Solved

How to solve a routing problem between different VLANs in a layer 3 switch

Posted on 2014-03-25
Last Modified: 2014-04-01
Hi Expert

http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_28378894.html 

After the above problem was solved, I have another question about it:

In a layer 2 switch, we can separate traffic by using different VLANs. However, in a layer 3 switch, how do we keep traffic in one VLAN away from the traffic in other VLANs? I mean, I do not allow users in VLAN 10 to reach users in VLAN 20, but VLAN 10 and VLAN 20 both have to go through the layer 3 switch. Thank you.
Question by:EESky
17 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39953465
Just apply an ACL to the VLAN interfaces that restricts the VLANs from communicating with one another.
 
LVL 26

Expert Comment

by:Soulja
ID: 39953474
For example,

ip access-list extended VLAN10
deny ip any 20.20.20.0 0.0.0.255
permit ip any any

ip access-list extended VLAN20
deny ip any 10.10.10.0 0.0.0.255
permit ip any any

interface vlan 10
ip access-group VLAN10 in

interface vlan 20
ip access-group VLAN20 in
 

Author Comment

by:EESky
ID: 39953475
Thank you for your fast reply. If I have 4000 VLANs going through the layer 3 switch, I need to configure more than 4000 ACLs. Are there other ways to do that?
 
LVL 45

Accepted Solution

by:
Craig Beck earned 334 total points
ID: 39953948
Private VLANs (depending on vendor).
VRF-lite is another solution.

I'm just wondering though, why use a layer-3 switch for that many VLANs if you don't want to route?
 

Author Comment

by:EESky
ID: 39953974
Thank you for your reply. I just want to understand this special case theoretically. However, in a real network, a Catalyst 6500 does indeed need to handle a lot of VLAN traffic.
 

Author Comment

by:EESky
ID: 39954003
I think Soulja is right, but can we change these ACLs as below? This way, we can use fewer ACLs if the network has a lot of VLANs.


ip access-list extended VLAN10
permit ip any 10.10.10.0 0.0.0.255

ip access-list extended VLAN20
permit ip any 20.20.20.0 0.0.0.255

interface vlan 10
ip access-group VLAN10 in

interface vlan 20
ip access-group VLAN20 in
 
LVL 26

Expert Comment

by:Soulja
ID: 39954078
No, the ACLs you have above are not correct, and because you have them applied inbound, they are pretty much null.
 

Author Comment

by:EESky
ID: 39954096
Can you correct these commands and show them here? Thank you.
 
LVL 26

Expert Comment

by:Soulja
ID: 39954106
The way I originally posted them is the correct way.
 
LVL 26

Expert Comment

by:Soulja
ID: 39954112
If you are trying to deny a lot of VLANs and they are contiguous, you may be able to add a supernet to the ACL; otherwise you would have to enter each subnet to deny.
 

Author Comment

by:EESky
ID: 39954128
What I want is that no VLAN can communicate with any other VLAN.

Can we use a "permit" ACL to permit its own VLAN and deny other VLANs implicitly?
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 166 total points
ID: 39954168
You can't permit your own VLAN because intra-VLAN traffic would never hit the L3 VLAN interface to be filtered. It would all be layer 2 traffic.

As for restricting many VLANs from one another, the only simple way I can think of is, as craigbeck stated, using private VLANs. You would essentially create a primary VLAN and then add all of the other VLANs as community VLANs. This way the hosts within the VLANs can talk to one another, but the VLANs cannot.

The issue with private VLANs is that all the VLANs are in the subnet of the primary VLAN, so IP addressing is not very scalable. The sloppy way around it would be adding a ton of secondary addresses to the primary VLAN layer 3 interface, but I wouldn't go that route.
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 334 total points
ID: 39954391
You don't have to use a 6500 because you have lots of VLANs.  Nexus can also do this, for example.

However, my point was more to do with routing rather than a layer-3 function within a switch.  You didn't say you needed one; just that you were using one.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39956900
Here is the main question: Do these VLANs need to talk outside of the switch, or do you want them all completely isolated from anything else? If you want each VLAN to be isolated, it's easy:
access-list 101 deny ip any any

interface vlan 10
 ip access-group 101 in
interface vlan 20
 ip access-group 101 in
etc.

Now, let's say you want to allow them to talk to the internet but not to each other. If you have some kind of organization to your addressing (i.e. they are all on 10.x.x.x and the default gateway address is 10.x.x.1), all you need to do is modify the access list:
access-list 101 permit ip any 10.0.0.1 255.0.0.255
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

The above will allow your hosts to talk directly to the default gateway address (for ping or other protocols that may be needed), deny any other traffic to other VLANs, but permit all traffic not destined for other VLANs.

Note the mask on that first line, it's very important. It permits communication to 10.x.x.1 where x.x can be anything. So it actually will permit the hosts to talk to ANY of the default gateways on the switch, but that shouldn't be an issue.

If you have other address space on 10 that isn't a part of this, then you'd have to be more specific. But either way it allows you to have one access list that gets applied everywhere.
 
LVL 26

Expert Comment

by:Soulja
ID: 39956958
Hey Mike,

I think you meant

access-list 101 permit ip any 10.0.0.1 0.255.255.0

but definitely a good option.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39960201
Yep, you are correct. I had that one backwards.
 

Author Comment

by:EESky
ID: 39962412
I agree a private VLAN can work well. In addition to the private VLAN, I think the simplest way to manage so many VLANs with ACLs is the configuration below.

access-list 101 permit ip any 10.0.0.1 0.0.0.0
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
interface vlan 10
ip access-group 101 in

access-list 102 permit ip any 20.0.0.1 0.0.0.0
access-list 102 deny ip any 20.0.0.0 0.255.255.255
access-list 102 permit ip any any
interface vlan 20
ip access-group 102 in

access-list 103 permit ip any 30.0.0.1 0.0.0.0
access-list 103 deny ip any 30.0.0.0 0.255.255.255
access-list 103 permit ip any any
interface vlan 30
ip access-group 103 in

......
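An added example, not part of the original thread: a small Python model of how inbound ACLs on SVIs behave in the two designs discussed above (Soulja's one-ACL-per-VLAN layout, and mikebernhardt's single shared ACL with the 10.x.x.1 gateway wildcard, including the mask that Soulja corrected). It evaluates Cisco-style wildcard masks and first-match ACL semantics, and it models the point Soulja made about intra-VLAN traffic: hosts in the same subnet are bridged at layer 2 and never reach the SVI, so no inbound ACL applies to them. The subnets and VLAN ids for the single-ACL case (10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24) are assumptions chosen to fit the 10.x.x.1 gateway convention in that comment.

```python
import ipaddress

# Cisco-style access-control entry: (action, (src, src_wildcard), (dst, dst_wildcard)).
# Wildcard masks are inverted: a 1 bit means "don't care", so 0.0.0.255 covers a /24.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Return True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """First-match evaluation, with the implicit 'deny ip any any' every IOS ACL ends in."""
    for action, (s, swc), (d, dwc) in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


def forward(svis, acls, src_vlan, src_ip, dst_ip):
    """Model one packet sent by a host in src_vlan.

    svis maps VLAN id -> (subnet, SVI/gateway address, name of the ACL applied 'in').
    A destination in the same subnet (other than the gateway itself) is bridged at
    layer 2 and never reaches the SVI, so no ACL is consulted. Everything else is
    routed and is filtered by the inbound ACL of the source VLAN's SVI.
    """
    subnet, gateway, acl_name = svis[src_vlan]
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(subnet) and dst_ip != gateway:
        return "switched"
    return evaluate(acls[acl_name], src_ip, dst_ip)


# Soulja's layout: one ACL per SVI, each denying the other VLAN's subnet.
SOULJA_SVIS = {10: ("10.10.10.0/24", "10.10.10.1", "VLAN10"),
               20: ("20.20.20.0/24", "20.20.20.1", "VLAN20")}
SOULJA_ACLS = {
    "VLAN10": [("deny", ANY, ("20.20.20.0", "0.0.0.255")), ("permit", ANY, ANY)],
    "VLAN20": [("deny", ANY, ("10.10.10.0", "0.0.0.255")), ("permit", ANY, ANY)],
}

# mikebernhardt's layout: all VLANs inside 10/8 with gateways at 10.x.x.1 and one
# shared ACL 101 applied inbound on every SVI. Subnets and VLAN ids are assumed here.
MIKE_SVIS = {10: ("10.10.0.0/24", "10.10.0.1", "101"),
             20: ("10.20.0.0/24", "10.20.0.1", "101"),
             30: ("10.30.0.0/24", "10.30.0.1", "101")}
MIKE_ACL = [
    ("permit", ANY, ("10.0.0.1", "0.255.255.0")),    # any gateway 10.x.x.1 (corrected mask)
    ("deny",   ANY, ("10.0.0.0", "0.255.255.255")),  # everything else inside 10/8
    ("permit", ANY, ANY),                            # off-switch traffic, e.g. the internet
]
# The mask as first posted, 255.0.0.255, cares about the middle two octets instead,
# so it matches x.0.0.y rather than 10.x.x.1.
MIKE_ACL_WRONG = [("permit", ANY, ("10.0.0.1", "255.0.0.255"))] + MIKE_ACL[1:]


if __name__ == "__main__":
    print("two-ACL design, vlan10 -> vlan20 host:", forward(SOULJA_SVIS, SOULJA_ACLS, 10, "10.10.10.5", "20.20.20.5"))
    print("two-ACL design, vlan10 -> vlan10 host:", forward(SOULJA_SVIS, SOULJA_ACLS, 10, "10.10.10.5", "10.10.10.6"))
    acls = {"101": MIKE_ACL}
    print("shared ACL, vlan10 -> vlan20 host:    ", forward(MIKE_SVIS, acls, 10, "10.10.0.5", "10.20.0.5"))
    print("shared ACL, vlan10 -> own gateway:    ", forward(MIKE_SVIS, acls, 10, "10.10.0.5", "10.10.0.1"))
    print("shared ACL, vlan10 -> internet:       ", forward(MIKE_SVIS, acls, 10, "10.10.0.5", "192.0.2.10"))
    print("wrong mask, vlan10 -> own gateway:    ", forward(MIKE_SVIS, {"101": MIKE_ACL_WRONG}, 10, "10.10.0.5", "10.10.0.1"))
```

Running it shows why the direction and the mask matter: in both designs inter-VLAN traffic is dropped at the source SVI while intra-VLAN traffic is simply switched, and with the originally posted 255.0.0.255 mask a host can no longer reach its own 10.x.x.1 gateway, because the permit line only matches addresses of the form x.0.0.y.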