Restrict Guest Vlan to internal network

Hi Experts

I have a customer that they have exciting router and data Vlans.  The switch is Cisco linksys SG500 Layer 3 switch.
They want to add one more restricted Guest Vlan and following is their setup.

Exciting setup
Main Router IP - 192.168.0.1/24
Switch: Data Vlan1 - 192.168.0.0/24 and Vlan 2: 172.16.0.0/24 ( Vlan 1 and 2 can talk to each other)

Requirement
Add one more Guest Vlan as 10.0.0.0/24 .
Since it is layer 3 switch, I can add 10.0.0.0/24 Vlan 3 to their exciting network and it can go to internet but how I can restrict Vlan 3(Guest) to deny access to Vlan 1 and 2 ?
If I create access-list for Vlan 3 that deny access to 192.168.0.0, it won't be able to go to internet.
And they cannot change their exciting Data Vlan 1 network subnet .
How to make this work ? Any suggestion ?

Thanks
LVL 4
bominthuAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Don JohnstonInstructorCommented:
If I create access-list for Vlan 3 that deny access to 192.168.0.0, it won't be able to go to internet.
Sure they can.  The new VLAN doesn't have to go through the 192.168.0.0 network to get to the internet.
0
bominthuAuthor Commented:
In my case, it can't. Example (brief)

Main Router IP - 192.168.0.1/24

Switch: Data Vlan1 - 192.168.0.2 and Vlan 2: 172.16.0.0/24
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

if Vlan 3 10.0.0.0/24 has to go through 192.168.0.2 right ? If I would deny 10.0.0.0/24 to 192.168.0.0/24 (Data) , it can't ping to router Gateway anymore
0
Don JohnstonInstructorCommented:
Vlan 3 10.0.0.0/24 has to go through 192.168.0.2 right ?
No.

You have four interfaces.
1 - VLAN 1 192.168.0.1/24
2 - VLAN 2 172.16.0.1/24
3 - VLAN 3 10.0.0.1/24
4 - Internet (with a public IP address)

Traffic coming in from VLAN 3 doesn't have to go through VLAN 1 to get to the internet (just like it also doesn't have to go through VLAN 2 to get to the internet) . It has to go though the router. And then it exits the internet interface.  It never goes near VLAN 1. The only reason it would is if the internet connection was on another router that was connected to the 192.168.0.0 network.
0
Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

JustInCaseCommented:
When you are filtering traffic - this is denied, and this is allowed - you don't do that on basis through which router you traffic flows, you filter traffic is filtered by destination address and source address.
So, if you block traffic to VLAN than is in befween internet and other VLAN - it will simply go through VLAN (if that is how network is designed) since destination IP address internet not local address.
0
bominthuAuthor Commented:
Hi Both

My customer Router IP and Vlan 1 network subnet is the same .
As I mentioned above, router LAN ip is 192.168.0.1 and Vlan 1 in switch subnet is 192.168.0.0/24

If I set access-list in switch to deny Guest vlan going to 192.168.0.0/24 it will not get to internet as default route is 192.168.0.1 .

So how to block Guest Vlan going to 192.168.0.* ?
0
Don JohnstonInstructorCommented:
Two things:
1) Maybe I'm missing something. Can you post a topology diagram?  I still don't see the problem.
2) As Predrag states, the network that your traffic is going through is irrelevant. The only thing that matters is the source address and the destination address. Those are the only addresses that matter when you are filtering traffic with an ACL.  If your traffic is going through a denied network makes no difference at all since the denied network does not appear as a destination.
0
bominthuAuthor Commented:
Hi both

I have just setup the topology in Packet Tracer lab. Also attached Router and Switch config.
Could you help me check where it is wrong ?

Objective is Router LAN must remain the same 192.168.0.1 as well as exciting Data Vlan 192.168.0.0/24
Guest network 172.16.0.0/24 should be able to go to internet but should not have access to Data Vlan.
Please assume 192.168.0.0 is DataVlan , 172.16.0.0 is Guest in attached topology

Thanks
Layer-3SwitchingWith-RestrictedVlan.zip
0
Don JohnstonInstructorCommented:
Now we're getting somewhere.  :-)

So you've got a 3560 but you're doing a router-on-a-stick?

And which version of Packet Tracer did you create this on?  I can't get it to load on v6.
0
bominthuAuthor Commented:
They will have multiple Data Vlan soon that requires routing.

I use version 6.1 . It should work in version 6 too.

Please amend the file extension .pkt in Layer-3-Switching-With-restrictedVlan

It should be Layer-3-Switching-With-restrictedVlan.pkt . I mentioned it in Readme file

If my config is correct. Please advise me how to achieve below as they already have servers in their Data Vlan.

Objective is Router LAN must remain the same 192.168.0.1 as well as exciting Data Vlan 192.168.0.0/24
Guest network 172.16.0.0/24 should be able to go to internet but should not have access to Data VlanS
0
JustInCaseCommented:
Me neither cannot open file in packet tracer 6.1.
0
bominthuAuthor Commented:
Anyway I can share via Dropbox http://goo.gl/iWMIIH
0
Don JohnstonInstructorCommented:
Yes... I did that.  Thank you.

