4

I want to:

a) segment several departments into VLANs with the hopes of restricting access between them completely (Sales never needs to talk to Support's workstations or printers and vice-versa) or b) certain IP addresses and TCP/UDP ports across VLANs -- i.e. permitting the Sales VLAN to access the CRM Web Server in the Server VLAN on port 443 only.

Port-wise, I'll need a 48-port switch and another 24-port switch to go with the two existing 24-port Layer 2 switches (Linksys); I'm looking at going with D-Links or HP Procurves as Cisco is out of our price range.

Question #1:

From what I understand (and please correct me if I'm wrong), if the Servers (VLAN10) and Sales (VLAN20) are all on the same 48-port switch (or two stacked 24-port switches), afaik, the switch "knows" what VLANs and ports each device belongs to and will switch packets between them; I can also apply ACLs to restrict access between VLANs at this point. Is this correct?

Question #2:

Now let's say that Support (VLAN30) is on a different switch (one of the Linksys switches).

I'm assuming I'll need to trunk (tag) switch #2's VLANs across to switch #1, so switch #1 sees switch #2's VLAN30 (and vice-versa). Once Switch #1 can "see" VLAN30, I'm assuming I can then apply ACLs as stated in Question #1. Is this correct?

Question #3:

Once Switch #1 can see all the VLANs, can I achieve the seemingly "Layer 3" ACL filtering of restricting access to Server VLAN on only certain TCP/UDP ports and IP addresses (say, only permitting 3389 to the Terminal Server, 192.168.10.4/32). I say "seemingly" because some of the Layer 2 switches mention the ability to restrict ports and IP addresses through the ACLs; I (perhaps mistakenly) thought that in order to have Layer 3 ACLs (packet filtering), I'd need to have at least one Layer 3 switch acting as a core router.

If my assumptions are incorrect, at which point do you need a Layer 3 switch for inter-VLAN routing vs. inter-VLAN switching? Is it generally only when you need that higher-level packet filtering ability between your departments?

WuckaChucka

1 Answer

3

Keep in mind that, fundamentally, if two hosts are configured with IP addresses in different subnets those hosts will need to communicate through one or more routers with interfaces in their respective subnets in order to communicate. A "layer 3 switch" isn't anything more than a router with the ability to create virtual interfaces that are exposed to the broadcast medium of a VLAN.

re: #1 - To conceptualize VLANs, just imagine that the ports in each VLAN are a physically disparate switch. In a flaw-free VLAN implementation (where traffic can't "leak" between VLANs) that's the effective behavior -- each VLAN acts as a separate switch. ACLs applied at layer 2 will name only MACs (and, if the switch supports quasi-layer 1 ACLs, ports). Any ACLs naming IP addresses, TCP ports, etc, aren't layer 2 ACLs. (There may be switches that have "layer 2.5" functionality whereby they examine the payloads of IP packets without actually being able to route packets, but I'd be wary of such things.)

re: #2 - VLAN tags allow the traffic of multiple VLANs to be carried on a single port, typically called a "trunk". You can conceptualize them as virtually subdividing a connection between two devices into smaller "ports" that each carry the traffic for a single VLAN. There's nothing you can do with "trunking" that you couldn't do by using multiple non-trunked ports, but using trunk ports and tagging packets allows you to carry the traffic of multiple VLANs between physically disparate switches w/o using a large number of physical ports for inter-switch links.

re: #3 - Routing IP between different subnets (irrespective of VLANs-- it's typically convenient to have a 1:1 relationship between VLANs and subnets, but it's not required) requires a routing capability. If you need to route IP between different subnets then you need a router. It could be an embedded layer 3 entity in a switch, or it could be a "router on a stick". Anything that can route IP between different subnets is a router. re: ACLs - Like I said in #1-- I'd be wary of a device that did "quasi layer 3" functions. Either it's a router or it isn't.

A couple decent background questions:

Evan Anderson
  • Thanks for taking the time to answer this. So based on my requirements (2 workstation VLANs, 1 server VLAN), if I want to do any sort of Layer 3 ACL, I need a Layer 3 capable switch in the equation to be able to do this? The quasi-L3 ACLs were specifically in the D-Link 3100; it states that "ingress ports" are filtered according to IP/TCP/UDP/port, but doesn't mention routing, so I guess this would be kind of useful for say a web server on access port #15 with an ACL that only permits incoming TCP 80 or 443 traffic to possibly mitigate a worm or another machine using that access port. – WuckaChucka Jun 16 '10 at 03:32
  • Another question: is this overkill? Are other SMBs doing this sort of thing (Layer 3 ACL/inter-VLAN routing)? I'm hesitant to do router-on-a-stick; seems like it would be a major bottleneck trying to cope with dozens of workstations trying to access servers over one "stick" interface. – WuckaChucka Jun 16 '10 at 03:34
  • SMB or SOHO or enterprise doesn't matter - SMB sec requirements may be more than an enterprise's. All L3 switches do routing. That's why they are L3. Note that their capacity can be questionable at times. I prefer my switches to stay at L2 and get a RouterBoard / Linux as GW & Fwall. – Konrads Jun 16 '10 at 13:03
  • @wuckachucka: On a modern gigabit Ethernet LAN (with reasonable monitoring) running Windows w/ H-node NetBIOS name resolution I'm comfortable w/ 200+ client computers in the same broadcast domain w/o seeing any perceptible problems with broadcast traffic. If you're doing IP multicast or using some applications that rely on broadcast traffic then YMMV. Having said that, *real* layer 3 switches (that will route 64 byte packets at wire speed) are cheap, if you don't mind that you don't have the full feature-set of a router (dynamic routing protocols, wire-speed ACLs, etc). – Evan Anderson Jun 16 '10 at 16:48
  • I'm going to post another more narrowly-scoped question regarding throughput. – WuckaChucka Jun 16 '10 at 19:32
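The following is an added illustration of the point made in the answer and in Questions #1 and #3 above; it is not code from the thread or from any of the switch vendors mentioned. It models a three-VLAN network with a 1:1 VLAN-to-subnet mapping and shows where the two kinds of decision happen: a frame whose source and destination sit in the same VLAN/subnet is simply switched at layer 2 and no IP/port ACL is ever consulted, whereas a packet bound for another subnet has to go through a router (an SVI on a layer 3 switch or a router-on-a-stick), and that is the only place a first-match, implicit-deny layer 3/4 ACL such as "Sales may reach the CRM web server on 443 only" can be enforced. The subnet numbers, the Sales/Support host addresses and the CRM server address 192.168.10.5 are constructed for the example; 192.168.10.4 is the Terminal Server address given in the question.

```python
"""Model of inter-VLAN forwarding: layer 2 switching inside a VLAN versus
routing plus a layer 3/4 ACL between VLANs.  All addressing is a constructed
example; only the Terminal Server (192.168.10.4) comes from the question."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# One subnet per VLAN (constructed; a 1:1 mapping is convenient, not required).
VLANS = {
    10: ip_network("192.168.10.0/24"),  # Servers
    20: ip_network("192.168.20.0/24"),  # Sales
    30: ip_network("192.168.30.0/24"),  # Support
}


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    """One entry of a layer 3/4 ACL: it names IPs and ports, which a pure
    layer 2 (MAC-only) ACL cannot express."""
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source prefix in CIDR notation
    dst: str              # destination prefix in CIDR notation
    dport: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# ACL applied on the router for traffic crossing between VLANs.
# Evaluated first-match; anything not listed hits the implicit deny.
INTER_VLAN_ACL = [
    # Sales -> CRM web server (constructed address) on HTTPS only
    Rule("permit", "tcp", "192.168.20.0/24", "192.168.10.5/32", 443),
    # Sales -> Terminal Server (address from the question) on RDP only
    Rule("permit", "tcp", "192.168.20.0/24", "192.168.10.4/32", 3389),
]


def vlan_of(ip: str) -> Optional[int]:
    """Return the VLAN id whose subnet contains ip, or None if unknown."""
    addr = ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def evaluate_acl(acl, p: Packet) -> str:
    """First matching rule wins; no match is an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def forward(p: Packet, acl=INTER_VLAN_ACL) -> str:
    """Return 'switched', 'routed' or 'dropped' for the packet.

    Same VLAN  -> handled entirely at layer 2; the IP ACL is never consulted.
    Other VLAN -> must traverse the router, where the layer 3/4 ACL applies.
    """
    src_vlan, dst_vlan = vlan_of(p.src), vlan_of(p.dst)
    if src_vlan is None or dst_vlan is None:
        return "dropped"  # no interface/route for an unknown subnet
    if src_vlan == dst_vlan:
        return "switched"
    return "routed" if evaluate_acl(acl, p) == "permit" else "dropped"


if __name__ == "__main__":
    samples = [
        Packet("192.168.20.7", "192.168.10.5", "tcp", 443),   # Sales -> CRM HTTPS
        Packet("192.168.20.7", "192.168.10.5", "tcp", 80),    # Sales -> CRM HTTP
        Packet("192.168.20.7", "192.168.10.4", "tcp", 3389),  # Sales -> Terminal Server
        Packet("192.168.20.7", "192.168.30.9", "tcp", 445),   # Sales -> Support host
        Packet("192.168.20.7", "192.168.20.9", "tcp", 9100),  # Sales -> Sales printer
        Packet("192.168.30.9", "192.168.10.5", "tcp", 443),   # Support -> CRM HTTPS
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {forward(pkt)}")
```

Note that the Sales-to-Sales-printer packet is reported as "switched" regardless of what the ACL says: two hosts in the same subnet never go near the router, so the only way to filter that traffic would be a port- or MAC-level layer 2 ACL on the switch, which is exactly the limitation the answer describes.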