Configure VLAN to only access internet on cisco

chiprule asked (Last Modified: 2020-04-13)
Hi Guys,
I'm configuring a lab on my Cisco SG300 switch.
I set up multiple VLANs, and I want to permit one specific VLAN to only go to the internet.
I want this VLAN to be unable to contact the other VLANs, and vice versa.

Vlan 1 - 172.16.1.0/30 is for transit
Vlan 50 - 192.168.100.0/24 is the vlan i want to isolate

Vlan 1 interface 172.16.1.2/30
Vlan 50 interface 192.168.100.254

I configured DHCP on the Cisco switch.
I have DNS on the pfSense firewall.

I set this ACL in this way

[screenshots of the ACL: cisco1.PNG, cisco2.PNG]
With this config DHCP doesn't work.
I can't ping the interface of the same subnet (192.168.100.254).
I can ping my firewall (172.16.1.1) but I can't go to the internet.

Thanks

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Vlan 200 needs to have its own IP segment.
And you would not authorize it to access anything.
You should not create any rule that permits it to access anything,
i.e. do not add access rights for the IP segment of vlan 200 to any other internal VLAN.

Author

Commented:
Hi arnold, sorry but I don't understand.
These are my problems:
  • With this config DHCP doesn't work
  • I can't ping the interface of the same subnet (192.168.100.254)
  • I can ping my firewall (172.16.1.1) but I can't go to the internet


Wissam, Senior Network Engineer
CERTIFIED EXPERT

Commented:
For DHCP not working, it makes sense to confirm your DHCP server; also I cannot see bootpc and bootps allowed.
Think about it as a device without an IP yet, so how would it match your current rules?
It all depends on whether your DHCP server is within the same VLAN/broadcast domain.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Each VLAN has its own IP segment.

Where is your existing DHCP server?
You have to use IP helper to forward requests from the VLAN to the DHCP server where the additional IP scope is setup.

Author

Commented:
Hi Wissam and arnold,
thanks for replying. The DHCP server is the switch itself. I configured various DHCP scopes for the VLANs.
The switch is in layer 3 mode and every VLAN has its own virtual interface on the switch.

The absurd thing is that if I configure a static IP on my client in vlan 200 (192.168.100.0/24)... I can't ping my own gateway (192.168.100.254/24), but I can ping an IP on vlan 1 (172.16.1.0/30)!!
Ping from 192.168.100.80 ----> to 192.168.100.254 = Doesn't work
Ping from 192.168.100.80 ----> to 172.16.1.1 = Works!

It makes no sense to me.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Did you configure an IP address for VLAN 200 to be 192.168.100.1, as an example? In the DHCP scope you set up, did you push the scope option 192.168.100.1? What is the feed from which you get internet? It too needs to be configured to handle the 192.168.100.0/24 IP segment as a NAT.

Author

Commented:
If I don't set ACLs on the VLANs, the VLANs work fine; DHCP and internet access are working.
On top of the Cisco I have pfSense, which I configured with all the static routes to the subnets of the switch, firewall rules, NAT, access lists.
I repeat, all works perfectly fine.

The problem is when I set the ACL (the one I screenshotted in the first post) that I set to block all inbound and outbound traffic of vlan 200 except the "allow" to go to the internet.

RECAP:
Switch Cisco SG300 in layer 3 mode
PFSense Firewall on vlan 1 (transit vlan) - interface 172.16.1.1/30
CISCO VLAN 1 (transit vlan) - Interface ip 172.16.1.2/30
CISCO VLAN 200 - Client vlan - interface ip 192.168.100.254/32
Computer on vlan 200 - IP from DHCP
Server DHCP: is the Cisco SG300

VLAN 1 - 172.16.1.0/30
VLAN 200 - 192.168.100.0/24

Interface Vlan 1 - 172.16.1.2/30
Interface Vlan 200 - 192.168.200.254/24

All works fine without problem:
  • DHCP provides IPs for PCs on vlan 200
  • PCs go to the internet (web browsing) from vlan 200
  • from a PC on the VLAN (VLAN 200 - 192.168.100.X) I can ping the gateway of the same subnet (VLAN 200 - 172.16.200.254)


My goal is:
  • isolate VLAN 200 from other vlan
  • Provide VLAN 200 access to internet 

I put this ACL in place to accomplish my goal; here's a screenshot


After I put this ACL in place:
  • PCs on vlan 200 don't get an IP from DHCP
  • If I put a static IP on a PC in vlan 200 (192.168.100.80/24), the PC can't ping its gateway (192.168.100.254) but can ping hosts on vlan 1 (172.16.1.0/30)
  • If I put a static IP on a PC in vlan 200 (192.168.100.80/24), the PC doesn't go to the internet (web browsing)
Senior Network Engineer
CERTIFIED EXPERT
Commented:
The VACL is wrong.
I would do a deny to the internal subnets, i.e. 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16,
then permit ip any any.
You've isolated the VLAN from the other internal networks and allowed access to the internet.
Keep in mind re. DHCP traffic: udp bootps and bootpc.


Author

Commented:
Hi Wissam,
if I deny the internal subnets (RFC1918), does that also deny vlan 1 - 172.16.1.0/30?

Sorry, but I don't understand what you mean by
"keep in mind re. DHCP traffic udp bootps and bootpc"
Do you mean to make an ACL to permit udp bootps and bootpc? If yes, on which interface?

Thanks!
Wissam, Senior Network Engineer
CERTIFIED EXPERT

Commented:
The answer for DHCP depends on where your DHCP server is sitting: what is the IP address of your DHCP server?
As for the transit subnet, you don't need to allow it in your rule; the only exception would be if you want to see the hop in a traceroute. Otherwise that's how you would isolate the segment from accessing other networks in your LAN and only allow internet.
The VACL should be removed as well, unless you want to deny users of the same subnet communicating with each other.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
VLAN 50 172.16.0.0/24 IP address 172.16.0.1
VLAN 200 192.168.100.0/24 IP 192.168.100.150


The switch then has, under the DHCP server:
1) scope 172.16.0.0/24, allocatable IPs 172.16.0.2-254, scope option default router 172.16.0.1, name server: .... VLAN 50
2) scope 192.168.100.0/24, allocatable 192.168.100.1-149 and 151-254, scope option default router 192.168.100.150, name servers can only be external

Note the switch is just that, a switch; where is its feed coming from?
That firewall/router must be set up to NAT both 172.16.0.0/24 and 192.168.100.0/24 to allow these IPs access to the net.

The ACL depends on what device is in use, whether you have an explicit deny
deny 192.168.100.0/24 172.16.0.0/24 any, which will often be on the external firewall, and on the switch ACL



...
CERTIFIED EXPERT
Top Expert 2014

Commented:
Why are you doing the routing at the switch? 
Wissam, Senior Network Engineer
CERTIFIED EXPERT

Commented:
SG300 is a layer 3 switch and is capable of performing basic layer 3 routing (still better than having a router on a stick to the firewall).
His design "with a transit vlan" is ideal.
CERTIFIED EXPERT
Top Expert 2014

Commented:
I disagree. It complicates filtering, as demonstrated. It is only ideal for basic routing where no filtering or access-control is required. 

Author

Commented:
Hi Guys,
thanks for your responses.
For someone: I'm not discussing architecture... which in any case is good for my scenario. I have a single 1Gbps uplink to my firewall. Switching packets with an L3 switch is always faster than router-on-a-stick in my scenario, no question.

Recap:
Vlan 1
subnet 172.16.1.0/30
int: 172.16.1.2

Vlan 200
subnet 192.168.100.0/24
int:   192.168.100.254

I made some changes... I changed the ACL:
permit vlan 200 to vlan 1
permit vlan 1 to vlan 200
permit vlan 200 to 192.168.100.254
permit 192.168.100.254 to vlan 200
Deny vlan 200 to RFC1918
Deny RFC1918 to vlan 200
Permit all




Now this is the situation from vlan 200 (192.168.100.0/24):
  • DHCP now works - OK!
  • Now I CAN go to the internet - OK!
  • The VLAN is isolated from the other VLANs - OK!
  • I can ping, from vlan 200, the default gateway of vlan 200 (192.168.100.254/24) - OK!

I can't understand why I must set an explicit permit to the interface of vlan 200 in order for it to be reachable from the clients in the same VLAN.
It's the same VLAN, the same subnet, the same switch... and I must do an explicit permit...
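To make the behaviour in the corrected rule list above (and Wissam's earlier "deny RFC1918, then permit ip any any" pattern) concrete, here is an added example that is not part of the thread and not Cisco's code: a small first-match ACL evaluator in Python that replays the seven rules against constructed client traffic. It assumes one ordered rule list, evaluated top-down with Cisco's implicit deny at the end, and applied to every packet as it enters the VLAN 200 switchports, i.e. before the packet reaches the SVI 192.168.100.254, which is how VLAN and port ACLs are applied on ingress. The packets, the external address 93.184.216.34 and the "other VLAN" host 192.168.50.10 are constructed for the demonstration; nothing else about the lab is assumed.

```python
"""Added example: replay the corrected VLAN 200 ACL from the thread with a
first-match evaluator (not the switch's own code).

Assumptions (not from the thread): one ordered rule list, evaluated top-down,
Cisco-style implicit deny at the end, applied on ingress to VLAN 200 before
the packet reaches the layer 3 interface 192.168.100.254.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
VLAN1 = "172.16.1.0/30"            # transit VLAN from the thread
VLAN200 = "192.168.100.0/24"       # client VLAN from the thread
GATEWAY200 = "192.168.100.254/32"  # SVI of VLAN 200 from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "icmp", "udp" or "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    proto: str = "ip"          # "ip" matches every protocol
    dport: Optional[int] = None


def in_net(addr: str, net: str) -> bool:
    """True when addr falls inside net ("any" matches everything)."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls into the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def expand(action: str, srcs, dsts) -> List[Rule]:
    """One rule per (src, dst) pair, e.g. a deny for each RFC1918 block."""
    return [Rule(action, s, d) for s in srcs for d in dsts]


# The corrected ACL exactly in the order the author listed it.
FIXED_ACL = [
    Rule("permit", VLAN200, VLAN1),
    Rule("permit", VLAN1, VLAN200),
    Rule("permit", VLAN200, GATEWAY200),
    Rule("permit", GATEWAY200, VLAN200),
    *expand("deny", [VLAN200], RFC1918),
    *expand("deny", RFC1918, [VLAN200]),
    Rule("permit", "any", "any"),
]

# The same ACL with the two explicit gateway permits removed (the open question).
WITHOUT_GATEWAY_PERMIT = [r for r in FIXED_ACL if GATEWAY200 not in (r.src, r.dst)]

# Constructed traffic for a client in VLAN 200 (addresses outside the thread are made up).
SCENARIOS = {
    "dhcp_discover":    Packet("0.0.0.0", "255.255.255.255", "udp", 67),   # bootps
    "dhcp_ack_unicast": Packet("192.168.100.254", "192.168.100.80", "udp", 68),  # bootpc
    "ping_gateway":     Packet("192.168.100.80", "192.168.100.254", "icmp"),
    "ping_firewall":    Packet("192.168.100.80", "172.16.1.1", "icmp"),
    "dns_to_pfsense":   Packet("192.168.100.80", "172.16.1.1", "udp", 53),
    "web_internet":     Packet("192.168.100.80", "93.184.216.34", "tcp", 443),
    "other_vlan":       Packet("192.168.100.80", "192.168.50.10", "tcp", 445),
}


def verdicts(acl: List[Rule]) -> dict:
    """Map each scenario name to the ACL's permit/deny verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, acl in (("corrected ACL", FIXED_ACL),
                       ("without gateway permits", WITHOUT_GATEWAY_PERMIT)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {name:17} {verdict}")
```

Running it shows the point the thread circles around: with the ACL checked on ingress, a ping from 192.168.100.80 to 192.168.100.254 is just another packet whose destination sits inside 192.168.0.0/16, so without the explicit gateway permit it hits the "deny vlan 200 to RFC1918" rule, while internet-bound traffic still falls through to the final permit. The unicast DHCP reply from the SVI fails the same way without the matching "permit 192.168.100.254 to vlan 200" rule.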
Wissam, Senior Network Engineer
CERTIFIED EXPERT

Commented:
Think about the ACL as sitting before the layer 3 interface,
so a packet arriving at the switch will be checked for permit/deny before hitting your layer 3 interface.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Routing on the switch is one thing, what is the setup on the router that is facing the internet? It is the one performing the NAT that masks your RFC1918 IP addresses from the network and sends them out to the internet and then reverses the process.

If you do not configure the router/firewall to NAT the new IP segment, 192.168.100.0/24.

Usually the setup is
Internet <=> router <=> switch for LAN
VLANs defined on the router are also defined on the switch.
Layer 3 allows the offloading of the processing within the switch without the need to run all the way back to the router, through the use of ACLs as you have
....

Author

Commented:
Hi arnold,
There was a misunderstanding.
-I've already set up my firewall with static routes, NAT etc.
-I've already configured my switch in layer 3 mode with all VLANs, VLAN interfaces and static routing to the firewall
----All this configuration works perfectly----

My goal was to "isolate" a specific VLAN (vlan 200) from the other VLANs, both inbound and outbound.
I set an ACL.
That ACL didn't work.

-I opened a question on EE-

After troubleshooting I noticed that my ACL was set up in the wrong manner.
I fixed the ACL.
The ACL now works perfectly.
These are the ACLs after the correction



The only question left open was, "Why must I set an explicit permit on the interface in order to reach the same interface from the same subnet?"
After some research: because Cisco ACLs work in this manner :)
CERTIFIED EXPERT
Top Expert 2014

Commented:
I have a single uplink 1Gbps to my firewall. Switching packets with L3 switch is always faster than router in-a-stick in my scenario, no question.
Agreed; however, if you only have 2 VLANs and you're blocking one from the other, it's completely pointless to employ L3 at the switch.
Wissam, Senior Network Engineer
CERTIFIED EXPERT

Commented:
@chiprule the answer to your question is that the ACL filtering applies before the packet reaches the layer 3 VLAN interface. If you don't allow it, your internet traffic will still be routed successfully; the allow you are applying will help you ping the device's gateway and with traceroute.