IP filtering 3 VLANs and routing some traffic to public internet

jhvanwyk
Level 1

We have 3 VLANs (say A, B and C). Each of these VLANs is a tagged link (T) between two L2 switches, as follows:

SW 1 (T) <-> VLAN A <-> (T) SW 4
SW 2 (T) <-> VLAN B <-> (T) SW 4
SW 3 (T) <-> VLAN C <-> (T) SW 4
                               (T) |_____> (T) DHCP server (Linux)

We would like to divert certain IP traffic to an outside Internet link (thus doing "IP filtering" on the 3 VLANs), untagged (U) of course. We unfortunately have an existing network that we cannot really change, but at least want to add the additional Internet gateway. The DHCP server only operates within the VLAN environments (intranet).

Our thinking is to place a L3 routing switch (a Cisco 2811 with a 4-port switch module that we have lying around :-)) in between the 3 VLAN links and perform L3 routing on the Cisco 2811, as follows:
                             _________
SW 1 (T) <-> VLAN A <-> (T) |   L3    | (T) <-> VLAN A <-> (T) SW 4
SW 2 (T) <-> VLAN B <-> (T) | router  | (T) <-> VLAN B <-> (T) SW 4
SW 3 (T) <-> VLAN C <-> (T) |_________| (T) <-> VLAN C <-> (T) SW 4
                                 | (U)                          |____> DHCP server
                                 |_____> INTERNET (Static IP)

In the initial setup no IPs were assigned for this part of the network (since VLANs are L2), but for the L3 router case, interface IPs are needed. Can they be from the same subnet (let us say IPs x.x.10.2 (left of the L3 RT) and x.x.10.3 (right of the L3 RT) for the VLAN A string, where VLAN A has subnet x.x.10.0)? A similar approach would apply for B and C (subnets x.x.20.0 and x.x.30.0).

If the Internet has IP 1.2.3.4, how will we allow traffic only to external IP 5.6.7.8 from any of SWs 1, 2 or 3 and deny all else?

Any help with setup (config) will be appreciated - Thanks.

2 Replies

balaji.bandi
Hall of Fame

Looking at your post, all are connected to SW4. Where is the gateway for all these VLANs? On SW4?

If that is the case, I am thinking you can connect SW4 and the new router and use PBR on SW4 with the next hop pointing to the router.

Note: as you mentioned, you cannot change anything on the existing SW4? (Is this possible?)

Also, you need to post the show run and the routing currently in place for sending traffic out to the internet.

BB

Hello,

I guess it would be easier to give advice if you could provide a schematic drawing of your topology, showing how your devices are physically and logically connected. Also, indicate how the VLANs currently communicate with each other (that is, which device is currently doing the layer 3 routing). Using a 2811 is a good idea: you could simply use that router for all layer 3 routing and direct all outbound traffic through that router. A simple access list would then allow traffic to 5.6.7.8...
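The layout the reply above suggests (the 2811 as the layer 3 gateway for all three VLANs, with an access list that lets only 5.6.7.8 out), written out as an added example. This is not configuration from the thread or from Cisco, and it assumes details the post does not give: VLAN IDs 10/20/30, subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 standing in for x.x.10.0, x.x.20.0 and x.x.30.0, the router taking .1 in each, the trunk to SW4 on FastEthernet0/0, the internet link on FastEthernet0/1 with 1.2.3.4/30 and an ISP next hop of 1.2.3.5, and NAT overload because the VLAN subnets are private. One point on the original question of putting x.x.10.2 and x.x.10.3 on either side of the router: IOS rejects two routed interfaces in the same subnet as overlapping, so with routed subinterfaces the 2811 has to be the single gateway for each VLAN rather than sit inline inside the subnet.

```cisco
! Added example (not from the thread): 2811 as gateway for VLANs A, B, C
! with outbound traffic restricted to 5.6.7.8. All addresses, VLAN IDs
! and interface names below are assumptions, not taken from the post.
hostname VLAN-GW
!
! One dot1Q subinterface per VLAN; the router, not SW4, is now the gateway.
interface FastEthernet0/0
 description Trunk to SW4 (VLANs A, B, C)
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description VLAN A
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group LAN-OUTBOUND in
 ip nat inside
!
interface FastEthernet0/0.20
 description VLAN B
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group LAN-OUTBOUND in
 ip nat inside
!
interface FastEthernet0/0.30
 description VLAN C
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group LAN-OUTBOUND in
 ip nat inside
!
interface FastEthernet0/1
 description Internet (static IP 1.2.3.4, assumed /30, ISP at 1.2.3.5)
 ip address 1.2.3.4 255.255.255.252
 ip access-group WAN-INBOUND in
 ip nat outside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 1.2.3.5
!
! Only the three site subnets are translated, and only when leaving the site.
ip access-list extended NAT-SOURCES
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
ip nat inside source list NAT-SOURCES interface FastEthernet0/1 overload
!
! Applied inbound on each VLAN subinterface. The first three lines keep
! inter-VLAN routing working through the 2811 (drop them if the VLANs must
! stay isolated from each other); then only 5.6.7.8 is reachable outside.
! DHCP broadcasts are answered by the Linux server inside each VLAN, so they
! are dropped here without logging to keep the log useful.
ip access-list extended LAN-OUTBOUND
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip any host 5.6.7.8
 deny   udp any eq bootpc any eq bootps
 deny   ip any any log
!
! Applied inbound on the internet interface, before NAT undoes the
! translation: only packets from 5.6.7.8 are let in, and of those only the
! ones matching an existing translation are forwarded to a VLAN host.
ip access-list extended WAN-INBOUND
 permit ip host 5.6.7.8 any
 deny   ip any any log
```

Two things have to change off the router for this to carry traffic: the Linux DHCP server must hand out 192.168.x.1 (the subinterface address) as the default router for each VLAN's scope, and the 2811's port facing SW4 must be configured as a trunk carrying all three VLANs. To check the filter, generate a connection to 5.6.7.8 and one to any other address from a host in VLAN A, then run "show ip access-lists LAN-OUTBOUND" and watch the hit counters move on the "permit ip any host 5.6.7.8" and "deny ip any any log" lines; "show ip nat translations" confirms the outbound session was translated to 1.2.3.4. The WAN-INBOUND permit is deliberately broad on protocol; once the service on 5.6.7.8 is known, narrow it to that protocol and port.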