Cisco 2948G-L3 Subnet Security 2

Status
Not open for further replies.

farris25x (IS-IT--Management), Apr 13, 2005
We just recently purchased a Cisco 2948G-L3 layer 3 switch, in hopes of replacing our Windows router. In the process of installing the router/switch we found that separating the networks on the FastEthernet ports was quite a task. We were not able to find a solution. Here is what we are facing.

We have 4 network subnets.

x.x.1.x is our private wired network on VLan 1
x.x.3.x is our private wireless network on VLan 2
x.x.4.x is our public wireless network on VLan 2
x.x.5.x is our private non-dhcp wired network on VLan 5

So far on our 2948G-L3 we have port configurations as follows:

Port 1 - x.x.2.2 (connected to our firewall x.x.2.1)
Port 2 - x.x.1.3 (our private wired gateway)
Port 3 - x.x.3.1 (our private wireless gateway)
Port 4 - x.x.4.1 (our public wireless gateway)
Port 5 - x.x.5.1 (our private non-dhcp wired gateway)

Port 1 should accept traffic from all networks.
Port 2 should block traffic from 4.x and 5.x and accept 1.x, 2.x, and 3.x.
Port 3 should block traffic from 4.x and 5.x and accept 1.x, 2.x, and 3.x.
Port 4 should block 1.x, 3.x, and 5.x and accept 2.x and 4.x.
Port 5 should block 1.x, 3.x, and 4.x and accept 2.x and 5.x.

Not too complicated, but from what I've found out I cannot use ACLs to filter traffic; that is, I can't use them on the FastEthernet ports, only gigabit. I've tried some limited VLAN settings, but have found nothing that works too well. Is there anything I should be taking a look at to do this, or should I find some alternate form of filtering?
 
Create your access lists, and link them to the VLAN interface. This will accomplish what you are looking for. You will not be able to directly tie a layer 3 access list to a layer 2 port.

Example

! extended ACL: the protocol keyword (ip) is required after permit/deny
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.3
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.3
access-list 100 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.3

etc.. etc...

These access lists will only let you talk to the gateway, and not devices on the other network. I would recommend changing them to

access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
Etc...
 
With the 2948G-L3 you need to configure bridge-groups and BVIs. Once you have the BVIs configured (the equivalent of interface VLAN X on newer switches, 3550 etc.) you can apply your ACLs to the BVI interfaces. There is a good document on CCO about configuring the 2948G-L3, 4908G-L3 and 4232G-L3 module, as these all share the same IOS features.

I am a bit surprised that you say you '...recently purchased...' a 2948G-L3, as these are quite old switches (EOL?), so unless you bought this second hand I would question your supplier.

Good luck

Andy
 
So, I tried what you guys said and ran into a few issues. First, I get a message stating "ACL's not support on BVI". That sounds bad to me. And second, once completed, the BVIs change their state to down. Now, to avoid spending too much time typing in each line, I went ahead and typed out my config in Notepad and copied that into the terminal connection. Here is what I copied, which took me a few tries to get some kinks out, but this seemed to run smoothly.

config t
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
bridge 1 protocol ieee
int fa1
bridge-group 1
exit
bridge irb
int bvi 1
ip address 192.168.2.3 255.255.255.0
ip access-group 101 in
ip access-group 101 out
exit
bridge 1 route ip
bridge 2 protocol ieee
int fa2
bridge-group 2
exit
int bvi 2
ip address 192.168.1.2 255.255.255.0
ip access-group 102 in
ip access-group 102 out
exit
bridge 2 route ip
bridge 3 protocol ieee
int fa3
bridge-group 3
exit
int bvi 3
ip address 192.168.3.11 255.255.255.0
ip access-group 103 in
ip access-group 103 out
exit
bridge 3 route ip
bridge 4 protocol ieee
int fa4
bridge-group 4
exit
int bvi 4
ip address 192.168.4.2 255.255.255.0
ip access-group 104 in
ip access-group 104 out
exit
bridge 4 route ip
bridge 5 protocol ieee
int fa5
bridge-group 5
exit
int bvi 5
ip address 192.168.5.11 255.255.255.0
ip access-group 105 in
ip access-group 105 out
exit
bridge 5 route ip
end

Is there something I need to change in my config file? Another thing I noticed is that in the IP settings for the BVIs I can't seem to use an IP from the same network as any other interface. What is that about? Is it going to work if I just give them some obscure IP addresses like 6.1, 7.1, 8.1, 9.1, and 10.1? Thank you for your help so far. And yes, we did purchase our switch/router from a second-hand company, refurbished. Thanks again.
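As an added illustration (not from the thread or from Cisco), the following Python transcribes the five posted ACLs and evaluates them with IOS wildcard-mask semantics and the implicit deny, checking the "out" direction against the per-port accept/block policy stated in the first post and then showing what the same ACLs do when applied "in" on each BVI. Sample host addresses (.10 and .20) are constructed.

```python
"""Offline check of the thread's wildcard-mask ACLs against the intended
per-port policy. Constructed example; not Cisco code."""
from ipaddress import ip_address

WC = "0.0.0.255"  # every entry in the posted config uses a /24 wildcard

# ACL entries as (src_net, src_wildcard, dst_net, dst_wildcard, action),
# transcribed from the posted config; each ACL number maps to the subnet
# of the BVI it is applied on (101 -> .2.x, 102 -> .1.x, ...).
def _entries(dst, srcs):
    return [(f"192.168.{s}.0", WC, f"192.168.{dst}.0", WC, "permit") for s in srcs]

ACLS = {101: _entries(2, (1, 2, 3, 4, 5)), 102: _entries(1, (1, 2, 3)),
        103: _entries(3, (1, 2, 3)), 104: _entries(4, (2, 4)), 105: _entries(5, (2, 5))}
ACL_FOR_SUBNET = {2: 101, 1: 102, 3: 103, 4: 104, 5: 105}

# Intended policy from the first post: subnet -> source subnets it should accept.
ALLOWED_SOURCES = {2: {1, 2, 3, 4, 5}, 1: {1, 2, 3}, 3: {1, 2, 3}, 4: {2, 4}, 5: {2, 5}}

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(entries, src, dst):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for s_net, s_wc, d_net, d_wc, action in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

def outbound_mismatches():
    """Packets leaving a BVI toward its own subnet: ACL decision vs. stated intent."""
    bad = []
    for dst, allowed in ALLOWED_SOURCES.items():
        for src in range(1, 6):
            got = acl_permits(ACLS[ACL_FOR_SUBNET[dst]], f"192.168.{src}.10", f"192.168.{dst}.20")
            if got != (src in allowed):
                bad.append((src, dst, got))
    return bad

def inbound_blocked(subnet):
    """Same ACL applied 'in' on the BVI: other subnets its hosts are denied from reaching."""
    acl = ACLS[ACL_FOR_SUBNET[subnet]]
    return sorted(d for d in range(1, 6) if d != subnet
                  and not acl_permits(acl, f"192.168.{subnet}.10", f"192.168.{d}.1"))

if __name__ == "__main__":
    print("outbound mismatches:", outbound_mismatches())
    for s in range(1, 6):
        print(f"hosts on .{s}.x, ACL applied in, are denied:", inbound_blocked(s))
```

Because every ACL only permits packets whose destination is the BVI's own subnet, applying it in both directions leaves the "out" policy correct but denies hosts on each subnet every other destination on the way in, including the firewall segment.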
 
Anyone have any tips for me in the above situation?
 
Hi

If you can't apply the ACL to the sub-interfaces you are not going to be able to do this. I seem to remember this issue when I was putting some 4908G-L3 switches in a few years ago (same IOS code as the 2948G-L3). You may have to manually enable (no shut) the BVI interfaces, but to be honest, if you can't apply the ACLs to the BVI interfaces then you won't be able to do what you want to achieve.
I would suggest maybe getting a new switch such as a 3550 (now EOL as well), 3560 or 3750.

You can't have overlapping IP addresses on any of your interfaces; this is by design, and the router/switch will generate an error and will not accept the commands.

Andy
 