Limiting Access to Internet Router

**control** · 01-09-2013 08:52 AM

Setup - Layer 3 switch with multiple VLANS. I want to connect a DSL router into one of the switch ports and have only certain VLAN members (call it Vlan 5) use the router for Internet access.

I obviously do not want any risk of Vlan 5 being able to route to other vlans/subnets on the L3 switch.

So far I've configured the switchport that will take the DSL router to be in VLAN 5 and the plan is to have the router dish out IP addresses via DHCP to VLAN 5 members. The DHCP pool is 10.1.1.0 /24

Do I need to have some sort of ACL on the VLAN interface?

The end result is to have 10.1.5.0 /24 network (Vlan 5) totally independent with no risk of traffic being able to traverse other areas of the network.

Is it just a case of adding machines to Vlan 5 switchports and they will pick up DHCP from the router? Any security concerns I would need to look into?

Thanks

**MrXpert** · 01-10-2013 10:20 AM

I think you could use a VACL here or even private vlans. have everything on one subnet with private VLANS but setup VLAN5 has a community which means it can talk to other hosts in that community along with the prom port which I assume you'd need to be the port belonging to the default gateway.
If the switch and the router you have are on different VLANS/SUBNETS you will need the IP Helper address command put onto the interface. At least this is my reading of it.

**atorven** · 01-10-2013 11:12 AM

Why not just use an acl applied to the svi to block traffic going to the other subnets?

**control** · 01-10-2013 02:59 PM

Can I apply an Access List to an actual Vlan Interface on a layer 3 switch? or does it need to be a VACL? (not came acrosss VACL before).

If I want to restrict the 10.1.5.0 /24 traffic to never leave it's vlan (5) and let no other traffic enter into that VLAN (5) - is this easily accomplished and at what level would I apply the ACL?

**networker050184** · 01-10-2013 03:00 PM

Yes you can apply an ACL to an SVI on a L3 switch.

**control** · 01-10-2013 04:07 PM

Can it only be applied in one direction, e.g in or out? Is there a simple ACL I can compile to achieve my goal? ACLs are not something I have much experience with.

**networker050184** · 01-10-2013 04:29 PM

They can be placed in both directions.

**atorven** · 01-10-2013 05:02 PM

Post your exact requirements and I'll put something together.

**control** · 01-10-2013 07:54 PM

Thanks Guys.

So scenario is - layer 3 switch, multiple vlans / multiple subnets and routing between all the vlans done by the switch itself. I have various Access Switches coming off the layer 3 switch.

I created a SVI for VLAN5 (solely for Internet Access) and I have a port in vlan5 which has a basic DSL Internet router connected to it. This dishes out IPs to anyone in VLAN5 so they can get out to Internet.

The Address range being dished out is 10.1.5.0 /24

I don't want there to be any chance of packets from 10.1.5.0 getting out of VLAN 5 and risking the rest of my network as VLAN5 is Internet only. Also, I don't want any packets from the other VLANS/Subnets coming into VLAN 5.

I'm actually just thinking, do I even need to have an SVI created as I'm not actually doing any routing for this VLAN/Subnet. Can I just create the VLAN like I would do on layer 2 switch, and have the DSL router plugged into a port in that VLAN.

That Make sense? I'm making this sound way more complicated than it actually is!

**networker050184** · 01-10-2013 08:20 PM

I'd just put the router in VLAN and not route it like you said. Simple and easy.

Thread: Limiting Access to Internet Router

Thread Tools

Limiting Access to Internet Router

Social Networking & Bookmarks

Bookmarks

Featured Sponsors