3 Replies Latest reply on Oct 6, 2014 10:33 AM by jayh

    Multi-Tenant Separate VLANs NetVanta 7100

    3l3mn8r New Member

      Customer has a 7100 and a 6355 connected with GRE/VPN tunnels. At the 6355 location the customer wants to lease phone and data but wants them on separate VLANs. I am not sure about the easiest way to do this.

       

      7100 location VLANs
      10.10.10.0 Data
      10.10.20.0 Voice

      6355 location VLANs
      10.10.11.0 Data
      10.10.21.0 Voice

      I have added additional VLANs for the new customer

      New Tenant VLANs
      192.168.16.0 Data
      192.168.26.0 Voice

      Currently the production network has a GRE/VPN tunnel between sites. The customer is OK with them being a part of the voice network but does not want the tenant to have access to their data network. Not sure if I just create the new VLANs and VLAN interfaces, create allow statements, etc. I have created allows and discards for data VLANs in the past, but I am not sure how to do it when the voice VLAN is in use and to allow them access. Any help or advice with this type of configuration is greatly appreciated.

       

      7100 Config

      vlan 1
        name "Default"
      !
      vlan 2
        name "VoIP"
      !
      ip flow top-talkers
        monitor port 5060 UT
      !
      interface eth 0/0
        description WAN
        ip address    255.255.255.0
        ip address    255.255.255.0  secondary
        ip access-policy Public
        ip crypto map VPN
        media-gateway ip primary
        traffic-shape rate 1000000
        qos-policy out VOIP
        no awcp
        no shutdown
        no lldp send-and-receive
      !
      interface vlan 1
        ip address  10.10.10.1  255.255.255.0
        ip access-policy Private
        media-gateway ip primary
        no shutdown
      !
      interface vlan 2
        ip address  10.10.20.1  255.255.255.0
        ip access-policy Private
        media-gateway ip primary
        no shutdown
      !
      interface t1 1/1
        system-timing primary
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      !
      interface pri 1
        description pri 1
        connect t1 1/1 tdm-group 1
        no shutdown
      !
      interface tunnel 1 gre ip
        description Tunnel
        ip address  10.100.100.1  255.255.255.252
        ip mtu 1397
        ip access-policy Tunnel
        media-gateway ip primary
        tunnel source
        tunnel destination
        keepalive 60 5
        bandwidth 100000
        no shutdown
      !
      interface tunnel 2 gre ip
        description Tunnel
        ip address  10.100.101.1  255.255.255.252
        ip mtu 1397
        ip access-policy Tunnel
        media-gateway ip primary
        tunnel source
        tunnel destination
        keepalive 60 5
        bandwidth 100000
        no shutdown
      !
      interface tunnel 3 gre ip
        description Tunnel
        ip address  10.100.102.1  255.255.255.252
        ip mtu 1397
        ip access-policy Tunnel
        media-gateway ip primary
        tunnel source
        tunnel destination
        keepalive 60 5
        bandwidth 100000
        no shutdown
      !
      isdn-group 1
        connect pri 1
      !
      ip access-list standard NAT
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended Admin
        remark Admin Access
      !
      ip access-list extended InterVLAN
        remark Voice / Data VLAN Traffic
        permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
        permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
      !
      ip access-list extended self
        remark Traffic to Netvanta
        permit ip any  any     log
      !
      ip access-list extended tunnel
        permit ip any  any
      !
      ip access-list extended VPN-10-vpn-selectors
        permit gre host  host
      !
      ip access-list extended VPN-20-vpn-selectors
        permit gre host   host
      !
      ip access-list extended VPN-30-vpn-selectors
        permit gre host   host
      !
      ip access-list extended web-acl-5
        remark RDP Server
      !
      ip policy-class Private
        allow list VPN-10-vpn-selectors stateless
        allow list VPN-20-vpn-selectors stateless
        allow list VPN-30-vpn-selectors stateless
        allow list self self
        allow list InterVLAN stateless
        allow list tunnel policy Tunnel
        nat source list NAT interface eth 0/0 overload
      !
      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors stateless
        allow reverse list VPN-20-vpn-selectors stateless
        allow reverse list VPN-30-vpn-selectors stateless
        allow list Admin self
        nat destination list web-acl-5 address 10.10.10.2
      !
      ip policy-class Tunnel
        allow list VPN-10-vpn-selectors stateless
        allow list VPN-20-vpn-selectors stateless
        allow list VPN-30-vpn-selectors stateless
        allow list self self
        allow list tunnel policy Private
        allow list tunnel policy Tunnel
      !
      ip route 0.0.0.0 0.0.0.0 X.X.X.1
      ip route 10.10.11.0 255.255.255.0 tunnel 1
      ip route 10.10.12.0 255.255.255.0 tunnel 2
      ip route 10.10.13.0 255.255.255.0 tunnel 3
      ip route 10.10.21.0 255.255.255.0 tunnel 1
      ip route 10.10.22.0 255.255.255.0 tunnel 2
      ip route 10.10.23.0 255.255.255.0 tunnel 3
      ip route 192.168.16.0 255.255.255.0 tunnel 1
      ip route 192.168.26.0 255.255.255.0 tunnel 1


      6355 config

      !
      interface vlan 1
        ip address  10.10.11.1  255.255.255.0
        ip ffe
        access-policy Private
        media-gateway ip primary
        no shutdown
      !
      interface vlan 2
        ip address  10.10.21.1  255.255.255.0
        ip ffe
        access-policy Private
        media-gateway ip primary
        no shutdown
      !
      interface vlan 100
        ip address  192.168.16.1  255.255.255.0
        access-policy Jarrell
        media-gateway ip primary
        no awcp
        no shutdown
      !
      interface vlan 200
        ip address  192.168.26.1  255.255.255.0
        access-policy Jarrell
        media-gateway ip primary
        no awcp
        no shutdown
      !
      interface fxs 0/1
        no shutdown
      !
      interface fxs 0/2
        no shutdown
      !
      interface fxo 0/1
        no shutdown
      !
      interface fxo 0/2
        no shutdown
      !
      interface tunnel 1
        description Tunnel to Chas
        ip address  10.100.100.2  255.255.255.252
        access-policy Tunnel
        media-gateway ip primary
        tunnel mode gre
        tunnel source
        tunnel destination
        keepalive 60 5
        mtu 1397
        bandwidth 100000
        no shutdown
      !
      ip access-list standard NAT
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended Admin
        remark Admin Access
        permit tcp any  any eq telnet   log
        permit tcp any  any eq https   log
        permit tcp any  any eq ssh   log
        permit gre any  any
      !
      ip access-list extended InterVLAN
        remark Voice / Data VLAN Traffic
        permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
        permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
      !
      ip access-list extended self
        remark Traffic to Netvanta
        permit ip any  any     log
      !
      ip access-list extended SIP
        remark SIP Service Provider Traffic
      !
      ip access-list extended tunnel
        permit ip any  any
      !
      ip access-list extended VPN-10-vpn-selectors
        permit gre host   host
      !
      ip access-list extended web-acl-10
        remark Phone Manager
        permit tcp any  host 10.10.10.1 eq www
      !
      ip access-list extended web-acl-8
        remark Jarrell NAT
        permit ip any  any     log
      !
      ip access-list extended web-acl-9
        remark Traffic to Jarrell
        permit ip any  any
      !
      ip policy-class Jarrell
        allow list web-acl-9 self
        allow list web-acl-10
        nat source list web-acl-8 interface eth 0/0 overload
      !
      ip policy-class Private
        allow list VPN-10-vpn-selectors stateless
        allow list self self
        allow list InterVLAN stateless
        allow list tunnel policy Tunnel
        nat source list NAT interface eth 0/0 overload
      !
      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors stateless
        allow list SIP self
        allow list Admin self
      !
      ip policy-class Tunnel
        allow list VPN-10-vpn-selectors stateless
        allow list self self
        allow list tunnel policy Private
      !
      ip route 0.0.0.0 0.0.0.0 X.X.X.1
      ip route 10.10.10.0 255.255.255.0 tunnel 1
      ip route 10.10.12.0 255.255.255.0 tunnel 1
      ip route 10.10.13.0 255.255.255.0 tunnel 1
      ip route 10.10.20.0 255.255.255.0 tunnel 1
      ip route 10.10.22.0 255.255.255.0 tunnel 1
      ip route 10.10.23.0 255.255.255.0 tunnel 1
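
Added example, not part of the original post or of any vendor documentation: a small Python check of the requirement stated above (the tenant may share voice but must not reach customer data) against the body of the `tunnel` list in the posted configs and against a hypothetical replacement list. It models a list as a plain first-match filter with an implicit deny, which is an assumption for illustration and not a description of how AOS policy-classes evaluate lists; `CANDIDATE_ACL`, the `.50` sample hosts and all function names are constructed.

```python
import ipaddress

# Constructed sample hosts, one per subnet listed in the post.
CUSTOMER_DATA = ["10.10.10.50", "10.10.11.50"]
CUSTOMER_VOICE = ["10.10.20.50", "10.10.21.50"]
TENANT_DATA, TENANT_VOICE = "192.168.16.50", "192.168.26.50"
PAGE_TUNNEL_ACL = "permit ip any  any"  # body of the 'tunnel' list in the post
# Hypothetical replacement; wildcard 0.0.1.255 spans 10.10.10.0 and 10.10.11.0.
CANDIDATE_ACL = """
remark block tenant to customer data, pass everything else
deny ip 192.168.16.0 0.0.0.255 10.10.10.0 0.0.1.255
deny ip 192.168.26.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any
"""

def _field(tok):
    """Pop one address field ('any', 'host A', 'A WILDCARD') -> (addr, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    addr = tok.pop(0) if first == "host" else first
    wild = "0.0.0.0" if first == "host" else tok.pop(0)
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):  # remark lines are skipped
            rest = tok[2:]                         # tok[1] is the protocol
            rules.append((tok[0], _field(rest), _field(rest)))  # src, then dst
    return rules

def decide(rules, src, dst):
    """First matching rule wins; no match is an implicit deny (model assumption)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, (sa, sw), (da, dw) in rules:
        if (s | sw) == (sa | sw) and (d | dw) == (da | dw):
            return action
    return "deny"

def violations(acl_text):
    """Requirement in the post: tenant may use voice but must not reach customer data."""
    rules = parse_acl(acl_text)
    bad = [f"{t} -> {c} permitted" for t in (TENANT_DATA, TENANT_VOICE)
           for c in CUSTOMER_DATA if decide(rules, t, c) == "permit"]
    bad += [f"{TENANT_VOICE} -> {c} blocked" for c in CUSTOMER_VOICE
            if decide(rules, TENANT_VOICE, c) != "permit"]
    return bad
```

Calling `violations(PAGE_TUNNEL_ACL)` lists the four tenant-to-data paths that a permit-any list leaves open under this model, while `violations(CANDIDATE_ACL)` returns an empty list and customer site-to-site traffic is still permitted.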