So we have a router, with a switch card interface, 8 ports
Say I have 4 VLANs (A,B,C,D) on it, with 2 switch ports in each.
Each VLAN (i.e. all ports) can communicate with each other, because naturally they are all connected to the one router…
But say I only wanted A & C, and B & D, to be able to see and communicate with each other, how would this be done?
I was thinking possible NAT, but I'm sure there's some industry standard way of doing it?
Best Answer
While Ron and Ron's answers actually enable routing but prevent traffic, their suggestions still pack both host groups into the same routing instance.
There's another way to think about this:
a) VRF-lite
This essentially creates two almost completely (well, they share the hardware ressources...) separated routing instances in one box.
Things might get a bit tricky (but not impossible) if both VRFs are to share the same (single) internet access and "upstream" interface. But you actually didn't ask about that. Some licensing might be required to allow to configure VRF-lite, depending on the model.
Also, if you'd still like to allow some traffic from one VRF to the other, things tend to get a bit messy (route leaking, earring cables and things like that), that will bleak out the nice VRF separation we just established with purpose. Don't pursue the VRF-lite approach in that case.
Here's what to do for VRF-lite:
b) Zone based firewalling
Essentially the same as the Rons proposed, but there's an advanced way with a lot more text and config items. This may require a SEC license on your router.
The key points about ZBFW are:
I made some assumptions, based on what you let us know so far. I took some liberties, which might actually be beyond your question's scope. I think you'll spot the parts that don't actually apply to your given situation.
The config items will now come in a different order than they should be applied. IOS will bark if you paste them in this order. I do this deliberately, to make the configuration layers of ZBFW a bit more clear. (in real life, do it bottom-up: ACLs, class-maps, policy-maps, zones, zone-pairs, interfaces-to-zones).
Please note: half of this comes from a real life setup, half is composed freehandedly. Please point me to any typos or item misspelled config item names.
Let's start with defining zones. A zone may span mutliple Layer 3 interfaces of a given router, but one interface may only ever be part of exactly one zone.
The interfaces need to be assigned to a zone. In the real world, you'd to this at the very end - else you'd impact traffic already flowing through the router. The nat inside/outside bits are already there, too.
Then, we need some zone-pairs, and each has its own service policy applied. A zone-pair is unidirectional; you only need one if you have traffic patterns initiating in the given direction. Note the absence of a zone-pair defintion for AC-to-BD and BD-to-AC.
And now we need multiple MQC constructs with
policy-map
,class-map
andaccess-list
, as we all love or hate them from QoS. You'll notice that I may be overdoing it a little with having an almost complete policy-map/class-map/access-list tuple per zone-pair, with little re-use of common items. That's how I think - can't help it.The policy maps of "type inspect" define what is to happen to the different classes of traffic: pass, inspect or drop. Each zone-pair gets its own policy map (see above).
Of course we have to define what classes of traffic we consider. That's done with class-maps of "type inspect" and a few ACLs (matching on "protocol" also works).
First, a few item's we'll be reusing (note the "COMMON" in the config item name)
Then, each per-zone-pair policy-map gets its specific class map. Again, you'll notice that there is no class-map defining traffic allowed to go from AC to BD or vice-versa.
Internet to/from AC:
Internet to/from BD:
So much for ZBFW. Some of the items need to be kept coordinated with the given NAT/portfowarding setup.
Here's the NATty things to do, with NAT overload to the outside interface, and a handful of port forwardings back in.
ADDON:
In your comment, you mentioned "SBC" - as in Session Border Controller, I presume? This might call for the introduction of the "SELF" zone, if traffic/service is to be terminated on the router itself. I can't help there - haven't worked with it. One ressource for it: https://community.cisco.com/t5/security-documents/zbfw-self-zone-integration/ta-p/3154572