bominthu

Restrict Guest Vlan to internal network

Hi Experts

I have a customer that has an existing router and data Vlans. The switch is a Cisco Linksys SG500 Layer 3 switch.
They want to add one more restricted Guest Vlan, and the following is their setup.

Existing setup
Main Router IP - 192.168.0.1/24
Switch: Data Vlan1 - 192.168.0.0/24 and Vlan 2: 172.16.0.0/24 (Vlan 1 and 2 can talk to each other)

Requirement
Add one more Guest Vlan as 10.0.0.0/24 .
Since it is a layer 3 switch, I can add 10.0.0.0/24 as Vlan 3 to their existing network and it can go to the internet, but how can I restrict Vlan 3 (Guest) to deny access to Vlan 1 and 2?
If I create an access-list for Vlan 3 that denies access to 192.168.0.0, it won't be able to go to the internet.
And they cannot change their existing Data Vlan 1 network subnet.
How to make this work? Any suggestion?

Thanks
Don Johnston

If I create access-list for Vlan 3 that deny access to 192.168.0.0, it won't be able to go to internet.
Sure they can.  The new VLAN doesn't have to go through the 192.168.0.0 network to get to the internet.
bominthu (asker)

In my case, it can't. Example (brief):

Main Router IP - 192.168.0.1/24

Switch: Data Vlan1 - 192.168.0.2 and Vlan 2: 172.16.0.0/24
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

So Vlan 3 10.0.0.0/24 has to go through 192.168.0.2, right? If I deny 10.0.0.0/24 to 192.168.0.0/24 (Data), it can't ping the router gateway anymore.
Vlan 3 10.0.0.0/24 has to go through 192.168.0.2, right?
No.

You have four interfaces.
1 - VLAN 1 192.168.0.1/24
2 - VLAN 2 172.16.0.1/24
3 - VLAN 3 10.0.0.1/24
4 - Internet (with a public IP address)

Traffic coming in from VLAN 3 doesn't have to go through VLAN 1 to get to the internet (just like it also doesn't have to go through VLAN 2 to get to the internet). It has to go through the router, and then it exits the internet interface. It never goes near VLAN 1. The only reason it would is if the internet connection was on another router that was connected to the 192.168.0.0 network.
When you are filtering traffic - this is denied, and this is allowed - you don't do that on the basis of which router your traffic flows through; traffic is filtered by destination address and source address.
So, if you block traffic to a VLAN that is in between the internet and another VLAN, it will simply go through that VLAN (if that is how the network is designed), since the destination IP address is an internet address, not a local address.
Hi both

My customer's router IP and Vlan 1 network subnet are the same.
As I mentioned above, the router LAN IP is 192.168.0.1 and the Vlan 1 subnet in the switch is 192.168.0.0/24.

If I set an access-list in the switch to deny the Guest vlan going to 192.168.0.0/24, it will not get to the internet, as the default route is 192.168.0.1.

So how to block the Guest Vlan going to 192.168.0.*?
Two things:
1) Maybe I'm missing something. Can you post a topology diagram?  I still don't see the problem.
2) As Predrag states, the network that your traffic is going through is irrelevant. The only thing that matters is the source address and the destination address. Those are the only addresses that matter when you are filtering traffic with an ACL. Whether your traffic is going through a denied network makes no difference at all, since the denied network does not appear as the destination.
Hi both

I have just set up the topology in a Packet Tracer lab. I have also attached the Router and Switch config.
Could you help me check where it is wrong?

The objective is that the Router LAN must remain the same 192.168.0.1, as well as the existing Data Vlan 192.168.0.0/24.
The Guest network 172.16.0.0/24 should be able to go to the internet but should not have access to the Data Vlan.
Please assume 192.168.0.0 is the Data Vlan and 172.16.0.0 is Guest in the attached topology.

Thanks
Layer-3SwitchingWith-RestrictedVlan.zip
Now we're getting somewhere.  :-)

So you've got a 3560 but you're doing a router-on-a-stick?

And which version of Packet Tracer did you create this on?  I can't get it to load on v6.
They will have multiple Data Vlans soon that require routing.

I use version 6.1. It should work in version 6 too.

Please amend the file extension to .pkt in Layer-3-Switching-With-restrictedVlan

It should be Layer-3-Switching-With-restrictedVlan.pkt. I mentioned it in the Readme file.

If my config is correct, please advise me how to achieve the below, as they already have servers in their Data Vlan.

The objective is that the Router LAN must remain the same 192.168.0.1, as well as the existing Data Vlan 192.168.0.0/24.
The Guest network 172.16.0.0/24 should be able to go to the internet but should not have access to the Data Vlans.
I cannot open the file in Packet Tracer 6.1 either.
Anyway, I can share via Dropbox http://goo.gl/iWMIIH
Yes... I did that.  Thank you.

When I open it in 6.0.1.0011, it crashes the program.

Regardless of that, the configs between the switch and router don't seem to match. On the switch, port f0/24 is a trunk. But you don't have any router ports configured as trunks.

Which ports on the switch connect to which devices? And which port on the router connects to the switch?
Yes, it can't be opened in ver 6.0. Sorry about that. I have just dumped the config in version 6.0 and shared it via Dropbox http://goo.gl/XHG7Zu

Please ignore f0/24. It was configured as a trunk but is not in use. I just planned to configure something later.

Port fa0/1 on the switch connects to the router LAN interface.
OK, I opened this one.
Still makes no difference. Same rules still apply.
Predrag Jovic

You still can't open either one I shared? If you can't, are you able to just paste the config into whatever Packet Tracer you have and help me check? In the first zip file I shared, there are config files as well as a simple diagram.
Basically it has one Cisco 2911 router, one 3560 switch and two PCs. The config is already there.
I just uninstalled 6.1, installed 6.0, pasted the config, and shared the 6.0 pkt file. Took 3 minutes.

6.1
http://goo.gl/iWMIIH

6.0
http://goo.gl/XHG7Zu
I can open the file but it still crashes Packet Tracer every now and then.

But... Once I fixed all the configuration errors, it works exactly as we've said. The 172.16.0.2 device can access the internet but not the hosts on the 192.168.0.0 network.
PC>ping 182.168.1.2

Pinging 182.168.1.2 with 32 bytes of data:

Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126

Ping statistics for 182.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>


Could you please share the config as well as your pkt file?

Thanks
Sure.

Building configuration...

Current configuration : 2576 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
no logging console
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description This-is-DataVlan
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan200
 description This-is-for-GUEST
 ip address 172.16.0.1 255.255.255.0
 ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1 
!
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Building configuration...

Current configuration : 1062 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no logging console
!
license udi pid CISCO2911/K9 sn FTX15249910
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 description This-is-WAN
 ip address 182.168.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description This-is-Local-LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 182.168.1.254 
ip route 172.16.0.0 255.255.255.0 192.168.0.2 
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


ASKER CERTIFIED SOLUTION
Don Johnston
Don Johnston

Thanks a lot for sharing. It is too late in my location now. I need to get to work tomorrow.

I will have a look at your config tomorrow and get back to you.

Thanks
Apologies if I've missed anything, but can your router handle vlans too?
It's difficult to restrict traffic between vlans when your gateway is on the network being 'blocked'.

If your router can have multiple networks, you can assign a 'lan' IP on both the normal and the guest networks (using VLANs if possible, but you could connect the router to each network by separate cables if necessary).
This way no traffic ever needs to flow between networks and you have successfully separated your guest network.
It's difficult to restrict traffic between vlans when your gateway is on the network being 'blocked'.
In this case the gateway is blocked at L3, but not at the L2 layer: traffic that goes to the default gateway (such as a ping to the default gateway) is blocked, but traffic at L2 that is going to the default gateway (passing through the default gateway) is not, since the access list blocks L3 traffic.

Does somebody need to write an article on the subject?
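Don's earlier point (an ACL sees only source and destination, never the next hop the packet is routed toward) and Predrag's point just above (the gateway is blocked at L3, but transit through it is not) can both be checked against the switch config Don posted. The Python below is an added illustration, not part of the thread or of Packet Tracer: it transcribes ACL 100 and the switch's routes from that config, assumes the guest PC is 172.16.0.2 as in Don's ping test, and evaluates packets the way IOS does (first match wins, implicit deny); the function names are my own.

```python
import ipaddress

# Transcribed from the switch config Don posted: ACL 100 is applied inbound on
# the guest SVI (Vlan200), and the switch's only way out is the default route
# via 192.168.0.1, the router's LAN address, which sits inside the denied subnet.
ACL_100 = [
    ("deny", "any", "192.168.0.0 0.0.0.255"),
    ("permit", "any", "any"),
]
SWITCH_ROUTES = {  # connected networks plus the static default route
    "192.168.0.0/24": "connected Vlan100",
    "172.16.0.0/24": "connected Vlan200",
    "0.0.0.0/0": "via 192.168.0.1",
}
GUEST_PC = "172.16.0.2"  # assumed guest host, the one Don pinged from

def wildcard_to_network(spec: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (or 'any') into an IPv4Network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wild = spec.split()
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = (~int(ipaddress.ip_address(wild))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def acl_action(acl, src: str, dst: str) -> str:
    """Evaluate like IOS: first matching entry wins, implicit deny at the end.
    Only source and destination are consulted; the ACL never sees the next hop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if s in wildcard_to_network(src_spec) and d in wildcard_to_network(dst_spec):
            return action
    return "deny"

def next_hop(routes, dst: str) -> str:
    """Longest-prefix match over the switch's routing table."""
    d = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes if d in ipaddress.ip_network(p)]
    return routes[str(max(matches, key=lambda n: n.prefixlen))]

def forward_from_guest(dst: str) -> tuple:
    """Return (ACL verdict, next hop) for a packet from the guest PC.
    Internet traffic is permitted and only then routed via 192.168.0.1, even
    though that next hop lies in the denied subnet; anything addressed to
    192.168.0.x, the gateway 192.168.0.1 included, is dropped on the guest SVI."""
    verdict = acl_action(ACL_100, GUEST_PC, dst)
    return (verdict, next_hop(SWITCH_ROUTES, dst) if verdict == "permit" else None)
```

Running `forward_from_guest` for 182.168.1.2, 192.168.0.2 and 192.168.0.1 reproduces Don's two ping results and Predrag's "gateway itself is blocked" case.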
Don Johnston

Sorry for the late response, as I was super busy with some projects these days.
I can see which command I issued was wrong and it is fixed now.

But there is something strange. I wanted to add one more vlan, 10.0.0.0/24, as Internal-2.
Internal-2 can go to the internet with no issue but cannot access the router IP 192.168.0.1, which makes me unable to access the router from that Internal-2 vlan.

Any idea why 10.0.0.0/24 cannot access the router IP 192.168.0.1 while any other Vlan (172.16.0.0, etc.) can access the router LAN?
Please note there is no deny access list for the Vlan in this.
Would need to know where this new VLAN is located and see the current config to be able to answer that question.
In fact it is a Fortigate firewall with a Cisco L3 switch. The setup is the same as the topology I shared earlier.

It is just multiple Vlans in the L3 switch with a Fortigate firewall.

From every Vlan I can access the Fortigate LAN interface, but from 10.0.0.0/24 only I cannot. However, 10.0.0.0/24 can access the internet.

What could be the cause?
Once again... I would need to know where this new VLAN is located and see the current config to be able to answer that question.

There is no 10.0.0.0 network and there's no firewall in the topology.