When I open it in 6.0.1.0011, it crashes the program.

Regradless of that, the configs between the switch and router don't seem to match. On switch port f0/24 it's a trunk. But you don't have any router ports configured as trunks.

Which ports on the switch connect to which devices? And which port on the router connect to the switch?
0
bominthuAuthor Commented:
Yes it can't be opened in ver 6.0 . Sorry about that . I have just dump the config in version 6.0 and shared via Dropbox http://goo.gl/XHG7Zu

Please ignore f0/24 . It was configured as trunk but not in used. I just planned to configured something later.

Port fa0/1 in switch port connect to router LAN interface.
0
JustInCaseCommented:
OK, I opened this one.
Still makes no difference. Same rules still apply.
0
bominthuAuthor Commented:
Predrag Jovic

You still can't open either one I shared ? If you can't, are you able to just paste the config into your whatever Packet tracer and help me check ? In the first zip file I shared, there is config files as well as simple diagram.
Basically it has one Cisco 2911 router, one 3560switch and two PC. Config is already there.
I just uninstalled 6.1, install 6.0 and paste the config, shared 6.0 pkt file . Took 3 minutes.


6.1
http://goo.gl/iWMIIH

6.0
http://goo.gl/XHG7Zu
0
Don JohnstonInstructorCommented:
I can open the file but it still crashes Packet Tracer every now and then.

But... Once I fixed all the configuration errors, it works exactly as we've said. the 172.16.0.2 device can access the internet but not the hosts on the 192.168.0.0 network.
0
Don JohnstonInstructorCommented:
PC>ping 182.168.1.2

Pinging 182.168.1.2 with 32 bytes of data:

Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126
Reply from 182.168.1.2: bytes=32 time=0ms TTL=126

Ping statistics for 182.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.
Reply from 172.16.0.1: Destination host unreachable.

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>

Open in new window

0
bominthuAuthor Commented:
Could you please share the config as well as your pkt file ?

Thanks
0
Don JohnstonInstructorCommented:
Sure.

Building configuration...

Current configuration : 2576 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
no logging console
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description This-is-DataVlan
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan200
 description This-is-for-GUEST
 ip address 172.16.0.1 255.255.255.0
 ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1 
!
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Open in new window


Building configuration...

Current configuration : 1062 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no logging console
!
license udi pid CISCO2911/K9 sn FTX15249910
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 description This-is-WAN
 ip address 182.168.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description This-is-Local-LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 182.168.1.254 
ip route 172.16.0.0 255.255.255.0 192.168.0.2 
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Open in new window

0
Don JohnstonInstructorCommented:
Packet Tracer file.
Change .txt to .pkt
Layer-3-Switching.txt
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bominthuAuthor Commented:
Don Johnston

Thanks a lot for sharing. It is too late in my location now. Need to get to work tomorrow.

Will have a look your config tomorrow and get back to you .

Thanks
0
SteveCommented:
Apologies if I've missed anything but can your router handle vlans too?
it's difficult to restrict traffic between vlans when your gateway is on the network being 'blocked'

if your router can have multiple networks you can assign a 'lan' IP on both the normal and the guest networks (using VLANs if possible, but you could connect the router to each network by separate cables if necessary).
this way no traffic ever needs to flow between networks and you have successfully separated your guest network.
0
JustInCaseCommented:
it's difficult to restrict traffic between vlans when your gateway is on the network being 'blocked'
In this case gateway is blocked at L3, but not on L2 layer, traffic that goes to default gateway (such as ping default gateway is blocked), but traffic on L2 that is going to default gateway (passing through default gateway) is not since access list block L3 traffic.

Does somebody needs to write article on subject?
0
bominthuAuthor Commented:
Don Johnston

Sorry for late respond as I was super busy with some projects these days.
I can see which command I issued was wrong and it is fixed now.

But there is something strange. I wanted to add one more vlan which is 10.0.0.0/24 as Internal-2
Internal-2 can go internet no issue but cannot access router IP 192.168.0.1 that makes me unable to access router from that Internal-2 vlan.

Any idea why 10.0.0.0/24 cannot access router IP 192.168.0.1 while any other Vlan (172.16.0.0, etc ) can access router LAN?
Please note there is no Deny access list for Vlan in this.
0
Don JohnstonInstructorCommented:
Would need to know where this new VLAN is located and see the current config to be able to answer that question.
0
bominthuAuthor Commented:
In fact it is Fortigate firewall with Cisco L3 switch . The setup is the same as the topology I shared earlier.

It is just multiple Vlan in L3 switch with Fortigate firewall .

From every Vlan, can access Fortigate LAN interface but only from 10.0.0.0/24 cannot access. However 10.0.0.0/24 can access internet.

What could it be the cause ?
0
Don JohnstonInstructorCommented:
Once again... I would need to know where this new VLAN is located and see the current config to be able to answer that question.

There is no 10.0.0.0 network and there's no firewall in the topology.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.