Anonymous

7100 question - restrict VLAN access

I want to create a 3 vlan in the 7100 but I don't want the traffic to have access to vlan's 1 & 2. How do I do this? Thanks

Message was edited by: matt - updated title to reflect question

14 Replies
Anonymous

Re: 7100 question

Hi tschupp:

The 7100, like other AOS switches, can provide multiple Layer 2 VLANs, and traffic will be inherently private to each VLAN unless you also set up an IP interface for each VLAN and provide inter-VLAN routing. This article provides a very good explanation of VLANs (Layer 2) and VLAN interfaces (Layer 3): The difference between VLANs and VLAN interfaces

If you merely create VLAN 3 without creating a VLAN interface (with IP address), then you're all set to achieve your goal.  Simply set some access ports for VLAN 3 and you'll have a separate network.

However, if you plan to have an IP interface in VLAN 3, then the firewall must be enabled.  Interface vlan 3 (the ip interface) must be in a separate policy-class (security zone) from interface vlan 1 and 2.  The default behavior is for all traffic to be blocked between different security zones, so you must create firewall rules to allow any traffic between them you might want.  Here's a useful guide for setting up the firewall:   Configuring the Firewall (IPv4) in AOS

Does that point you in the right direction?  Don't hesitate to follow up or ask for clarification!

Best,

CJ

Anonymous

Re: 7100 question

I didn't think to also link to the Inter-VLAN Routing guide.  Great info: 

Anonymous

Re: 7100 question

The customer is putting in a wireless network in their building. They want to allow visitors to connect to the WiFi so they have access to the web but not the local network. VLANs 1 & 2 use 10.10.10.xxx and 10.10.20.xxx. The 3rd VLAN would use 10.10.200.xxx, so since I am assigning these IPs I am guessing I need the VLAN interface and should be able to only allow internet access through the firewall and block anything directed to VLANs 1 & 2?

Anonymous

Re: 7100 question (accepted solution)

Right.  Create a new security zone (policy-class) and assign interface vlan 3 to it.  This is an IP interface.  You'll need a NAT overload policy (Internet Connection Sharing) to allow traffic from VLAN 3 to the Internet.  That's basically the gist of it.  Traffic from this new security zone to anywhere else will be blocked unless you were to add policies.

If the 7100 will be a DHCP server for WiFi clients, then you'll need to allow traffic to the 7100 itself so that DHCP requests aren't blocked.  You don't want guests to be able to access the http/https/telnet/ssh management interfaces, so consider allowing only bootp/dhcp (I think just UDP 67) from 10.10.200.0/24 to self.  This is describing a policy/rule you'll add to the new security zone.

Does that help?  I recommend thorough testing afterward. 

Anonymous

Re: 7100 question

I must be doing something wrong. I can surf, but I can still ping a phone on 10.10.20.5 from an IP on VLAN 3.

This is in the GUI:

  Policy Action: NAT
  Destination security zone: any security zone
  Interface: eth 0/0

Anonymous

Re: 7100 question

Maybe try to change the destination zone to your public/outside zone. Sorry, I don't mean to throw random suggestions at you. If you prefer to attach your config, it might be productive. Just be sure to sanitize it and expunge sensitive info: definitely passwords, pre-shared keys, WiFi passwords (as applicable). You might want to remove phone numbers too, and anything you don't want the world to see.

Anonymous

Re: 7100 question

That seems to be working now, thanks, but explain the bootp/dhcp further.

I have a policy that allows NAT to the public security zone and a traffic selector of permit any.

I have a policy that allows self bound traffic with a traffic selector of permit any.

Where would I put the info for UDP 67?

Anonymous

Re: 7100 question

I'm a little rusty in the GUI (it's a fantastic interface; I should spend more time there). I think you edit the policy so that the source network is any and the source port is any; the destination network is any and the destination port is UDP 67 (bootps). You can get to these granular settings by clicking the "Permit" line in the list of selectors.

CJ

Anonymous

Re: 7100 question

I am new to the board and couldn't figure out how to add an attachment. So here it is.
!
!
! ADTRAN, Inc. OS version R10.11.0.HA.E
! Boot ROM version A2.06.B2.01
! Platform: NetVanta 7100, part number 1200796E1
! Serial number LBADTN1206AF838
!
!

clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
domain-name
domain-proxy
name-server 10.72.53.75 8.8.8.8
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
portal-list "phones" ftp
!

!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip dhcp database local
!
ip dhcp pool "LAN_pool"
  network 10.10.10.0 255.255.255.0
  dns-server 10.10.10.1
  netbios-node-type h-node
  default-router 10.10.10.1
  tftp-server tftp://10.10.10.1
  ntp-server 10.10.10.1
  timezone-offset -6:00
  option 157 ascii TftpServers=0.0.0.0,FtpServers=10.10.20.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=True,VlanID=2
!
ip dhcp pool "VoIP_pool"
  network 10.10.20.0 255.255.255.0
  dns-server 10.10.20.1
  netbios-node-type h-node
  default-router 10.10.20.1
  tftp-server tftp://10.10.20.1
  ntp-server 10.10.20.1
  timezone-offset -6:00
  option 157 ascii TftpServers=0.0.0.0,FtpServers=10.10.20.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=True,VlanID=2
!
ip dhcp pool "Test 1"
  network 10.10.200.0 255.255.255.0
  dns-server 10.10.200.1
  default-router 10.10.200.1
  tftp-server tftp://10.10.200.1
  ntp-server 10.10.200.1
  timezone-offset -6:00
!
!
vlan 1
  name "Default"
!
vlan 2
  name "VoIP"
!
vlan 3
  name "Test 1"
!
!
interface eth 0/0
  description  Uplink
  ip address dhcp hostname
  ip access-policy Public
  media-gateway ip primary
  no awcp
  no shutdown
  no lldp send-and-receive
!
!
interface eth 0/1
  spanning-tree edgeport
  no shutdown
  switchport access vlan 3
!
!
interface eth 0/2
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/3
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/4
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/5
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/6
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/7
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/8
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/9
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/10
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/11
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/12
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/13
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/14
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/15
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/16
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/17
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/18
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/19
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/20
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/21
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/22
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/23
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
interface eth 0/24
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
!
!
!
interface gigabit-eth 0/1
  no shutdown
  switchport mode trunk
!
!
interface gigabit-eth 0/2
  no shutdown
  switchport mode trunk
!
!
!
!
interface vlan 1
  ip address  10.10.10.1  255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no shutdown
!
interface vlan 2
  ip address  10.10.20.1  255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no shutdown
!
interface vlan 3
  description Test 1
  ip address  10.10.200.1  255.255.255.0
  ip mtu 1500
  ip access-policy "test 1"
  media-gateway ip primary
  no awcp
  no shutdown
!
!
interface fxs 0/1
  description
  no shutdown
!
interface fxs 0/2
  description
  no shutdown
!
!
interface fxo 0/1
  impedance 900r
  no shutdown
!
interface fxo 0/2
  description
  impedance 900r
  no shutdown
!
isdn-number-template 1 prefix "" subscriber NXX-XXXX
isdn-number-template 2 prefix "" national NXX-NXX-XXXX
isdn-number-template 3 prefix 011 international X$
isdn-number-template 4 prefix "" unknown NXX
isdn-number-template 5 prefix "" unknown NXXX
isdn-number-template 6 prefix 1 national NXX-NXX-XXXX
!
ip access-list standard NAT
  remark Internet Connection Sharing
  permit any
!
ip access-list standard wizard-ics
  remark NAT list wizard-ics
  permit any log
!
!
ip access-list extended Admin
  remark Admin Access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit tcp any  any eq www   log
  permit tcp any  any eq telnet   log
  permit icmp any  any  echo   log
!
ip access-list extended InterVLAN
  remark Voice / Data VLAN Traffic
  permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
  permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-11
  remark admin
  permit tcp 204.87.167.104 0.0.0.3  any eq www   log
  permit tcp 204.87.167.104 0.0.0.3  any eq telnet   log
  permit tcp 204.87.167.104 0.0.0.3  any eq ssh   log
  permit tcp 204.87.167.104 0.0.0.3  any eq ftp   log
!
ip access-list extended web-acl-15
  permit ip any  any     log
!
ip access-list extended web-acl-4
  remark admin
  permit tcp 204.87.167.104 0.0.0.3  any eq www   log
  permit tcp 204.87.167.104 0.0.0.3  any eq telnet   log
  permit tcp 204.87.167.104 0.0.0.3  any eq ssh   log
  permit tcp 204.87.167.104 0.0.0.3  any eq ftp   log
!
ip access-list extended web-acl-7
  permit ip any  any
!
!
!
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/0 overload
!
ip policy-class Public
  allow list web-acl-11 self
!
ip policy-class "test 1"
  nat source list wizard-ics interface eth 0/0 overload policy Public
  allow list web-acl-15 self
!
!
!
tftp server
tftp server overwrite
tftp server default-filesystem cflash
http server
http secure-server
no snmp agent
ip ftp server
ip ftp server default-filesystem cflash
no ip scp server
ip sntp server
ip sntp server send-unsynced
!
sip
sip udp 5060
sip tcp 5060
!

Anonymous

Re: 7100 question

I would add an ACL (AOS uses access-lists only to match traffic, not to take action; we'll use this ACL in a policy later):

!
ip access-list extended guest-dhcp
  remark guest-dhcp
  permit udp any  any eq bootps
!

Then edit the Private policy-class (note the policy to allow traffic between the two VLANs in the Private zone):

!
ip policy-class Private
  allow list self self
  allow list InterVLAN policy Private
  nat source list wizard-ics interface eth 0/0 overload policy Public
!

Last, the "test 1" zone:

!
ip policy-class "test 1"
  allow list guest-dhcp self
  nat source list wizard-ics interface eth 0/0 overload policy Public
!

Significant points:

  • policy-classes (security zones) block everything (ingress) by default; allow/NAT through only what you need
  • policy-classes are processed top-down; this is critical
    • The NAT overload (ICS) policy should be last, normally, because it will match everything if first

Cheers,

CJ

Anonymous

Re: 7100 question

I made the changes but now only dhcp seems to work. I can't surf from this vlan.

Anonymous

Re: 7100 question

DNS issue. You'll need to also allow DNS into the 7100, since that's the DNS server you give out in DHCP. Or else give guest clients outside DNS servers (OpenDNS is great, for example: 208.67.222.222 and 208.67.220.220). I think you're almost there!

CJ
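To pull the accepted answer, CJ's policy-class rewrite and the DNS follow-up above into one check that can be run at a desk, here is an added example; it is my illustration for this thread, not ADTRAN code and not the poster's config. It models how an AOS policy-class is evaluated (entries top-down, first match decides, unmatched traffic discarded), encodes the ACL and policy lines posted in the thread as Python data, and compares the guest zone as first posted with a hardened version. Two things in it are assumptions not on the page: a hypothetical guest-dns access-list for UDP/TCP 53 to the VLAN 3 address, and the treatment of a NAT line with no `policy <zone>` keyword (the GUI's "any security zone" setting) as matching every destination, the router itself included, which is what makes the "NAT last" warning visible. The sample flows are constructed; one of them is a DHCP Discover from 0.0.0.0 to 255.255.255.255, which is why the bootps entry has to use `any` as its source rather than 10.10.200.0/24.

```python
"""Model of AOS policy-class (security zone) evaluation, added as an
illustration for this thread; it is not ADTRAN code and not the poster's
config. Entries are tried top-down, the first match decides, and anything
unmatched is discarded (the zone's implicit deny)."""
import ipaddress
from dataclasses import dataclass

SELF = "self"        # destination is one of the 7100's own addresses
ANY = "0.0.0.0/0"    # AOS 'any'


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # 0 when the protocol has no port
    dst_zone: str    # zone that owns dst ("Private", "Public") or SELF


def acl_permits(entries, flow):
    """entries mirror 'permit <proto> <src> <dst> [eq <port>]' lines."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for proto, src_net, dst_net, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return True
    return False


def evaluate(policy, flow):
    """policy: ordered (action, acl_entries, dest). dest is SELF, a zone name
    (the 'self' / 'policy <zone>' keyword on the AOS line) or None for a NAT
    line with no 'policy' keyword, which this model treats as matching every
    destination, SELF included (assumption; it stands for the GUI's 'any
    security zone' setting from the thread)."""
    for action, entries, dest in policy:
        if dest is not None and dest != flow.dst_zone:
            continue
        if acl_permits(entries, flow):
            return action
    return "discard"


# ACLs as posted in the thread, plus one hypothetical list for DNS to the VLAN 3 address
WIZARD_ICS = [("ip", ANY, ANY, None)]                     # permit any
WEB_ACL_15 = [("ip", ANY, ANY, None)]                     # permit ip any any
GUEST_DHCP = [("udp", ANY, ANY, 67)]                      # permit udp any any eq bootps
GUEST_DNS = [("udp", ANY, "10.10.200.1/32", 53),          # hypothetical guest-dns list
             ("tcp", ANY, "10.10.200.1/32", 53)]

# "test 1" as first posted: any IP to the 7100 itself, then NAT toward any zone
TEST1_POSTED = [("allow", WEB_ACL_15, SELF), ("nat", WIZARD_ICS, None)]
# hardened: only DHCP and DNS reach the 7100, NAT only toward Public, NAT last
TEST1_HARDENED = [("allow", GUEST_DHCP, SELF),
                  ("allow", GUEST_DNS, SELF),
                  ("nat", WIZARD_ICS, "Public")]
# CJ's ordering warning: the zone-less NAT line placed first
TEST1_NAT_FIRST = [("nat", WIZARD_ICS, None), ("allow", GUEST_DHCP, SELF)]

# Constructed sample traffic from a VLAN 3 guest (a TEST-NET-2 address stands in for the Internet)
GUEST_FLOWS = {
    # DHCP Discover is sourced from 0.0.0.0, so a 10.10.200.0/24 source match would miss it
    "dhcp_discover": Flow("0.0.0.0", "255.255.255.255", "udp", 67, SELF),
    "dns_to_router": Flow("10.10.200.50", "10.10.200.1", "udp", 53, SELF),
    "https_to_router": Flow("10.10.200.50", "10.10.200.1", "tcp", 443, SELF),
    "ping_voip_phone": Flow("10.10.200.50", "10.10.20.5", "icmp", 0, "Private"),
    "web_internet": Flow("10.10.200.50", "198.51.100.10", "tcp", 443, "Public"),
}


def decisions(policy):
    """Action the zone takes for each sample flow."""
    return {name: evaluate(policy, flow) for name, flow in GUEST_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("posted", TEST1_POSTED),
                          ("hardened", TEST1_HARDENED),
                          ("nat-first", TEST1_NAT_FIRST)):
        print(label, decisions(policy))
```

Compare the three results: the zone as first posted lets a guest reach the VoIP phone through the zone-less NAT entry and reach the 7100's own HTTPS/SSH through `permit ip any any` to self; the hardened zone leaves only DHCP, DNS and Internet-bound traffic; and moving the zone-less NAT line to the top swallows the DHCP exchange. The model only shows the ordering and scoping logic, so still verify on the box from a VLAN 3 client, as the thread recommends.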

Anonymous

Re: 7100 question

That may have done it. It seems to be working again. Time to do some testing. Thanks

Anonymous

Re: 7100 question

Awesome!