Security between VLANS on 3560's

ciscopower
Level 1

Hi Experts,

Hopefully you can help me out with this issue. I have dual 3560 switches providing inter-VLAN routing functions for a few VLANs, including one VLAN for connection to an ASA and one VLAN for Guest Wireless Access.

Basically, what I want to do is limit access to the Guest VLAN 4 so that it can only access the ASA VLAN 2 to get internet access and not be able to communicate with other VLANs. There is a DHCP server in VLAN 101, so access is needed for this; we are also running HSRP and OSPF, so these need to not be blocked. Can anybody help me with an access list config? Attached is the show run from one of the switches.

Many Thanks.

Phil

3 Replies

Edison Ortiz
Hall of Fame

dbellaze
Level 4

I don't think you need to implement private VLANs. You could also configure your 3560's as DHCP servers for the guest network so you do not have to allow anything into your internal network. Unless you have a layer three device inside the guest network that you need to share routing information with, I would suggest marking the guest network interfaces passive for OSPF.

Below is an example of the configuration you could apply to your 3560's.

Assume the following info for the example.

HSRP Address 192.168.1.1
Primary 3560 192.168.1.2
Secondary 3560 192.168.1.3
DHCP Server 10.0.0.100
DNS Server 10.0.0.101 (just in case)

Line 1 allows OSPF and HSRP.
Lines 2 and 3 allow ICMP to your routers and HSRP address.
Line 4 permits DHCP requests.
Line 5 permits DNS requests (just in case).
Lines 96, 97, and 98 deny the guest network to any RFC 1918 addresses. If you are not using RFC 1918 addresses internally or you have public DMZs, you will need to add statements for those in the ACL.
Line 99 allows the guest network to the internet.

The

Primary 3560 -

ip access-list extended guest_acl
 ! 1: OSPF and HSRP hellos from the secondary switch to the 224.0.0.0/24 link-local multicast range
 1 permit ip host 192.168.1.3 224.0.0.0 0.0.0.255
 ! 2-3: ping to the HSRP address and both switch addresses (192.168.1.0/30)
 2 permit icmp any 192.168.1.0 0.0.0.3 echo
 3 permit icmp any 192.168.1.0 0.0.0.3 echo-reply
 ! 4-5: DHCP to the DHCP server, DNS to the DNS server
 4 permit udp any host 10.0.0.100 eq 67
 5 permit udp any host 10.0.0.101 eq 53
 ! 96-98: block all RFC 1918 space, i.e. every internal VLAN
 96 deny ip any 10.0.0.0 0.255.255.255
 97 deny ip any 172.16.0.0 0.15.255.255
 98 deny ip any 192.168.0.0 0.0.255.255
 ! 99: everything else, i.e. the internet via the ASA
 99 permit ip any any
!
interface vlan 4
 description Guest
 ip access-group guest_acl in

Secondary 3560 -

ip access-list extended guest_acl
 ! 1: OSPF and HSRP hellos from the primary switch to the 224.0.0.0/24 link-local multicast range
 1 permit ip host 192.168.1.2 224.0.0.0 0.0.0.255
 ! 2-3: ping to the HSRP address and both switch addresses (192.168.1.0/30)
 2 permit icmp any 192.168.1.0 0.0.0.3 echo
 3 permit icmp any 192.168.1.0 0.0.0.3 echo-reply
 ! 4-5: DHCP to the DHCP server, DNS to the DNS server
 4 permit udp any host 10.0.0.100 eq 67
 5 permit udp any host 10.0.0.101 eq 53
 ! 96-98: block all RFC 1918 space, i.e. every internal VLAN
 96 deny ip any 10.0.0.0 0.255.255.255
 97 deny ip any 172.16.0.0 0.15.255.255
 98 deny ip any 192.168.0.0 0.0.255.255
 ! 99: everything else, i.e. the internet via the ASA
 99 permit ip any any
!
interface vlan 4
 description Guest
 ip access-group guest_acl in

Daniel
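As an added check (not part of Daniel's reply or anything else in this thread), the script below parses the posted primary-switch guest_acl exactly as written and runs constructed sample flows through IOS-style first-match evaluation, so the intended policy can be verified before it goes on a switch. The guest host 192.168.1.50 and the internet address 203.0.113.10 are assumptions; the flows also show that a client's initial DHCP broadcast to 255.255.255.255 is matched by line 99 rather than line 4.

```python
from ipaddress import IPv4Address, IPv4Network
# The primary switch's guest_acl entries, copied from the post above.
GUEST_ACL_TEXT = """
1 permit ip host 192.168.1.3 224.0.0.0 0.0.0.255
2 permit icmp any 192.168.1.0 0.0.0.3 echo
3 permit icmp any 192.168.1.0 0.0.0.3 echo-reply
4 permit udp any host 10.0.0.100 eq 67
5 permit udp any host 10.0.0.101 eq 53
96 deny ip any 10.0.0.0 0.255.255.255
97 deny ip any 172.16.0.0 0.15.255.255
98 deny ip any 192.168.0.0 0.0.255.255
99 permit ip any any
"""

def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) as an IPv4Network."""
    t = tokens.pop(0)
    return (IPv4Network("0.0.0.0/0") if t == "any"
            else IPv4Network(tokens.pop(0) + "/32") if t == "host"
            else IPv4Network((t, tokens.pop(0))))  # ipaddress accepts an IOS wildcard as a host mask

def parse_acl(text):
    aces = []  # (seq, action, proto, src, dst, dport, icmp_type)
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, dst = _net(rest), _net(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        icmp = rest[0] if rest and proto == "icmp" else None
        aces.append((int(seq), action, proto, src, dst, dport, icmp))
    return aces

def evaluate(aces, proto, src, dst, dport=None, icmp=None):
    """First-match lookup as IOS does it; (None, 'deny') is the implicit deny at the end."""
    for seq, action, p, s, d, dp, it in aces:
        if (p in ("ip", proto) and IPv4Address(src) in s and IPv4Address(dst) in d
                and dp in (None, dport) and it in (None, icmp)):
            return seq, action
    return None, "deny"

def check_guest_policy():
    aces = parse_acl(GUEST_ACL_TEXT)
    flows = {  # constructed; 192.168.1.50 is an assumed guest host in the post's 192.168.1.0/24
        "dhcp_relayed":   ("udp",  "192.168.1.50", "10.0.0.100",      67,   None),
        "smb_internal":   ("tcp",  "192.168.1.50", "10.0.0.50",       445,  None),
        "ping_gateway":   ("icmp", "192.168.1.50", "192.168.1.1",     None, "echo"),
        "ospf_from_peer": ("ospf", "192.168.1.3",  "224.0.0.5",       None, None),
        "internet":       ("tcp",  "192.168.1.50", "203.0.113.10",    443,  None),
        "dhcp_broadcast": ("udp",  "0.0.0.0",      "255.255.255.255", 67,   None),
    }
    return {name: evaluate(aces, *f) for name, f in flows.items()}
```

Each result is the (sequence number, action) of the first matching entry, so a flow that unexpectedly lands on line 99 is immediately visible.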

Daniel,

Many thanks for your reply, this is most helpful. I will implement this when next on site. Thanks again.

Phil
