Solved

How to solve a routing problem between different VLANs in a layer 3 switch

Posted on 2014-03-25
17
417 Views
Last Modified: 2014-04-01
Hi Expert

http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_28378894.html  

After the above problem was solved, I have another question about it:

In a layer 2 switch, we can separate traffic through different VLANs. However, in a layer 3 switch, how do we keep traffic in one VLAN away from the traffic in another VLAN? I mean, I do not want to allow users in VLAN 10 to reach users in VLAN 20, but VLAN 10 and VLAN 20 have to go through the layer 3 switch. Thank you.
Question by:EESky
17 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39953465
Just apply an ACL to the vlan interfaces that would restrict the vlan from communicating to one another.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39953474
For example,

ip access-list extended VLAN10
deny ip any 20.20.20.0 0.0.0.255
permit ip any any

ip access-list extended VLAN20
deny ip any 10.10.10.0 0.0.0.255
permit ip any any

interface vlan 10
ip access-group VLAN10 in

interface vlan 20
ip access-group VLAN20 in
0
 

Author Comment

by:EESky
ID: 39953475
Thank you for your fast reply. If I have 4000 VLANs going through the layer 3 switch, I need to configure more than 4000 ACLs. Are there other ways to do that?
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 334 total points
ID: 39953948
Private VLANs (depending on vendor).
VRF-lite is another solution.

I'm just wondering though, why use a layer-3 switch for that many VLANs if you don't want to route?
0
 

Author Comment

by:EESky
ID: 39953974
Thank you for the reply. I just want to know about the special case theoretically. However, in a real network, a Catalyst 6500 does indeed need to handle a lot of VLAN traffic.
0
 

Author Comment

by:EESky
ID: 39954003
I think Soulja is right, but can we change these ACLs as below? This way, we can use fewer ACLs if the network has a lot of VLANs.


ip access-list extended VLAN10
permit ip any 10.10.10.0 0.0.0.255

ip access-list extended VLAN20
permit ip any 20.20.20.0 0.0.0.255

interface vlan 10
ip access-group VLAN10 in

interface vlan 20
ip access-group VLAN20 in
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39954078
No, the ACLs you have above are not correct, and because you have them applied inbound, they are pretty much null.
0
 

Author Comment

by:EESky
ID: 39954096
Can you correct these commands and show them here? Thank you.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39954106
The way I originally posted them is the correct way.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39954112
If you are trying to deny a lot of VLANs and they are contiguous, you may be able to add a supernet in the ACL; otherwise you would have to enter each subnet to deny.
0
 

Author Comment

by:EESky
ID: 39954128
What I want is that any VLAN cannot communicate with any other VLAN.

Can we use a "permit" ACL to permit its own VLAN and deny other VLANs implicitly?
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 166 total points
ID: 39954168
You can't permit your own VLAN because intra-VLAN traffic would never hit the L3 VLAN interface to be filtered. It would all be layer 2 traffic.

As for restricting many VLANs from one another, the only simple way I can think of is, as craigbeck stated, using private VLANs. You would essentially create a primary VLAN and then add all of the other VLANs as community VLANs. This way the hosts within the VLANs can talk to one another, but the VLANs cannot.

The issue with private VLANs is that all the VLANs are in the subnet of the primary VLAN, so IP addressing is not very scalable. The sloppy way around it would be adding a ton of secondary addresses to the primary VLAN layer 3 interface, but I wouldn't go that route.
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 334 total points
ID: 39954391
You don't have to use a 6500 because you have lots of VLANs.  Nexus can also do this, for example.

However, my point was more to do with routing rather than a layer-3 function within a switch.  You didn't say you needed one; just that you were using one.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39956900
Here is the main question: Do these VLANs need to talk outside of the switch, or do you want them all completely isolated from anything else? If you want each vlan to be isolated, it's easy:
access-list 101 deny ip any any

interface vlan 10
 ip access-group 101 in
interface vlan 20
 ip access-group 101 in
etc.

Now, let's say you want to allow them to talk to the internet but not to each other. If you have some kind of organization to your addressing (i.e. they are all on 10.x.x.x and the default gateway address is 10.x.x.1) all you need to do is modify the access list:
access-list 101 permit ip any 10.0.0.1 255.0.0.255
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

The above will allow your hosts to talk directly to the default gateway address (for ping or other protocols that may be needed), deny any other traffic to other VLANs, but permit all traffic not destined for other VLANs.

Note the mask on that first line, it's very important. It permits communication to 10.x.x.1 where x.x can be anything. So it actually will permit the hosts to talk to ANY of the default gateways on the switch, but that shouldn't be an issue.

If you have other address space on 10 that isn't a part of this, then you'd have to be more specific. But either way it allows you to have one access list that gets applied everywhere.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39956958
Hey Mike,

I think you meant

access-list 101 permit ip any 10.0.0.1 0.255.255.0

but definitely a good option.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39960201
Yep, you are correct. I had that one backwards.
0
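An added example, not posted by anyone in the thread: a small Python evaluator for Cisco-style wildcard masks, used to check what access-list 101 above does with the original 255.0.0.255 mask versus Soulja's corrected 0.255.255.0. The destination addresses (10.20.0.5, 10.20.0.1, 10.0.0.200, 8.8.8.8) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass
class Ace:
    action: str    # "permit" or "deny"
    dst: int       # destination address from the entry
    wildcard: int  # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, dst_ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (dst_ip & care) == (self.dst & care)

def parse_acl(lines):
    """Parse 'access-list N <permit|deny> ip any <dst> [wildcard]' lines.
    Only the destination is evaluated; every entry in the thread uses source 'any'."""
    acl = []
    for line in lines:
        p = line.split()
        action, dst = p[2], p[5]
        if dst == "any":
            dst, wild = "0.0.0.0", "255.255.255.255"
        else:
            wild = p[6] if len(p) > 6 else "0.0.0.0"   # no wildcard = host match
        acl.append(Ace(action, _ip(dst), _ip(wild)))
    return acl

def evaluate(acl, dst_ip: str) -> str:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    d = _ip(dst_ip)
    for ace in acl:
        if ace.matches(d):
            return ace.action
    return "deny"

# Constructed sample ACLs: Soulja's corrected wildcard, and the original "backwards" mask.
CORRECTED = parse_acl([
    "access-list 101 permit ip any 10.0.0.1 0.255.255.0",
    "access-list 101 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
])
BACKWARDS = parse_acl([
    "access-list 101 permit ip any 10.0.0.1 255.0.0.255",
    "access-list 101 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
])
```

With the corrected mask, traffic to another VLAN's hosts is denied, traffic to any 10.x.x.1 gateway and to the outside is permitted; with the backwards mask the gateway 10.20.0.1 is denied while a host like 10.0.0.200 slips through.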
 

Author Comment

by:EESky
ID: 39962412
I agree a private VLAN can work well. In addition to the private VLAN, I think the simplest way to manage so many VLANs with ACLs is the configuration below.

access-list 101 permit ip any 10.0.0.1 0.0.0.0
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
interface vlan 10
ip access-group 101 in

access-list 102 permit ip any 20.0.0.1 0.0.0.0
access-list 102 deny ip any 20.0.0.0 0.255.255.255
access-list 102 permit ip any any
interface vlan 20
ip access-group 102 in

access-list 103 permit ip any 30.0.0.1 0.0.0.0
access-list 103 deny ip any 30.0.0.0 0.255.255.255
access-list 103 permit ip any any
interface vlan 30
ip access-group 103 in

......
0
