VLAN SETUP

Hi.

I am setting up a serviced office on 6 x c2960 switches and using a CISCO C3750 as a core switch.

There is a need for a separate VLAN for each of the offices to allow for security. Each of the offices needs to be private but will need to see a common vlan for the printer pool and also be able to get out to the Internet.

I have created the 100 office VLANs, 100 to 200.
Each VLAN has its own scope, for instance 10.10.100.0/24 for VLAN 100.

I have the printer pool on VLAN 11, 10.10.11.0/24.
I have my switch on 10.10.9.0/24.

I can't seem to allow only the necessary access to the printer pool and internet gateway. I either get no communication, or I get full inter-VLAN connectivity.

Please could I get some direction on how to configure the access for this.
David Voigts, Managing Director, asked:

Don Johnston, Instructor, commented:
You're routing on the 3750 and using ACLs, right?

Make your ACL so that you deny the other IP networks and then allow everything else (if you didn't have internet access, you could just allow traffic to the common networks).

So something like this:
Just keep in mind that writing ACLs is like programming. There are many ways to accomplish the same result.

access-list 10 deny 10.10.20.0 0.0.0.255
access-list 10 deny 10.10.30.0 0.0.0.255
access-list 10 deny 10.10.40.0 0.0.0.255
access-list 10 permit any
access-list 20 deny 10.10.10.0 0.0.0.255
access-list 20 deny 10.10.30.0 0.0.0.255
access-list 20 deny 10.10.40.0 0.0.0.255
access-list 20 permit any
access-list 30 deny 10.10.10.0 0.0.0.255
access-list 30 deny 10.10.20.0 0.0.0.255
access-list 30 deny 10.10.40.0 0.0.0.255
access-list 30 permit any
access-list 40 deny 10.10.10.0 0.0.0.255
access-list 40 deny 10.10.20.0 0.0.0.255
access-list 40 deny 10.10.30.0 0.0.0.255
access-list 40 permit any
int vlan 10
 ip access-group 10 out
int vlan 20
 ip access-group 20 out
int vlan 30
 ip access-group 30 out
int vlan 40
 ip access-group 40 out

0
JustInCase commented:
Keep in mind that the logic of assigning an ACL to a VLAN is reversed.

int vlan 40
 ip access-group 40 out

filters traffic that is coming from other VLANs to VLAN 40.

If you want to filter traffic going out of the VLAN to other VLANs or the internet, you need to assign the ACL to the VLAN interface as
ip access-group 40 in.
0
David Voigts, Managing Director (Author), commented:
Thank you for your prompt response to my question.

The solution looks like I would need a lot of code to get this working, as I have 100 VLANs. Could I use a permit for 10.10.11.0 (printer pool) for the first line and then deny all other 10.10 traffic?

As you can tell CISCO is not my strongest subject.
0
JustInCase commented:
You can do that.
The logic is:
add the most specific entries at the top of the ACL, then the less specific ones. At the end of the ACL there is an implicit deny, so in your case you need to allow all other traffic at the end of the ACL (internet etc.).

access-list 100 permit ip any 10.10.11.0 0.0.0.255
access-list 100 deny ip any 10.10.0.0 0.0.255.255
access-list 100 permit ip any any

and then you need to assign it to all VLANs

interface VLAN100
 ip access-group 100 in

This will block all intervlan traffic going out of VLAN100 (at least for 10.10.x.0 networks) except 10.10.11.0 network, and then will also allow all other traffic.
0

David Voigts, Managing Director (Author), commented:
Hi.

Sorry for the delay in responding. I am in Myanmar and frequently have no access to the internet. I tried the above but I can still map between VLANs. Please could you kindly have a look at my config file and see what I am missing.

Switch#show run
Building configuration...

Current configuration : 4675 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$bJKi$4UJj8C693Nar2u.RFGfe3/
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.10.103.200 10.10.103.255
ip dhcp excluded-address 10.10.104.1 10.10.104.99
ip dhcp excluded-address 10.10.104.200 10.10.104.255
ip dhcp excluded-address 10.10.105.1 10.10.105.99
ip dhcp excluded-address 10.10.105.200 10.10.105.255
ip dhcp excluded-address 10.10.106.1 10.10.106.99
!
ip dhcp pool 103
   network 10.10.103.0 255.255.255.0
   default-router 10.10.103.1
   dns-server 8.8.8.8
   lease 7
!
ip dhcp pool 104
   network 10.10.104.0 255.255.255.0
   default-router 10.10.104.1
   dns-server 8.8.8.8
   lease 7
!
ip dhcp pool 105
   network 10.10.105.0 255.255.255.0
   default-router 10.10.105.1
   dns-server 8.8.8.8
   lease 7
!
!
!
!
crypto pki trustpoint TP-self-signed-2051208320
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2051208320
 revocation-check none
 rsakeypair TP-self-signed-2051208320
!
!
crypto pki certificate chain TP-self-signed-2051208320
 certificate self-signed 01
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
 switchport access vlan 103
!
interface GigabitEthernet1/0/14
 switchport access vlan 104
!
interface GigabitEthernet1/0/15
 switchport access vlan 105
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 ip address 10.10.9.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan103
 ip address 10.10.103.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan104
 ip address 10.10.104.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan105
 ip address 10.10.105.1 255.255.255.0
 ip access-group 100 in
!
ip default-gateway 10.10.9.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.9.2
ip http server
ip http secure-server
!
access-list 100 permit ip any 10.10.9.0 0.0.0.255
access-list 100 permit ip any 10.10.11.0 0.0.0.255
access-list 100 deny   ip any 10.10.0.0 0.0.0.255
access-list 100 permit ip any any
!
!
line con 0
line vty 0 4
 password pass
 login
line vty 5 15
 password pass
 login
!
end
0
Don Johnston, Instructor, commented:
The third line of the ACL should be

access-list 100 deny ip any 10.10.0.0 0.0.255.255
0
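As an added example (not code from the thread or from Cisco), the following Python models how a wildcard mask is matched and evaluates the two versions of ACL 100 from this thread side by side: the posted one with 0.0.0.255 on the third line and the corrected one with 0.0.255.255. The office, printer and gateway addresses come from the posted config; the internet address 198.51.100.10 is a constructed sample.

```python
# Added example, not from the thread: a small model of Cisco wildcard-mask
# matching used to test ACL 100 from the posted config against the corrected
# third line. Only "ip SRC DST" entries are modelled; first match wins, and an
# unmatched packet hits the implicit deny at the end, as the thread describes.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a wildcard mask (0 bit = must match)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC DST'; each of SRC/DST is 'any' or 'addr wildcard'."""
    tok = line.split()
    action, rest, fields = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":  # 'any' is 0.0.0.0 with an all-ones wildcard
            fields.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        else:
            fields.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, fields[0], fields[1]

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a packet src -> dst (implicit deny at the end)."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_entry(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# ACL 100 exactly as posted: 0.0.0.255 on the third line only covers 10.10.0.x
ACL_POSTED = [
    "access-list 100 permit ip any 10.10.9.0 0.0.0.255",
    "access-list 100 permit ip any 10.10.11.0 0.0.0.255",
    "access-list 100 deny ip any 10.10.0.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
# The same ACL with the 0.0.255.255 wildcard from the last reply on the third line
ACL_FIXED = ACL_POSTED[:2] + ["access-list 100 deny ip any 10.10.0.0 0.0.255.255"] + ACL_POSTED[3:]

def check(acl):
    """Three flows from an office host in VLAN 103; the internet address is a constructed sample."""
    return {
        "office_to_printer": evaluate(acl, "10.10.103.5", "10.10.11.20"),
        "office_to_office": evaluate(acl, "10.10.103.5", "10.10.104.7"),
        "office_to_internet": evaluate(acl, "10.10.103.5", "198.51.100.10"),
    }
```

Running check() on both lists shows the posted ACL permits office-to-office traffic (the deny never matches 10.10.104.x), while the corrected one denies it and still permits the printer pool and the internet.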