I have several VLANs on an OS9000. For every VLAN an IP interface is configured. But for one VLAN, for security reasons, I don't want to have routing to and from other VLANs. Also, I want that VLAN to have an IP interface (for testing purposes).
Please, is it possible to configure this? Is there some special command for doing this, or should I use an ACL?
Regards,
nikolami
OS9000 IP interface for VLAN but without routing
Re: OS9000 IP interface for VLAN but without routing
You don't need an ACL. By default routing between the interfaces is active. With the following command you can disable this.
> ip interface IF-TEST no forwarding
regards Silvio
-
nikolami
Re: OS9000 IP interface for VLAN but without routing
Quick and effective answer. Thank you Silvio.
However, as usual, there are more requests from the customer side.
The general network design is shown in the following picture.

L2 access switches and an L3 central switch. For now, 4 services are needed in the network (service 1 is video surveillance, services 2 and 3 are some enterprise applications, and service 4 is Internet access). Every service has its own separate VLAN.
Service 1 – no data exchange with other services, but the server for video surveillance has to be visible via the Internet (for remote surveillance). Cameras should not be visible via the Internet.
Service 2 – exchanges data with service 3.
Service 4 – Internet access.
The central switch is a full L3 switch (OS6850 or OS9600 with advanced routing software). I have some doubts about how to implement the requested services in the network. What are the tasks of the central switch and what are those of the router (with firewall functionality)?
I suppose that for service 1, NAT 1-1 must be implemented on the router (one public IP address will be mapped to one private server address)?
The problem with service 2 is that some PCs which belong to that service must access the Internet. But Internet access is in another VLAN. Maybe define NAT to map 1-many (one public IP address to several private addresses)?
I suppose that, sooner or later, for the purpose of remote management all servers will be accessible via the Internet. So, 4 public addresses are needed and several NAT rules are to be configured on the router?
I appreciate any suggestion for configuring the switches and router for this network design.
Regards,
nikolami
Re: OS9000 IP interface for VLAN but without routing
> I suppose that for service 1, NAT 1-1 must be implemented on the router (one public IP address will be mapped to one private server address)?

Right - you need a NAT router. The OmniSwitches can't work as a NAT router.
The best way is port forwarding at the FW for a specific port to the video server. So you can also solve the second question.

> The problem with service 2 is that some PCs which belong to that service must access the Internet. But Internet access is in another VLAN. Maybe define NAT to map 1-many (one public IP address to several private addresses)?

Right. So port forwarding at the router is necessary for access from outside.
You have to decide what the gateway for your clients is: the L3 switch or the router. If you use the L3 switch then you need a static route to the router. The benefit is that internal traffic will not go via the router/FW.
In your L3 switch you can establish some policies (ACL) for managing the desired traffic. By default routing is active and all traffic is allowed - so we need to deny specific traffic.
Here is an example for your video VLAN:
policy network group video 192.168.1.0 mask 255.255.255.0
policy condition deny_video_1 source network group video destination ip any
policy condition deny_video_2 source ip any destination network group video
policy condition allow_video_server_1 source ip 192.168.1.x destination ip any
policy condition allow_video_server_2 source ip any destination ip 192.168.1.x
policy action allow disposition allow
policy action deny disposition deny
policy rule allow_video_server_1 precedence 100 condition allow_video_server_1 action allow
policy rule allow_video_server_2 precedence 95 condition allow_video_server_2 action allow
policy rule deny_video_1 precedence 50 condition deny_video_1 action deny
policy rule deny_video_2 precedence 50 condition deny_video_2 action deny
qos apply
With this example you can build your own rules.
regards Silvio
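As an added example (not part of Silvio's post and not OmniSwitch software), the following Python script parses the policy lines above and evaluates constructed sample flows against them the way the rules are ordered on the switch: highest precedence first, first match wins, and traffic that matches no rule is allowed, as Silvio notes. The placeholder 192.168.1.x is replaced by an assumed video server address 192.168.1.10, and every address outside 192.168.1.0/24 in the sample flows is an assumption too. The script also shows what happens if the allow rules are given a lower precedence than the deny rules.

```python
import ipaddress
from dataclasses import dataclass, field

# The policy from the post, with the placeholder 192.168.1.x replaced by an
# assumed video server address 192.168.1.10 (assumption, not from the page).
POLICY_TEXT = """
policy network group video 192.168.1.0 mask 255.255.255.0
policy condition deny_video_1 source network group video destination ip any
policy condition deny_video_2 source ip any destination network group video
policy condition allow_video_server_1 source ip 192.168.1.10 destination ip any
policy condition allow_video_server_2 source ip any destination ip 192.168.1.10
policy action allow disposition allow
policy action deny disposition deny
policy rule allow_video_server_1 precedence 100 condition allow_video_server_1 action allow
policy rule allow_video_server_2 precedence 95 condition allow_video_server_2 action allow
policy rule deny_video_1 precedence 50 condition deny_video_1 action deny
policy rule deny_video_2 precedence 50 condition deny_video_2 action deny
qos apply
"""


@dataclass
class Policy:
    groups: dict = field(default_factory=dict)      # group name -> [ip_network]
    conditions: dict = field(default_factory=dict)  # name -> (src_nets, dst_nets); None = any
    actions: dict = field(default_factory=dict)     # action name -> disposition
    rules: list = field(default_factory=list)       # (precedence, rule, condition, action)


def _parse_endpoint(tok, i, groups):
    """Parse 'ip <addr|any>' or 'network group <name>' starting at tok[i]."""
    if tok[i] == "ip":
        nets = None if tok[i + 1] == "any" else [ipaddress.ip_network(tok[i + 1])]
        return nets, i + 2
    if tok[i:i + 2] == ["network", "group"]:
        return list(groups[tok[i + 2]]), i + 3
    raise ValueError(f"unsupported endpoint: {' '.join(tok[i:])}")


def parse_policy(text):
    """Parse the subset of the policy syntax used in the post; other lines are skipped."""
    pol = Policy()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "policy":
            continue  # blank lines and 'qos apply'
        kind = tok[1]
        if kind == "network" and tok[2] == "group":
            name, rest, nets = tok[3], tok[4:], []
            while rest:  # one or more 'address [mask MASK]' entries
                addr, mask = rest.pop(0), "255.255.255.255"
                if rest[:1] == ["mask"]:
                    rest.pop(0)
                    mask = rest.pop(0)
                nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            pol.groups[name] = nets
        elif kind == "condition":
            src = dst = None
            i = 3
            while i < len(tok):
                which = tok[i]
                nets, i = _parse_endpoint(tok, i + 1, pol.groups)
                if which == "source":
                    src = nets
                elif which == "destination":
                    dst = nets
                else:
                    raise ValueError(f"unsupported keyword {which!r}")
            pol.conditions[tok[2]] = (src, dst)
        elif kind == "action":
            pol.actions[tok[2]] = tok[4]  # tok[3] is the 'disposition' keyword
        elif kind == "rule":
            kv = dict(zip(tok[3::2], tok[4::2]))
            pol.rules.append((int(kv["precedence"]), tok[2], kv["condition"], kv["action"]))
    pol.rules.sort(key=lambda r: -r[0])  # highest precedence is evaluated first
    return pol


def _hit(nets, addr):
    return nets is None or any(addr in n for n in nets)


def evaluate(pol, src, dst, default="allow"):
    """Disposition and matching rule name for a src->dst packet; traffic that matches
    no rule gets the default, because the switch forwards everything unless denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prec, rule, cond, action in pol.rules:
        src_nets, dst_nets = pol.conditions[cond]
        if _hit(src_nets, s) and _hit(dst_nets, d):
            return pol.actions[action], rule
    return default, None


# Constructed sample flows; every address outside 192.168.1.0/24 is an assumption.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.2.5"),   # camera -> service 2 host
    ("192.168.2.5", "192.168.1.20"),   # service 2 host -> camera
    ("192.168.1.10", "10.0.0.1"),      # video server -> firewall, outbound
    ("203.0.113.7", "192.168.1.10"),   # Internet host -> video server via port forward
    ("192.168.2.5", "192.168.3.9"),    # service 2 -> service 3, no rule matches
    ("192.168.1.20", "192.168.1.10"),  # camera -> server: allow at 95 beats deny at 50
]


def check_flows(policy_text=POLICY_TEXT, flows=SAMPLE_FLOWS):
    pol = parse_policy(policy_text)
    return [evaluate(pol, s, d) for s, d in flows]


def lowered_allow_precedence(policy_text):
    """Same rules, but with the allow rules below the deny rules (precedence 40)."""
    return policy_text.replace("precedence 100", "precedence 40").replace("precedence 95", "precedence 40")


if __name__ == "__main__":
    for label, text in (("as posted", POLICY_TEXT),
                        ("allow below deny", lowered_allow_precedence(POLICY_TEXT))):
        print(f"--- {label}")
        for (s, d), (disp, rule) in zip(SAMPLE_FLOWS, check_flows(text)):
            print(f"{s:>14} -> {d:<14} {disp:5} ({rule or 'default'})")
```

With the rules as posted, the cameras are cut off from every other network while both directions to the server stay open, and traffic that no rule mentions (service 2 to service 3) passes by default. With the allow rules moved below the deny rules, the broader deny conditions match first and the server becomes unreachable from outside the video VLAN, so the precedence values are what make the exception work, not the order in which the lines are typed.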
-
nikolami
Re: OS9000 IP interface for VLAN but without routing
Thank you very much Silvio for the detailed answer, which includes the ACL as well.
The information which is available now shows that all services are client-server based, i.e. most traffic is between clients and the server. Inter-VLAN traffic won't be intensive. Of course, the Internet service is between PCs and the Internet "cloud". I think that for this situation, a router/firewall will offer more flexibility and security with its policies than a switch with ACLs?!
The bottleneck in this situation is the link between the central L3 switch and the router/firewall, which has lower throughput than the links between switches.
Actually, for now, the only device between the central L3 switch and the ISP's router will be a classical firewall with 100 Mbps throughput. Do we need a router, or will this firewall (with OSPF, RIP, BGP support) be enough?
What do you think about this solution?
Regards,
nikolami
Re: OS9000 IP interface for VLAN but without routing
> The information which is available now shows that all services are client-server based, i.e. most traffic is between clients and the server. Inter-VLAN traffic won't be intensive. Of course, the Internet service is between PCs and the Internet "cloud". I think that for this situation, a router/firewall will offer more flexibility and security with its policies than a switch with ACLs?!

You have given the answer yourself.

> The bottleneck in this situation is the link between the central L3 switch and the router/firewall, which has lower throughput than the links between switches.

Right. For policies to restrict the internal traffic you should use the central L3 switch. It should also be the gateway for all your clients/servers. And only Internet traffic should be sent with a static route to the FW (with more ACLs).

> Actually, for now, the only device between the central L3 switch and the ISP's router will be a classical firewall with 100 Mbps throughput. Do we need a router, or will this firewall (with OSPF, RIP, BGP support) be enough?

As said above, your L3 switch should be the GW (=router) for all internal nets. You need routes at the L3 switch and at the Internet router (=FW). You can set the routes statically or exchange them via OSPF/RIP.....
regards Silvio
-
nikolami
Re: OS9000 IP interface for VLAN but without routing
Thank you Silvio for the comments.
I agree with you.
Regards,
nikolami

