asked on

VLAN SETUP

Hi.

I am setting up a serviced office on 6 x c2960 switches and using a CISCO C3750 as a core switch.

There is a need for a separate VLAN for each of the offices to allow for security. Each of the offices needs to be private but will need to see a common vlan for the printer pool and also be able to get out to the Internet.

I have created the 100 offices VLANS 100 to 200
Each VLAN has its own scope for instance 10.10.100.0/24 for VLAN 100

I have the printer pool on VLAN 11 10.10.11.0/24
I have my switch on 10.10.9.0/24

I cant seem to allow only the necessary access to the printer pool and internet gateway. I either get no communication. Or I get full inter vlan connectivity.

Please could I get some direction on how to configure up the access for this.

Don Johnston

You're routing on the 3750 and using ACL's, right?

Make your ACL so that you deny the other IP networks and then allow everything else (if you didn't have internet access, you could just allow traffic to the common networks).

So something like this:
Just keep in mind that writing ACL's is like programming. There are many ways to accomplish the same result.

access-list 10 deny 10.10.20.0 0.0.0.255
access-list 10 deny 10.10.30.0 0.0.0.255
access-list 10 deny 10.10.40.0 0.0.0.255
access-list 10 permit any
access-list 20 deny 10.10.10.0 0.0.0.255
access-list 20 deny 10.10.30.0 0.0.0.255
access-list 20 deny 10.10.40.0 0.0.0.255
access-list 20 permit any
access-list 30 deny 10.10.10.0 0.0.0.255
access-list 30 deny 10.10.20.0 0.0.0.255
access-list 30 deny 10.10.40.0 0.0.0.255
access-list 30 permit any
access-list 40 deny 10.10.10.0 0.0.0.255
access-list 40 deny 10.10.20.0 0.0.0.255
access-list 40 deny 10.10.30.0 0.0.0.255
access-list 40 permit any
int vlan 10
 ip access-group 10 out
int vlan 20
 ip access-group 20 out
int vlan 30
 ip access-group 30 out
int vlan 40
 ip access-group 40 out

Open in new window

Predrag Jovic

Have in mind that logic of assigning ACL to VLAN is reversed.

int vlan 40
ip access-group 40 out

filters traffic that is coming from other VLANs to VLAN 40.

If you want to filter traffic going out of VLAN to other VLANs or internet you need to assign ACL to interface VLAN as
ip access-group 40 in.

David Voigts

ASKER

Thank you for your prompt response to my question.

The solution looks like I would need a lot of code to get this working as I have a 100 VLANS. Could I use a permit for 10.10.11.0 (printer pool) for the first line and then deny all other 10.10 traffic?

As you can tell CISCO is not my strongest subject.

ASKER CERTIFIED SOLUTION

Predrag Jovic

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

David Voigts

ASKER

Hi.

Sorry for the delay in responding. I am in Myanmar and frequently have no access to the internet. I tried the above but I can still map between VLANS. Please could you kindly have a look at my config file and see what I am missing.

Switch#show run
Building configuration...

Current configuration : 4675 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$bJKi$4UJj8C693Nar2u.RFGfe3/
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.10.103.200 10.10.103.255
ip dhcp excluded-address 10.10.104.1 10.10.104.99
ip dhcp excluded-address 10.10.104.200 10.10.104.255
ip dhcp excluded-address 10.10.105.1 10.10.105.99
ip dhcp excluded-address 10.10.105.200 10.10.105.255
ip dhcp excluded-address 10.10.106.1 10.10.106.99
!
ip dhcp pool 103
network 10.10.103.0 255.255.255.0
default-router 10.10.103.1
dns-server 8.8.8.8
lease 7
!
ip dhcp pool 104
network 10.10.104.0 255.255.255.0
default-router 10.10.104.1
dns-server 8.8.8.8
lease 7
!
ip dhcp pool 105
network 10.10.105.0 255.255.255.0
default-router 10.10.105.1
dns-server 8.8.8.8
lease 7
!
!
!
!
crypto pki trustpoint TP-self-signed-2051208320
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2051208320
revocation-check none
rsakeypair TP-self-signed-2051208320
!
!
crypto pki certificate chain TP-self-signed-2051208320
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303531 32303833 3230301E 170D3933 30333031 30303031
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30353132
30383332 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB46 75820ADC 2D4A0A00 073E3B85 7CBED090 E4AD1345 5486333E 1141179B
7B265238 BFE31ED3 2582EACD A48151E6 A9CB13EB 96BB302E 0431DB44 C93DCBF3
9736478A 927603E9 F5E750C1 C264640D FB160A13 8E463758 AAFB3798 390A4E1D
130A0306 EA709399 5A331E0B E3140387 5DBB9A0C 717055AB 370B27AB 849D7DD8
BA470203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 149261BC
E89F8488 CD6312E6 339A443F C8855EB6 6F301D06 03551D0E 04160414 9261BCE8
9F8488CD 6312E633 9A443FC8 855EB66F 300D0609 2A864886 F70D0101 04050003
81810014 7B53C8FA E124133C DC69D23F 1D4B5209 24A0100D 9EF3BB80 360BE0A9
47588071 00E202C4 28CF9F91 B7F7C6BE 3840F638 5A92DF29 217C5FB0 4472F02E
7D984D3C 42157ADE 283051E3 3C703D3B 4420425C 66670714 7B564EB9 C82BA885
BD879775 3DEE7874 D388465C 2F031650 B8B517DF 5B77EBF6 304504CB 3F64AF3F 438A37
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 103
!
interface GigabitEthernet1/0/14
switchport access vlan 104
!
interface GigabitEthernet1/0/15
switchport access vlan 105
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
ip address 10.10.9.1 255.255.255.0
ip access-group 100 in
!
interface Vlan103
ip address 10.10.103.1 255.255.255.0
ip access-group 100 in
!
interface Vlan104
ip address 10.10.104.1 255.255.255.0
ip access-group 100 in
!
interface Vlan105
ip address 10.10.105.1 255.255.255.0
ip access-group 100 in
!
ip default-gateway 10.10.9.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.9.2
ip http server
ip http secure-server
!
access-list 100 permit ip any 10.10.9.0 0.0.0.255
access-list 100 permit ip any 10.10.11.0 0.0.0.255
access-list 100 deny ip any 10.10.0.0 0.0.0.255
access-list 100 permit ip any any
!
!
line con 0
line vty 0 4
password pass
login
line vty 5 15
password pass
login
!
end

Don Johnston

Third line of the ACL should be

Access-list 100 deny ip any 10.10.0.0 0.0.255.255