Restricting access to VLAN?

Status
Not open for further replies.

pixboy

MIS
Nov 21, 2001
153
US
One of our clients has three Catalyst 6000 switches and one 3524-XL switch. We have a separate VLAN set up on the switches for a specific application which is most directly connected to the 3524-XL. One of the NT servers has two NICs -- one on the main VLAN, and one on the second VLAN. This particular server has RRAS installed, and has IP forwarding selected. (I've tried disabling IP forwarding, but it tends to make my VPN connections to the network useless!) This particular server also backs up data from the second VLAN.

We need to prevent users in the main VLAN from accessing anything that's on the second VLAN. Normally, I'd say just disable IP forwarding, since that's what's allowing the traffic to make it from one to the other. But as I mentioned above, that IP forwarding is necessary -- to a very limited user group. (Me, mainly, and any other admin.)

Here's the question:

Is it possible to restrict VLAN-to-VLAN traffic by either MAC or IP address, or by some other means? I'd like to be able to do it this way, rather than recommend the client go out and purchase new switches.

Thanks!

Dan
 
For starters, in order to traverse from a VLAN to a 2nd VLAN, you route. Since you route, you can play with access-lists. You can construct an access list by IP, host, MAC, time, etc. I just did one for restricting access to a special security device to only one host and one protocol socket.

The access list is applied to the VLAN interface on the routing engine: router on a stick, the RSM, or the MSFC.

Go here; at the bottom of the left-side column is a link for inter-VLAN routing.


MikeS
Find me at
"The trouble with giving up civil rights is that you never get them back"
 
I figured access lists were probably the solution. There really isn't a router involved in this situation, as IP forwarding on the NT server (from one NIC -- on the main VLAN -- to another NIC -- on the second VLAN) is what's causing traffic to get there. I've proven this a couple different ways, most simply by disabling IP forwarding. However, as I mentioned, that made it impossible for me to do some remote administration of the network, so that's not a good choice.

Having experience configuring a PIX 520, I figured access lists might do the trick, but I was blanking on how to do them yesterday when I wrote the original post. Since my intention is to block traffic to the second VLAN by IP address (the main VLAN is 192.168.1.0, the second is 192.168.2.0 -- I want to block access from 192.168.1.0 except for a couple specific IPs), I'll look into that.

Thanks!

Dan
 
OK, after nearly a week of playing with this, I'm no closer to a solution. Right now, there is no router that passes traffic between the two networks -- just the IP Forwarding of that NT server.

What I need to be able to do is restrict access to the last 12 ports of the 3524XL switch (which handles the servers in the second VLAN) to machines that are on the same network. (For example, if the main network is 192.168.10.0/24, the second network is 192.168.11.0/24. In that scenario, I'd need to restrict access to FastEthernet ports 13 through 24 on the 3524 [all in VLAN200] to the 192.168.11.0/24 network.)

1. Is this possible?

2. Even if it is possible, will machines that arrive at the 3524XL switch from the main network be seen as coming from the NT server that has IP Forwarding enabled? (A show arp on the 3524XL shows only a few IPs from the main network, and none from the second network. Very strange!)

Ideally, machines in the main network would basically get their packets dropped. (A traceroute from the main network to the second network would go nowhere.)

Help!

Thanks!
 
One possible solution in the 3524XL is to configure the MAC-based port-level security to restrict certain MAC addresses from gaining access to certain ports. It's a similar concept to an access list.
 
Any idea just how you'd do that? (An example, maybe?) Realistically, doing this by MAC addresses would be much more difficult, as I'd have to locate all the MAC addresses of the machines on the second VLAN. The MAC address tables on any of the switches in this particular enterprise (rather large) haven't revealed a lot about the second VLAN's participants. It would be much easier to restrict it to a particular IP block -- allowing, say, 192.168.11.0/24 and denying 192.168.10.0/24 (main network).

Thanks!
 
I don't know if I understand your problem fully.

Correct me if I'm wrong.

You have One NT server with two NICs, turning your server
into a router, which causes unauthorized access between
vlans.

If your Cat6000 has a router card installed, or if you have
a router connected to your switches, then you can use access
lists to restrict access at L3, but at the cost of more CPU and RAM usage.

To be a little clearer on my suggestion, I would
restrict access for the two ports that are connected to your (problem) server NICs, i.e. only the MAC addresses of the two
NIC cards are allowed access through those ports. You will not need to locate all of your MAC addresses, only the two for the NIC cards in the server, assigned respectively to their ports.

That way packets are dropped before they are processed.

If you're hell-bent on using ALs, then here is a quick basic config for you to start with, based on the info you've provided.

access-list 110 permit ip 192.168.11.0 0.0.0.255 any
access-list 110 deny ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip any any

interface f0/1.1
encapsulation isl 20
ip address 192.168.11.1 255.255.255.0

interface f0/1.2
encapsulation isl 10
ip address 192.168.10.1 255.255.255.0
ip access-group 110 in
 
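The following Python model is an added example, not code from the thread or from Cisco. It implements the two rules that decide what a numbered IOS extended ACL like the one above actually does: entries are tested top to bottom and the first match wins, and a wildcard mask bit of 1 means "don't care". Run against the posted ACL as it would sit inbound on the main-VLAN interface, it shows that the deny line catches every host in 192.168.10.0/24, including the admin machines Dan wants to keep; the second ACL adds explicit host permits ahead of the deny. The admin addresses 192.168.10.5 and 192.168.10.6, the sample flows, and the ACL number 120 are constructed placeholders; the same evaluation applies when the list is bound to an "interface vlan" as in the later posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def _take_spec(toks: List[str], i: int) -> Tuple[str, int]:
    """Consume one IOS address spec starting at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2


def parse_acl(config: str) -> List[AclEntry]:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines (numbered extended ACL)."""
    entries = []
    for line in config.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        assert toks[3] == "ip", "only the 'ip' protocol keyword is modelled here"
        src, i = _take_spec(toks, 4)
        dst, _ = _take_spec(toks, i)
        entries.append(AclEntry(toks[2], src, dst))
    return entries


def _matches(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    net, wildcard = spec.split()
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # invert wildcard -> netmask
    return (a & care) == (int(ipaddress.IPv4Address(net)) & care)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for n, entry in enumerate(acl, start=1):
        if _matches(entry.src, src) and _matches(entry.dst, dst):
            return entry.action, n
    return "deny", None


# The ACL as posted in the thread, in standard numbered-ACL syntax.
ACL_POSTED = """
access-list 110 permit ip 192.168.11.0 0.0.0.255 any
access-list 110 deny   ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip any any
"""

# Variant with explicit admin exceptions ahead of the deny. The two admin hosts
# are constructed placeholders (hypothetical), not addresses from the thread.
ACL_WITH_EXCEPTIONS = """
access-list 120 permit ip host 192.168.10.5 192.168.11.0 0.0.0.255
access-list 120 permit ip host 192.168.10.6 192.168.11.0 0.0.0.255
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip any any
"""

# Constructed sample flows (src, dst) as seen inbound on the main-VLAN interface.
FLOWS = [
    ("192.168.10.5", "192.168.11.20"),   # admin workstation -> second-VLAN server
    ("192.168.10.77", "192.168.11.20"),  # ordinary user -> second-VLAN server
    ("192.168.10.77", "10.0.0.1"),       # ordinary user -> elsewhere via the router
]


def decide(config: str) -> dict:
    """Return {'src->dst': 'permit'|'deny'} for every sample flow under the given ACL."""
    acl = parse_acl(config)
    return {f"{s}->{d}": evaluate(acl, s, d)[0] for s, d in FLOWS}


if __name__ == "__main__":
    for name, cfg in (("posted", ACL_POSTED), ("with exceptions", ACL_WITH_EXCEPTIONS)):
        print(name, decide(cfg))
```

The posted list denies all three flows, because "deny ip 192.168.10.0 0.0.0.255 any" is evaluated before "permit ip any any" and matches every source on the main VLAN regardless of destination; the variant permits the two admin hosts, denies the rest of 192.168.10.0/24 only toward 192.168.11.0/24, and lets other traffic through the router unchanged.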
Ah ... Now this is beginning to make sense! I should be able to control access to the specific port the NT server is attached to on the 6000 switch via its MAC address. I'll have to try that.

With the AL example you gave, it appears it's grouped to one FastEthernet (?) port. Any way of simply grouping it to VLAN200 instead? That VLAN is on FE0/13 through 24, so maybe it'd be just as easy to apply it to all of those.

Thanks!
 
In the router card in the Cat6000 you can set up a
virtual Vlan interface.

i.e.
interface vlan 200
encapsulation isl 200 (this is the vlan #)
ip address 192.168.10.1 255.255.255.0
ip access-group 110 in

Similar to setting up a loopback interface
 
Sorry, I made a mistake: on the Cat6000 MSM card you don't
have to set the encapsulation.

In the router card in the Cat6000 you can set up a
virtual Vlan interface.

i.e.
interface vlan 200
ip address 192.168.10.1 255.255.255.0
ip access-group 110 in

Similar to setting up a loopback interface
 