Port as member of multiple VLANs

[ironiemix]

Hello!

So far, all went well I managed to configure the switch as a router, enables dhcp forwarding, set up a default route, all works fine. I was also able to define network groups, conditions an actions, setting up rules, which separated the vlans in the way I want it. I documented the commands (in german) here: http://www.linuxmuster.net/wiki/anwende ... 6450:start

But I think, I diddnt understand all details, because when I think of many Vlans I really need a lot of rules, for a rather simple setup: I want all traffic between each of the Vlans and the Server-Vlan to pass, and all traffic between the Vlans directly denied.

At the moment, I would create for each pair of Vlans a sepreate rule, which seems a bad workaround, given the pairs are growing exponentially with the number of Vlans...

I Suspect, my problem has to do with not understanding the "precedence" parameter when setting up rules. I found the following example which I dont understand:

Code: Select all

policy rule "Allow VoIP-VoIP" precedence 200 condition "VoIP-VoIP" action Permit
policy rule "Allow VoIP-Data" disable precedence 200 condition "VoIP-Data" action Permit
policy rule "Allow Data-Data" precedence 200 condition "Data-Data" action Permit
policy rule "Deny Other" precedence 200 condition "Other" action Deny

It would be great, when anyone could explain what "precendence" and "disable precedence" is meaning here...

Tanks a lot!

Frank

[devnull]

In my eyes : a switch should forward packets in hardware, not implement security policys. Thats what Firewalls are for.
So for your case it will probably be a pain in the *** to get that working.

precedence: think as priority going from highest to lowest until something matches. If you have same precedence the order of input matters (the ones being above other rules win)

edit: As for your wiki: some spelling errors noticed, but otherwise nice content. To consider: a 6450 only can have a specific amount of ARP Adresses in Hardware (afaik 512) with a maximum of 1024, so if you use a 6450 as a coreswitch with enough clients you will find the limit. 6850/6860 or the 6900 are less limited here.. I see a 6450 as a edge switch with possibilities of 10G uplinks. to replace a single netgear.. sure, but as a "Core Switch"? depends on how you define core.

[ironiemix]

Hi!

In my eyes : a switch should forward packets in hardware, not implement security policys. Thats what Firewalls are for.
So for your case it will probably be a pain in the *** to get that working.

Unfortunately, this is not for me to decide, there is an official document which imposes the segmentation in subnets on school networks in Baden-Würrtemberg. The reference implementation is shown with a layer 3 core switch. I am a teacher who has to administer the network with about 120 workstations, for this I get 90 minutes per week. So I will not implement an own solution (not speaking of my lack of knowledge...), I will go with the layer 3 switch...

precedence: think as priority going from highest to lowest until something matches. If you have same precedence the order of input matters (the ones being above other rules win)

O.K., I can imagine that, but what is meant by "disable precedence"?

edit: As for your wiki: some spelling errors noticed, but otherwise nice content. To consider: a 6450 only can have a specific amount of ARP Adresses in Hardware (afaik 512) with a maximum of 1024, so if you use a 6450 as a coreswitch with enough clients you will find the limit. 6850/6860 or the 6900 are less limited here.. I see a 6450 as a edge switch with possibilities of 10G uplinks. to replace a single netgear.. sure, but as a "Core Switch"? depends on how you define core.

I was not aware of that limitation. I had to find an affordable switch which could do layer 3 acls with 10 Gbic ports for the uplinks. So we will see, what happens The fixed workstations are about 120, but eventually there is a szenario with "bring your own device", so there will be many devices in the wifi segments...

Thanks for your advice,

Greetings

Frank

[devnull]

L3 Switch:
segmentation will AFAIK become difficult with more and more VLANs.
You can either
Permit -> Proxy
Deny -> Anything else
or
Deny VLAN1 -> VLAN2
Deny VLAN1 -> VLAN3
Deny VLAN1 -> VLAN4
..
Allow any.

Second Version will quickly become very large, First version will probably deny more then wanted, e.g. ssh, snmp, ..


Afaik its not
"disable precedence" but disabling of the policy rule. you can probably check with

"show active policy rules "

Don't forget to "qos apply" your rules, otherwise they aren't active.

Further i think that everyone needs a "established" rule

policy condition c12 source ip Any destination ip Any established
policy rule r12 precedence 10000 condition c12 action Permit

This will enable established traffic (syn Bit not set) to be permited.