
VLANs & ACLs


darronb (Technical User), Feb 8, 2002
I am a little confused with the operation of VLANs and ACLs working on the same router and switches.

I have a 2621 router with 2 Ethernet ports, connecting to 3550 switches.

I need to set up 2 VLANs, one for Admin and one for General.

Admin is able to see General, but General is not allowed to see Admin.

How is this achievable with VLANs? As I understand it, VLANs cannot see each other, or am I missing something?

Do I also have to use ACLs?????
 
You could subnet the two networks and implement ACLs in the router. Otherwise, you will need to configure your switches to create separate VLANs, then trunk the Ethernet ports to the router.
 
The 3550 switches are layer3 switches, so I would do all of this on the 3550's and not use the 2621 at all.

Switch A and B would be VTP Servers.

Make a trunk between the switches on both ends

i.e.
configure terminal
interface fastethernet0/1
! On a 3550 the encapsulation must be set before the port will accept trunk mode
switchport trunk encapsulation dot1q
switchport mode trunk
end

Create an additional VLAN for General

vlan database
vlan 2 name General
vtp server
vtp domain myvtpdomain
apply
exit

On Switch B we want to setup the trunk and the VTP settings.

configure terminal
interface fastethernet0/1
! Same as Switch A: set the encapsulation, then force the port to trunk
switchport trunk encapsulation dot1q
switchport mode trunk
end

vlan database
vtp server
vtp domain myvtpdomain
apply
exit

Now you want to assign IP addresses to the vlans and enable IP routing.

configure terminal
interface vlan1
ip address 1.1.1.1 255.255.255.0
description Administration VLAN
interface vlan2
ip address 2.2.2.1 255.255.255.0
description General VLAN
exit
ip routing
exit

Now if we do a "show ip route" we will see the two routes, i.e. 1.1.1.0/24 and 2.2.2.0/24. The VLANs will now communicate freely. We will ensure that the second 3550 has this configuration by doing a "show vtp status" and a "show vlan" on it. The second switch should have pulled down the VLAN information from the first switch, provided that you set up a switchport trunk properly.

Now just make an ACL that will restrict the "General" VLAN from accessing the "Administration" vlan.

Switch A:

configure terminal
! Extended ACLs take wildcard masks (0.0.0.255 = a whole /24), not subnet masks
! "established" is a keyword on its own (matches TCP ACK/RST), not "eq established"
access-list 101 permit tcp any any established
access-list 101 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 log
access-list 101 permit ip any any
! Apply it where traffic sourced from 2.2.2.0/24 enters the switch: inbound on the General SVI
interface vlan2
ip access-group 101 in
end

Finally, write the running configuration of both switches to memory with either the "write memory" or "copy running-config startup-config" command.

Note:

The IP subnets listed in this configuration are PUBLIC IP addresses and should not be used in your internal LAN. I have simply used them for demonstration only. Replace the 1.1.1.0/24 subnet with your existing subnet and replace the 2.2.2.0/24 subnet with your planned new IP subnet.
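The following is an added example, not code from the thread or from Cisco: a small Python model of how an extended ACL such as access-list 101 is evaluated, so the logic can be checked offline before it is pushed to a switch. The point it demonstrates is that ACL entries carry wildcard masks (a 0 bit means "must match", a 1 bit means "don't care"), so 0.0.0.255 covers a /24 while 255.255.255.0 only pins the last octet and lets General-to-Admin traffic fall through to "permit ip any any". The Entry and Packet classes, the acl_101 builder and the sample addresses are all constructed for this example.

```python
"""
Added example, not from the Tek-Tips thread: a model of Cisco extended ACL
evaluation (first match wins, implicit deny at the end, wildcard masks) used
to check the access-list 101 logic from the post above.
Constructed for this example: Entry, Packet, acl_101 and the sample packets.
"""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword: every bit is don't-care


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard compare: only bits that are 0 in the wildcard are checked."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" (any protocol) or "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    established: bool = False  # TCP "established" keyword: ACK or RST set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    ack_or_rst: bool = False   # True for a reply inside an existing TCP session


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        return e.action
    return "deny"


def acl_101(deny_mask: str) -> list:
    """access-list 101 from the thread with a chosen mask on the deny line.
    Meant to sit inbound on the General SVI, where 2.2.2.0/24 traffic enters.
    The "log" keyword is not modelled."""
    return [
        Entry("permit", "tcp", *ANY, *ANY, established=True),
        Entry("deny", "ip", "2.2.2.0", deny_mask, "1.1.1.0", deny_mask),
        Entry("permit", "ip", *ANY, *ANY),
    ]


# Correct wildcard for a /24, and the subnet-mask form that does not work here
ACL_WILDCARD = acl_101("0.0.0.255")
ACL_SUBNET_MASK = acl_101("255.255.255.0")

# Constructed sample traffic using the thread's demonstration subnets
GENERAL_TO_ADMIN_SYN = Packet("2.2.2.10", "1.1.1.5")                     # new session
GENERAL_TO_ADMIN_REPLY = Packet("2.2.2.10", "1.1.1.5", ack_or_rst=True)  # answer to Admin
GENERAL_TO_OTHER = Packet("2.2.2.10", "10.9.8.7")                        # some other subnet

if __name__ == "__main__":
    for name, acl in (("wildcard 0.0.0.255", ACL_WILDCARD),
                      ("mask 255.255.255.0", ACL_SUBNET_MASK)):
        print(name,
              "syn:", evaluate(acl, GENERAL_TO_ADMIN_SYN),
              "reply:", evaluate(acl, GENERAL_TO_ADMIN_REPLY),
              "other:", evaluate(acl, GENERAL_TO_OTHER))
```

With the 0.0.0.255 wildcard a new session from General to Admin is denied, replies to Admin-initiated sessions are permitted by the "established" line, and General traffic to any other subnet is still permitted; with 255.255.255.0 the deny line never matches a normal host address and the same new session is permitted. Two caveats worth keeping in mind: the ACL only has this effect if it is applied where General traffic enters the switch (inbound on the General SVI), and "established" checks TCP flags only, so it is a coarse filter rather than stateful inspection.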
 
Thanks very much for such a detailed explanation.

One thing I need to mention, this site also needs to connect to a district router over a T1 line.

Would I need the router? I don't think the switch can support a serial line.
 
Yes... You can throw a serial line in that 2621. However, I wouldn't use the router for routing your VLAN traffic.
 
Am I correct in saying that if I had two VLANs, Admin and Students, each on their own subnet,

it would be possible for the people on the Admin VLAN to see people on the Students VLAN and vice versa?

NOTE:- a router (2621) is used to connect the switches.

The only way to restrict access would be to use ACLs.

I am a little confused on this subject.

Thanks.
 
Just a quick question. Do these 3550s have Enhanced image or Standard image?
 
darronb... You don't need the 2621 to connect the two switches. You will need it to connect your T1 lines to one of the switches. The 3550s with the configuration example I gave will route between Admin and Students.
 
Standard image

Sorry, forget the 2621. Is my last post correct?
 
Yes... You will have to use ACLs to control the access.
 