Multi-Tenant Separate vlans Netvanta 7100

Customer has a 7100 and a 6355 connected with GRE/VPN tunnels. At the 6355 location the customer wants to lease phone and data but wants them on separate VLANs. I am not sure about the easiest way to do this.

7100 location VLANs
  10.10.10.0 Data
  10.10.20.0 Voice

6355 location VLANs
  10.10.11.0 Data
  10.10.21.0 Voice

I have added additional VLANs for the new customer.

New tenant VLANs
  192.168.16.0 Data
  192.168.26.0 Voice

Currently the production network has a GRE/VPN tunnel between sites. The customer is OK with them being part of the voice network but does not want the tenant to have access to their data network. Not sure if I just create the new VLANs and VLAN interfaces, create allow statements, etc. I have created allows and discards for data VLANs in the past but am not sure how to do it when the voice VLAN is in use and they are to be allowed access. Any help or advice with this type of configuration is greatly appreciated.

7100 Config

vlan 1
  name "Default"
!
vlan 2
  name "VoIP"
!
ip flow top-talkers
  monitor port 5060 UT
!
interface eth 0/0
  description WAN
  ip address    255.255.255.0
  ip address    255.255.255.0  secondary
  ip access-policy Public
  ip crypto map VPN
  media-gateway ip primary
  traffic-shape rate 1000000
  qos-policy out VOIP
  no awcp
  no shutdown
  no lldp send-and-receive
!
interface vlan 1
  ip address  10.10.10.1  255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no shutdown
!
interface vlan 2
  ip address  10.10.20.1  255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no shutdown
!
interface t1 1/1
  system-timing primary
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface pri 1
  description pri 1
  connect t1 1/1 tdm-group 1
  no shutdown
!
interface tunnel 1 gre ip
  description Tunnel
  ip address  10.100.100.1  255.255.255.252
  ip mtu 1397
  ip access-policy Tunnel
  media-gateway ip primary
  tunnel source
  tunnel destination
  keepalive 60 5
  bandwidth 100000
  no shutdown
!
interface tunnel 2 gre ip
  description Tunnel
  ip address  10.100.101.1  255.255.255.252
  ip mtu 1397
  ip access-policy Tunnel
  media-gateway ip primary
  tunnel source
  tunnel destination
  keepalive 60 5
  bandwidth 100000
  no shutdown
!
interface tunnel 3 gre ip
  description Tunnel
  ip address  10.100.102.1  255.255.255.252
  ip mtu 1397
  ip access-policy Tunnel
  media-gateway ip primary
  tunnel source
  tunnel destination
  keepalive 60 5
  bandwidth 100000
  no shutdown
!
isdn-group 1
  connect pri 1
!
ip access-list standard NAT
  remark Internet Connection Sharing
  permit any
!
ip access-list extended Admin
  remark Admin Access
!
ip access-list extended InterVLAN
  remark Voice / Data VLAN Traffic
  permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
  permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
!
ip access-list extended self
  remark Traffic to Netvanta
  permit ip any  any     log
!
ip access-list extended tunnel
  permit ip any  any
!
ip access-list extended VPN-10-vpn-selectors
  permit gre host  host
!
ip access-list extended VPN-20-vpn-selectors
  permit gre host   host
!
ip access-list extended VPN-30-vpn-selectors
  permit gre host   host
!
ip access-list extended web-acl-5
  remark RDP Server
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list VPN-20-vpn-selectors stateless
  allow list VPN-30-vpn-selectors stateless
  allow list self self
  allow list InterVLAN stateless
  allow list tunnel policy Tunnel
  nat source list NAT interface eth 0/0 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow reverse list VPN-20-vpn-selectors stateless
  allow reverse list VPN-30-vpn-selectors stateless
  allow list Admin self
  nat destination list web-acl-5 address 10.10.10.2
!
ip policy-class Tunnel
  allow list VPN-10-vpn-selectors stateless
  allow list VPN-20-vpn-selectors stateless
  allow list VPN-30-vpn-selectors stateless
  allow list self self
  allow list tunnel policy Private
  allow list tunnel policy Tunnel
!
ip route 0.0.0.0 0.0.0.0 X.X.X.1
ip route 10.10.11.0 255.255.255.0 tunnel 1
ip route 10.10.12.0 255.255.255.0 tunnel 2
ip route 10.10.13.0 255.255.255.0 tunnel 3
ip route 10.10.21.0 255.255.255.0 tunnel 1
ip route 10.10.22.0 255.255.255.0 tunnel 2
ip route 10.10.23.0 255.255.255.0 tunnel 3
ip route 192.168.16.0 255.255.255.0 tunnel 1
ip route 192.168.26.0 255.255.255.0 tunnel 1

6355 config

interface vlan 1
  ip address  10.10.11.1  255.255.255.0
  ip ffe
  access-policy Private
  media-gateway ip primary
  no shutdown
!
interface vlan 2
  ip address  10.10.21.1  255.255.255.0
  ip ffe
  access-policy Private
  media-gateway ip primary
  no shutdown
!
interface vlan 100
  ip address  192.168.16.1  255.255.255.0
  access-policy Jarrell
  media-gateway ip primary
  no awcp
  no shutdown
!
interface vlan 200
  ip address  192.168.26.1  255.255.255.0
  access-policy Jarrell
  media-gateway ip primary
  no awcp
  no shutdown
!
interface fxs 0/1
  no shutdown
!
interface fxs 0/2
  no shutdown
!
interface fxo 0/1
  no shutdown
!
interface fxo 0/2
  no shutdown
!
interface tunnel 1
  description Tunnel to Chas
  ip address  10.100.100.2  255.255.255.252
  access-policy Tunnel
  media-gateway ip primary
  tunnel mode gre
  tunnel source
  tunnel destination
  keepalive 60 5
  mtu 1397
  bandwidth 100000
  no shutdown
!
ip access-list standard NAT
  remark Internet Connection Sharing
  permit any
!
ip access-list extended Admin
  remark Admin Access
  permit tcp any  any eq telnet   log
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit gre any  any
!
ip access-list extended InterVLAN
  remark Voice / Data VLAN Traffic
  permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
  permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
!
ip access-list extended self
  remark Traffic to Netvanta
  permit ip any  any     log
!
ip access-list extended SIP
  remark SIP Service Provider Traffic
!
ip access-list extended tunnel
  permit ip any  any
!
ip access-list extended VPN-10-vpn-selectors
  permit gre host   host
!
ip access-list extended web-acl-10
  remark Phone Manager
  permit tcp any  host 10.10.10.1 eq www
!
ip access-list extended web-acl-8
  remark Jarrell NAT
  permit ip any  any     log
!
ip access-list extended web-acl-9
  remark Traffic to Jarrell
  permit ip any  any
!
ip policy-class Jarrell
  allow list web-acl-9 self
  allow list web-acl-10
  nat source list web-acl-8 interface eth 0/0 overload
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  allow list InterVLAN stateless
  allow list tunnel policy Tunnel
  nat source list NAT interface eth 0/0 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow list SIP self
  allow list Admin self
!
ip policy-class Tunnel
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  allow list tunnel policy Private
!
ip route 0.0.0.0 0.0.0.0 X.X.X.1
ip route 10.10.10.0 255.255.255.0 tunnel 1
ip route 10.10.12.0 255.255.255.0 tunnel 1
ip route 10.10.13.0 255.255.255.0 tunnel 1
ip route 10.10.20.0 255.255.255.0 tunnel 1
ip route 10.10.22.0 255.255.255.0 tunnel 1
ip route 10.10.23.0 255.255.255.0 tunnel 1

Re: Multi-Tenant Separate vlans Netvanta 7100

Yes, create the new VLANs and assign different security policies to them such as "Tenant-data".  Then allow NAT to the Internet and deny or discard between the various tenants.

Also, in a multi-VLAN scenario, it's best to avoid using VLAN 1 for production traffic as it is the default native VLAN and if an unconfigured device is connected it could leak traffic where it isn't intended.
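The reply above describes the approach in one sentence; the following AOS fragment is an added example of what it looks like written out, not configuration from this thread or from ADTRAN. It assumes the poster's own numbering (VLAN 100 = tenant data 192.168.16.0/24, VLAN 200 = tenant voice 192.168.26.0/24, eth 0/0 = Internet, tunnel 1 under policy Tunnel = link to the 7100); every ACL and policy-class name below (Tenant-To-CustData, Tenant-Voice-Out, Tenant-PhoneMgr, Voice-To-Tenant, Tenant-NAT, Tenant-Data, Tenant-Voice) is invented for the example. Entries already present in the posted 6355 and 7100 configs are repeated only where the order of entries matters.

```text
! Added example, not configuration from this thread or from ADTRAN. It gives
! the tenant its own policy classes on the 6355: Internet and voice are
! reachable, the customer's data VLANs are not. Assumed: VLAN 100 = tenant
! data 192.168.16.0/24, VLAN 200 = tenant voice 192.168.26.0/24, eth 0/0 =
! Internet, tunnel 1 (policy Tunnel) = 7100; ACL/class names are invented.
!
! ---- 6355 ----
ip access-list extended Tenant-To-CustData
  remark Customer data VLANs at both sites; tenant must never reach them
  permit ip 192.168.16.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 192.168.16.0 0.0.0.255 10.10.11.0 0.0.0.255
  permit ip 192.168.26.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 192.168.26.0 0.0.0.255 10.10.11.0 0.0.0.255
!
ip access-list extended Tenant-Voice-Out
  remark Tenant phones to the customer voice VLANs at both sites
  permit ip 192.168.26.0 0.0.0.255 10.10.20.0 0.0.0.255
  permit ip 192.168.26.0 0.0.0.255 10.10.21.0 0.0.0.255
!
ip access-list extended Tenant-PhoneMgr
  remark The one hole into the data VLAN: HTTP to the 7100 phone manager
  permit tcp 192.168.26.0 0.0.0.255 host 10.10.10.1 eq www
!
ip access-list extended Voice-To-Tenant
  remark Customer voice VLANs calling tenant phones
  permit ip 10.10.20.0 0.0.0.255 192.168.26.0 0.0.0.255
  permit ip 10.10.21.0 0.0.0.255 192.168.26.0 0.0.0.255
!
ip access-list standard Tenant-NAT
  remark Tenant Internet access
  permit 192.168.16.0 0.0.0.255
  permit 192.168.26.0 0.0.0.255
!
! Entries match top-down, first match wins: narrow exception first, discard
! next, then the allows and the nat entry, so a "permit any" ACL further
! down can never reopen the data VLANs.
ip policy-class Tenant-Data
  discard list Tenant-To-CustData
  allow list self self
  nat source list Tenant-NAT interface eth 0/0 overload
!
ip policy-class Tenant-Voice
  allow list Tenant-PhoneMgr policy Tunnel
  discard list Tenant-To-CustData
  allow list self self
  allow list Tenant-Voice-Out policy Tunnel
  allow list Tenant-Voice-Out policy Private
  nat source list Tenant-NAT interface eth 0/0 overload
!
! Customer side: the implicit deny between policy classes already stops
! Private and Tunnel reaching the tenant; open only voice toward tenant
! voice, above the nat entry. Existing 6355 entries repeated to show order.
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  allow list InterVLAN stateless
  allow list tunnel policy Tunnel
  allow list Voice-To-Tenant policy Tenant-Voice
  nat source list NAT interface eth 0/0 overload
!
ip policy-class Tunnel
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  allow list tunnel policy Private
  allow list Voice-To-Tenant policy Tenant-Voice
!
interface vlan 100
  access-policy Tenant-Data
!
interface vlan 200
  access-policy Tenant-Voice
!
! ---- 7100, defence in depth ----
! Its Tunnel class allows any tunnel traffic into Private, so a slip on the
! 6355 would expose 10.10.10.0/24. Repeat the discard ahead of the existing
! allows, keeping the phone-manager exception (10.10.10.1 is "self" here).
ip access-list extended Tenant-To-CustData
  permit ip 192.168.16.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 192.168.26.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip access-list extended Tenant-PhoneMgr
  permit tcp 192.168.26.0 0.0.0.255 host 10.10.10.1 eq www
!
ip policy-class Tunnel
  allow list Tenant-PhoneMgr self
  discard list Tenant-To-CustData
  allow list VPN-10-vpn-selectors stateless
  allow list VPN-20-vpn-selectors stateless
  allow list VPN-30-vpn-selectors stateless
  allow list self self
  allow list tunnel policy Private
  allow list tunnel policy Tunnel
```

The difference from the posted Jarrell class is the explicit discard: Jarrell has no discard at all and its nat entry matches `permit ip any any`, so keeping the tenant off 10.10.11.0/24 rests entirely on the implicit deny and on nothing ever being appended below it. With the discard first, nothing added later to the class can undo the isolation, and the same discard on the 7100 means a mistake at one site does not expose the other. After applying, from a tenant host confirm that 10.10.10.x and 10.10.11.x time out while phones register and a call in each direction completes; `show ip policy-sessions` on the 6355 will show which policy-class entry each flow matched. Two things in the posted configs are worth a second look while you are in there: the 6355 InterVLAN ACL names the 7100's subnets (10.10.10.0/10.10.20.0) rather than the 6355's own, and the Public class on the 6355 allows telnet, ssh and https from any source to the router itself.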


Re: Multi-Tenant Separate vlans Netvanta 7100


Jay, does my current config look correct (original message)?


Re: Multi-Tenant Separate vlans Netvanta 7100

If "Jarrell" is your tenant, it looks like it should be good.