EdgeSwitch - VLANs and Limiting Inter-VLAN Routing (Access-Lists)

 Overview


Readers will learn how to configure Inter-VLAN routing on an EdgeSwitch through the use of Switch Virtual Interfaces (SVIs), which are routable VLAN interfaces, and how to restrict that routing with Access-Lists (ACLs) applied to the VLANs.

Notes & Requirements:

Applicable to EdgeSwitch firmware 1.7.1 and newer on all EdgeSwitch models. Knowledge of the Command Line Interface (CLI) and basic networking is required. Please see the Related Articles below for more information and see the attachments for the configurations used in this article.


Equipment used in this article:

- EdgeSwitch-8-150W (ES-8-150W)

- EdgeRouter-X (ER-X)

- UniFi AC-Lite (UAP-AC-Lite)

- Test clients (Host, Laptop and Server)


Table of Contents


  1. Network Diagram
  2. Steps - Access-List Format
  3. Steps - VLANs and VLAN-Interfaces
  4. Steps - Create and Apply Access-Lists
  5. Steps - Testing & Verification
  6. Related Articles


Network Diagram



The network topology is shown below. The following interfaces are in use on the EdgeSwitch (ES) and the EdgeRouter (ER).

ER-X

  • eth0 (WAN)
  • eth1 (LAN) - 10.255.12.1/30

ES-8

  • 0/1 (tagged) - VLAN10
  • 0/1 (untagged) - VLAN99
  • 0/2 (untagged) - VLAN20
  • 0/3 (untagged) - VLAN20
  • 0/8 (routed) - 10.255.12.2/30

The UAP will tag the wireless network with VLAN10. The management traffic of the UAP itself will arrive untagged on the 0/1 port and will be placed in VLAN99 (native VLAN). The host and the server will be placed in VLAN20. Each client will receive a DHCP address from the ES and will route all traffic through the switch to the ER.


Steps - Access-List Format



The rules related to Access-List (ACL) formatting are shown below. It is possible to match traffic based on IP and MAC addressing, as well as protocols such as UDP and TCP.

Basic IPv4 ACL

ip access-list <name>
permit/deny ip [source-network + wildcard-mask] [destination-network + wildcard-mask]

In this case the ACL will match all IPv4 traffic types based only on the source and destination network ranges.

  • source-network - The subnet where the traffic is sourced
  • wildcard-mask - Inverted subnet-mask (for example a wildcard 0.0.0.255 is equal to a 255.255.255.0 subnet mask)
  • destination-network - The subnet where the traffic is headed

Basic TCP/UDP ACL

ip access-list <name>
permit/deny tcp/udp [source-network + wildcard-mask] eq source-port [destination-network + wildcard-mask] eq destination-port

In this case the ACL will match on either UDP or TCP traffic based on the source and destination network ranges and ports.

  • eq - Stands for 'equal to' and is used to match on a specific port
  • source-port - The UDP or TCP source port
  • destination-port - The UDP or TCP destination port

Both eq clauses are optional. The lists built later in this article match on the destination port only, because the source port of a client connection is ephemeral and cannot be predicted.

Any and Implicit Deny

It is also possible to substitute the source and/or destination network with 'any', in which case every source (or destination) address is matched. At the end of every ACL is an implicit deny statement, meaning that all traffic that is not matched by an earlier line will be dropped. For example, create an ACL that only denies a certain range:

ip access-list <name>
deny ip 10.0.10.0 0.0.0.255 any

The outcome of this ACL is that all traffic will be blocked (not just traffic from 10.0.10.0/24). To overcome this behavior, add a default permit as the last line of the ACL:

ip access-list <name>
deny ip 10.0.10.0 0.0.0.255 any
permit ip any any

Now all traffic will be allowed, except traffic that is explicitly blocked in an earlier statement (traffic sourced from 10.0.10.0/24).

Basic MAC ACL

mac access-list extended <name>
permit/deny [source-mac + wildcard-mask] [destination-mac + wildcard-mask]

  • source-mac - The MAC address of the source host(s)
  • wildcard-mask - Inverted hexadecimal mask (0 through F), where 0 matches the defined value exactly and F matches any value.
  • destination-mac - The MAC address of the destination host(s), or 'any'

The MAC Access-List can for example be used to only allow traffic from specific devices based on the Organizationally Unique Identifier (OUI). This is the 24-bit value that makes up the first half of the MAC address and is assigned per vendor. For example the OUI value 80:2A:A8 (among others) identifies devices from Ubiquiti.

mac access-list extended <name>
permit 80:2A:A8:FF:FF:FF 00:00:00:FF:FF:FF any

The outcome of this ACL is that only traffic sourced from devices using OUI 80:2A:A8 is allowed; everything else falls through to the implicit deny. The 00:00:00 part of the wildcard-mask matches the first six hexadecimal characters exactly. The FF:FF:FF part of the wildcard-mask indicates that any value is matched in the remaining 24 bits (in the same way a 0.0.255.255 wildcard works in IPv4 ACL format), so the FF:FF:FF in the address itself is ignored. Keep in mind that a sender can change its MAC address at will, so an OUI-based list is a convenience filter and not an authentication control.

Apply the ACL to an interface or VLAN

In this article all the Access-Lists will be applied to VLANs, but they can also be applied to specific interfaces. The command-line format changes depending on whether the command is entered in 'global' or in 'interface' configuration mode. The 'in' direction filters traffic as it enters the VLAN or interface, that is, traffic sent by the hosts on it; every list in this article is applied inbound.

IPv4 ACLs are applied with:

ip access-group <acl-name> vlan <vlan-id> [ in | out ]   (global configuration mode)
ip access-group <acl-name> [ in | out ]                  (interface configuration mode)

MAC ACLs are applied with:

mac access-group <acl-name> vlan <vlan-id> [ in | out ]  (global configuration mode)
mac access-group <acl-name> [ in | out ]                 (interface configuration mode)
Note: Try to avoid intermixing MAC-based and IP-based Access-Lists that match on the same traffic / hosts. This can lead to unexpected results where traffic is allowed on the MAC level, for example, but blocked on the IP level.



Steps - VLANs and VLAN-Interfaces



In this example the ES is running in the default configuration with the addition of SSH management access. The first step is to create the VLANs and associate them to specific ports (tagged or untagged).

CLI STEPS: Access the command line interface (CLI). You can do this by using a program such as PuTTY to connect via SSH, Telnet or the console (prefer SSH or the console; Telnet sends the login credentials in the clear).

1. Enter privileged mode.

enable

2. Create the VLANs and VLAN-Interfaces (SVIs).

vlan database 
vlan 10,20,99
vlan routing 10 1
vlan routing 20 2
vlan routing 99 3
exit
Note: The format is vlan routing <vlan-id> <interface-id (1-15)>. The interface-id does not need to match the VLAN number and is used to separate the VLAN-Interfaces in the internal switch architecture.

3. Enter configuration mode.

configure

4. Assign the ports to the VLANs created above.

The configuration below makes ports 0/2 and 0/3 untagged members of VLAN20 (pvid). Port 0/1 is tagged for VLAN10 (tagging) with VLAN99 as the native VLAN (pvid), so the untagged management traffic of the UAP lands in VLAN99. The VLANs a port does not need, including the default VLAN 1, are excluded so that the port never forwards frames for them.

interface 0/1
description UAP
vlan tagging 10
vlan pvid 99
vlan participation exclude 1,20
vlan participation include 10,99
exit

interface 0/2
description Server
vlan pvid 20
vlan participation exclude 1,10,99
vlan participation include 20
exit

interface 0/3
description Host
vlan pvid 20
vlan participation exclude 1,10,99
vlan participation include 20
exit

5. Enable routing functionality on the uplink port (0/8) and assign it an IP address.

interface 0/8
routing
ip address 10.255.12.2 255.255.255.252
exit

6. Associate the SVIs with IP addresses and enable routing.

interface vlan 10
ip address 10.0.10.2 255.255.255.0
routing
exit

interface vlan 20
ip address 10.0.20.2 255.255.255.0
routing
exit

interface vlan 99
ip address 10.0.99.2 255.255.255.0
routing
exit

7. Globally enable routing functionality and create a default route to the ER.

ip routing
ip route 0.0.0.0 0.0.0.0 10.255.12.1
Note: It is recommended to create the default route (and all other routes) using the ip route <network> <mask> <next-hop> statement instead of the ip default-gateway <next-hop> statement. The latter command is intended for EdgeSwitches that operate purely in Layer 2 mode without any added routing functionality.

8. (Optional) Globally enable DHCP services.

service dhcp

9. (Optional) Exclude IP addresses that should not be assigned by the DHCP server.

ip dhcp excluded-address 10.0.10.0 10.0.10.10
ip dhcp excluded-address 10.0.20.0 10.0.20.10
ip dhcp excluded-address 10.0.99.0 10.0.99.10

10. (Optional) Create the DHCP pools.

ip dhcp pool VLAN10
lease 0 12 0
dns-server 10.0.20.11
default-router 10.0.10.2
network 10.0.10.0 255.255.255.0
exit

ip dhcp pool VLAN20
lease 0 12 0
dns-server 10.0.20.11
default-router 10.0.20.2
network 10.0.20.0 255.255.255.0
exit

ip dhcp pool VLAN99
lease 0 12 0
dns-server 10.0.20.11
default-router 10.0.99.2
network 10.0.99.0 255.255.255.0
exit
Note: In this example the server at 10.0.20.11 provides DNS services for all the VLANs.

Steps - Create and Apply Access-Lists



After configuring the steps in the previous section, there should be bi-directional communication between all of the VLANs. This is possible because there are Layer-3 interfaces (SVIs) configured on the switch that allow Inter-VLAN routing.

The next step is to limit the communication by only allowing the hosts to connect to specific destinations based on the following requirements:

  1. Block all traffic from the wireless hosts on VLAN10 to VLAN20 and VLAN99, except for DNS traffic going to the server at 10.0.20.11
  2. Block all traffic from the wireless hosts to the ES/ER routed interfaces.
  3. Allow the wireless hosts to ping their gateway address (10.0.10.2) and acquire a DHCP address.
  4. Block all other traffic from the wireless hosts to their gateway address.
  5. Allow traffic from the wireless hosts on VLAN10 to all other destinations.
  6. Allow the server on VLAN20 to reach any destination on the network and manage the ES and ER.
  7. Block the traffic from other hosts on VLAN20 to VLAN10 and VLAN99.
  8. Allow the other hosts on VLAN20 to reach any other destination, except management traffic to the ES and ER interfaces.

Two Access-Lists will be created to satisfy these requirements, one for VLAN10 and one for VLAN20, each applied inbound so that it filters the traffic the hosts on that VLAN send. These lists are stateless: they do not track connections, so reply traffic has to be permitted by the list on the VLAN where the reply originates. This is why the VLAN20 list starts with a permit for the server (requirement #6): without it, DNS answers from 10.0.20.11 to a VLAN10 client would be dropped by the VLAN20 list even though the query was allowed by the VLAN10 list. No list is applied to VLAN99, so traffic sourced by the UAP management interface is not restricted.

CLI STEPS: Access the command line interface (CLI). You can do this by using a program such as PuTTY to connect via SSH, Telnet or the console.

1. Create an IP Access-List for VLAN10 that satisfies requirement #1.

ip access-list VLAN10
permit udp any host 10.0.20.11 eq 53
permit tcp any host 10.0.20.11 eq 53
deny ip any 10.0.20.0 0.0.0.255
deny ip any 10.0.99.0 0.0.0.255

2. Add a line to the IP Access-List that satisfies requirement #2.

deny ip any 10.255.12.0 0.0.0.3

3. Add lines to the IP Access-List that satisfy requirements #3 and #4.

permit icmp any host 10.0.10.2
permit udp any host 10.0.10.2 eq 67
deny ip any host 10.0.10.2
Note: The UDP/67 line only covers DHCP messages that are unicast to the SVI address, such as lease renewals. The initial DHCP discover and request are sent to 255.255.255.255 and are matched by the final permit ip any any instead, so if that last line is ever tightened, a permit udp any host 255.255.255.255 eq 67 line has to be added here.

4. Add a line to the IP Access-List that satisfies requirement #5.

permit ip any any
Note: All lines that are added to an Access-List will be added at the bottom. This is important because an ACL is read from top to bottom and works on a 'first match' basis: traffic permitted by a line cannot be denied again by a later line, and vice versa. Use the sequence numbers (10 is the first line, then 20, 30, etc.) in order to insert lines into an ACL at the correct spot (or recreate the ACL with the lines in the correct order).

The completed Access-List for VLAN10 looks like:

ip access-list VLAN10
permit udp any host 10.0.20.11 eq 53
permit tcp any host 10.0.20.11 eq 53
deny ip any 10.0.20.0 0.0.0.255
deny ip any 10.0.99.0 0.0.0.255
deny ip any 10.255.12.0 0.0.0.3
permit icmp any host 10.0.10.2
permit udp any host 10.0.10.2 eq 67
deny ip any host 10.0.10.2
permit ip any any
exit

5. Apply the Access-List to VLAN10 in the inbound direction.

ip access-group VLAN10 vlan 10 in

6. Create an IP Access-List that satisfies requirement #6.

ip access-list VLAN20
permit ip host 10.0.20.11 any

7. Add lines to the IP Access-List that satisfy requirement #7.

deny ip any 10.0.10.0 0.0.0.255
deny ip any 10.0.99.0 0.0.0.255

8. Add lines to the IP Access-List that satisfy requirement #8.

deny tcp any host 10.0.20.2 eq 22
deny tcp any host 10.0.20.2 eq 443
deny tcp any 10.255.12.0 0.0.0.3 eq 22
deny tcp any 10.255.12.0 0.0.0.3 eq 443
permit ip any any
Note: All of these examples define the source-address range as 'any'. It is also possible to define the source range as the actual range of the VLAN. For example: deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255.
Note: These lines block only SSH (22) and HTTPS (443). Any other management service that is left enabled on the ES or ER (Telnet, plain HTTP or SNMP, for example) stays reachable from VLAN20 through the final permit ip any any, so either disable those services on the devices or add matching deny lines above the final permit. The VLAN10 and VLAN99 SVI addresses need no extra lines here because the lines for requirement #7 already deny everything to those subnets.

The completed Access-List for VLAN20 looks like:

ip access-list VLAN20
permit ip host 10.0.20.11 any
deny ip any 10.0.10.0 0.0.0.255
deny ip any 10.0.99.0 0.0.0.255
deny tcp any host 10.0.20.2 eq 22
deny tcp any host 10.0.20.2 eq 443
deny tcp any 10.255.12.0 0.0.0.3 eq 22
deny tcp any 10.255.12.0 0.0.0.3 eq 443
permit ip any any
exit

9. Apply the Access-List to VLAN20 in the inbound direction.

ip access-group VLAN20 vlan 20 in
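The matching rules described in the Access-List Format section (wildcard masks, first match, the implicit deny) and the two lists built in this section can be checked offline before they are applied. The Python script below is an added example and is not part of this article or of the EdgeSwitch firmware. It re-implements only the behaviour the text states, parses the two lists exactly as typed above, and replays the requirements and the pings from the Testing & Verification section against them. The client addresses are the leases shown in the DHCP binding table of the next section; treating the 10.0.10.11 lease as the wireless client is an assumption.

```python
"""Offline checker for the ACL semantics in this article: top-to-bottom, first
match wins, wildcard bit 1 = "ignore this bit", implicit deny at the end.
Added example, not EdgeSwitch firmware or Ubiquiti code; no hardware modelled."""
import ipaddress

def wildcard_match(value: bytes, pattern: bytes, wildcard: bytes) -> bool:
    """Masked compare shared by IPv4 and MAC wildcards: only bits where the
    wildcard is 0 must be equal (0.0.0.255 and 00:00:00:FF:FF:FF both say
    'match the leading bits exactly, ignore the rest')."""
    return all(((v ^ p) & ~w & 0xFF) == 0 for v, p, w in zip(value, pattern, wildcard))

def ipv4_match(addr: str, spec: str) -> bool:
    """spec is 'any', 'host A.B.C.D' or 'NETWORK WILDCARD' as typed in the ACL."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wc = (ipaddress.IPv4Address(x).packed for x in spec.split())
    return wildcard_match(ipaddress.IPv4Address(addr).packed, net, wc)

def mac_match(addr: str, spec: str) -> bool:
    """spec is 'any' or 'MAC WILDCARD' as in 'mac access-list extended'."""
    if spec == "any":
        return True
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return wildcard_match(raw(addr), *(raw(x) for x in spec.split()))

def _take_spec(tok, i):
    """Consume 'any' (one token) or 'host X' / 'NET WILDCARD' (two tokens)."""
    return ("any", i + 1) if tok[i] == "any" else (" ".join(tok[i:i + 2]), i + 2)

def _take_port(tok, i):
    """Consume an optional 'eq N' clause."""
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_ip_acl(text: str):
    """Turn 'permit|deny PROTO SRC [eq N] DST [eq N]' lines into tuples; the
    'ip access-list NAME' header and 'exit' lines are skipped."""
    rules = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _take_spec(tok, 2)
        sport, i = _take_port(tok, i)
        dst, i = _take_spec(tok, i)
        dport, _ = _take_port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """(action, sequence) of the first matching line; (deny, None) = implicit deny."""
    for n, (action, rproto, rsrc, rsport, rdst, rdport) in enumerate(rules, 1):
        if rproto not in ("ip", proto):
            continue
        if not (ipv4_match(src, rsrc) and ipv4_match(dst, rdst)):
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action, n * 10        # the switch numbers lines 10, 20, 30, ...
    return "deny", None

# The two lists exactly as built in this article.
VLAN10_ACL = """ip access-list VLAN10
permit udp any host 10.0.20.11 eq 53
permit tcp any host 10.0.20.11 eq 53
deny ip any 10.0.20.0 0.0.0.255
deny ip any 10.0.99.0 0.0.0.255
deny ip any 10.255.12.0 0.0.0.3
permit icmp any host 10.0.10.2
permit udp any host 10.0.10.2 eq 67
deny ip any host 10.0.10.2
permit ip any any"""

VLAN20_ACL = """ip access-list VLAN20
permit ip host 10.0.20.11 any
deny ip any 10.0.10.0 0.0.0.255
deny ip any 10.0.99.0 0.0.0.255
deny tcp any host 10.0.20.2 eq 22
deny tcp any host 10.0.20.2 eq 443
deny tcp any 10.255.12.0 0.0.0.3 eq 22
deny tcp any 10.255.12.0 0.0.0.3 eq 443
permit ip any any"""

def check_requirements():
    """Replay the article's requirements and test pings against both lists.
    Addresses are the leases from the DHCP binding table; the wireless client
    is assumed to be the 10.0.10.11 lease (an assumption, not stated there)."""
    v10, v20 = parse_ip_acl(VLAN10_ACL), parse_ip_acl(VLAN20_ACL)
    wifi, server, host = "10.0.10.11", "10.0.20.11", "10.0.20.12"
    return {
        "wifi dns to server":   evaluate(v10, "udp", wifi, server, 51000, 53),
        "wifi ping server":     evaluate(v10, "icmp", wifi, server),
        "wifi ping er":         evaluate(v10, "icmp", wifi, "10.255.12.1"),
        "wifi ping gateway":    evaluate(v10, "icmp", wifi, "10.0.10.2"),
        "wifi ssh gateway":     evaluate(v10, "tcp", wifi, "10.0.10.2", 51001, 22),
        # a broadcast DHCP discover is not matched by the UDP/67 line at all
        "wifi dhcp discover":   evaluate(v10, "udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "server ping er":       evaluate(v20, "icmp", server, "10.255.12.1"),
        "host ssh switch":      evaluate(v20, "tcp", host, "10.0.20.2", 51002, 22),
        # telnet (23) is not listed, so it falls through to permit ip any any
        "host telnet switch":   evaluate(v20, "tcp", host, "10.0.20.2", 51003, 23),
        "host ping vlan99 svi": evaluate(v20, "icmp", host, "10.0.99.2"),
    }
```

check_requirements() returns, for each flow, the action and the sequence number of the line that decided it, which is the same information the switch shows under show ip access-lists. Two entries deserve attention: the initial DHCP discover is decided by sequence 90 rather than by the UDP/67 line, and Telnet to the switch's VLAN20 address is permitted by the VLAN20 list because only ports 22 and 443 are denied. evaluate() on a list with no final permit returns (deny, None) for unmatched traffic, which is the implicit deny from the Access-List Format section, and mac_match() applies the same masked compare to the OUI example given there.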

Steps - Testing & Verification



After configuring the ports, VLANs and Access-Lists, verify the state and the connectivity using the following commands:

1. The VLAN port state of the switchport interfaces:

show interfaces switchport general
Intf       PVID   Ingress     Acceptable   Untagged   Tagged     Forbidden  Dynamic
                  Filtering   Frame Type   Vlans      Vlans      Vlans      Vlans
---------  -----  ----------  -----------  ---------  ---------  ---------  ---------
0/1        99     Disabled    Admit all    99         10         1,20
0/2        20     Disabled    Admit all    20                    1,10,99
0/3        20     Disabled    Admit all    20                    1,10,99

show interfaces switchport 0/1
VLAN Membership Mode: General
General Mode PVID: 99
General Mode Untagged VLANs: 99
General Mode Tagged VLANs: 10
General Mode Forbidden VLANs: 1,20

show interfaces switchport 0/2
VLAN Membership Mode: General
General Mode PVID: 20
General Mode Untagged VLANs: 20
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1,10,99

show interfaces switchport 0/3
VLAN Membership Mode: General
General Mode PVID: 20
General Mode Untagged VLANs: 20
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1,10,99

2. The state of the routed interface and SVIs:

show ip interface 0/8
Routing interface status....................... Up
Primary IP address............................. 10.255.12.2/255.255.255.252
Method......................................... Manual
Routing Mode................................... Enable
Administrative Mode............................ Enable
Active State................................... Active
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500

show ip interface brief
Interface   State   IP Address        IP Mask           TYPE      Method
----------  ------  ----------------  ----------------  --------  ------
0/8         Up      10.255.12.2       255.255.255.252   Primary   Manual
vlan 10     Up      10.0.10.2         255.255.255.0     Primary   Manual
vlan 20     Up      10.0.20.2         255.255.255.0     Primary   Manual
vlan 99     Up      10.0.99.2         255.255.255.0     Primary   Manual

show ip route
Route Codes: C - Connected, S - Static
Default Gateway is 10.255.12.1

S 0.0.0.0/0 [1/0] via 10.255.12.1, 00h:04m:36s, 0/8
C 10.0.10.0/24 [0/0] directly connected, 4/1
C 10.0.20.0/24 [0/0] directly connected, 4/2
C 10.0.99.0/24 [0/0] directly connected, 4/3
C 10.255.12.0/30 [0/0] directly connected, 0/8

3. The globally configured DHCP options and pools (if configured):

show ip dhcp global configuration
Service DHCP................................... Enable
Number of Ping Packets......................... 2
Excluded Address............................... 10.0.10.0 to 10.0.10.10
                                                10.0.20.0 to 10.0.20.10
                                                10.0.99.0 to 10.0.99.10
Conflict Logging............................... Enable
Bootp Automatic................................ Disable

show ip dhcp pool configuration all
Pool: VLAN10
Pool Type...................................... Dynamic
Network........................................ 10.0.10.0 255.255.255.0
Lease Time..................................... 0 days 12 hrs 0 mins
DNS Servers.................................... 10.0.20.11
Default Routers................................ 10.0.10.2

Pool: VLAN20
Pool Type...................................... Dynamic
Network........................................ 10.0.20.0 255.255.255.0
Lease Time..................................... 0 days 12 hrs 0 mins
DNS Servers.................................... 10.0.20.11
Default Routers................................ 10.0.20.2

Pool: VLAN99
Pool Type...................................... Dynamic
Network........................................ 10.0.99.0 255.255.255.0
Lease Time..................................... 0 days 12 hrs 0 mins
DNS Servers.................................... 10.0.20.11
Default Routers................................ 10.0.99.2

show ip dhcp binding
IP address       Hardware Address    Lease Expiration   Type
---------------  ------------------  -----------------  -------------------
10.0.10.11       80:2a:a8:8b:bd:01   00:11:51           Automatic (Phone)
10.0.20.11       80:2a:a8:a5:a8:99   00:11:50           Automatic (Server)
10.0.20.12       80:2a:a8:00:80:dc   00:11:46           Automatic (Host)
10.0.99.11       80:2a:a8:99:92:d5   00:11:50           Automatic (UAP)

4. The created Access-Lists and sequence numbers:

show ip access-lists
Current number of ACLs: 2    Maximum number of ACLs: 50

ACL ID/Name      Rules  Direction  Interface(s)      VLAN(s)
---------------  -----  ---------  ----------------  ----------
VLAN10           9      inbound                      10
VLAN20           8      inbound                      20

show ip access-lists VLAN10
ACL Name: VLAN10
Inbound VLAN ID(s): 10

Sequence Number: 10
Action......................................... permit
Match All...................................... False
Protocol....................................... 17(udp)
Destination IP Address......................... 10.0.20.11
Destination IP Wildcard Mask................... 0.0.0.0
Destination L4 Port Keyword.................... 53(domain)

Sequence Number: 20
Action......................................... permit
Match All...................................... False
Protocol....................................... 6(tcp)
Destination IP Address......................... 10.0.20.11
Destination IP Wildcard Mask................... 0.0.0.0
Destination L4 Port Keyword.................... 53(domain)

Sequence Number: 30
Action......................................... deny
Match All...................................... False
Protocol....................................... 255(ip)
Destination IP Address......................... 10.0.20.0
Destination IP Wildcard Mask................... 0.0.0.255

Sequence Number: 40
Action......................................... deny
Match All...................................... False
Protocol....................................... 255(ip)
Destination IP Address......................... 10.0.99.0
Destination IP Wildcard Mask................... 0.0.0.255

Sequence Number: 50
Action......................................... deny
Match All...................................... False
Protocol....................................... 255(ip)
Destination IP Address......................... 10.255.12.0
Destination IP Wildcard Mask................... 0.0.0.3

Sequence Number: 60
Action......................................... permit
Match All...................................... False
Protocol....................................... 1(icmp)
Destination IP Address......................... 10.0.10.2
Destination IP Wildcard Mask................... 0.0.0.0

Sequence Number: 70
Action......................................... permit
Match All...................................... False
Protocol....................................... 17(udp)
Destination IP Address......................... 10.0.10.2
Destination IP Wildcard Mask................... 0.0.0.0
Destination L4 Port Keyword.................... 67

Sequence Number: 80
Action......................................... deny
Match All...................................... False
Protocol....................................... 255(ip)
Destination IP Address......................... 10.0.10.2
Destination IP Wildcard Mask................... 0.0.0.0

Sequence Number: 90
Action......................................... permit
Match All...................................... TRUE

show ip access-lists VLAN20
ACL Name: VLAN20
Inbound VLAN ID(s): 20

Sequence Number: 10
Action......................................... permit
Match All...................................... False
Protocol....................................... 255(ip)
Source IP Address.............................. 10.0.20.11
Source IP Wildcard Mask........................ 0.0.0.0

Sequence Number: 20
Action......................................... deny
Match All...................................... False
Protocol....................................... 255(ip)
Destination IP Address......................... 10.0.10.0
Destination IP Wildcard Mask................... 0.0.0.255

Sequence Number: 30
Action......................................... deny
Match All...................................... False
Protocol....................................... 255(ip)
Destination IP Address......................... 10.0.99.0
Destination IP Wildcard Mask................... 0.0.0.255

Sequence Number: 40
Action......................................... deny
Match All...................................... False
Protocol....................................... 6(tcp)
Destination IP Address......................... 10.0.20.2
Destination IP Wildcard Mask................... 0.0.0.0
Destination L4 Port Keyword.................... 22

Sequence Number: 50
Action......................................... deny
Match All...................................... False
Protocol....................................... 6(tcp)
Destination IP Address......................... 10.0.20.2
Destination IP Wildcard Mask................... 0.0.0.0
Destination L4 Port Keyword.................... 443

Sequence Number: 60
Action......................................... deny
Match All...................................... False
Protocol....................................... 6(tcp)
Destination IP Address......................... 10.255.12.0
Destination IP Wildcard Mask................... 0.0.0.3
Destination L4 Port Keyword.................... 22

Sequence Number: 70
Action......................................... deny
Match All...................................... False
Protocol....................................... 6(tcp)
Destination IP Address......................... 10.255.12.0
Destination IP Wildcard Mask................... 0.0.0.3
Destination L4 Port Keyword.................... 443

Sequence Number: 80
Action......................................... permit
Match All...................................... TRUE

5. The reachability between the hosts:

Server> ping 10.255.12.1 -n 2
Pinging 10.255.12.1 with 32 bytes of data:

Reply from 10.255.12.1: bytes=32 time<1ms TTL=63
Reply from 10.255.12.1: bytes=32 time=1ms TTL=63

Allowed! (VLAN20 list, sequence 10)

Server> ping 10.0.99.2 -n 2
Pinging 10.0.99.2 with 32 bytes of data:

Reply from 10.0.99.2: bytes=32 time=4ms TTL=64
Reply from 10.0.99.2: bytes=32 time=1ms TTL=64

Allowed! (VLAN20 list, sequence 10)

Laptop> nslookup
Default Server: server.ubnt.com
Address: 10.0.20.11

> er-x.ubnt.com
Server: server.ubnt.com
Address: 10.0.20.11

Name: er-x.ubnt.com
Address: 10.255.12.1

> internet.ubnt.com
Server: server.ubnt.com
Address: 10.0.20.11

Name: internet.ubnt.com
Address: 1.0.0.1

Allowed! (VLAN10 list, sequence 10; the answer from the server is permitted by sequence 10 of the VLAN20 list)

Laptop> ping internet.ubnt.com -n 2
Pinging internet.ubnt.com [1.0.0.1] with 32 bytes of data:

Reply from 1.0.0.1: bytes=32 time<1ms TTL=63
Reply from 1.0.0.1: bytes=32 time<1ms TTL=63

Allowed! (VLAN10 list, sequence 90)

Laptop> ping er-x.ubnt.com -n 2
Pinging er-x.ubnt.com [10.255.12.1] with 32 bytes of data:

Request timed out.
Request timed out.

Denied! (VLAN10 list, sequence 50)

Laptop> ping 10.0.20.11 -n 2
Pinging 10.0.20.11 with 32 bytes of data:

Request timed out.
Request timed out.

Denied! (VLAN10 list, sequence 30; only DNS to the server is permitted from VLAN10)

Host> ping 10.0.99.2 -n 2
Pinging 10.0.99.2 with 32 bytes of data:

Request timed out.
Request timed out.

Denied! (VLAN20 list, sequence 30)

Related Articles

