Inter VLAN routing - Cisco SG300-28

I'm trying to replicate a client’s parent/child domain in a test environment – I’m assuming (I don’t know for sure their exact setup) that they will have enterprise level networking setup, so potentially layer 2 workgroup switches with routers doing layer 3 as well as firewall device(s) doing access control

In our test environment we have two DC’s set up and client PC’s – one DC for the parent domain and one for the child domain and it’s the default two way transitive trust between the parent/child - I'm using a Cisco SG300-28 port switch to connect the DC's and clients

I have each DC on a trunk port on the SG300-28 – which is running in layer 3 mode – and two VLAN’s – 10 and 20 – with their respective subnets in DHCP scope, one per DC – the DC’s both have access to VLAN 10 and 20 via their trunk ports - the clients in each domain are on access ports within their specific VLAN – parent on VLAN 10 10.10.10.0/24 and child on VLAN 20 10.10.11.0/24

I’ve tried creating an ACL which would permit clients on the child domain to connect to a license server on the parent domain which I thought was working as the application can connect and obtain a license, however as test I removed the ACL from the interface it was applied to and the client was still able to get a license – as a further test we created rules for the specific ports on the windows firewall on the two DC’s as well as the license server, then disabled these – however the application can still get a license

Any ideas why this would work regardless of the ACL and firewall rules being applied?  I wonder if it is due to the trunking, however I don’t see another way of having the VLAN’s routing?
Jason MurphyAsked:
Who is Participating?
 
JustInCaseCommented:
I hope I did it right. :)

Better way (the way you already configured ACL just it is applied to other SVI):
interface vlan 20
 name CHILD.PARENT_TEST
 ip address 10.10.11.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
!
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80

Open in new window

In this case traffic that is denied will be dropped on VLAN 20 SVI (exiting VLAN).

Other way to do it:
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.10.0 0.0.0.255 139 10.10.11.0 0.0.0.255 any ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 389 10.10.11.0 0.0.0.255 any ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 445 10.10.11.0 0.0.0.255 any ace-priority 60
permit ip any any ace-priority 80 

Open in new window

However, in this case traffic would come to hosts in 10.10.10.0/24 and then return traffic would be blocked.
0
 
JustInCaseCommented:
Typical problems regarding applying ACLs to interface (if ACL is correctly written):
1. more often -> ACL is applied in wrong direction (IN instead of OUT)
2. less often -> ACL is applied to wrong interface
3. rarest -> both 1. and 2.

If above suggestions did not resolve issue, can you, please, paste ACLs and configuration of interfaces where ACLs are applied (and provide IP address of servers).
0
 
atlas_shudderedSr. Network EngineerCommented:
If you are trying to filter between the VLANs you will need to create VACLs at the SVI.

Run a traceroute from the PC to the license server and post.  If the license server is reachable as next hop with no intermediary hops, then you aren't going to hit an ACL as all traffic will remain at layer 2 an transit the local broadcast.  If there is an intermediary hop, this is where you will want to place the ACL and the points that Predrag points out above come into full force.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Jason MurphyAuthor Commented:
Thanks for suggestions

There is no other device between the client PCs, DCs and switch - no routing or external routing, so don't think SVI's will come into it

I'll try and tracert to the license server and port though

Will advise

Thank you
0
 
atlas_shudderedSr. Network EngineerCommented:
Where are you routing between the two VLANs?  If not on an SVI then is it a router?  Firewall?  Can you share a diagram of the network?
0
 
Jason MurphyAuthor Commented:
Hi

Its inter-VLAN routing between two VLAN's on one SG-300 28 port switch in layer 3 mode

Essentially, ports 1-12 are VLAN 10 (access ports) ports 13-24 are VLAN 20 (access ports)

I have the Parent domain DC in port 1 and the child domain DC in port 13

The clients are on the remaining ports within their respective domain/VLANs

I'm trying to stop a parent domain user logged onto a parent domain client PC obtaining a license from a dongle in a child domain client PC which is using port 339 - I'm going to remove the other port requirements for the time being and may even create separate ACL's for those

I've tried applying the ACL to the VLAN and to the range of interfaces and neither seems to work, the parent domain user on a parent domain PC can still get a license from the child domain license dongle PC

This is all a non production test environment - no external access or routing

Hope that helps

Thanks

Jason
0
 
atlas_shudderedSr. Network EngineerCommented:
Okay, if you have two different VLANs, there has to be a router somewhere in the mix.  Whether that is an actual router, a firewall or SVIs with local routing on the switch, it still has to exist somewhere.  That is where you will to apply your ACLs.

