Solved

Cisco Switch 3560 - Vlans, Access-lists and Routing

Posted on 2016-11-25
Last Modified: 2016-11-28
Hi Guys,

Hoping someone can point me in the right direction.

I'm trying to set up some access-controlled vlans on a 3560 Cisco switch. My requirements are as follows:

Vlan1 (default) is where the router/gateway resides - 192.168.1.1 Router .... 192.168.1.2 Switch Vlan1
Vlan10 to Vlan80 are private individual networks with their own DHCP set for each vlan - 192.168.100.x, 192.168.101.x ...etc

I want Vlan1 to be able to access ALL other Vlans (10 to 80) for gateway purposes, and only want the others (10 - 80) to be able to access their own and vlan1.

I have set up the vlans with dhcp and this is working fine. I have set up static routes on the router to be able to access each of the other vlans (ie Vlan10 route ... 192.168.100.0 255.255.255.0 >> 192.168.1.2 etc) and configured the default gateway for the whole network to be that router.

I have also set up access-lists to stop traffic between each of the other vlans (10-80), and again this seems to be working fine.

So my problem appears to be with the routing:

Vlans 10 - 80

I can ping from any of the vlans (10-80) to the router 192.168.1.1 and also to the vlan1 switch ip 192.168.1.2. However, I cannot ping beyond these, either locally (192.168.1.3..254) or externally (DNS 8.8.8.8). The devices locally on Vlan1 are configured to have their default gateway set as the router, which has had the static routes inputted.

Vlan 1 default

I can ping comfortably from within the local subnet 192.168.1.x and externally to 8.8.8.8. However, I am unable to ping any of the other vlans (10-80) from any network device on that vlan besides the switch 192.168.1.2. I'm unable to try from the router as it doesn't have that functionality; however, it worked the other way round so I assume it's fine.

Below is the configuration minus some of the private info. Can anyone see any issues with my settings? I have also included a copy of the static routing table from the router. I suspected it was the static routing on the router that's not working properly; however, I set a static route on a device on vlan1 and still couldn't get through to anywhere on vlan10-80. So it makes me think it is perhaps the access-lists or the routing.

Any ideas?

Static Route Table from router Netgear WNR2000

1   Yes   VLAN80   192.168.107.0   192.168.1.2
2   Yes   VLAN10   192.168.100.0   192.168.1.2
3   Yes   VLAN30   192.168.102.0   192.168.1.2
4   Yes   VLAN40   192.168.103.0   192.168.1.2
5   Yes   VLAN50   192.168.104.0   192.168.1.2
6   Yes   VLAN60   192.168.105.0   192.168.1.2
7   Yes   VLAN70   192.168.106.0   192.168.1.2
8   Yes   VLAN20   192.168.101.0   192.168.1.2

Cisco Conf

Building configuration...

Current configuration : 6319 bytes
!
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname ******
!
enable password *****
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
!
ip dhcp pool VLAN10
   network 192.168.100.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool VLAN20
   network 192.168.101.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool Vlan30
   network 192.168.102.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan40
   network 192.168.103.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan50
   network 192.168.104.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan60
   network 192.168.105.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan70
   network 192.168.106.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan80
   network 192.168.107.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 80
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 40
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 70
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan20
 ip address 192.168.101.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan30
 ip address 192.168.102.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan40
 ip address 192.168.103.1 255.255.255.0
 ip access-group 103 in
!
interface Vlan50
 ip address 192.168.104.1 255.255.255.0
 ip access-group 104 in
!
interface Vlan60
 ip address 192.168.105.1 255.255.255.0
 ip access-group 105 in
!
interface Vlan70
 ip address 192.168.106.1 255.255.255.0
 ip access-group 106 in
!
interface Vlan80
 ip address 192.168.107.1 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.1.106.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 102 permit ip any any
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 permit ip any any
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 105 deny   ip 192.168.105.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 105 deny   ip 192.168.105.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 105 permit ip any any
access-list 106 deny   ip 192.168.106.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 106 permit ip any any
!
control-plane
!
!
line con 0
line vty 0
 password *****
 login
 length 0
line vty 1 4
 login
line vty 5 15
 login
!
end
Question by: ianmclachlan

Accepted Solution by: Predrag Jovic (earned 500 total points)
There are configuration errors present (the 3560 is an L3 switch and routing is enabled):
You need a default route.

ip route 0.0.0.0 0.0.0.0 x.x.x.x <-- x.x.x.x is most likely 192.168.1.1

ip dhcp pool VLAN10
  network 192.168.100.0 255.255.255.0
  default-router 192.168.1.1
  dns-server 8.8.8.8
!
interface Vlan10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in

The default-router IP addresses in the DHCP pools are not good; they should match the SVI for that VLAN:
ip dhcp pool VLAN10
 default-router 192.168.100.1

Also, on other device(s) (like 192.168.1.1) you will need to configure route(s) that point to the switch as the next hop to reach those VLANs.
So, NOT on this switch:
ip route 192.168.100.0 0.0.3.255 192.168.1.2
ip route 192.168.104.0 0.0.3.255 192.168.1.2

Access lists can be shortened to a few lines:
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 100 permit ip any any

access-list 100 permit   ip 192.168.100.0 0.0.0.255 host 192.168.100.1
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.3.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.3.255
access-list 100 permit ip any any

Although you don't really need the first line (permit access to host 192.168.100.1), except for ping to 192.168.100.1 (or something similar). The same principle goes for all other access lists.

And I guess this one is a typo (since this is a public IP address):
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.1.106.0 0.0.0.255

Also, there is an implicit guess that NAT is performed on 192.168.1.1 or some other device and is properly configured (for all IP ranges present on this device). Otherwise you will not be able to access the internet, but local traffic should be OK.
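The two things the accepted answer relies on, top-down first-match evaluation of an access list (with the implicit deny at the end) and wildcard masks where 0.0.3.255 covers four consecutive /24s, can be checked offline. The evaluator below is an added example for this thread, not code from either participant or from Cisco. The ACL text it parses is copied from the posts above (the question's ACL 104 as posted, and the answer's shortened ACL 100); the client addresses 192.168.100.50 and 192.168.104.50 are constructed sample hosts.

```python
# Added example: first-match evaluator for Cisco numbered extended ACLs,
# run against the access lists discussed in this thread.
import ipaddress
from typing import List, Tuple

Spec = Tuple[str, str]                       # (base address, wildcard mask)
ANY: Spec = ("0.0.0.0", "255.255.255.255")   # 'any': every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must equal the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _take_spec(tok: List[str], i: int) -> Tuple[Spec, int]:
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Tuple[str, Spec, Spec]]:
    """Parse 'access-list N {permit|deny} ip SRC DST' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue                           # only plain 'ip' ACEs are modelled
        src, i = _take_spec(tok, 4)
        dst, _ = _take_spec(tok, i)
        entries.append((tok[2], src, dst))
    return entries


def evaluate(acl, src: str, dst: str) -> str:
    """IOS walks the ACEs top-down and stops at the first match; a packet that
    matches no line hits the implicit 'deny ip any any'."""
    for action, (s, sw), (d, dw) in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by base/wildcard (contiguous low-order 1 bits)."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    lo = b & (0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


# ACL 104 exactly as posted in the question: 'permit ip any any' comes first,
# so the three deny lines below it can never be reached.
ACL_104_AS_POSTED = """
access-list 104 permit ip any any
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
"""

# The accepted answer's shortened ACL 100 for VLAN10: permit the SVI, deny the two
# ranges 192.168.100.0-103.255 and 192.168.104.0-107.255 via the 0.0.3.255
# wildcard, then permit everything else (VLAN1 and the internet).
ACL_100_SHORT = """
access-list 100 permit ip 192.168.100.0 0.0.0.255 host 192.168.100.1
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.3.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.3.255
access-list 100 permit ip any any
"""


def check_vlan10_policy() -> dict:
    """Verdicts for a constructed VLAN10 client (192.168.100.50) under ACL_100_SHORT."""
    acl, host = parse_acl(ACL_100_SHORT), "192.168.100.50"
    return {
        "to_own_svi": evaluate(acl, host, "192.168.100.1"),
        "to_vlan20": evaluate(acl, host, "192.168.101.50"),
        "to_vlan80": evaluate(acl, host, "192.168.107.50"),
        "to_vlan1": evaluate(acl, host, "192.168.1.3"),
        "to_internet": evaluate(acl, host, "8.8.8.8"),
    }


def check_acl104_ordering() -> str:
    """Constructed VLAN50 client to a VLAN60 host under the posted ACL 104."""
    return evaluate(parse_acl(ACL_104_AS_POSTED), "192.168.104.50", "192.168.105.50")


if __name__ == "__main__":
    print(check_vlan10_policy())
    print("ACL 104 as posted, VLAN50 -> VLAN60:", check_acl104_ordering())
    print("192.168.100.0 0.0.3.255 covers", wildcard_range("192.168.100.0", "0.0.3.255"))
```

Run stand-alone, it shows the shortened ACL permitting the VLAN10 client to its own SVI, VLAN1 and 8.8.8.8 while denying VLAN20 and VLAN80, and it reports 192.168.100.0 to 192.168.103.255 as the span of the first 0.0.3.255 line. It also returns "permit" for a VLAN50-to-VLAN60 flow under ACL 104 as posted: a `permit ip any any` placed above the deny lines matches every packet first, so those denies are never evaluated, which is why the order of the lines matters as much as their contents.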

Author Comment by: ianmclachlan
Excellent. It worked. Also, very clever use of the wildcards for the VACLs.

Thanks again, have awarded you full points.
Expert Comment by: Predrag Jovic
You are welcome.