Advice - InterVLAN Routing

  • Advice - InterVLAN Routing

    Hiya, great forum this...

    I currently have 200+ servers running across 10+ VLANs; I need to block access for some, limit access for others, etc. I'm sure you know the type of thing...

    When I looked at this 4-5 years ago, in the end I went with Cisco 3750s in a StackWise stack. Now it all works great, but boy was it a pain to set up, the main issue (I used the CLI for this) being how ugly all the access lists become. You can group etc., but basically it's just really hard to manage, and easy to make mistakes...

    Anyway, it's time to replace these switches. I got some test units, so I am going to get them upgraded and see if things have improved (it would be nice, for ease, to at least be able to see all this via a GUI).

    So my question, you ask...

    So this is a larger network; latency, speed and reliability are important, and the 3750s have delivered on this big time. But what are others doing? Is there a better way of achieving this?

    I am looking around for answers and have tried (pretty unsuccessfully) to get a road map from Cisco, but thought it would be worth seeing what others are doing...


  • #2
    Re: Advice - InterVLAN Routing

    Are we talking about blocking access between users in the same VLAN? You can use VACLs for that. If it's between VLANs, the better option is access lists on your SVIs or routed interfaces. You could always use PACLs at the access port for the hosts, but it's more configuration than using VACLs, as now you have to apply your ACLs per port and not per SVI or L3 interface.

    Another option would be to drop in an ASA, maybe in transparent mode? This way, in transparent mode, you don't have to renumber your network. If you had a 6000 series you could purchase a FWSM and filter on that.

    I also use 3750s (and a few 3560s) in StackWise configuration with ACLs as well at our remote sites. We currently use 4506s at our core. Yes, the ACLs can get long, but as long as they're well documented I would roll with that. The configuration isn't bad at all as long as you know the CLI. (The web interface on the switches is just plain bad; I don't know why anyone would use it.)

    Also, Cisco now recommends you run Layer 3 between your switch blocks. By switch blocks I mean a stack in a closet, per floor, etc. In other words, don't span your VLANs between switch blocks; just run Layer 3 between them (if possible).
    Last edited by auglan; 6th September 2012, 13:05.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: Advice - InterVLAN Routing

      Hey, thanks for the reply, nice to hear what you think...

      We only filter between VLANs, so it sounds like the 3750s are still the way to go...

      I set up a little test, as I have a couple of spare units, and I did find that Cisco Network Assistant was actually pretty good. I did it all via the CLI last time, and that made it pretty hard going...

      Also, last time I set it up like this...

      I think I must have had a week of stupid, as it made my life much harder... (there's rather more than this, but you get my drift)

      vlan access-map map-vlan-12-dmz 10
      action forward
      match ip address vlan-12-dmz-allow
      vlan access-map map-vlan-12-dmz 20
      action drop
      match ip address vlan-12-dmz-deny
      vlan access-map map-vlan-12-dmz 30
      action forward

      vlan filter map-vlan-12-dmz vlan-list 12

      ip access-list extended vlan-12-dmz-allow
      permit tcp

      ip access-list extended vlan-12-dmz-deny
      permit tcp

      Using my test setup it now looks like this...

      interface Vlan105
      ip address
      ip access-group Limit-SP-Access in

      ip access-list extended Limit-SP-Access
      deny ip host host
      permit ip any any

      Well, that's just a little easier. So it looks like a 3750 replacement with a little more port speed is my way to go...

      An ASA in transparent mode, BTW, is a good idea; I have used this in the past, and it's pretty funky once set up...

      Interesting about the Cisco recommendation around using Layer 3 between blocks, so this is more routing than switching, right? I guess it's all become one and the same.

      Thanks again for your insight...


      • #4
        Re: Advice - InterVLAN Routing

        Yeah, typically you use VACLs when filtering within the VLAN. The reason is that VACLs have no "direction" such as in or out. So if you use a VACL to filter between VLANs, you have to permit it from the source but also have to permit from the destination back to the source. When using ACLs on the Layer 3 interface or SVI, you can choose the input or output option depending on the flow.

        Yeah, with Layer 3 switches becoming mainstream, I guess Cisco sees it as beneficial to route between switch blocks instead of using Layer 2. This way you don't have to worry about spanning tree convergence timers or issues between your switch blocks.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
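The difference #4 describes, and the two styles #3 posted, side by side as an added example (not configuration from anyone in this thread). The hosts, VLANs, names and port are assumed: a client at 10.0.105.10 in VLAN 105 is allowed HTTPS to a DMZ server at 10.0.12.20 in VLAN 12, and nothing else from VLAN 105 may reach the DMZ subnet.

```cisco
! Option A: VACL applied to VLAN 12 (assumed names/addresses).
! A VACL has no direction: the request (client -> server) and the reply
! (server -> client) are both examined as they pass through VLAN 12, so the
! reply needs its own permit entry or it is dropped.
ip access-list extended VLAN12-DMZ-ALLOW
 permit tcp host 10.0.105.10 host 10.0.12.20 eq 443
 permit tcp host 10.0.12.20 eq 443 host 10.0.105.10
!
vlan access-map MAP-VLAN12-DMZ 10
 action forward
 match ip address VLAN12-DMZ-ALLOW
! Sequence with no match clause: applies to every remaining IP packet.
vlan access-map MAP-VLAN12-DMZ 20
 action drop
!
vlan filter MAP-VLAN12-DMZ vlan-list 12

! Option B: directional ACL on the SVI for VLAN 105 (assumed names/addresses).
! "in" only checks packets entering the switch from VLAN 105 hosts. The reply
! arrives on the Vlan12 SVI and leaves Vlan105 outbound, where no ACL is
! applied, so one permit line covers the flow. Note this is stateless: the
! reply passes because nothing filters that direction, not because the switch
! tracks the connection.
ip access-list extended LIMIT-VLAN105-TO-DMZ
 permit tcp host 10.0.105.10 host 10.0.12.20 eq 443
 deny   ip any 10.0.12.0 0.0.0.255
 permit ip any any
!
interface Vlan105
 ip address 10.0.105.1 255.255.255.0
 ip access-group LIMIT-VLAN105-TO-DMZ in
```

Option A's sequence 20 relies on a match-less clause dropping the rest; leaving it out is equivalent for IP traffic on a 3750 because packets matching no clause of the map are dropped once an IP match clause exists, while non-IP frames (ARP) are still forwarded.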