VLAN Routing in Cisco 3750

Hi Guys,
I have configured a new VLAN 60 for the WLAN Guest network, and it works fine.
The employees' traffic is on VLAN 1.
No routing between them for security reasons.

I have been asked to give the Guest Network access to some of the printers that currently belong only to the employees VLAN.

I'm thinking that the best way to achieve this is to create a "PRINTERS VLAN 16" and give access to that VLAN 16 from both the employees and the guests VLANs.

What do I need?
Can you please send me Cisco IOS commands to allow routing from VLAN 60 (Guests) to VLAN 16 (Printers) and block everything else?
In other words, VLAN 60 should not be able to connect to any other VLAN (the only exception being VLAN 16, for printing).

Thanks.
cargexAsked:

JustInCaseCommented:
You can create an access-list like this and assign it to interface VLAN 60:

access-list 100 permit ip <vlan 60 IP address range> <printer IP address or IP address range>
access-list 100 deny ip <vlan 60 IP address range> 172.16.0.0 0.15.255.255
access-list 100 deny ip <vlan 60 IP address range> 10.0.0.0 0.255.255.255
access-list 100 deny ip <vlan 60 IP address range> 192.168.0.0 0.0.255.255
access-list 100 deny ip <vlan 60 IP address range> 169.254.0.0 0.0.255.255
access-list 100 deny ip <vlan 60 IP address range> 224.0.0.0 15.255.255.255
access-list 100 deny ip <vlan 60 IP address range> 127.0.0.0 0.255.255.255
access-list 100 permit ip any any

interface vlan 60
ip access-group 100 in

This will permit access to the Internet and printers, while blocking traffic to current VLANs and to VLANs that you create later (private address space).
cargexAuthor Commented:
Hi Predrag,
Please bear with me as I always thought access-lists were just for routers.
I'm going to guess that we can treat the vlan as if it was a router interface.

Since my goal is to isolate the Guest network (VLAN 60) and allow them access only to one specific printer (maybe more than one in the future, but for now just one), the fastest way to do this is to deny traffic from VLAN 60 going out of the VLAN.

So, bearing in mind what I just said and your suggestion, this is the configuration I have come up with:

10.10.70.21 is the printer IP in VLAN 1
192.168.60.0/24 is the Guest network in VLAN 60


// This is to permit access from vlan 60 to the specific printer in vlan 1
# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.21

// This is to deny any other traffic
# access-list 60 deny ip any any

// Now I can apply this access-list to the VLAN 60
# interface vlan 60
# ip access-group 60 out

Can you please review this and tell me if I'm on the right track here?
JustInCaseCommented:
# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.21
# access-list 60 deny ip any any

# interface vlan 60
# ip access-group 60 out
If you do just these two lines,
you are trying to permit access to printers from VLAN 60, killing any other traffic including Internet,
and applying all of that in the wrong direction (so this will kill all traffic, since the only hit will be deny any any)
:)
The logic is:
IN direction is for traffic leaving the VLAN and entering the routing module (going IN to the routing module)
OUT direction is for traffic entering the VLAN from the routing module (going OUT from the routing module)

You need at least this if you want your guests to have Internet access:

# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.21
# access-list 60 deny ip 192.168.60.0 0.0.0.255 10.10.70.0 0.0.0.255
# access-list 60 permit ip any any

# interface vlan 60
# ip access-group 60 in

So, this will
permit access to the printer,
deny access to any other host in VLAN 1 from VLAN 60 (if that is the right subnet mask),
and permit all other traffic.
cargexAuthor Commented:
Predrag,
Ok I think I'm getting the hang of this.

A couple of questions:
Does it matter that I have the firewall connected with an IP in VLAN 60 (192.168.60.10)?

My guess is that since the firewall is a device with a valid IP attached to VLAN 60, if I set the gateway of the devices in VLAN 60 producing traffic that needs to reach the Internet to the firewall (192.168.60.10), then I don't need to worry about that traffic; it will reach the Internet no matter what ACL rules I create.
Is this correct?

If this is correct, then I don't need the
access-list 60 permit ip any any
JustInCaseCommented:
Yes, if you are using a firewall attached to VLAN 60 and don't use the SVI as default gateway, you need just the statement
# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.21
since at the end of the ACL there is an implicit deny any any.
But then again, depending on your design, since you are not using interface VLAN 60 as default gateway, I guess that you will need to add a static route on your firewall for hosts in VLAN 60 to be able to reach the printers, or you can do routing on the firewall (if both VLANs are present on the firewall), so you can filter traffic on the firewall instead of on the L3 switch.
cargexAuthor Commented:
Good Morning Predrag,
You are absolutely right: now that I need to give the users in VLAN 60 access to the printer in VLAN 1, having the firewall as a gateway brings more issues than solutions to the configuration.

Ok, so back to having the SVI as default gateway.

Since the objective is to restrict the traffic in VLAN 60, I really need the ACL's implicit deny any any.

So according to your comments I have come up with the following:


10.10.70.21 is the printer IP in VLAN 1
10.10.70.2 is the FW that gives Internet access in VLAN 1
192.168.60.0/24 is the Guest network in VLAN 60

// this is the default route in the 3750
ip route 0.0.0.0 0.0.0.0 10.10.70.2

I'm guessing I can't create a default route per VLAN, so once I use the SVI as a gateway the only way for traffic in VLAN 60 to reach the Internet is passing through VLAN 1.

So these are the ACL commands I have come up with given all the facts:

// This is to permit access from vlan 60 to the specific printer in vlan 1
# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.21

// This is to permit access from vlan 60 to the Internet in vlan 1
# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.21

// All other traffic will be denied because of the implicit deny at the end

// Now I can apply this access-list to the VLAN 60
# interface vlan 60
# ip access-group 60 in

Please advise.
cargexAuthor Commented:
Mmhh, I made a small mistake in the Internet access; here is the correct line for VLAN 60 to have Internet access through VLAN 1:

10.10.70.2 is the FW that gives Internet access in VLAN 1

# access-list 60 permit ip 192.168.60.0 0.0.0.255 10.10.70.2
cargexAuthor Commented:
Please advise.
JustInCaseCommented:
Uh, this looks like a network design problem :(
I'm guessing I can't create a default route per VLAN, so once I use the SVI as a gateway the only way for traffic in VLAN 60 to reach the Internet is passing through VLAN 1.
No, you can't. When you set routes you mark the next hop to get to a specific network (or host), and there is no traffic source as a criterion. The way to use traffic source as a criterion is policy-based routing (PBR).
So, I guess that could be accomplished that way.

Or maybe you can use static routing on your firewall to set a static route like this (you just need to adapt it to the firewall syntax); this would be the easiest solution, if it works (I don't see why it should not work).
# ip route 10.10.70.21 255.255.255.255 <ip address of vlan 60 SVI>
So the firewall should forward traffic with destination address 10.10.70.21 to the SVI.

Also, here is the missing part of the command:
# access-list 60 permit ip 192.168.60.0 0.0.0.255 host 10.10.70.21
# access-list 60 deny ip 192.168.60.0 0.0.0.255 10.10.70.0 0.0.0.255
# access-list 60 permit ip any any
This should still be an OK solution if you use the SVI on the switch as default gateway, although all traffic with any destination other than the VLAN 1 range would go through VLAN 1; it would drop all traffic that has the VLAN 1 IP address range as destination.
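Added example (not from the thread or its participants): a small Python model of how IOS evaluates an access list, first match wins, wildcard masks, implicit deny at the end, run over constructed packets to check the two points made above: the two-line ACL from earlier in the thread kills Internet traffic, and applied "out" on interface vlan 60 it only ever hits deny any any, because in that direction the switch sees packets destined to guests, not sourced by them; the three-line ACL permits the printer, blocks the rest of VLAN 1 and lets the rest through. The guest, employee and Internet addresses are constructed; one caveat the model does not check is that a numbered extended ACL on IOS must use the 100-199 or 2000-2699 range (or a named ACL), since 60 is a standard-ACL number.

```python
import ipaddress
from typing import List, Optional, Tuple

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl: List[tuple], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny any any at the end."""
    for n, (action, sb, sw, db, dw) in enumerate(acl, 1):
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action, n
    return "deny", None

# Entries are (action, src, src_wildcard, dst, dst_wildcard).
# 'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255.
# The first ACL posted in the thread: permit the printer, then deny everything.
ACL60_FIRST = [
    ("permit", "192.168.60.0", "0.0.0.255", "10.10.70.21", "0.0.0.0"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# The corrected ACL: permit the printer, deny the rest of VLAN 1, permit the rest (Internet).
ACL60_FINAL = [
    ("permit", "192.168.60.0", "0.0.0.255", "10.10.70.21", "0.0.0.0"),
    ("deny", "192.168.60.0", "0.0.0.255", "10.10.70.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

GUEST = "192.168.60.50"       # constructed guest host in VLAN 60
OTHER_VLAN1 = "10.10.70.100"  # constructed employee host in VLAN 1
INTERNET = "203.0.113.10"     # constructed public address (TEST-NET-3)

def check_in_direction(acl: List[tuple]) -> dict:
    """Applied 'in' on interface vlan 60, the ACL sees packets sourced by guests."""
    return {
        "guest->printer": evaluate(acl, GUEST, "10.10.70.21")[0],
        "guest->vlan1 host": evaluate(acl, GUEST, OTHER_VLAN1)[0],
        "guest->internet": evaluate(acl, GUEST, INTERNET)[0],
    }

def check_out_direction(acl: List[tuple]) -> Tuple[str, Optional[int]]:
    """Applied 'out' on interface vlan 60, the ACL sees packets going *to* guests,
    e.g. the printer's reply, whose source is not in 192.168.60.0/24."""
    return evaluate(acl, "10.10.70.21", GUEST)

if __name__ == "__main__":
    print("first ACL, in :", check_in_direction(ACL60_FIRST))   # Internet denied
    print("first ACL, out:", check_out_direction(ACL60_FIRST))  # only deny any any hits
    print("final ACL, in :", check_in_direction(ACL60_FINAL))
```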
JustInCaseCommented:
And, I forgot, you also need an ip route pointing to the SVI of VLAN 1 as next hop to reach the VLAN 60 IP address range, on the other firewall, the one for VLAN 1 (if that firewall is the default gateway for VLAN 1).
:)
You should really consider redesigning your network in the near future, so that all traffic from your networks ends on SVIs (so the SVI should be the default gateway for your VLANs); then manipulating your traffic should be very easy. The current design is not flexible; even making a simple change like this one is a problem. To me it looks like the design is the biggest issue right now.
But, I guess that would mean a lot of changes in your network.
cargexAuthor Commented:
Hi Predrag,
That's the solution, I will create the route in the firewall.

Question:
# access-list 60 permit ip any any

Is this permit ip any any there to allow the Internet traffic?

I would think that just allowing access to reach the firewall would be enough?
# access-list 60 permit ip 192.168.60.0 0.0.0.255 host 10.10.70.2

This is because these are the only 2 devices I want VLAN 60 to be able to reach.

What do you think?
JustInCaseCommented:
Yes.
permit ip any any is there to allow Internet traffic.
And yes.
That ACL statement is all you need if you use static routes on firewalls.

One route on VLAN 60's firewall pointing to the location of the printer(s) through interface VLAN 60 on the switch, and one route on the firewall of VLAN 1 pointing to interface VLAN 1 on the switch as next hop to reach VLAN 60.

That should be easy to achieve.
 :)
cargexAuthor Commented:
Hi Predrag,
The solution has been completed.
Your comments are greatly appreciated.

Thank you.
JustInCaseCommented:
You are welcome.