Solved

Restrict Guest Vlan to internal network

Posted on 2014-10-28
245 Views
Last Modified: 2014-11-08
Hi Experts

I have a customer that has an existing router and data Vlans. The switch is a Cisco Linksys SG500 Layer 3 switch.
They want to add one more restricted Guest Vlan and following is their setup.

Existing setup
Main Router IP - 192.168.0.1/24
Switch: Data Vlan1 - 192.168.0.0/24 and Vlan 2: 172.16.0.0/24 ( Vlan 1 and 2 can talk to each other)

Requirement
Add one more Guest Vlan as 10.0.0.0/24 .
Since it is a layer 3 switch, I can add 10.0.0.0/24 as Vlan 3 to their existing network and it can go to the internet, but how can I restrict Vlan 3 (Guest) to deny access to Vlan 1 and 2?
If I create an access-list for Vlan 3 that denies access to 192.168.0.0, it won't be able to go to the internet.
And they cannot change their existing Data Vlan 1 network subnet.
How to make this work ? Any suggestion ?

Thanks
0
Question by:bominthu
28 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40409513
If I create access-list for Vlan 3 that deny access to 192.168.0.0, it won't be able to go to internet.
Sure they can.  The new VLAN doesn't have to go through the 192.168.0.0 network to get to the internet.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40409530
In my case, it can't. Example (brief):

Main Router IP - 192.168.0.1/24

Switch: Data Vlan1 - 192.168.0.2 and Vlan 2: 172.16.0.0/24
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

Vlan 3 10.0.0.0/24 has to go through 192.168.0.2, right? If I deny 10.0.0.0/24 to 192.168.0.0/24 (Data), it can't ping the router gateway anymore.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40409544
Vlan 3 10.0.0.0/24 has to go through 192.168.0.2 right ?
No.

You have four interfaces.
1 - VLAN 1 192.168.0.1/24
2 - VLAN 2 172.16.0.1/24
3 - VLAN 3 10.0.0.1/24
4 - Internet (with a public IP address)

Traffic coming in from VLAN 3 doesn't have to go through VLAN 1 to get to the internet (just like it also doesn't have to go through VLAN 2 to get to the internet) . It has to go though the router. And then it exits the internet interface.  It never goes near VLAN 1. The only reason it would is if the internet connection was on another router that was connected to the 192.168.0.0 network.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40410181
When you are filtering traffic (this is denied, this is allowed) you don't do that on the basis of which router your traffic flows through; traffic is filtered by destination address and source address.
So, if you block traffic to a VLAN that is between the internet and another VLAN, it will simply go through that VLAN (if that is how the network is designed), since the destination IP address is an internet address, not a local address.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40410195
Hi Both

My customer's router IP and Vlan 1 network subnet are the same.
As I mentioned above, the router LAN IP is 192.168.0.1 and the Vlan 1 subnet in the switch is 192.168.0.0/24.

If I set an access-list in the switch to deny the Guest vlan going to 192.168.0.0/24, it will not get to the internet, as the default route is 192.168.0.1.

So how do I block the Guest Vlan from going to 192.168.0.*?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40410280
Two things:
1) Maybe I'm missing something. Can you post a topology diagram?  I still don't see the problem.
2) As Predrag states, the network that your traffic is going through is irrelevant. The only thing that matters is the source address and the destination address. Those are the only addresses that matter when you are filtering traffic with an ACL. Whether your traffic is going through a denied network makes no difference at all, since the denied network does not appear as a destination.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40411280
Hi both

I have just set up the topology in a Packet Tracer lab. I also attached the Router and Switch configs.
Could you help me check where it is wrong?

Objective: the Router LAN must remain the same, 192.168.0.1, as well as the existing Data Vlan 192.168.0.0/24.
The Guest network 172.16.0.0/24 should be able to go to the internet but should not have access to the Data Vlan.
Please assume 192.168.0.0 is the Data Vlan and 172.16.0.0 is Guest in the attached topology.

Thanks
Layer-3SwitchingWith-RestrictedVlan.zip
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411306
Now we're getting somewhere.  :-)

So you've got a 3560 but you're doing a router-on-a-stick?

And which version of Packet Tracer did you create this on?  I can't get it to load on v6.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40411336
They will have multiple Data Vlans soon that require routing.

I use version 6.1 . It should work in version 6 too.

Please amend the file extension to .pkt on Layer-3-Switching-With-restrictedVlan.

It should be Layer-3-Switching-With-restrictedVlan.pkt. I mentioned it in the Readme file.

If my config is correct, please advise me how to achieve the below, as they already have servers in their Data Vlan.

Objective: the Router LAN must remain the same, 192.168.0.1, as well as the existing Data Vlan 192.168.0.0/24.
The Guest network 172.16.0.0/24 should be able to go to the internet but should not have access to the Data Vlans.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40411346
I cannot open the file in Packet Tracer 6.1 either.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40411353
Anyway I can share via Dropbox http://goo.gl/iWMIIH
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411355
Yes... I did that.  Thank you.

When I open it in 6.0.1.0011, it crashes the program.

Regardless of that, the configs between the switch and router don't seem to match. On the switch, port f0/24 is a trunk. But you don't have any router ports configured as trunks.

Which ports on the switch connect to which devices? And which port on the router connects to the switch?
0
 
LVL 4

Author Comment

by:bominthu
ID: 40411408
Yes, it can't be opened in ver 6.0. Sorry about that. I have just dumped the config in version 6.0 and shared it via Dropbox http://goo.gl/XHG7Zu

Please ignore f0/24. It was configured as a trunk but is not in use. I just planned to configure something later.

Port fa0/1 on the switch connects to the router LAN interface.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40411426
OK, I opened this one.
Still makes no difference. Same rules still apply.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40411460
Predrag Jovic

You still can't open either one I shared? If you can't, are you able to just paste the config into whatever Packet Tracer you have and help me check? In the first zip file I shared, there are config files as well as a simple diagram.
Basically it has one Cisco 2911 router, one 3560 switch and two PCs. The config is already there.
I just uninstalled 6.1, installed 6.0, pasted the config, and shared the 6.0 pkt file. Took 3 minutes.


6.1
http://goo.gl/iWMIIH

6.0
http://goo.gl/XHG7Zu
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411494
I can open the file but it still crashes Packet Tracer every now and then.

But... Once I fixed all the configuration errors, it works exactly as we've said. The 172.16.0.2 device can access the internet but not the hosts on the 192.168.0.0 network.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411499
PC>ping 182.168.1.2

Pinging 182.168.1.2 with 32 bytes of data:

Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126

Ping statistics for 182.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>


0
 
LVL 4

Author Comment

by:bominthu
ID: 40411504
Could you please share the config as well as your pkt file?

Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411520
Sure.

Building configuration...

Current configuration : 2576 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
no logging console
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description This-is-DataVlan
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan200
 description This-is-for-GUEST
 ip address 172.16.0.1 255.255.255.0
 ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1 
!
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end



Building configuration...

Current configuration : 1062 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no logging console
!
license udi pid CISCO2911/K9 sn FTX15249910
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 description This-is-WAN
 ip address 182.168.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description This-is-Local-LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 182.168.1.254 
ip route 172.16.0.0 255.255.255.0 192.168.0.2 
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


0
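The point Don Johnston and Predrag Jovic make above (an ACL matches on source and destination addresses, never on the network the packet transits) can be checked directly against the switch config posted here. The following Python script is an added example, not code from the thread or from Cisco: it parses the two `access-list 100` lines and the routes from the posted switch config, evaluates a packet entering Vlan200 the way the inbound ACL would, and separately looks up the next hop, so the two decisions can be compared. The ACL/route parsing and the sample packets are my own construction; the addresses are the ones in the configs above.

```python
"""Evaluate the guest-VLAN inbound ACL from the posted switch config.

Shows that a guest packet to the internet is permitted even though its
next hop (192.168.0.1) lies inside the denied 192.168.0.0/24 network,
while a packet addressed to a host in that network is denied.
"""
import ipaddress

# Lines copied from the posted switch config (applied "in" on Vlan200).
SWITCH_ACL = [
    "access-list 100 deny ip any 192.168.0.0 0.0.0.255",
    "access-list 100 permit ip any any",
]

# Routing table derived from the posted switch config.
SWITCH_ROUTES = [
    ("0.0.0.0/0", "192.168.0.1"),      # ip route 0.0.0.0 0.0.0.0 192.168.0.1
    ("192.168.0.0/24", "connected"),   # interface Vlan100
    ("172.16.0.0/24", "connected"),    # interface Vlan200
]

ALL_ONES = 0xFFFFFFFF


def ip2int(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.ip_address(text))


def parse_ace(line):
    """Parse one numbered extended ACE of the form
    'access-list <n> <permit|deny> <proto> <src> [<wc>] <dst> [<wc>]'.
    Address specs are kept as (address, wildcard) integer pairs."""
    tok = line.split()
    rest = tok[4:]

    def take():
        # 'any' = match everything; 'host A' = exact; 'A W' = Cisco wildcard
        if rest[0] == "any":
            rest.pop(0)
            return (0, ALL_ONES)
        if rest[0] == "host":
            rest.pop(0)
            return (ip2int(rest.pop(0)), 0)
        return (ip2int(rest.pop(0)), ip2int(rest.pop(0)))

    src = take()
    dst = take()
    return {"number": tok[1], "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst}


def matches(spec, value):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & ALL_ONES
    return (value & care) == (addr & care)


def acl_decision(acl, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ip2int(src_ip), ip2int(dst_ip)
    for ace in acl:
        if matches(ace["src"], s) and matches(ace["dst"], d):
            return ace["action"]
    return "deny"


def next_hop(routes, dst_ip):
    """Longest-prefix match over the route list; returns the next hop."""
    d = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def guest_packet(src_ip, dst_ip):
    """Return (acl_result, next_hop) for a packet arriving on Vlan200.
    The ACL verdict depends only on src/dst; the next hop is a separate
    forwarding decision that the ACL never looks at."""
    acl = [parse_ace(line) for line in SWITCH_ACL]
    return acl_decision(acl, src_ip, dst_ip), next_hop(SWITCH_ROUTES, dst_ip)


if __name__ == "__main__":
    # Constructed sample packets from the guest PC in Don's ping output.
    for dst in ("182.168.1.2", "192.168.0.2", "192.168.0.1"):
        verdict, nh = guest_packet("172.16.0.2", dst)
        print(f"172.16.0.2 -> {dst}: acl={verdict}, next hop={nh}")
```

Running it reproduces Don's ping results: the packet to 182.168.1.2 is permitted and forwarded via 192.168.0.1, while packets to 192.168.0.2 and 192.168.0.1 are dropped by the first ACE. Because the ACL is applied inbound on the guest SVI only, the `any` source in the deny line still covers only guest hosts; applying the same list on Vlan100 would block the data VLAN's own traffic.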
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40411528
Packet Tracer file.
Change .txt to .pkt
Layer-3-Switching.txt
0
 
LVL 4

Author Comment

by:bominthu
ID: 40411584
Don Johnston

Thanks a lot for sharing. It is too late in my location now. I need to get to work tomorrow.

I will have a look at your config tomorrow and get back to you.

Thanks
0
 
LVL 27

Expert Comment

by:Steve
ID: 40425741
Apologies if I've missed anything, but can your router handle vlans too?
It's difficult to restrict traffic between vlans when your gateway is on the network being 'blocked'.

If your router can have multiple networks you can assign a 'lan' IP on both the normal and the guest networks (using VLANs if possible, but you could connect the router to each network by separate cables if necessary).
This way no traffic ever needs to flow between networks and you have successfully separated your guest network.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40425761
it's difficult to restrict traffic between vlans when your gateway is on the network being 'blocked'
In this case the gateway is blocked at L3, but not at L2: traffic that goes to the default gateway (such as pinging the default gateway) is blocked, but traffic at L2 that is going to the default gateway (passing through the default gateway) is not, since the access list blocks L3 traffic.

Does somebody need to write an article on the subject?
0
 
LVL 4

Author Comment

by:bominthu
ID: 40427948
Don Johnston

Sorry for the late response, as I was super busy with some projects these days.
I can see which command I issued was wrong and it is fixed now.

But there is something strange. I wanted to add one more vlan, 10.0.0.0/24, as Internal-2.
Internal-2 can go to the internet with no issue but cannot access the router IP 192.168.0.1, which makes me unable to access the router from that Internal-2 vlan.

Any idea why 10.0.0.0/24 cannot access the router IP 192.168.0.1 while any other Vlan (172.16.0.0, etc.) can access the router LAN?
Please note there is no deny access list for this Vlan.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40428160
Would need to know where this new VLAN is located and see the current config to be able to answer that question.
0
 
LVL 4

Author Comment

by:bominthu
ID: 40429954
In fact it is a Fortigate firewall with a Cisco L3 switch. The setup is the same as the topology I shared earlier.

It is just multiple Vlans on the L3 switch with a Fortigate firewall.

Every Vlan can access the Fortigate LAN interface, but only 10.0.0.0/24 cannot. However, 10.0.0.0/24 can access the internet.

What could be the cause?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40430178
Once again... I would need to know where this new VLAN is located and see the current config to be able to answer that question.

There is no 10.0.0.0 network and there's no firewall in the topology.
0
