
Allowing a different subnet access through VLAN1 - IOS

Status
Not open for further replies.

ajtsystems

IS-IT--Management
Jan 15, 2009
Hi,

I need to allow a different LAN, connected by a different switch, access through my router to its trusted interface.

I am running a fairly complex VPN setup but currently don't have any access lists on the vlan1 interface.

If I create an access list for the subnet and then apply this to vlan1, would this work?

Does a Cisco block all subnets except its own trusted subnet?
 
Can you explain in more detail?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
OK, here goes:

There is an HP Procurve Layer3 switch which joins 2 networks:

Network 1 - 10.3.128.0/24
Network 2 - 172.19.13.0/24
Hanging off this switch currently is a Juniper VPN router on Network 1, which has 2 servers connected on the same network (10.3.128.0/24).

At the moment there are some workstations on Network 2 that can communicate with Network 1 through the HP Procurve switch into the Juniper. They can access both servers on Network 1.

Anyway, this week I replaced the Juniper with a Cisco 857, but when I plugged it in users on Network 2 complained they could no longer get to Network 1.

It looks like the Juniper by default allows Any <> Any across its trust interface (Vlan1 on the Cisco) but the Cisco only allows local traffic.

Question: How can I allow Any <> Any across Vlan 1 using ACLs?

I hope this makes sense.
 
So these servers are physically plugged into the 857??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Unclerico,

Yes, the 2 servers are plugged directly into the Cisco 857. The upstream kit and Network 2 are not mine, so past the HP switch I couldn't tell you what is configured, but from experience I would say somewhere upstream, possibly on the HP, is a static route pointing to Network 1.

 
What is the interface config on the Procurve L3 switch interface that links to the Router?
 
Hi,

Unfortunately I do not look after this switch; however, it does uplink to the Juniper.
 
Well, the first bit that makes no sense is that you have the same network segment (10.3.128.0) connected to 3 different interfaces on the same router.
Either I've misunderstood, or you have an abominable network design.
I'd straighten out the design before worrying about how the devices are actually configured.
 
Vince, it's an 857W; all three ports are switch ports in vlan 1. It can only handle ONE vlan... maybe 2 if you kinda push it, but that's about it.

As for the vlan2 people not reaching vlan 1, it could be due to the 857's inability to handle more than one vlan.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
OK, so the 857W can't be used to route between two different LANs?

I know I've configured one of those little Cisco routers to have two wireless networks trunked back to a LAN on separate VLANs; I guess it wasn't an 857W.

I'd say there is definitely a major design issue to address.

You need to address the basics:
- where is inter-VLAN routing going to take place?
- which interfaces have the default GW address for each network?
 
Wireless-wise, I think it can handle multiple connections / subnets (I've tried two and it has worked), but the ports are permanently in vlan1 and it does not support tagging...

I think in ajtsystems's case it might have been better to keep the Juniper box...

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
I've dug out my old config - according to my filename this was an 871W.

It had two radio interfaces, two VLAN interfaces, and two bridge interfaces with IP addresses on them, and both VLANs were trunked back to the network:

!
interface FastEthernet2
 switchport trunk native vlan 20
 switchport mode trunk
 spanning-tree portfast
!

and an access list on the VLAN interface to separate the two subnets:

!
interface Vlan10
 no ip address
 ip access-group 110 out
 bridge-group 10
!

But again, I go back to "design" - do that first before deciding what hardware you need. This includes finding out how the switch is configured and what its role is in the network, precisely.
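Building on the design questions raised above (where inter-VLAN routing happens and which interface holds each default gateway) and the `ip access-group 110 out` shown, here is an added example of what access-list 110 could contain. It is not the poster's configuration; the VLAN numbers, gateway addresses and server addresses are assumptions, with the two subnets taken from the thread.

```cisco
! Added example, not taken from the thread. Addressing is assumed:
! 10.3.128.0/24 (Network 1) on Vlan10 and 172.19.13.0/24 (Network 2)
! on Vlan20, with this router acting as default gateway for both.
! Pick gateway addresses that do not clash with the upstream gateway,
! which is exactly the problem the thread later ran into.
!
interface Vlan10
 description Network 1 - servers
 ip address 10.3.128.1 255.255.255.0
 ip access-group 110 out
!
interface Vlan20
 description Network 2 - workstations
 ip address 172.19.13.1 255.255.255.0
!
! 110 is applied OUTBOUND on Vlan10, so it filters packets the router
! is about to forward into Network 1. Network 2 may reach only the two
! servers (placeholder addresses); the rest of its traffic towards
! Network 1 is dropped and logged, and everything else is permitted.
access-list 110 remark Network 2 -> Network 1: servers only
access-list 110 permit ip 172.19.13.0 0.0.0.255 host 10.3.128.10
access-list 110 permit ip 172.19.13.0 0.0.0.255 host 10.3.128.11
access-list 110 deny   ip 172.19.13.0 0.0.0.255 10.3.128.0 0.0.0.255 log
access-list 110 permit ip any any
!
! The explicit "Any <> Any" the original question asked for. It
! behaves the same as having no ACL at all, so it is only worth
! applying to make the intent visible and to get hit counters.
access-list 120 permit ip any any
!
! Check what is bound where and which lines are matching:
! show ip interface Vlan10 | include access list
! show access-lists 110
```

Every IOS ACL ends with an implicit deny, so the trailing `permit ip any any` is what keeps the rest of the traffic flowing once the list is applied.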
 
I have managed to get it working. Firstly, the IP address I had given vlan1 on the 857 was clashing with the IP address of the gateway interface to the other network; I only found this out by talking to the other network chap.

The reason the Juniper had to go was because it was not ADSL 2+ compatible.

I guess the fact that all 4 ports on the 857 are in vlan1 and basically a switch negates the requirement for an Any <> Any ACL to allow the other network through...

HTH...
Thanks
 