
Cisco 4500E Intervlan ACL

Last Modified: 2012-05-11
Hi, I have a Cisco 4500-E with a Supervisor 7E card installed behind an ASA 5520. The 4500 is acting as the primary gateway for dozens of subnets, which are then routed over a cross-connect network with the ASA, then out to the internet.

I am trying to do the same with our DMZ networks, having them on the 4500 with SVIs as gateways, similar to the user networks; however, I'm trying to figure out the best approach to controlling traffic between them.

VACLs, router ACLs? I've read about zone-based firewall in IOS, however the 4500 doesn't seem to support this.

Any recommendations? I don't want to have 15 ACEs per router ACL as this doesn't look efficient and manageable.

Thank you!

Commented:
RACLs and VACLs have a similar format.
A RACL is applied to traffic routed by the switch and is either inbound or outbound.
A VACL is applied to traffic within a VLAN. Essentially, if you apply one to a VLAN, traffic entering the switch on a port in that VLAN is subject to inspection. The same is true for traffic that exits the switch. A VACL is directionless and is applied at the entry (inbound port) and at the exit (outbound port).

You can even combine them; the order of operation is VACL at the entry port, RACL, VACL at the exit port. One major difference is that a VACL can match on Layer 2 information, which a RACL can't.
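To make the RACL/VACL distinction above concrete, here is an added configuration example (not from this thread, and not the poster's config) for a DMZ VLAN on a Catalyst. The VLAN numbers, the 10.10.10.0/24 and 10.30.30.0/24 subnets, and the web and DNS host addresses are assumptions. The RACL on the SVI only ever sees packets that are routed; the VACL on the VLAN also sees traffic bridged between two DMZ hosts, which the SVI never touches.

```cisco
! Added example, not from the thread. Assumed: DMZ VLAN 300 with SVI 10.30.30.1/24,
! user VLAN 100 at 10.10.10.0/24, a DMZ web server 10.30.30.10 and a DMZ DNS 10.30.30.53.
!
! --- RACL: routed traffic only, direction is relative to the SVI ---
! "in" on Vlan300 = packets sourced by DMZ hosts entering the switch to be routed.
! A RACL is stateless: replies to user-initiated sessions need "established"
! (a TCP flag check, not connection tracking like the ASA does).
ip access-list extended DMZ-IN
 permit tcp 10.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 deny   ip  10.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip  10.30.30.0 0.0.0.255 any
!
interface Vlan300
 ip address 10.30.30.1 255.255.255.0
 ip access-group DMZ-IN in
!
! --- VACL: every packet in VLAN 300, bridged or routed, no direction ---
! Host-to-host traffic inside the DMZ never reaches the SVI, so the RACL above
! cannot see it; the VACL can. The permit lines of each "match" ACL select
! packets and "action" decides their fate. An IP packet that matches no
! sequence is dropped, hence the final catch-all forward.
ip access-list extended DMZ-LATERAL-ALLOWED
 remark web server may query the DMZ DNS; no other lateral traffic
 permit udp host 10.30.30.10 host 10.30.30.53 eq 53
 permit udp host 10.30.30.53 eq 53 host 10.30.30.10
ip access-list extended DMZ-LATERAL
 permit ip 10.30.30.0 0.0.0.255 10.30.30.0 0.0.0.255
!
vlan access-map DMZ-VACL 10
 match ip address DMZ-LATERAL-ALLOWED
 action forward
vlan access-map DMZ-VACL 20
 match ip address DMZ-LATERAL
 action drop
vlan access-map DMZ-VACL 30
 action forward
!
vlan filter DMZ-VACL vlan-list 300
```

Note the order of operations from the comment above: a packet from a user VLAN to the DMZ web server is checked by the VACL of VLAN 100 on entry, then the RACL (none on that direction here), then the VACL of VLAN 300 on exit, where sequence 20 does not match because the source is outside 10.30.30.0/24 and sequence 30 forwards it.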

Commented:
Hi dkattan,
My understanding of the problem is that you have a separation of the DMZ networks already at layer 2 (this is achieved using VLANs). The problem is at layer 3 (SVI interfaces).
One of the ways to separate and control layer 3 traffic is using VRF-lite. When you place the different SVIs (gateways to different DMZs) into different VRFs on the 4500 switch, you have a complete separation of the traffic at layer 3, and you also have finer control over routes between the different VRFs by leaking just the exact routes you want in between the VRFs. I think this is scalable and you have complete control over the inter-VRF routes. Let me know if you require the details of this design.
Darren Kattan, IT Consultant (Author) commented:
Hi, Do you have some examples I can work from on the VRF-lite approach? I'm seeing a lot on the internet about its use in MPLS, but may need some guidance on using it in our environment.

Thank you

Commented:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/vrf.html#wp1045190

If you look at the link above, this is exactly what you want to achieve, just ignore the PE part.
Below are further examples of VRF-lite

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

http://www.networkers-online.com/blog/2009/02/vrf-lite/

It appears to me you are really keen on knowing the technology, hence I haven't gone ahead and posted the config for your situation here. Try and figure it out after reading what I have sent you, and then I can help with the configuration if you want.

cheers
Darren Kattan, IT Consultant (Author) commented:
Okay, I have 2 VRFs set up, one for internal networks, one for DMZ. The etherchannel subinterfaces going to the ASA now have 2 xconnect networks. I'm having trouble leaking routes from the internal to the DMZ network on the L3 switch in an attempt to avoid processing through the ASA. Any suggestions?

Commented:
In this example, I have two networks, VLAN 100 and VLAN 300, set up with VRFs cisco10 and cisco30 respectively. Clients in VLAN 100 are connected to interfaces f1/1 and f1/2, while clients in VLAN 300 are connected to interface f1/3. The BGP process only exists on this switch and has no neighbourship with anyone; it is only used for the purpose of route leaking. Loopback 0 is only used for the BGP router ID.

!
! Two VRFs; exporting and importing the same route-target keeps each VRF's
! own routes in its own table until a second import is added
ip vrf cisco10
 rd 10:10
 route-target export 10:10
 route-target import 10:10
!
ip vrf cisco30
 rd 30:30
 route-target export 30:30
 route-target import 30:30
!
! Loopback only supplies the BGP router ID
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/1
 switchport access vlan 100
!
interface FastEthernet1/2
 switchport access vlan 100
!
interface FastEthernet1/3
 switchport access vlan 300
!
! Each SVI is placed into its VRF
interface Vlan100
 ip vrf forwarding cisco10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan300
 ip vrf forwarding cisco30
 ip address 10.30.30.1 255.255.255.0
!
! BGP has no neighbours; it only carries the connected routes between VRFs
router bgp 1
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf cisco30
  redistribute connected
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cisco10
  redistribute connected
  no synchronization
 exit-address-family
!

Now, if you want to leak routes between VLANs 100 and 300, you need to import that particular route (they are already exported from their respective VRFs anyway) into the other VRF.

!
ip vrf cisco10
 route-target import 30:30
!
ip vrf cisco30
 route-target import 10:10
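The configuration just posted leaks every connected route in both directions. The earlier VRF-lite answer's point was leaking "just the exact routes you want", and the question describes an internal VRF, a DMZ VRF and two cross-connect subinterfaces to the ASA. The following added example (not from this thread, not the poster's running config) puts those together: an import map restricts the leak to one prefix per direction, each VRF keeps its own default route to the ASA for everything else, and a RACL on the DMZ SVI restores the policy the ASA is no longer seeing on the leaked path. VRF names INTERNAL/DMZ, VLANs 100/300, the 172.16.1.0/30 and 172.16.2.0/30 cross-connects, the admin subnet 10.10.10.0/24 and TCP port 514 are all assumptions.

```cisco
! Added example, not from the thread. Assumed: VRF INTERNAL holds the user VLANs
! (Vlan100 = 10.10.10.0/24 is the admin subnet), VRF DMZ holds Vlan300
! (10.30.30.0/24), Port-channel1 carries one tagged subinterface per VRF to the
! ASA, and the ASA is .2 on each /30.
!
ip vrf INTERNAL
 rd 10:10
 route-target export 10:10
 route-target import 10:10
 route-target import 30:30
 import map LEAK-FROM-DMZ
!
ip vrf DMZ
 rd 30:30
 route-target export 30:30
 route-target import 30:30
 route-target import 10:10
 import map LEAK-FROM-INTERNAL
!
! The import maps decide what is actually leaked. "route-target import 10:10" on
! its own would pull every INTERNAL prefix into DMZ; the map narrows it to the
! admin subnet. Both directions must leak: if only DMZ learned the admin subnet,
! the return traffic would follow INTERNAL's default route to the ASA, which
! has no state for the session and drops it.
ip prefix-list ADMIN-SUBNET seq 5 permit 10.10.10.0/24
ip prefix-list DMZ-SUBNET seq 5 permit 10.30.30.0/24
route-map LEAK-FROM-INTERNAL permit 10
 match ip address prefix-list ADMIN-SUBNET
route-map LEAK-FROM-DMZ permit 10
 match ip address prefix-list DMZ-SUBNET
!
! One cross-connect subinterface to the ASA per VRF
interface Port-channel1.101
 encapsulation dot1Q 101
 ip vrf forwarding INTERNAL
 ip address 172.16.1.1 255.255.255.252
interface Port-channel1.102
 encapsulation dot1Q 102
 ip vrf forwarding DMZ
 ip address 172.16.2.1 255.255.255.252
!
interface Vlan100
 ip vrf forwarding INTERNAL
 ip address 10.10.10.1 255.255.255.0
interface Vlan300
 ip vrf forwarding DMZ
 ip address 10.30.30.1 255.255.255.0
 ip access-group DMZ-IN in
!
! Everything that is not leaked still goes through the ASA
ip route vrf INTERNAL 0.0.0.0 0.0.0.0 172.16.1.2
ip route vrf DMZ 0.0.0.0 0.0.0.0 172.16.2.2
!
! BGP only exists to carry the route-targets; no neighbours
router bgp 1
 bgp router-id 1.1.1.1
 address-family ipv4 vrf INTERNAL
  redistribute connected
 exit-address-family
 address-family ipv4 vrf DMZ
  redistribute connected
 exit-address-family
!
! The leaked path never touches the ASA, so the DMZ-to-admin policy lives here.
! "established" lets replies to admin-initiated sessions back out; it is only a
! TCP flag check, not the ASA's connection tracking, and covers nothing but TCP.
ip access-list extended DMZ-IN
 permit tcp 10.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit tcp 10.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 514
 deny   ip  10.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip  10.30.30.0 0.0.0.255 any
```

After applying this, `show ip route vrf DMZ` should list 10.10.10.0/24 as a BGP route and no other INTERNAL prefix, and `show ip route vrf INTERNAL` should show only 10.30.30.0/24 from DMZ; if a prefix you did not intend to leak appears, the import map, not the route-target, is the place to look.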
Darren Kattan, IT Consultant (Author) commented:
Thanks for the info. Is there a way to do the leaking without BGP? I don't think I have the feature:

isc-core(config)#router bgp 1
Protocol not in this image

Any ideas on this?