CSS - Restricting traffic between VLANs?

Unanswered Question
Sep 4th, 2007

I have 2 VLANs configured on a CSS11501. I do not want these VLANs to be able to communicate with each other. Right now each VLAN has a connection to an ASA.

It appears that the CSS is routing between the VLANs. I want the traffic to have to traverse the firewall.

Is this possible? Thanks.

acomiskey Tue, 09/04/2007 - 12:14

I tried to write an acl and ended up blocking all traffic through the CSS. I'm not sure why it did that...

circuit VLAN200
  ip address

circuit VLAN201
  ip address

acl 1
  clause 10 deny any destination
  apply circuit-(VLAN201)

The above config blocked all communication to VLAN 200 and VLAN 201 from anywhere. Why would it block traffic to VLAN 200? The ACL isn't even applied there. Would I have to add...

clause 20 permit any any destination any

Is there any good documentation on writing ACLs on the CSS? I haven't found any.

acomiskey Tue, 09/04/2007 - 12:36

Here's what I was looking for...


"When the CSS has ACLs enabled, the box defaults to denying all traffic on all VLANs. In order to allow traffic through the CSS, you must configure an ACL for each VLAN to permit the traffic through the box that you desire. An explicit deny all clause exists at the end of every ACL. VLANs that do not have an ACL applied do not allow any traffic through until you configure an ACL that allows traffic."

hassan_oudeh Tue, 09/04/2007 - 13:39

From my experience with ACLs on the CSS, it's weird.

Once you enable ACLs on the CSS box through the command "acl enable", by default, if there is no ACL defined, it will implicitly deny all traffic for all the VLANs.

So I believe in your case you will need to define 2 ACLs and apply them on each circuit VLAN, and yes, you have to add this clause at the end of each VLAN:

clause 20 permit any any destination any

And it will take some time after you change the ACL before the change takes effect.
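Putting the quoted documentation and the reply above together, here is an added example of the per-circuit ACL layout that keeps VLAN 200 and VLAN 201 from reaching each other through the CSS while leaving all other traffic (including the path to the ASA) permitted. This is not configuration from any poster in this thread; the subnets are made up, and the "ip_address subnet_mask" form of the source and destination arguments is an assumption about the CSS clause syntax that should be checked against the CSS ACL reference before use.

```text
! Added example, not from this thread. Assumed addressing:
!   VLAN200 = 10.1.200.0/24, VLAN201 = 10.1.201.0/24
! Each VLAN's traffic to the other subnet is dropped on the CSS, so the only
! working path between them is the one through the ASA.

! One ACL per circuit: with ACLs enabled, a circuit that has no ACL applied
! passes no traffic at all, and every ACL ends in an implicit deny.
acl 1
  clause 10 deny any 10.1.200.0 255.255.255.0 destination 10.1.201.0 255.255.255.0
  clause 20 permit any any destination any
  apply circuit-(VLAN200)

acl 2
  clause 10 deny any 10.1.201.0 255.255.255.0 destination 10.1.200.0 255.255.255.0
  clause 20 permit any any destination any
  apply circuit-(VLAN201)

! Turn ACL processing on only after both circuits carry a permit clause;
! enabling it earlier reproduces the "everything blocked" result from the
! first reply.
acl enable
```

After enabling, allow the time the reply mentions for the change to become effective, then confirm from a host on VLAN 200 that the VLAN 201 subnet is unreachable directly while its ASA-facing gateway still answers.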
