  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1124

Cisco 4500E Intervlan ACL

Hi, I have a Cisco 4500-E, with a Supervisor 7E card installed behind an ASA 5520.  The 4500 is acting as the primary gateway for dozens of subnets, which is then routed over a cross-connect network with the ASA, then out to the internet.

I am trying to do the same with our DMZ networks, having them on the 4500, with SVIs as gateways similar to the user networks; however, I'm trying to figure out the best approach to controlling traffic between them.

VACLs, router ACLs? I've read about zone-based firewall in IOS, however the 4500 doesn't seem to support this.

Any recommendations? I don't want to have 15 ACEs per router ACL, as this doesn't look efficient or manageable.

Thank you!
Asked by dkattan

1 Solution
DanJ commented:
RACL and VACL have a similar format.
RACL is applied to the traffic routed by the switch and is either inbound or outbound.
VACL is applied to the traffic within a VLAN. Essentially, if you apply this for a VLAN, the traffic entering the switch on a port from this VLAN is subject to inspection. The same thing is valid for traffic that exits the switch. VACL is directionless and is applied at the entry (inbound port) and at the exit (outbound port).

You can even combine them; the order of operation is VACL for the entry port, RACL, VACL for the exit port. One major difference is that VACL can do matching on Layer 2 info, which RACL can't.

602650528 commented:
Hi dkattan,
My understanding of the problem is that you have a separation of the DMZ networks already at layer 2 (this is achieved using VLANs). The problem is at layer 3 (SVI interfaces).
One of the ways to separate and control layer 3 traffic is using VRF-lite. When you place the different SVIs (gateways to different DMZs) into different VRFs on the 4500 switch, you have a complete separation of the traffic at layer 3, and you also have finer control over routes between the different VRFs by leaking just the exact routes you want in between the VRFs. I think this is scalable and you have complete control over the inter-VRF routes. Let me know if you require the details of this design.
dkattan (Author) commented:
Hi, do you have some examples I can work from on the VRF-lite approach? I'm seeing a lot on the internet about its use in MPLS, but may need some guidance on using it in our environment.

Thank you
602650528 commented:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/vrf.html#wp1045190

If you look at the link above, this is exactly what you want to achieve, just ignore the PE part.
Below are further examples of VRF-lite

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

http://www.networkers-online.com/blog/2009/02/vrf-lite/

It appears to me you are really keen on knowing the technology, hence I haven't gone ahead to post the config for your situation here. Try and figure it out after reading what I have sent you, and then I can help with the configuration if you want.

cheers
dkattan (Author) commented:
Okay, I have 2 VRFs set up, one for internal networks, one for DMZ. The etherchannel subinterfaces going to the ASA now have 2 xconnect networks. I'm having trouble leaking routes from the internal to the DMZ network on the L3 switch in an attempt to avoid processing through the ASA. Any suggestions?
602650528 commented:
In this example, I have got two networks, VLAN 100 and VLAN 300, set up with VRFs cisco10 and cisco30 respectively. Clients in VLAN 100 are connected to interfaces f1/1 and f1/2, while clients in VLAN 300 are connected to interface f1/3. The BGP protocol only exists on this switch and has no neighbourship with anyone; it is only used for the purpose of route leaking. Loopback 0 is only used for the BGP router ID.

!
ip vrf cisco10
 rd 10:10
 route-target export 10:10
 route-target import 10:10
 !
ip vrf cisco30
 rd 30:30
 route-target export 30:30
 route-target import 30:30
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
!
interface FastEthernet1/1
 switchport access vlan 100
!
interface FastEthernet1/2
 switchport access vlan 100
!
interface FastEthernet1/3
 switchport access vlan 300
!
interface Vlan100
 ip vrf forwarding cisco10
 ip address 10.10.10.1 255.255.255.0
!
!
interface Vlan300
 ip vrf forwarding cisco30
 ip address 10.30.30.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf cisco30
 redistribute connected
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cisco10
 redistribute connected
 no synchronization
 exit-address-family
!
!

Now, if you want to leak routes between VLANs 100 and 300, you need to import that particular route (they are already exported from their respective VRFs anyway) into the other VRF.

!
ip vrf cisco10
 route-target import 30:30
!
ip vrf cisco30
 route-target import 10:10
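As an added check, not code from the thread or its participants: a small Python script that parses `ip vrf` stanzas like the ones above and works out which VRFs can actually see each other's routes once import lines are added. The sample config is constructed here; it adds only the cisco10 import from the answer, plus a hypothetical `mgmt` VRF using the `both` keyword, to show that a single import leaks routes in one direction only.

```python
import re

# Constructed sample (not posted by the thread's author): the two VRFs from the
# thread with only the cisco10 import added, plus a hypothetical mgmt VRF.
SAMPLE_CONFIG = """
ip vrf cisco10
 rd 10:10
 route-target export 10:10
 route-target import 10:10
 route-target import 30:30
!
ip vrf cisco30
 rd 30:30
 route-target export 30:30
 route-target import 30:30
!
ip vrf mgmt
 rd 99:99
 route-target both 99:99
!
"""

def parse_vrfs(config):
    """Return {vrf: {"export": set_of_rts, "import": set_of_rts}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^ip vrf (\S+)", line)
        if head:
            current = head.group(1)
            vrfs[current] = {"export": set(), "import": set()}
            continue
        if not line.startswith(" "):  # '!' or any other top-level line ends the stanza
            current = None
        rt = re.match(r"^\s+route-target (export|import|both) (\S+)", line)
        if current and rt:
            kind, value = rt.groups()
            for k in (("export", "import") if kind == "both" else (kind,)):
                vrfs[current][k].add(value)
    return vrfs

def leak_matrix(vrfs):
    """For each VRF, the set of *other* VRFs whose routes it can learn:
    B's routes land in A whenever A imports a route-target that B exports."""
    return {dst: {src for src in vrfs
                  if src != dst and vrfs[dst]["import"] & vrfs[src]["export"]}
            for dst in vrfs}

if __name__ == "__main__":
    for vrf, sources in sorted(leak_matrix(parse_vrfs(SAMPLE_CONFIG)).items()):
        print(f"{vrf}: learns routes from {sorted(sources) or 'nobody'}")
```

Running it against a saved `show running-config` confirms whether the leak is one-way (only the importing VRF sees the other side) or mutual, which is the difference between the first and second `route-target import` lines in the answer above.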
dkattan (Author) commented:
Thanks for the info. Is there a way to do the leaking without BGP? I don't think I have the feature:

isc-core(config)#router bgp 1
Protocol not in this image

Any ideas on this?
602650528 commented:
If the route leaking is between the global routing table and a VRF, this can be done without BGP. Please see the link below.

http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

Although a guy claims he was able to route between 2 VRFs without BGP, I doubt it, as I tried it before and it didn't work. See the guy's work...

http://playingwithnetworks.blogspot.com/2009/04/en-route-leaking-or-inter-vrf-routing.html

cheers