Solved

Cisco Switch 3560 - Vlans, Access-lists and Routing

Posted on 2016-11-25
Last Modified: 2017-01-14
Hi Guys,

Hoping someone can point me in the right direction.

I'm trying to set up some access controlled vlans on a 3560 cisco switch.  My requirements are as follows:

Vlan1 (default) is where the router/gateway resides - 192.168.1.1 Router .... 192.168.1.2 Switch Vlan1
Vlan10 to Vlan80 are private individual networks with their own DHCP set for each vlan - 192.168.100.x, 192.168.101.x ...etc

I want Vlan1 to be able to access ALL other Vlans (10 to 80) for gateway purposes, and only want the others (10 - 80) to be able to access their own and vlan1.

I have setup the vlans with dhcp and this is working fine.  I have set up static routes on the router to be able to access each of the other vlans (ie Vlan10  route ... 192.168.100.0    255.255.255.0  >> 192.168.1.2 etc) and configured the default gateway for the whole network to be that router.

I have also setup access-lists to stop traffic between each of the other vlans (10-80) and again this seems to be working fine.

So my problem appears to be with the routing:

Vlans 10 - 80

I can ping from any of the vlans (10-80) to the router 192.168.1.1 and also to vlan1 switch ip 192.168.1.2.  However, I cannot ping beyond these either locally 192.168.1.3..254 or externally DNS 8.8.8.8.  The devices locally on Vlan1 are configured to have their default gateway set as the router which has had the static routes inputted.


Vlan 1 default

I can ping comfortably from within the local subnet 192.168.1.x and externally 8.8.8.8.  However, I am unable to ping to any of the other vlans (10-80) from any other network device on that vlan besides the switch 192.168.1.2.  I'm unable to try the router as it doesn't have that functionality, however, it worked the other way round so I assume it's fine.

Below is the configuration minus some of the private info.  Can anyone see any issues with my settings?  I have also included a copy of the static routing table from the router.  I suspected it was the static routing on the router that's not working properly, however, I set a static route on a device on vlan1 and still couldn't get through to anywhere on vlan10-80.  So it makes me think, perhaps access-list or routing.

Any Ideas?




Static Route Table from router Netgear WNR2000

 #   Active   Name     Destination      Gateway
 1   Yes      VLAN80   192.168.107.0    192.168.1.2
 2   Yes      VLAN10   192.168.100.0    192.168.1.2
 3   Yes      VLAN30   192.168.102.0    192.168.1.2
 4   Yes      VLAN40   192.168.103.0    192.168.1.2
 5   Yes      VLAN50   192.168.104.0    192.168.1.2
 6   Yes      VLAN60   192.168.105.0    192.168.1.2
 7   Yes      VLAN70   192.168.106.0    192.168.1.2
 8   Yes      VLAN20   192.168.101.0    192.168.1.2

Cisco Conf


Building configuration...

Current configuration : 6319 bytes
!
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname ******
!
enable password *****
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
!
ip dhcp pool VLAN10
   network 192.168.100.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool VLAN20
   network 192.168.101.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool Vlan30
   network 192.168.102.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan40
   network 192.168.103.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan50
   network 192.168.104.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan60
   network 192.168.105.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan70
   network 192.168.106.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
ip dhcp pool vlan80
   network 192.168.107.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 80
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 40
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 70
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan20
 ip address 192.168.101.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan30
 ip address 192.168.102.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan40
 ip address 192.168.103.1 255.255.255.0
 ip access-group 103 in
!
interface Vlan50
 ip address 192.168.104.1 255.255.255.0
 ip access-group 104 in
!
interface Vlan60
 ip address 192.168.105.1 255.255.255.0
 ip access-group 105 in
!
interface Vlan70
 ip address 192.168.106.1 255.255.255.0
 ip access-group 106 in
!
interface Vlan80
 ip address 192.168.107.1 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.1.106.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 102 permit ip any any
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 103 deny   ip 192.168.103.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 permit ip any any
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 104 deny   ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 105 deny   ip 192.168.105.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 105 deny   ip 192.168.105.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 105 permit ip any any
access-list 106 deny   ip 192.168.106.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 106 permit ip any any
!
control-plane
!
!
line con 0
line vty 0
 password *****
 login
 length 0
line vty 1 4
 login
line vty 5 15
 login
!
end
Question by:ianmclachlan
3 Comments

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 41901407
There are configuration errors present (the 3560 is an L3 switch and routing is enabled):
You need a default route.

ip route 0.0.0.0 0.0.0.0 x.x.x.x <-- x.x.x.x is most likely 192.168.1.1

ip dhcp pool VLAN10
  network 192.168.100.0 255.255.255.0
  default-router 192.168.1.1
  dns-server 8.8.8.8
!
interface Vlan10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in

The default-router IP address in the DHCP pools is not good; it should match the SVI for that VLAN:
ip dhcp pool VLAN10
 default-router 192.168.100.1

Also, on other device(s) (like 192.168.1.1) you will need to configure route(s) that point to the switch as next hop to reach those VLANs.
So, NOT on this switch.
! ip route takes a subnet mask, not an ACL wildcard: a /22 is 255.255.252.0
! 192.168.100.0/22 covers VLAN10-VLAN40, 192.168.104.0/22 covers VLAN50-VLAN80
ip route 192.168.100.0 255.255.252.0 192.168.1.2
ip route 192.168.104.0 255.255.252.0 192.168.1.2

The access list can be shortened to a few lines:
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 100 permit ip any any

access-list 100 permit ip 192.168.100.0 0.0.0.255 host 192.168.100.1
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.3.255
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.3.255
access-list 100 permit ip any any

Although you don't really need the first line (permit access to host 192.168.100.1) except for ping to 192.168.100.1 (or something similar). The same principle applies to all other access lists.

And I guess this one is a typo (since this is a public IP address):
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.1.106.0 0.0.0.255

Also, there is an implicit guess that NAT is performed on 192.168.1.1 or some other device and is properly configured (for all IP ranges present on this device). Otherwise you will not be able to access the internet, but local traffic should be OK.
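As an added check (example code, written for this page; not from the thread, Cisco or Netgear), the script below derives the two /22 summaries behind the shortened list (netmask for the router's static routes, wildcard for the ACL) and evaluates ACL 100 as posted in the question against the shortened version from the accepted answer, using IOS wildcard and first-match semantics. The ACL entries are transcribed from the thread; the probe addresses and the VLAN10 source host are constructed.

```python
import ipaddress

# Constructed from the thread: the eight private VLAN subnets, VLAN10..VLAN80.
VLAN_SUBNETS = ["192.168.%d.0/24" % o for o in range(100, 108)]
ANY = ("0.0.0.0", "255.255.255.255")          # the IOS keyword "any"

def summaries(cidrs=VLAN_SUBNETS):
    """Collapse the /24s into supernets; return (network, netmask, wildcard) per summary.
    The netmask is what 'ip route' needs, the wildcard is what 'access-list' needs."""
    nets = ipaddress.collapse_addresses([ipaddress.ip_network(c) for c in cidrs])
    return [(str(n.network_address), str(n.netmask), str(n.hostmask)) for n in nets]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# ACL 100 as posted in the question: seven explicit denies, then permit any any.
LONG_ACL_100 = [("deny", ("192.168.100.0", "0.0.0.255"), ("192.168.%d.0" % o, "0.0.0.255"))
                for o in range(101, 108)] + [("permit", ANY, ANY)]

# ACL 100 as shortened in the accepted answer: SVI permit, two /22 wildcard denies.
SHORT_ACL_100 = [
    ("permit", ("192.168.100.0", "0.0.0.255"), ("192.168.100.1", "0.0.0.0")),
    ("deny",   ("192.168.100.0", "0.0.0.255"), ("192.168.100.0", "0.0.3.255")),
    ("deny",   ("192.168.100.0", "0.0.0.255"), ("192.168.104.0", "0.0.3.255")),
    ("permit", ANY, ANY),
]

# Constructed probes: router, a VLAN1 host, the VLAN10 SVI, public DNS, and one
# host in each private VLAN (including VLAN10 itself).
PROBES = ["192.168.1.1", "192.168.1.50", "192.168.100.1", "8.8.8.8"] + \
         ["192.168.%d.10" % o for o in range(100, 108)]

def disagreements(acl_a, acl_b, src="192.168.100.10", dsts=PROBES):
    """Destinations on which the two ACLs decide differently for a VLAN10 source."""
    out = {}
    for d in dsts:
        a, b = acl_action(acl_a, src, d), acl_action(acl_b, src, d)
        if a != b:
            out[d] = (a, b)
    return out

if __name__ == "__main__":
    print(summaries())
    print(disagreements(LONG_ACL_100, SHORT_ACL_100))
```

The only disagreement it reports is VLAN10-to-VLAN10 traffic, which is switched at Layer 2 and never reaches the SVI's inbound ACL, so the shortened list blocks the same inter-VLAN traffic as the long one.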

Author Comment

by:ianmclachlan
ID: 41903984
Excellent.  It worked.   Also, very clever use of the wildcards for the VACLs.

Thanks again, have awarded you full points.

Expert Comment

by:Predrag Jovic
ID: 41904085
You are welcome.