Let me ask it like this.  On the switch, what is the default-gateway?  On VLAN 10, what is the default gateway for the host IP configuration?  On VLAN 20, what is the default gateway for the host IP configuration?
1
 
Jason MurphyAuthor Commented:
Hi

interface VLAN 10 is 10.10.10.254
interface VLAN 20 is 10.10.11.254

management VLAN 1 is the switch address 192.168.1.254

clients in each domain have their d/g as the same - vlan 10 clients are 10.10.10.254 vlan 20 clients are 10.10.11.254

no router is in the setup nor any SVI's

Hope that helps

Jason
0
 
atlas_shudderedSr. Network EngineerCommented:
So just the switch then?  If so, please post the config and output from show cdp ne.
0
 
JustInCaseCommented:
If there is no routing anywhere, hosts from different VLANs can't "talk to each other"
Somewhere traffic must be routed from one VLAN to another VLAN for hosts to be able to talk (Typically - L3 switch, router or firewall). Check on which device is located default gateway, that's the point where packets are starting to be routed (leave current VLAN).
0
 
Jason MurphyAuthor Commented:
Hi

Ignore the permit test license dongle and ICMP ACL's, they are not currently applied

TEST#sh run

config-file-header
TEST
v1.4.2.4 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
ip access-list extended Permit_Test_License_Dongle
permit tcp 10.10.11.0 0.0.0.255 any 10.10.10.7 0.0.0.0 4720-4721 ace-priority 20
permit udp 10.10.11.0 0.0.0.255 any 10.10.10.7 0.0.0.0 4720-4721 ace-priority 40
permit ip any any ace-priority 60
exit
ip access-list extended ICMP
permit icmp any any any any ace-priority 10
exit
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80
exit
hostname TEST
management access-list admin
permit
exit
username admin password encrypted ************************************************ privilege 15
username cisco password encrypted ************************************************** privilege 15
username administrator password encrypted ******************************************* privilege 15
ip ssh server
ip telnet server
!
interface vlan 1
 ip address 192.168.1.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
interface vlan 20
 name CHILD.PARENT_TEST
 ip address 10.10.11.254 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet5
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet6
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet9
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet11
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet12
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet13
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet14
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet15
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet16
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet17
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet18
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet19
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet20
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet21
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet22
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet23
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet24
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet28
 description Management
 switchport trunk allowed vlan add 10,20
!
exit
TEST#
0
 
JustInCaseCommented:
Access-list is blocking traffic:
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP

Open in new window

at the end of every access list is implicit deny which means that all traffic directed from  VLAN 10 into routing unit of switch is blocked.
0
 
Jason MurphyAuthor Commented:
Hi

All clients on each VLAN can ping each other by IP and hostname

On each DC is DNS and DHCP scope for respective subnet for VLAN

I thought that permit ip any any ace-priority 80 at the end of my ACL overcame implicit deny?

Thanks

Jason
0
 
atlas_shudderedSr. Network EngineerCommented:
Okay.  This command:

set system mode router

Open in new window


Enables routing on the switch.

These commands:

interface vlan 1
 ip address 192.168.1.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
interface vlan 20
 name CHILD.PARENT_TEST
 ip address 10.10.11.254 255.255.255.0

Open in new window


Build the SVI's associated to the VLANs referenced on each.

These SVI's are where you are going to have to build your VACLs.  If I am understanding what you are trying to do and everything above, the following is the ACL you are attempting to apply:

interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP

Open in new window

<---------------

If so, change directionality of the ACL and retest:

from:
service-acl input DENY_FILE_AND_LDAP

Open in new window


to
service-acl output DENY_FILE_AND_LDAP

Open in new window

0
 
JustInCaseCommented:
Sorry, I overlooked permit any any - my bad :)
so traffic only to specific ports is denied

deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80
0
 
JustInCaseCommented:
input direction when ACL is applied to vlan SVI means --> traffic from VLAN goes into routing unit.... So generally that ACL should never deny any traffic.
since in your case input from VLAN 10 into router source IP addresses will be 10.10.10.0/24

So, changing direction suggested by atlas_shuddered could work, or you could rewrite ACl and keep the same direction.
0
 
Jason MurphyAuthor Commented:
Hi

OK guys thanks I'll try output instead of input

I thought though that the SG series switches only did ACL ingress

Thanks

Jason
0
 
atlas_shudderedSr. Network EngineerCommented:
Jason -

If the directionality  change won't input then go with Predrag's suggestion and move the ACL to the other VLAN.  You'll need to swap the ACE IP values but that should be all.  Additionally, it will keep the undesirable traffic from ever hitting the routing plane and eating resources just to be dropped on the outbound side.
0
 
Jason MurphyAuthor Commented:
Hi

Yes I just tried changing to service-acl output but input is only option I get

So I should try swapping my source vlan and destination vlan around in the acl config and applying on the other vlan?

