
Restricting access on VLAN basis?

xenthressa (n00b, joined Jul 17, 2011, 32 messages)
Hey all.

I have a network which is not segmented in any way, everything is connected on VLAN1. Unfortunately the IP addressing is overlapping which means it's impossible for me to segment the network based on function (not all database servers are in the same subnet for example) or based on departments (Department A shares the same subnet as department B). As much as I would be in favor of implementing an addressing scheme that would make it possible to deny/restrict access based on the IP address, the scale of the network makes this something that is not cost effective.

So I'm hoping there is a way to route traffic based on VLANs:

  • Everything in Department A is VLAN100
  • Everything in Department B is VLAN200
  • All Database servers are VLAN300

Is there a way for me to only allow traffic to VLAN300 if the source is VLAN100?
As it stands right now everything is done on layer2. I'm hoping to replace the core switches with Cisco 3750X switches.

If you need any more information, please ask. Any help is welcome :)
 
ACL my friend. You can create an access list and apply it outbound on the 200 vlan. You want to apply your acls closest to the source of traffic.
 
Sounds like you need to re-address your network.

Think about this: If you have a subnet.. say 192.168.0.0/24 for instance, 192.168.0.0 is your network and 192.168.0.255 is the broadcast.

If you were to untag hosts using 192.168.0.1-125 in VLAN 10, and 126-254 in VLAN 20, each host can only do ARP resolution for the IPs in the same VLAN. If your gateway were .1, everything in VLAN 20 couldn't see the gateway. You could split the subnet, but it sounds like your hosts aren't grouped in a fashion where that is possible.
 
I believe you have 2 options:

1- re-address your networks so Layer 3 makes sense, do your ACLs there. Then you can add VLANs on top of that with relative ease.

2- segment the networks and put inline / transparent firewalls between the various 'zones'. This would allow you to do IP ACLs to prevent various IPs from reaching / being reached from IPs in the other sections, even if they're on the same TCP/IP network.

I strongly favor 1. You'll save yourself so many headaches in the long run...
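As an added example of the ACL approach from the first and third replies (not posted by anyone in the thread), here is a Cisco IOS configuration for 3750X SVIs. It assumes the re-addressing those replies call for, one subnet per VLAN; the 10.x.x.x ranges and the ACL names are constructed for illustration.

```cisco
! Added example, not from the thread: router ACLs on 3750X SVIs.
! Assumes one subnet per VLAN (constructed addresses), which is the
! re-addressing the replies describe; it cannot be applied to the
! overlapping scheme as it stands.
ip routing
!
vlan 100
 name DeptA
vlan 200
 name DeptB
vlan 300
 name Database
!
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
 ! Closest to the source: "in" on an SVI filters traffic arriving
 ! from the VLAN 200 hosts before it is routed anywhere.
 ip access-group DEPTB-FROM-HOSTS in
!
interface Vlan300
 ip address 10.30.0.1 255.255.255.0
 ! Second check at the destination: only Department A reaches the
 ! database VLAN, whatever source VLANs are added later.
 ip access-group TO-DATABASE out
!
ip access-list extended DEPTB-FROM-HOSTS
 deny   ip 10.200.0.0 0.0.0.255 10.30.0.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended TO-DATABASE
 permit ip 10.100.0.0 0.0.0.255 10.30.0.0 0.0.0.255
 deny   ip any any log
!
! Check hit counters after sending test traffic from each VLAN:
! show ip access-lists TO-DATABASE
```

These router ACLs are stateless and only see routed traffic: replies from the database hosts leave via Vlan100 unfiltered, and two hosts inside the same VLAN never pass through them at all.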
 
Hey guys thanks for the response!

ACL my friend. You can create an access list and apply it outbound on the 200 vlan. You want to apply your acls closest to the source of traffic.
Unfortunately manually creating ACLs is going to require too much management and work. If there had been a consistent addressing scheme, I would totally agree with you.

That sounds conflicting.
Why do you have the same subnets on different VLANs?
As it stands right now there is only 1 VLAN being used, the Native VLAN.
Right now everything is layer 2, the new 3750X switches will be able to do L3.

2- segment the networks and put inline / transparent firewalls between the various 'zones'. This would allow you to do IP ACLs to prevent various IPs from reaching / being reached from IPs in the other sections, even if they're on the same TCP/IP network.

I will look into this as a possibility.


Unfortunately guys, re-addressing really is not possible; there are several thousand IP addresses, some of which even have to be entered using DIP switches.
This is really a situation that has run completely out of hand over the course of 10 years, and I'm not happy about it either, but I'm the new guy. Any more ideas are very welcome, thanks.
 
Does anyone have any experience using layer 2 Access-lists? Could this be of any help?
 