Cisco Support Community
New Member

VLAN Design

Recently I have a hotel project which requires me to provide internet access to all the guest rooms.

The hotel has 30 floors, and each floor has two 24-port 2950 switches. All the 2950 switches connect to a core 4506 switch via gigabit fibre links (1000SX). The core switch will then connect to an internet router. For security reasons, I want guests in one hotel room not to be able to see guests in other hotel rooms, and they must be able to get to the internet. So I define a VLAN for every port on the 60 switches. By doing so, I will have many VLANs in the network. Is this a bad design? Is there any better alternative design which can ensure security (meaning guests in one hotel room cannot see guests in another hotel room)?

I know that I need to define trunking between the 2950 switches and the 4506 switch. Do I need to define trunking between 4506 switch and the internet router?

2 ACCEPTED SOLUTIONS
6 REPLIES
New Member

Re: VLAN Design

Well, there will be a lot of VLANs, though I still believe it is the right way to go.

You will not need to define a trunk between the 4506 and the Internet router provided that the 4506 is routing. Then all you need is a few static routes between the Internet router and the 4506.

Re: VLAN Design

Wouldn't Private VLANs be applicable here?

http://www.cisco.com/en/US/partner/tech/tk389/tk814/tk840/tech_protocol_home.html

http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e717.html

It seems a bit OTT creating a separate VLAN per port; think of all the address space you will lose making up all the /30 subnets.

Obviously you will need to make sure the 4506 has protection between VLANs - ACLs etc.

Andy

Bronze

Re: VLAN Design

There are two pieces to this problem:

1) Preventing traffic between any two ports (other than the uplink port) on each individual 2950.

The "protected port" feature is the way to go here. I can't view the links that Andrew posted so this may be what he was referring to (this feature is essentially a cut-down version of the PVLAN feature). Basically, you'll want to make every port on each 2950 protected except for the uplink to the 4506. This will allow you to use only 1 VLAN on each 2950 (or on the entire network for that matter), and still prevent the hosts from talking to anything other than the uplink port. More information here: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6bb2.html#1029319

2) Preventing hosts on different 2950's from talking to each other.

There are two easy ways to do this. One is to put each port on the 4506 into a different VLAN, then filter inter-VLAN traffic via access lists. The access lists will only allow traffic from each 2950 uplink VLAN to the router VLAN.

The other way is to use PVLANs on the 4506. More details for CatOS here: http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008017631f.html#1028273 and for IOS here: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a0080186a31.html

New Member

Re: VLAN Design

Hi all,

For this design, wouldn't defining appropriate ACLs on L3 suffice? Assume for example that a single VLAN is created (10.0.0.0):

    ! deny host-to-host traffic inside 10.0.0.0/8, allow everything else (e.g. to the Internet)
    access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    access-list 101 permit ip any any

Let me know any improvements...

New Member

Re: VLAN Design

Am I right to say that configuring PVLANs on the 4506 only prevent hosts on different 2950 from talking to each other but CANNOT prevent traffic between any two ports on each individual 2950?

In short, I need to use both PVLANs and protected ports to achieve the design objective?

Another question: is it better for me to enable spanning-tree for the private VLAN or disable it? Do I need to enable spanning-tree bpduguard on the 4506's gigabit interfaces which connect to each 2950?

Thanks.

Bronze

Re: VLAN Design

Yes to the first two questions. I'll note however that prafuljaded's idea is also plausible -- this can probably be done entirely with ACLs, as the 2950s do support ACLs in a limited fashion. But I personally would go with PVLANs and protected ports.

As for Spanning Tree, the only time you really need it is if you have redundant paths between switches. In your case it sounds like each 2950 will connect to a single 4506, which will then connect to a router. So Spanning Tree won't do you any good here. Most texts recommend leaving it enabled anyway, but I tend to disable it (or lock it down to whatever extent I can via features like BPDU-guard, BPDU-filter, etc) because it can be somewhat of a security issue. A rogue host can inject Spanning Tree packets into the network and cause complete chaos. It's in line with the "disable protocols that you don't need" philosophy.
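The design the two Bronze replies describe (protected ports on every 2950 guest port with the uplink left unprotected, isolated private VLANs on the 4506 with the router on the promiscuous port, and BPDU guard on guest ports as the spanning-tree lock-down) as a configuration audit, added here as an example that is not code from the thread or from Cisco. It parses two constructed Catalyst IOS configuration fragments and reports the ports that break those properties. The VLAN numbers, port names, and the choice of a single guest VLAN with an access-mode uplink are assumptions; the PVLAN commands are the Catalyst IOS form and should be checked against the release actually in use.

```python
"""Audit constructed Catalyst IOS configs for the design in this thread:
protected ports on each 2950, isolated private VLANs on the 4506, and
BPDU guard on guest ports. Added example, not code from the thread or Cisco."""
from typing import Dict, List

# Constructed 2950 config (two of 24 guest ports shown) with a single guest
# VLAN and an access-mode uplink. Fa0/3 is deliberately left unprotected.
EDGE_2950 = """\
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 switchport protected
 spanning-tree bpduguard enable
interface FastEthernet0/3
 switchport access vlan 101
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet0/1
 description uplink to 4506
 switchport access vlan 101
 switchport mode access
"""

# Constructed 4506 config: VLAN 100 primary, 101 isolated. Gi1/1 faces a 2950,
# Gi1/48 the Internet router. Gi1/3 is deliberately a plain access port in 100.
CORE_4506 = """\
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface GigabitEthernet1/1
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface GigabitEthernet1/3
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet1/48
 description Internet router
 switchport private-vlan mapping 100 101
 switchport mode private-vlan promiscuous
"""


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' / 'vlan N' header line to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(("interface ", "vlan ")):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_edge_switch(config: str, uplink: str) -> List[str]:
    """Every port but the uplink must be protected and BPDU-guarded; the uplink
    must stay unprotected, since protected ports only forward to unprotected ones."""
    findings: List[str] = []
    for header, cmds in parse_stanzas(config).items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if name == uplink:
            if "switchport protected" in cmds:
                findings.append(f"{name}: uplink is protected, guest ports cannot reach it")
            continue
        if "switchport protected" not in cmds:
            findings.append(f"{name}: guest port not protected")
        if "spanning-tree bpduguard enable" not in cmds:
            findings.append(f"{name}: guest port accepts BPDUs")
    return findings


def audit_core_switch(config: str, router_port: str) -> List[str]:
    """Downlinks must be PVLAN host ports in an isolated secondary of a declared
    primary; the router port must be the promiscuous port."""
    stanzas = parse_stanzas(config)
    vlans = {h.split()[1]: c for h, c in stanzas.items() if h.startswith("vlan ")}
    findings: List[str] = []
    for header, cmds in stanzas.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if name == router_port:
            if "switchport mode private-vlan promiscuous" not in cmds:
                findings.append(f"{name}: router port is not promiscuous")
            continue
        assoc = [c for c in cmds if c.startswith("switchport private-vlan host-association ")]
        if "switchport mode private-vlan host" not in cmds or not assoc:
            findings.append(f"{name}: not a private-vlan host port")
            continue
        primary, secondary = assoc[0].split()[3:5]
        if "private-vlan primary" not in vlans.get(primary, []):
            findings.append(f"{name}: VLAN {primary} is not a private-vlan primary")
        if "private-vlan isolated" not in vlans.get(secondary, []):
            findings.append(f"{name}: secondary VLAN {secondary} is not isolated")
    return findings
```

`audit_edge_switch(EDGE_2950, "GigabitEthernet0/1")` reports Fa0/3 as an unprotected guest port, and `audit_core_switch(CORE_4506, "GigabitEthernet1/48")` reports Gi1/3, a plain access port sitting in the primary VLAN and therefore outside the isolation. The two checks are kept separate because, as the thread concludes, both mechanisms are needed: protected ports only stop traffic within one 2950, and the PVLAN only stops traffic between 4506 ports, so neither audit can see the other's gap.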