EESky
How to solve a routing problem between different VLANs in a layer 3 switch

Hi Expert

https://www.experts-exchange.com/questions/28378894/Question-about-Vlan-connection-in-Layer-2-switch.html 

After the above problem was solved, I have another question about it:

In a layer 2 switch, we can separate different traffic through different VLANs. However, in a layer 3 switch, how do I keep traffic in one VLAN away from the traffic in other VLANs? I mean, I do not want users in VLAN 10 to reach users in VLAN 20, but VLAN 10 and VLAN 20 have to go through the layer 3 switch. Thank you.
Soulja

Just apply an ACL to the VLAN interfaces that would restrict the VLANs from communicating with one another.
For example,

ip access-list extended VLAN10
deny ip any 20.20.20.0 0.0.0.255
permit ip any any

ip access-list extended VLAN20
deny ip any 10.10.10.0 0.0.0.255
permit ip any any

interface vlan 10
ip access-group VLAN10 in

interface vlan 20
ip access-group VLAN20 in
EESky

ASKER

Thank you for your fast reply. If I have 4000 VLANs going through the layer 3 switch, I need to configure more than 4000 ACLs. Are there other ways to do that?
ASKER CERTIFIED SOLUTION
Craig Beck
EESky

ASKER

Thank you for the reply. I just want to know about the special case theoretically. However, in a real network, a Catalyst 6500 does indeed need to handle a lot of VLAN traffic.
EESky

ASKER

I think Soulja is right, but can we change these ACLs like below? This way, we can use fewer ACLs if the network has a lot of VLANs.


ip access-list extended VLAN10
permit ip any 10.10.10.0 0.0.0.255

ip access-list extended VLAN20
permit ip any 20.20.20.0 0.0.0.255

interface vlan 10
ip access-group VLAN10 in

interface vlan 20
ip access-group VLAN20 in
No, the ACLs you have above are not correct, and because you have them applied inbound, they are pretty much null.
EESky

ASKER

Can you correct these commands and show them here? Thank you.
The way I originally posted them is the correct way.
If you are trying to deny a lot of VLANs and they are contiguous, you may be able to add a supernet in the ACL; otherwise you would have to enter each subnet to deny.
EESky

ASKER

What I want is that any VLAN cannot communicate with any different VLAN.

Can we use a "permit" ACL to permit its own VLAN and deny other VLANs implicitly?
Here is the main question: Do these VLANs need to talk outside of the switch, or do you want them all completely isolated from anything else? If you want each vlan to be isolated, it's easy:
access-list 101 deny ip any any

interface vlan 10
 ip access-group 101 in
interface vlan 20
 ip access-group 101 in
etc.

Now, let's say you want to allow them to talk to the internet but not to each other. If you have some kind of organization to your addressing (i.e. they are all on 10.x.x.x and the default gateway address is 10.x.x.1) all you need to do is modify the access list:
access-list 101 permit ip any 10.0.0.1 255.0.0.255
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

The above will allow your hosts to talk directly to the default gateway address (for ping or other protocols that may be needed), deny any other traffic to other VLANs, but permit all traffic not destined for other VLANs.

Note the mask on that first line; it's very important. It permits communication to 10.x.x.1 where x.x can be anything. So it actually will permit the hosts to talk to ANY of the default gateways on the switch, but that shouldn't be an issue.

If you have other address space on 10 that isn't a part of this, then you'd have to be more specific. But either way it allows you to have one access list that gets applied everywhere.
Hey Mike,

I think you meant

access-list 101 permit ip any 10.0.0.1 0.255.255.0

but definitely a good option.
Yep, you are correct. I had that one backwards.
EESky

ASKER

I agree a private VLAN can work well. In addition to the private VLAN, I think the simplest way to manage so many VLANs with ACLs is the configuration below.

access-list 101 permit ip any 10.0.0.1 0.0.0.0
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
interface vlan 10
ip access-group 101 in

access-list 102 permit ip any 20.0.0.1 0.0.0.0
access-list 102 deny ip any 20.0.0.0 0.255.255.255
access-list 102 permit ip any any
interface vlan 20
ip access-group 102 in

access-list 103 permit ip any 30.0.0.1 0.0.0.0
access-list 103 deny ip any 30.0.0.0 0.255.255.255
access-list 103 permit ip any any
interface vlan 30
ip access-group 103 in

......
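As an added illustration (not code from any poster in this thread): a small constructed Python evaluator for Cisco-style extended ACL entries that applies the wildcard-mask and first-match rules to the ACLs discussed above. It shows why Craig's corrected mask 0.255.255.0 permits every 10.x.x.1 gateway while the original 255.0.0.255 does not, and how Soulja's per-VLAN deny entry behaves; the host and gateway addresses in the sample flows are constructed.

```python
import ipaddress

# Constructed evaluator for Cisco-style extended IP ACL entries ("permit/deny ip SRC DST",
# where SRC/DST is "any" or "A.B.C.D WILDCARD"); only the 'ip' protocol is modelled.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr_spec(tokens):
    # Consume one address spec; return ((base, wildcard), remaining tokens).
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":        # numbered form: "access-list 101 permit ip ..."
        tokens = tokens[2:]
    action = tokens[0]                    # tokens[1] is the protocol keyword 'ip'
    src, tokens = _addr_spec(tokens[2:])
    dst, _ = _addr_spec(tokens)
    return action, src, dst

def evaluate(acl, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Mike's single ACL for every SVI, with the mask Craig corrected (0.255.255.0 on
# 10.0.0.1 matches every 10.x.x.1 gateway), plus the original 255.0.0.255 for comparison.
SHARED_ACL = ["access-list 101 permit ip any 10.0.0.1 0.255.255.0",
              "access-list 101 deny ip any 10.0.0.0 0.255.255.255",
              "access-list 101 permit ip any any"]
TYPO_ACL = ["access-list 101 permit ip any 10.0.0.1 255.0.0.255"] + SHARED_ACL[1:]

# Constructed sample flows from a host in VLAN 10 (10.10.0.5), as seen inbound on its SVI.
FLOWS = {"own gateway": ("10.10.0.5", "10.10.0.1"),
         "host in VLAN 20": ("10.10.0.5", "10.20.0.7"),
         "VLAN 20 gateway": ("10.10.0.5", "10.20.0.1"),
         "internet": ("10.10.0.5", "203.0.113.9")}

def check_flows(acl, flows=FLOWS):
    # Map each flow name to the ACL verdict, 'permit' or 'deny'.
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}
```

Running `check_flows(TYPO_ACL)` shows the host denied even to its own gateway, which is the effect of the mask Craig pointed out.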