLAN on other access switches (VoIP for example)
Q3: Wifi Guests need to go directly to the web, nowhere else.
What I'm working with: 3560x switches with IP Base image, 4900M Core/Distribution switches with IP Services image
Ignore the static paths in the diagram, it's a BNT switch that I am stuck with
I have read about VRF (way above my current skill level/knowledge), which seems to be exactly what I need and Policy Based Routing (not supported by IP BASE image afaik). What are my options? (Please don't say training for VRF and purchasing IP Services for PBR lol)
I know, I am not answering you question, but looking at your design, you have 2 access layer switches that are doing routing. (according to your post) I also see the same vlans on both switches. why? I hope the subnets are not the same.
In a routed access layer you can't have the same subnet in 2 different switches.Can you clarify?
It is a common practice to have a unique vlan id for each subnet. It also reduces confusion for people who manage the network.
If you do not want the vlans to talk to each other, then you can deploy something like this example and apply it to these vlans. In this case vlan 10 can not communicate with vlan 20 but everything else.
vlan 10 = 192.168.10.0/24
vlan 20= 192.168.20.0/24
access-list 200 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 200 permit ip 192.168.10.0 0.0.0.255 any
Regarding the VLAN IDs, I ran that by a CCIE friend of mine and he agreed that was a good choice since the VLAN IDs are locally significant. There is no confusion here. VLAN 10 is Data VLAN everywhere, and being in a routed environment means they all have different subnets. In a switched environment, that's a different story unless you want end-to-end VLANs.
Thanks for the ALC suggestion. I think I might be better off permitting only what I want than denying everything one by one (I'd have 5 ACLs per switch with over 40-50 lines per ACL...)
I'll experiment with various options and see what I can come up with.
IOS accepts this but I wonder if that's a good way of doing things.
My addressing is as follows:
A = 10 (Private Class A)
B = site identification
C = VLAN identification
D = device address
in other words, everytime I see a 10 for the 3rd octet, that's VLAN 10. I was thinking of using masks like this one to trap all 10.x.10.y addresses.
access-list 110 permit ip 10.101.10.0 0.0.0.255 10.0.10.0 0.255.0.255 (Any VLAN 10 on the network)
access-list 110 permit ip 10.101.10.0 0.0.0.255 10.0.110.0 0.255.0.255 (Any VLAN 110 on the network)
access-list 110 permit ip 10.101.10.0 0.0.0.255 10.0.120.0 0.255.0.255 (Any VLAN 120 on the network)
This would allow the workstation on Switch 1 (10.101) to access any VLAN 10s anywhere. Make sense? The logic is there, but is that something that should be done? I have no other way to summarize this to make it workable...
This document gives several answers on frequently asked questions for PFRv3 channel state behavior.
Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st...
The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).
The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN.
I couldn't connect to the hos...