Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Allow VLAN Access to Default Route and deny to other VLANs

    Posted 11-09-2015 08:19

    Hi, 

     

    I am really struggling to conceptualise how to get this to work, and would really appreciate some suggestions. 

     

    Setup

     

    Retail VLAN (VLAN 203) 

    Range: 10.2.23.0/24

    Default Gateway: 10.2.23.1

     

    Internet VLAN (VLAN 2)

    Range: 10.2.2.0/24

    Default Gateway: 10.2.2.1

     

    Plus many various corporate VLANs

    Corp VLAN (VLAN 10)

    Range: 10.2.10.0/24

    Default Gateway: 10.2.10.1

     

    The default route for the router is:

     

    route 0.0.0.0/0 next-hop 10.2.2.1

     

    Question

     

    Is there a way for us to restrict access from the Retail VLAN (203) to all other VLANs and still allow it to access the default route to the Internet of 10.2.2.1?

     

    There is also going to be a chance that we would want inbound access from other VLANs to the Retail VLAN, so do not want to completely remove routes to and from this network if possible. 

     

    We also have a large number of VLANs and do not wish to go to each VLAN and restrict inbound access from the Retail VLAN each time a new VLAN is created. 

     

    I hope I have provided a good enough explanation, if not please ask me for more details. I would really appreciate some help with this.

     

    Josh 

     

     



  • 2.  RE: Allow VLAN Access to Default Route and deny to other VLANs

    Posted 11-10-2015 02:56

    From your description, I assume you have the layer 3 gateway for all these VLANs on a switch.

     

    The simplest way to achieve your goal is to get the layer 3 gateway for the retail VLAN removed from the switch and placed onto the Firewall.  This way your switching is all layer 2 and cannot use those layer 3 RVI on the switch and must go to the firewall in order to reach the retail VLAN.

     

    Once on the firewall you put the retail gateway into a separate zone, and creating the rules for the access you desire will be straightforward.



  • 3.  RE: Allow VLAN Access to Default Route and deny to other VLANs

    Posted 11-17-2015 06:34

    Thanks Steve,

     

    Do you have any other suggestions other than removing the RVI?

     

    We have a managed service and do not have direct control over the Firewall. I was hoping to keep everything at the switch level as all internal routing is done via our Layer 3 EX switches.

     

    Thanks

     

    Josh



  • 4.  RE: Allow VLAN Access to Default Route and deny to other VLANs
    Best Answer

    Posted 11-18-2015 03:21

    On the switch side you can try to apply and manage firewall filters on the RVI for the VLAN.  This is harder and more manual than using a firewall rule because these filters are packet based and do not maintain a session table.  So for permitted traffic you need to be careful that BOTH directions are working.

     

    One option will be to create one on the retail VLAN that drops traffic with a destination of the corporate VLAN ip segments.

     

    The alternative approach is to apply a filter that drops source address of the retail VLAN applied to all of the corporate VLAN RVI.

     

    You create the filters under firewall filter and apply them to the interfaces.
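
    The first option above (a filter on the retail RVI), written out as an added example that is not part of this thread or of any poster's configuration. It assumes the RVI for VLAN 203 is vlan.203 and that every internal VLAN sits inside 10.2.0.0/16, so a single deny on that aggregate also covers VLANs created later; the counter and term names are made up for the example.

```junos
firewall {
    family inet {
        filter RETAIL-TO-VLANS {
            /* Assumption: every internal VLAN lives inside 10.2.0.0/16. */
            /* Stateless filter, so retail hosts' TCP replies to a corporate
               client that opened the session must be allowed explicitly. */
            term allow-tcp-replies {
                from {
                    destination-address {
                        10.2.0.0/16;
                    }
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Drop anything else from retail towards an internal segment. */
            term deny-internal-vlans {
                from {
                    destination-address {
                        10.2.0.0/16;
                    }
                }
                then {
                    count retail-to-internal-drops;
                    discard;
                }
            }
            /* Internet-bound packets carry public destinations, so they fall
               through to this term and follow the default route via 10.2.2.1. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 203 {
            family inet {
                filter {
                    input RETAIL-TO-VLANS;
                }
                address 10.2.23.1/24;
            }
        }
    }
}
```

A stateless filter cannot track UDP or ICMP sessions, so only TCP replies towards corporate hosts are permitted here; packets addressed to the RVI itself (10.2.23.1) also hit the deny term, so add an accept for it ahead of that term if retail hosts need to reach services on the switch.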



  • 5.  RE: Allow VLAN Access to Default Route and deny to other VLANs

    Posted 11-18-2015 03:39

    Thanks Steve, I feared that this might be the solution...