3560 VACL Config

Rory Hamaker
Level 1

Well, I hate posting dumb questions, but I always get good help from here, so here I go again. I have a series of 3560s (one of which is the "main" switch that handles VTP) that are fibered together to run a development and test network here at my organization. I have 8 VLANs set up on them, each with a corresponding 192.168.x.x IP range (i.e. vlan 1 is 192.168.1.x, vlan 2 is 192.168.2.x, etc.). All of my servers are on vlan 1 and have static addresses. I need vlan 1 to be able to communicate with anyone on the network regardless of their VLAN. Currently the main switch is doing layer 3 routing, so every VLAN can see every other VLAN. I need to be able to break them off into the following breakdown: vlan 1 sees all and all can see vlan 1; vlans 2-4 can talk to each other and vlan 1; then everything else can only communicate with itself and vlan 1. I don't know if I have the equipment to support this using just the 3560s or not, but I can't seem to find a place to start trying to figure it out. If someone could point me in the right direction I certainly don't mind digging for more info, I just can't find a starting point.

Accepted Solution

Jon Marshall
Hall of Fame

Rory

vlan 2 acl

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
int vlan 2
 ip access-group 102 in
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
int vlan 3
 ip access-group 103 in
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
int vlan 4
 ip access-group 104 in

Then for the other vlans simply use a new acl per vlan with just the one line below, and apply it to the relevant vlan interface.

access-list 105 permit ip 192.168.x.0 0.0.0.255 192.168.1.0 0.0.0.255

Jon


6 Replies


Jon, and I just apply this at the VTP server switch, correct? Or do I need to make the lists on each sub-switch as well?

Rory

You apply them to the L3 vlan interfaces for each vlan, so whichever switch that is, i.e. it should be only the switch that is responsible for routing between the vlans. It has nothing to do with VTP.

Reading your post again it looks like it is the "main" switch that is doing the inter-vlan routing so apply them there.

Jon

You are correct, my "main" switch does all the layer 3 switching. I will get them applied, and thank you so much for answering this for me. I am sure this seems trivial, but I have been banging my head on the wall all morning.

Well Jon, I tried that and it seemed to break network connectivity between vlans. My DHCP server is on the .1 vlan and I was testing with computers on the .3 vlan. When I applied the access-list that you gave me I was no longer able to get DHCP addresses. I copied a snippet of the sh run for you; hopefully that will help to identify my error. You'll notice some of the vlan numbers are a little different than in my original post, I just used those for ease of explanation.

interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
 ip helper-address 192.168.1.8
 ip helper-address 192.168.1.78
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.1.8
 ip helper-address 192.168.1.78
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.8
 ip helper-address 192.168.1.78
!
interface Vlan6
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan7
 ip address 192.168.7.1 255.255.255.0
 ip helper-address 192.168.1.8
 ip helper-address 192.168.1.78
!
interface Vlan8
 ip address 192.168.8.1 255.255.255.0
 ip helper-address 192.168.1.8
 ip helper-address 192.168.1.78
!
interface Vlan9
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.1.8
!
interface Vlan20
 no ip address
!
!
router eigrp 563
 redistribute static
 no eigrp log-neighbor-changes
!
ip default-gateway 192.168.1.254
ip http server
no ip http secure-server
!
!
!
logging esm config
access-list 1 permit 192.168.1.8
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end

Hi Rory,

I believe the problem is that your access-lists come into effect only after the devices have got an IP address. However, for the DHCP server to give out addresses, it needs to get the bootps from the machines, which is currently getting dropped because the current acl doesn't allow it.

Please add this to your acl and then it should all work. Let me know how you go.

access-list 103 permit udp any host 255.255.255.255 eq bootps
access-list 103 permit udp any 192.168.1.0 0.0.0.255 eq bootps

HTH

Regards,

Kishore
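As an added example that is not part of the thread and not Cisco, Jon's or Kishore's code: a small Python model of how an inbound extended ACL on an SVI evaluates traffic (first match wins, implicit deny at the end). It parses the numbered `access-list` syntax used in the replies, runs Jon's ACL 103 with and without Kishore's two bootps lines against constructed packets, and includes a `build_acl()` helper that emits the per-VLAN ACLs for the policy in the original question (server VLAN reachable from everywhere, vlans 2-4 meshed, everything else only to vlan 1) with the DHCP permits included from the start. The sample packets, the port-name table and the "ACL number = 100 + vlan" convention in `build_acl()` are this example's assumptions.

```python
"""Model of an inbound IOS extended ACL on an SVI: first match wins, then
implicit deny. Added example for this thread; not Cisco, Jon's or Kishore's
code. Packets are constructed, not captured; PORT_NAMES and the 100+vlan
numbering in build_acl() are assumptions of the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # only the names the thread uses


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" | "deny"
    proto: str                 # "ip" matches every protocol
    src: tuple                 # (network as int, wildcard as int)
    dst: tuple
    dport: Optional[int]       # None unless "eq <port>" was given


def _addr(tokens: list) -> tuple:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def _matches(addr: str, spec: tuple) -> bool:
    """Wildcard bits set to 1 are don't-care; every other bit must be equal."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) ^ net) & (0xFFFFFFFF ^ wild) == 0


def parse_acls(config: str) -> dict:
    """Collect 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines by N."""
    acls: dict = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
            continue   # blank lines, '!' comments, interface commands, standard ACLs
        number, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]
        src = _addr(rest)
        dst = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, dport))
    return acls


def evaluate(entries: list, pkt: Packet) -> str:
    """Action of the first matching entry, or the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(pkt.src, e.src) and _matches(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def build_acl(vlan: int, peers: list, server_vlan: int = 1) -> list:
    """Inbound ACL for 'interface Vlan<vlan>': reach the server VLAN and the
    listed peers only, with the DHCP relay kept working. 100+vlan is assumed."""
    n = 100 + vlan
    lines = [
        f"access-list {n} permit udp any host 255.255.255.255 eq bootps",
        f"access-list {n} permit udp any 192.168.{server_vlan}.0 0.0.0.255 eq bootps",
    ]
    for other in [server_vlan, *peers]:
        lines.append(f"access-list {n} permit ip 192.168.{vlan}.0 0.0.0.255 "
                     f"192.168.{other}.0 0.0.0.255")
    return lines


# Jon's ACL 103 as posted, and Kishore's two extra lines.
JON_ACL_103 = """
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
KISHORE_FIX = """
access-list 103 permit udp any host 255.255.255.255 eq bootps
access-list 103 permit udp any 192.168.1.0 0.0.0.255 eq bootps
"""

# Constructed packets as the Vlan3 SVI sees them, before any helper relay.
SAMPLES = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "dhcp_renew":    Packet("udp", "192.168.3.50", "192.168.1.8", 67),
    "ping_server":   Packet("icmp", "192.168.3.50", "192.168.1.8"),
    "ping_vlan5":    Packet("icmp", "192.168.3.50", "192.168.5.20"),
}


def before_and_after() -> dict:
    """Verdict per sample packet under ACL 103 without and with the bootps lines."""
    before = parse_acls(JON_ACL_103)[103]
    after = parse_acls(KISHORE_FIX + JON_ACL_103)[103]
    return {n: (evaluate(before, p), evaluate(after, p)) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (b, a) in before_and_after().items():
        print(f"{name:14} before={b:6} after={a}")
    print("\n".join(build_acl(5, [])))   # a VLAN that may only reach vlan 1
```

The run shows the mechanism behind the thread: the DISCOVER that the helper-address would relay arrives with source 0.0.0.0 and destination 255.255.255.255, so none of the subnet-to-subnet permits match it and it falls through to the implicit deny; the unicast renew to 192.168.1.8 was never affected. Two caveats worth keeping in mind when deploying this scheme: the ACLs are stateless (each direction is judged on its own, which is why vlan 1 traffic into vlan 3 only works because the ACL on Vlan3 permits the reply), and vlan 1 itself carries no ACL, so every host in the server VLAN is fully trusted by every other VLAN.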
