I have the following scenario:
Firewall - L3Switch - 2 x L2Switch
This is for a network used for building machines. There will be four VLANs configured on the switches, with the L3 switch being the default gateway for all VLANs (using L3 VLAN interfaces). What I'd like to have happen is for the VLANs to only use the default route (which will be to the internet via the firewall) and not be able to route between themselves. Sounds easy - use access-lists or PBR I hear you say. However, the default gateway addresses will be changing regularly as the machines are built with their final IP addresses. So I would need to filter by VLAN, rather than IP range. Or is there any way of setting a port to not allow traffic through that has a destination back on the same port? Even easier would be a way of deleting directly-connected routes from the routing table - is that possible?
Any help appreciated.
Many switches allow for ingress filtering. So you could actually have a group of ports that you are using for this purpose and assign them to the proper VLAN for the machines you are building at the time. Configure an ACL that blocks them from talking to the rest of your internal IP addresses, then a permit ip any any at the end. Keep in mind, this doesn't protect the PCs that you are building from your network, but will protect your network from the PCs you are building.
You can use
1. Private VLANs (PVLANs) and
2. VLAN Access Control Lists (VACLs)
Here is the technical information in detail:
Chetan - the problem is that the ingress interfaces are VLAN interfaces, each in a different Primary VLAN, so I don't think Private VLANs would work. It looks like VACLs are only supported on 6500 switches as well - I only have a 3560. Thanks though!
Paul - Thanks for that, I suspect that will be the way I go. It's not pretty, but I was just having a think about having an RFC1918 ACL that I apply to each VLAN interface that stops any traffic going in on those interfaces from going to any of the other VLAN interfaces and only going to the internet. Maybe I could use PBR as well - I'll give it some thought...
Thanks for the suggestions!
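The approach Paul describes and the OP settles on (an RFC 1918 ACL applied inbound on each VLAN interface, so the build hosts can only reach the default route) looks like this on a Catalyst 3560-class switch. This is an added illustration, not configuration from the thread; VLAN numbers, subnets, the firewall address and the DHCP exception are constructed assumptions.

```cisco
! Added example (not from the thread). Filtering is on the DESTINATION only,
! so it keeps working while the build machines' own addresses change.
ip routing
! Default route toward the firewall (constructed address).
ip route 0.0.0.0 0.0.0.0 192.0.2.1

ip access-list extended BUILD-VLAN-ISOLATE
 ! Assumption: DHCP/PXE for the builds comes from an internal server via
 ! ip helper-address; let client->server DHCP through before the RFC 1918 denies.
 permit udp any eq bootpc any eq bootps
 ! Drop anything aimed at internal address space: the other build VLANs
 ! (and their SVIs) and the rest of the corporate network.
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 ! Everything else (the internet) follows the default route to the firewall.
 permit ip any any

! Apply the same ACL inbound on every build VLAN's L3 interface.
! (Subnets are constructed; only the inbound direction matters here.)
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group BUILD-VLAN-ISOLATE in
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip access-group BUILD-VLAN-ISOLATE in
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 ip access-group BUILD-VLAN-ISOLATE in
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
 ip access-group BUILD-VLAN-ISOLATE in
```

Because the ACL sits on the SVI, it only governs routed traffic; hosts in the same VLAN can still talk at L2, and as Paul notes it protects the network from the build machines rather than the other way round. Check hit counts with `show access-lists BUILD-VLAN-ISOLATE` after bringing a build host up, and add further `permit` lines above the denies for any internal service (DNS, imaging server) the builds genuinely need.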