10-14-2010 04:52 AM - edited 03-06-2019 01:31 PM
I'm sorry for my English... I'm trying to make it as clear as possible.
SETUP:
servers = 10.112.140.0/24
vlan102 = 10.112.145.0/24
vlan103 = 10.112.150.0/24
vlan104 = 10.112.155.0/24
interface 0/1 = assigned to 10.112.140.0 network block.
c3560 = 10.112.140.3/24
CONDITIONS:
1. Vlan 102, Vlan 103, Vlan 104 should NOT see each other
2. Vlan 102, Vlan 103, Vlan 104 should be able to access servers on common switch (belongs to 10.112.140.0 network block)
3. Servers and Admin Workstations should be able to ping workstations on each Vlans
4. All workstations under corporateA should be able to access email located at corporateB
MODIFICATION:
Old L3 - use vlan-access map to filter traffic
New L3 - use router ACL
PROBLEM:
Our existing network works normally. We have a functional L3 FastEthernet switch.
The management decided to upgrade our existing L3 switch to Gigabit, so we bought one.
We copied almost all of the configuration from the old L3 switch to the new L3 switch, except that
we decided not to use the vlan access-map and instead went for a router ACL.
We put the new L3 switch in a live network for testing.
In the new L3 switch, things didn't work as expected. We meet all conditions except item no. 4.
Only servers (and workstations belonging to this group) can successfully connect to the mail server.
Workstations on every Vlan canNOT connect to the mail server.
Did I miss something here? Please enlighten my confused mind.
How can I communicate to the mail server on CorporateB?
Thanks in advance for all the support and help.
Below is the configuration of the old and new L3 switch...
-----------start OLD L3 switch------------------------
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname c3560
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan access-map BLOCKADE 10
action drop
match ip address POLICE
vlan access-map BLOCKADE 20
action forward
vlan filter BLOCKADE vlan-list 102-104
!
interface FastEthernet0/1
no switchport
ip address 10.112.140.3 255.255.255.0
!
interface FastEthernet0/2
switchport access vlan 102
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 103
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 104
spanning-tree portfast
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
description vlan102
ip address 10.112.145.1 255.255.255.0
!
interface Vlan103
description vlan103
ip address 10.112.150.1 255.255.255.0
!
interface Vlan104
description vlan104
ip address 10.112.155.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.112.140.5
ip http server
ip http authentication local
!
ip access-list extended POLICE
permit ip 10.112.145.0 0.0.0.255 10.112.150.0 0.0.0.255
permit ip 10.112.145.0 0.0.0.255 10.112.155.0 0.0.0.255
permit ip 10.112.150.0 0.0.0.255 10.112.145.0 0.0.0.255
permit ip 10.112.150.0 0.0.0.255 10.112.155.0 0.0.0.255
permit ip 10.112.155.0 0.0.0.255 10.112.145.0 0.0.0.255
permit ip 10.112.155.0 0.0.0.255 10.112.150.0 0.0.0.255
!
snmp-server community public RO
snmp-server enable traps tty
!
control-plane
!
!
line con 0
line vty 0 4
login local
line vty 5 15
login local
!
end
-----------end OLD L3 switch------------------------
-----------start NEW L3 switch------------------------
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname c3560
!
no logging console
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description COMMON
no switchport
ip address 10.112.140.3 255.255.255.0
!
interface GigabitEthernet0/2
switchport access vlan 102
!
interface GigabitEthernet0/3
switchport access vlan 103
!
interface GigabitEthernet0/4
switchport access vlan 104
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
description vlan102
ip address 10.112.145.1 255.255.255.0
ip access-group common out
!
interface Vlan103
description vlan103
ip address 10.112.150.1 255.255.255.0
ip access-group common out
!
interface Vlan104
description vlan104
ip address 10.112.155.1 255.255.255.0
ip access-group common out
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.112.140.5
ip http server
ip http authentication local
!
ip access-list standard common
permit 10.112.140.0 0.0.0.255
!
!
control-plane
!
!
line con 0
login local
line vty 0 4
login local
line vty 5 15
login
!
end
-----------end NEW L3 switch------------------------
10-14-2010 05:06 AM
SETUP:
servers = 10.112.140.0/24
vlan102 = 10.112.145.0/24
vlan103 = 10.112.150.0/24
vlan104 = 10.112.155.0/24
interface 0/1 = assigned to 10.112.140.0 network block.
c3560 = 10.112.140.3/24
CONDITIONS:
1. Vlan 102, Vlan 103, Vlan 104 should NOT see each other
2. Vlan 102, Vlan 103, Vlan 104 should be able to access servers on common switch (belongs to 10.112.140.0 network block)
3. Servers and Admin Workstations should be able to ping workstations on each Vlans
4. All workstations under corporateA should be able to access email located at corporateB
access-list 102 deny ip 10.112.145.0 0.0.0.255 10.112.150.0 0.0.0.255
access-list 102 deny ip 10.112.145.0 0.0.0.255 10.112.155.0 0.0.0.255
access-list 102 permit ip 10.112.145.0 0.0.0.255 any
access-list 103 deny ip 10.112.150.0 0.0.0.255 10.112.145.0 0.0.0.255
access-list 103 deny ip 10.112.150.0 0.0.0.255 10.112.155.0 0.0.0.255
access-list 103 permit ip 10.112.150.0 0.0.0.255 any
access-list 104 deny ip 10.112.155.0 0.0.0.255 10.112.145.0 0.0.0.255
access-list 104 deny ip 10.112.155.0 0.0.0.255 10.112.150.0 0.0.0.255
access-list 104 permit ip 10.112.155.0 0.0.0.255 any
int vlan 102
ip access-group 102 in
int vlan 103
ip access-group 103 in
int vlan 104
ip access-group 104 in
The only thing I'm not sure about is point 3. If the workstations belonging to the admins are part of vlans 102/103/104 then you will have to add explicit entries in the ACLs 102/103/104 for the pings to work.
Jon
10-14-2010 05:16 AM
Jon beat me to it!!!
Anyway, here's my hack at it.
access-list 102 remark *** Vlan 102 Ingress Filter ***
access-list 102 deny ip any 10.112.150.0 0.0.0.255
access-list 102 deny ip any 10.112.155.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 remark *** Vlan 103 Ingress Filter ***
access-list 103 deny ip any 10.112.145.0 0.0.0.255
access-list 103 deny ip any 10.112.155.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 remark *** Vlan 104 Ingress Filter ***
access-list 104 deny ip any 10.112.145.0 0.0.0.255
access-list 104 deny ip any 10.112.150.0 0.0.0.255
access-list 104 permit ip any any
int vlan 102
no ip access-group common out
ip access-group 102 in
exit
int vlan 103
no ip access-group common out
ip access-group 103 in
exit
int vlan 104
no ip access-group common out
ip access-group 104 in
exit
Chris
10-14-2010 05:32 AM
gulle_ryan wrote:
Oh, I forgot... admin workstations do NOT belong to any VLANs; instead they are directly connected to the 'common' switch together with the servers.
It's working on my Packet Tracer... I'll inform you next week if this works on the live test...
Kudos.
Thanks Jon.
If admin workstations are not part of those vlans then it will work fine.
I think part of your issue was that you applied the ACLs outbound on the vlan interface. Just for your info:
inbound on a vlan interface is traffic coming from clients in that vlan to other destinations;
outbound on a vlan interface is traffic going to clients in that vlan from other destinations.
Good luck with the implementation.
Jon
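To make the direction point and the ACL 102 solution above concrete, here is an added Python model of IOS ACL evaluation (not code from the thread); it assumes constructed host addresses and a placeholder corporateB mail server at 192.0.2.25, and shows why the poster's 'common out' list dropped the mail server's replies while Jon's inbound list does not.

```python
import ipaddress

def wc(net, wildcard):
    """A Cisco 'network wildcard' pair, kept as integers so matching uses
    real wildcard semantics (set bits in the wildcard are don't-care)."""
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))

ANY = wc("0.0.0.0", "255.255.255.255")  # what IOS expands 'any' to

def matches(addr, rule):
    net, wild = rule
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, src_rule, dst_rule in acl:
        if matches(src, src_rule) and matches(dst, dst_rule):
            return action
    return "deny"

# The poster's NEW config: standard ACL 'common' applied OUT on every SVI.
# A standard ACL tests the source address only, so the destination is ANY.
COMMON_OUT = [("permit", wc("10.112.140.0", "0.0.0.255"), ANY)]

# Jon's replacement for interface Vlan102: extended ACL 102 applied IN.
ACL_102_IN = [
    ("deny",   wc("10.112.145.0", "0.0.0.255"), wc("10.112.150.0", "0.0.0.255")),
    ("deny",   wc("10.112.145.0", "0.0.0.255"), wc("10.112.155.0", "0.0.0.255")),
    ("permit", wc("10.112.145.0", "0.0.0.255"), ANY),
]

HOST_102 = "10.112.145.20"   # constructed vlan102 workstation
SERVER = "10.112.140.10"     # constructed server on the common segment
MAIL_SERVER = "192.0.2.25"   # constructed placeholder for the corporateB mail host

def old_design_replies_into_vlan102():
    """'common out' on Vlan102 filters packets heading TO vlan102 clients.
    A server reply passes, but the mail server's reply is dropped: its source
    is not in 10.112.140.0/24, which is exactly the poster's symptom."""
    return {"from_server": evaluate(COMMON_OUT, SERVER, HOST_102),
            "from_mail": evaluate(COMMON_OUT, MAIL_SERVER, HOST_102)}

def new_design_from_vlan102():
    """ACL 102 IN filters packets FROM vlan102 clients: inter-VLAN traffic is
    denied, servers and the mail host are reachable, and with no OUT list on
    the SVI the replies are no longer filtered."""
    return {"to_vlan103": evaluate(ACL_102_IN, HOST_102, "10.112.150.7"),
            "to_server": evaluate(ACL_102_IN, HOST_102, SERVER),
            "to_mail": evaluate(ACL_102_IN, HOST_102, MAIL_SERVER)}
```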
10-14-2010 05:40 AM
I'm impressed by both of you guys (Jon, Chris)...
We're going to have a live test next week...
Now that both experts have the same solution, I have a great feeling that this will work.
You presented it like a teacher, Christoph, step by step... that's why Jon is a minute ahead of you.
I appreciate all your help guys.
Kudos.
Thanks Chris.
10-14-2010 05:29 AM
Oh, I forgot... admin workstations do NOT belong to any VLANs; instead they are directly connected to the 'common' switch together with the servers.
It's working on my Packet Tracer... I'll inform you next week if this works on the live test...
Kudos.
Thanks Jon.
10-14-2010 05:51 AM
You're right Jon. I do have issues in understanding ACL directions.
I'm very glad that you not only solved my problem but also pointed out my mistake. I'll take note of that and hope I will not make the same mistake again.
Thanks Jon.