Jason
0
 
JustInCaseCommented:
Sorry I am too hasty and too tired.

Try to apply ACL as it is to different VLAN, it should work OK.
It may require port modification in ACL
0
 
Jason MurphyAuthor Commented:
thanks I will try this and test and provide outcome

Jason
0
 
Jason MurphyAuthor Commented:
unresolved

still not working - ACL applied to VLAN 10 as per last comment :/

interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.10.0 0.0.0.255 139 10.10.11.0 0.0.0.255 any ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 389 10.10.11.0 0.0.0.255 any ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 445 10.10.11.0 0.0.0.255 any ace-priority 60
permit ip any any ace-priority 80
0
 
JustInCaseCommented:
Not solved. And since Author responses are slow... good luck...
0
 
atlas_shudderedSr. Network EngineerCommented:
Jason - did you try flipping directionality of the ACE statements?
0
 
Jason MurphyAuthor Commented:
Hi

Yes its been applied to both VLANS and I believe in both directions

I take it you mean swap the source and destinations in the ACL over?

Jason
0
 
atlas_shudderedSr. Network EngineerCommented:
yes
0
 
Jason MurphyAuthor Commented:
Hi

I will try and add the ACL to the interfaces rather than the SVI and see how that goes

Thanks

Jason
0
 
Jason MurphyAuthor Commented:
Hi everyone

I've managed to get this working finally - I've been waiting for the engineer assigned to the project to come back so we could test the behavior our client is seeing with the applications getting licences between the parent and child domains

I swapped the source and destination subnets around and applied the ACL to the interface range of VLAN 20, rather than the SVI

ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 139 10.10.10.0 0.0.0.255 any ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 389 10.10.10.0 0.0.0.255 any ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 445 10.10.10.0 0.0.0.255 any ace-priority 60
permit ip any any ace-priority 80

Many thanks for everybody's contributions and apologies this question has been updated so infrequently!

Jason
0
 
JustInCaseCommented:
interface range vlan 20 = interface vlan 20

So, solution was provided long time ago, as it can be seen from above posts.
0
 
Jason MurphyAuthor Commented:
Hi

No I mean I applied to the physical interfaces rather then the SVI

ip interface range gigabitethernet 13-24
service-acl input DENY_FILE_AND_LDAP

Cheers
0
 
JustInCaseCommented:
OK, that is a different approach which is not recommended.

You are actually wasting system resources. Devices typically do not have big TCAMs. It would be recommendable to configure it just on SVI.
Also, all traffic is inspected (even traffic between hosts in the same VLAN), CPU utilization could skyrocket.

If ACL applied to physical ports works correctly, it should work correctly when applied to SVI for the same VLAN.
0
 
Jason MurphyAuthor Commented:
Hi

It doesn't work when applied to the SVI - these SG switches don't run the full blown IOS

It's in a test environment - we're just trying to replicate a behaviour a client is seeing between domain/sub-domain trying to get application licences and database copies - not too concerned about CPU

Cheers
0
 
JustInCaseCommented:
In that case, that's it.
:)
0
 
Jason MurphyAuthor Commented:
Perfect, thanks for your input - every day is a school day :)
0
 
Jason MurphyAuthor Commented:
as per my comments this SG switch IOS version doesn't seem to like the ACL applied to the SVI - the solution was to apply the amended ACL (source and destination subnets reversed) to the VLAN 20 interfaces rather than the VLAN 10 interfaces
0
 
JustInCaseCommented:
Sure...
CLI manual - page 842 states that it can be applied to VLAN.
Command Mode

Interface Configuration (Ethernet, Port-Channel,VLAN) mode
...but you tested it and it is not working. It is good to know that detail (not to waste time in vain). Maybe applying to VLAN does not mean to SVi, but to VLAN itself (VLAN access-list), so maybe I misunderstood sentence (it would not be the first time ;))
1
 
Jason MurphyAuthor Commented:
No problem, I maybe misunderstood too :)
0
 
JustInCaseCommented:
Thanks for feedback.
;)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.