help! network admin wannabe in trouble! ( ROUTING )

mryoso

Member
Apr 30, 2000
73
0
0


( Linux Router ) --> ( 3com firewall ) --> ( 4950 ) --> ( sm, xm switches ) --> (subnets ) --> (hosts)


the router, firewall, 4950 and the switches share the same network ( core network )
the hosts will be under different subnets ( eg, x.x.100.x, x.x.101.x )


i want to be able to have the hosts access the internet without being able to see the core network.

i tried routing using the 4950, and the linux box..
but so far, it seems that, for the hosts to have internet access, they have to be able to access the switches..

i tried adding the core and subnets to the route table of the linux box ( cisco router has no eth card yet )... but if i do they seem to magically share everything!

as you can see im at a loss, ive been at this for the past 5 days! help me pls! what i need is some kind of selective routing to allow the hosts only to contact the router and not access the core network ( the router is on the core network btw ). our consultant has said it needs to be done by the 4950 but so far ive not found an option to enable it... even with the layer 3 upgrade...

anyone pls help!!!!
 

L3Guy

Senior member
Apr 19, 2001
282
0
0
First cut; I agree with your consultant. If you want to block vlan access, it has to be done on the L3 closest to the vlans.

However, I need a little help with components. Who makes a 4950 ? Which 3Com firewall? Does the Linux box act as the internet router? sm and xm switches? I am assuming you have a small group of hosts that need internet access without access to proprietary systems.

The basic ways to do this:
Create a separate network/vlan. Connect it to the DMZ of the firewall on the outside of your network. Several variations.
Use policy routing on the Layer 3 device to send traffic to the firewall. Let the firewall rules determine access.
Use filters on the L3 device. Example, if source address is 192.x.x.x and destination 10.y.y.y, next hop nul0:

If you want to e-mail me a diagram, feel free.

Regards;

Doug
 

mryoso

Member
Apr 30, 2000
hey thanks for the reply :)


>First cut; I agree with your consultant. If you want to block vlan access, it has to be done on the L3 closest to the vlans.

i was hoping to tackle the vlan issue later, although all the switches have already been configured with vlans ( i just added it to them ). do u mean that this has to be solved via vlan ? forgive me im a real newbie...

>However, I need a little help with components. Who makes a 4950 ? Which 3Com firewall? Does the Linux box act as the internet router? sm and xm switches? I am assuming you have a small group of hosts that need internet access without access to proprietary systems.

3com 4950 switch, for now the linux box acts as a temporary internet router ( consultant says if possible not to focus the routing on the linux box.... he says the 4950 is the "key" ).... 3com SuperStack III 3300 XM and SM switches.. yup we have a couple of hundred hosts ( on different subnets ).. needing access to the net and to mail servers ( not yet a problem.. coz it hasnt been transferred to the old network :( ..) yes you are right.. they shouldnt be able to access the switches.. firewall.. router <-- ( gateway(?!) )...




>The basic ways to do this:
Create a separate network/vlan. Connect it to the DMZ of the firewall on the outside of your network. Several variations.
Use policy routing on the Layer 3 device to send traffic to the firewall. Let the firewall rules determine access.
Use filters on the L3 device. Example, if source address is 192.x.x.x and destination 10.y.y.y, next hop nul0:

hmmm... honestly i cant fully understand this... in the 4950 switch there are options for which networks are allowed access ... or denial... hmmm, ill be back this monday ( gmt +8) to try to find the settings for this.. ive been looking at the options.. but im not sure ive found filters in there... with the routing option you can place, the network address ( destination ), the subnet mask and the gateway... and a vlan id that's all... for now i removed the firewall to simplify things... also, i do not know a next hop nul0.... :(

im learning stuff everyday.. unfortunately.. it is insufficient..! help! pls?

ive been reading pdfs from 3com/cisco.. but apparently layer 3 switching for the 4950 is only an upgrade and therefore lacks the necessary instructions to make it work...



>If you want to e-mail me a diagram, feel free.

done, i hope it can help you help me!


thanks!
 

L3Guy

Senior member
Apr 19, 2001
mryoso;

Thanks for the drawing and the email. For anyone following, if you can't draw it, it can't be done. (Motto) :)

I am documenting this for the people following along. I'll send you an e-mail with drawings and additional details.


Starting from the manuals on the 3com 3300 and 3Com 4950, The management address on the switches is on vlan 1.
If you want to not allow users access to the configuration interface of the switches, you must place user ports on a vlan other than vlan1.
Vlan 1 must not be the backbone network.
If you can spare a pc to be on the management network, you might consider not allowing access to that vlan from any other workstation.

If you must have full access from the management pc, the 3Com 4950 has an extensive filter/firewall capability.
Look under access lists in the manual. Gee, what an original name for a filter!
Your diagram showed 7 subnets and the backbone.

An example might be:
Backbone: Vlan 2, 10.1.2.0 255.255.255.0
Vlan A: Vlan 3 10.1.3.0 255.255.255.0
Vlan B: Vlan 4 10.1.4.0 255.255.255.0
Vlan C: Vlan 5 10.1.5.0 255.255.255.0
Vlan D: Vlan 6 10.1.6.0 255.255.255.0
Vlan E: Vlan 7 10.1.7.0 255.255.255.0
Vlan F: Vlan 8 10.1.8.0 255.255.255.0
Vlan G: Vlan 9 10.1.9.0 255.255.255.0
Management: Vlan 1 10.1.1.0 255.255.255.0

The "access lists" might be from
10.1.3.0 deny
10.1.4.0 deny
10.1.5.0 deny
10.1.6.0 deny
10.1.7.0 deny
10.1.8.0 deny
10.1.9.0 deny

Hope this helps;

Doug




 

L3Guy

Senior member
Apr 19, 2001
In reading my previous post, I need to add something.
In order to create a management Vlan on Vlan 1, 802.1Q must be used on all the switch links,
so that the management lan can traverse the network.
The port to the firewall and any servers should NOT be tagged, however.
Tagging is switch to switch, untagged (single vlan) switch to host, router, firewall, server, etc.

Doug
 

mryoso

Member
Apr 30, 2000


<< In reading my previous post, I need to add something.
In order to create a management Vlan on Vlan 1, 802.1Q must be used on all the switch links,
so that the management lan can traverse the network.
The port to the firewall and any servers should NOT be tagged, however.
Tagging is switch to switch, untagged (single vlan) switch to host, router, firewall, server, etc.

Doug
>>




hey thanks so much!!!! ill be doing these things tomorrow morning! i really cant wait to try them! i thought the problem could be solved by routing!!!
i hope our network ( NOC ) would be able to access vlan 1 even if its on vlan 2 ( backbone ) is that possible?
 

mryoso

Member
Apr 30, 2000


<< mryoso;

Thanks for the drawing and the email. For anyone following, if you can't draw it, it can't be done. (Motto) :)

I am documenting this for the people following along. I'll send you an e-mail with drawings and additional details.


Starting from the manuals on the 3com 3300 and 3Com 4950, The management address on the switches is on vlan 1.
If you want to not allow users access to the configuration interface of the switches, you must place user ports on a vlan other than vlan1.
Vlan 1 must not be the backbone network.
If you can spare a pc to be on the management network, you might consider not allowing access to that vlan from any other workstation.

If you must have full access from the management pc, the 3Com 4950 has an extensive filter/firewall capability.
Look under access lists in the manual. Gee, what an original name for a filter!
Your diagram showed 7 subnets and the backbone.

An example might be:
Backbone: Vlan 2, 10.1.2.0 255.255.255.0
Vlan A: Vlan 3 10.1.3.0 255.255.255.0
Vlan B: Vlan 4 10.1.4.0 255.255.255.0
Vlan C: Vlan 5 10.1.5.0 255.255.255.0
Vlan D: Vlan 6 10.1.6.0 255.255.255.0
Vlan E: Vlan 7 10.1.7.0 255.255.255.0
Vlan F: Vlan 8 10.1.8.0 255.255.255.0
Vlan G: Vlan 9 10.1.9.0 255.255.255.0
Management: Vlan 1 10.1.1.0 255.255.255.0

The "access lists" might be from
10.1.3.0 deny
10.1.4.0 deny
10.1.5.0 deny
10.1.6.0 deny
10.1.7.0 deny
10.1.8.0 deny
10.1.9.0 deny

Hope this helps;

Doug
>>




first, it seems that the access lists dont work... ( the linux router has the following routes : 192.168.1.0, 192.168.73.0, gateway is part of the 192.168.1.0 network )... what irritates me is that i need to have the 73 network on the router for it to get internet access.. and bcoz the 1 network is also in the route they see each other.. isn't there some kind of selective routing? that is, being able to route without the whole network of the routee (?) being exposed?

ive done what u said above.. what happens is still the same. when in vlan b, they cant access the switches ( on def vlan 1 ) but they cant get internet access!!!!!!!!!! help!!!!!

 

L3Guy

Senior member
Apr 19, 2001


<< when in vlan b, they cant access the switches ( on def vlan 1 ) but they cant get internet access!!!!!!!!!! >>



Sounds like your vlan tagging isn't working. Also, the 4950 should be routing, with the Linux box handling only the wan connectivity.

If you are using private addresses for your vlans, why don't you post them so I can make a better drawing.
I'll try to get a drawing together and check my lan for a 3Com 4950.

I know its harder this way, I am used to talking to the people I help. :)

Doug
 

mryoso

Member
Apr 30, 2000


<<

<< when in vlan b, they cant access the switches ( on def vlan 1 ) but they cant get internet access!!!!!!!!!! >>



Sounds like your vlan tagging isn't working. Also, the 4950 should be routing, with the Linux box handling only the wan connectivity.

If you are using private addresses for your vlans, why don't you post them so I can make a better drawing.
I'll try to get a drawing together and check my lan for a 3Com 4950.

I know its harder this way, I am used to talking to the people I help. :)

Doug
>>



current test

router ( linux ) --- > 192.168.1.2/24
4950 - 192.168.1.1
switch ( sm ) -- > 192.168.1.73
host --- > 192.168.73.1 - x


routing table ( the one u c when u type "route" ) is
destination gateway genmask ..... iface
xxx.xxx.xx.xxx * /26 eth0
192.168.1.0 * /24 eth1
192.168.73.0 * /24 eth1
127.0.0.0 * /8 lo
default xxx.xxx.xxx.xxx /0 eth0

networks are
192.168.x-y.z

thanks
 

L3Guy

Senior member
Apr 19, 2001
mryoso;

Go to
3com 4950 Manual
Page 75. create 3 vlans.
Vlan 1 is the default vlan.
Vlan 2. User vlan.
Vlan 3. assign the port attached to the router to vlan 3
Turn on 802.1q trunking on the gigabit link between the 4950 and the 3300. Make sure that both vlan 1 and 2 are assigned to the gig port.
Now go to page 91.
Give vlan 3 the address 192.168.1.1
Give vlan 1 the address 192.168.254.1 (this is your new management interface)
Give Vlan 2 the address 192.168.2.1 (this is the new default route for your PC's)
Enable IP routing
add a default route 0.0.0.0/0 192.168.1.2
Now go to page 103.
Block access from 192.168.3.0 to vlan 1, destination address 192.168.254.0

On your 3300, you must create 2 vlans
Vlan 1
Vlan 2
set the gig uplink port to 802.1q
Assign an address of 192.168.254.2 to your 3300
add all ports to vlan 2
add the gig port to vlan 1

remove any multi-net from the interface of the linux box.
add a static route for 192.168.2.0 pointing to 192.168.1.1
add static route for 192.168.254.0 pointing to 192.168.1.1

test that a workstation 192.168.2.20 can access the internet, but cannot access 192.168.1.1
Next test that a workstation on vlan 1 (you will have to add a port on vlan 1 to either the 3300 or the 4950) can access the switches and the internet.
next add a port on the 4950 on vlan 3 and test that the switches are still accessible.

The access lists only block packets that are routed between vlans on the switch. if you use the linux box to route, you bypass all the security that the access lists provide. You also cannot allow access to the users on any address of the management LAN, or security is compromised.

regards;

Doug


:cool:
 

mryoso

Member
Apr 30, 2000
>The access lists only block packets that are routed between vlans on the switch. if you use the linux box to route, you bypass all the security that the access lists provide.

this i repeatedly told everyone! huhuhu, they wouldnt believe a newbie like me! er, i wasnt really sure though... lol!

thanks for posting the 4950s manual, i thinks its an updated one too!

just as i was about to do the changes you suggested, our consultant called a meeting.
we had to change our addresses to class a. ( he didnt want vlans crossing subnets, so as not to depend on our layer 3 router so much, the 4950.... )

im sure i can apply the same concepts you've posted here, thanks again!
ill keep you posted....



 

L3Guy

Senior member
Apr 19, 2001
Let us know how things go.

If you want to intimidate the consultant, tell him the recommendations came from a Tier 3 support person, who is the 3com specialist in the company. See what he says. :) Always good to keep the consultants honest.



<< we had to change our addresses to class a. ( he didnt want vlans crossing subnets, so as not to depend on our layer 3 router so much, the 4950.... ) >>


Your consultant is starting to worry me. I personally never recommend over 250 users per subnet, although I have seen recommendations as high as 1000 when Layer 2 switches were new and layer 3 switches had not yet been introduced.
Maybe some of the other professionals or elite members might care to comment.

Best of luck.

Doug
 

mryoso

Member
Apr 30, 2000


<< mryoso;

Go to
3com 4950 Manual
Page 75. create 3 vlans.
Vlan 1 is the default vlan.
Vlan 2. User vlan.
Vlan 3. assign the port attached to the router to vlan 3
Turn on 802.1q trunking on the gigabit link between the 4950 and the 3300. Make sure that both vlan 1 and 2 are assigned to the gig port.
Now go to page 91.
Give vlan 3 the address 192.168.1.1
Give vlan 1 the address 192.168.254.1 (this is your new management interface)
Give Vlan 2 the address 192.168.2.1 (this is the new default route for your PC's)
Enable IP routing
add a default route 0.0.0.0/0 192.168.1.2
Now go to page 103.
Block access from 192.168.3.0 to vlan 1, destination address 192.168.254.0

On your 3300, you must create 2 vlans
Vlan 1
Vlan 2
set the gig uplink port to 802.1q
Assign an address of 192.168.254.2 to your 3300
add all ports to vlan 2
add the gig port to vlan 1

remove any multi-net from the interface of the linux box.
add a static route for 192.168.2.0 pointing to 192.168.1.1
add static route for 192.168.254.0 pointing to 192.168.1.1

test that a workstation 192.168.2.20 can access the internet, but cannot access 192.168.1.1
Next test that a workstation on vlan 1 (you will have to add a port on vlan 1 to either the 3300 or the 4950) can access the switches and the internet.
next add a port on the 4950 on vlan 3 and test that the switches are still accessible.

The access lists only block packets that are routed between vlans on the switch. if you use the linux box to route, you bypass all the security that the access lists provide. You also cannot allow access to the users on any address of the management LAN, or security is compromised.

regards;

Doug


:cool:
>>



^ yipee!!!! this post is doing it my man!! im finally having some success, albeit hosts can still see the other networks!!!

ill post back soon!

thanks so much!
 

mryoso

Member
Apr 30, 2000
right now everything's running smoothly...


a test network runs fine, and isnt able to access the router and the 4950! BUT, it CAN telnet the 4950 thru the vlan interface ( gateway ) that it belongs to!

also, if i placed the connection between the router and the 4950 to a vlan other than vlan 1 ( def vlan ).. internet access is lost...



thanks!
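Two points in this thread are worth seeing side by side: Doug's warning that the 4950's access lists only filter packets the switch routes between VLANs (so routing on the Linux box bypasses them), and mryoso's last finding that a host can still telnet the 4950 through the gateway address of its own VLAN. The Python model below is an added example, not code from the thread or from 3Com; it uses the addresses Doug proposed, and the second access-list entry, the treatment of the switch's own addresses and the 203.0.113.10 "internet" address are assumptions of the model.

```python
import ipaddress

# Constructed model of the design Doug describes (not 3Com 4950 code): the 4950
# owns one IP interface per VLAN and routes between them; the Linux box is only
# the default gateway, reached through VLAN 3.
SWITCH_IFACES = {
    1: ipaddress.ip_interface("192.168.254.1/24"),  # management VLAN
    2: ipaddress.ip_interface("192.168.2.1/24"),    # user VLAN
    3: ipaddress.ip_interface("192.168.1.1/24"),    # link to the Linux router
}
# Inter-VLAN access list. The first entry is the one from the thread; the second
# is assumed here so that Doug's test "cannot access 192.168.1.1" passes.
ACL_DENY = [
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.254.0/24")),
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]


def vlan_of(addr):
    """VLAN whose subnet contains addr, or None for off-net (internet) addresses."""
    for vid, iface in SWITCH_IFACES.items():
        if addr in iface.network:
            return vid
    return None


def switch_forward(src, dst):
    """What the L3 switch does with a packet from src to dst. The access list is
    consulted only for packets the switch routes from one VLAN to another."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is not None and dst == SWITCH_IFACES[src_vlan].ip:
        # The switch's own address on the sender's VLAN is delivered locally, so
        # the inter-VLAN access list never sees it: this is the telnet caveat.
        return "switch-mgmt-plane"
    if src_vlan == dst_vlan:
        return "bridged"                    # same VLAN: switched, never filtered
    if any(src in s and dst in d for s, d in ACL_DENY):
        return "denied"
    if dst_vlan is None:
        return "routed-to-default-gw"       # ACL matches dst, not the next hop
    return "routed"


def linux_multinet_forward(dst, routes=("192.168.1.0/24", "192.168.73.0/24")):
    """The earlier setup: both subnets on the Linux box's eth1, no filter at all."""
    dst = ipaddress.ip_address(dst)
    return "routed" if any(dst in ipaddress.ip_network(r) for r in routes) else "routed-to-default-gw"
```

Closing the remaining gap means filtering packets addressed to 192.168.2.1 itself, or restricting the switch's management services to the management VLAN; the thread does not get that far.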