CSS - Restricting traffic between VLANs ???

Unanswered Question
Sep 4th, 2007

I have 2 vlans configured on a CSS11501. I do not want these vlans to be able to communicate with each other. Right now each vlan has a connection to an ASA.


It appears that the CSS is routing between the vlans. I want the traffic to have to traverse the firewall.


Is this possible? Thanks.

Syed Iftekhar Ahmed Tue, 09/04/2007 - 12:04

I think that the only way to avoid routing between VLANs on a CSS is to use ACLs.


Syed

acomiskey Tue, 09/04/2007 - 12:14

I tried to write an acl and ended up blocking all traffic through the CSS. I'm not sure why it did that...


circuit VLAN200
  ip address 192.168.200.2 255.255.255.0

circuit VLAN201
  ip address 192.168.201.2 255.255.255.0

acl 1
  clause 10 deny any 192.168.200.0 255.255.255.0 destination 192.168.201.0 255.255.255.0
  apply circuit-(VLAN201)


The above config blocked all communication to VLAN 200 and VLAN 201 from anywhere. Why would it block traffic to VLAN 200? The ACL isn't even applied there. Would I have to add...


clause 20 permit any any destination any


Is there any good documentation on writing ACLs on the CSS? I haven't found any.


acomiskey Tue, 09/04/2007 - 12:36

Here's what I was looking for...


http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080093dec.shtml


"When the CSS has ACLs enabled, the box defaults to denying all traffic on all VLANs. In order to allow traffic through the CSS, you must configure an ACL for each VLAN to permit the traffic through the box that you desire. An explicit deny all clause exists at the end of every ACL. VLANs that do not have an ACL applied do not allow any traffic through until you configure an ACL that allows traffic."

hassan_oudeh Tue, 09/04/2007 - 13:39

From my experience with ACLs on the CSS, it's weird.

Once you enable the ACL on the CSS box through the command "acl enable", by default, if there is no ACL defined, it will implicitly deny all the traffic for all the VLANs.


So I believe in your case you will need to define 2 ACLs and apply them on each circuit VLAN, and yes, you have to add this clause at the end of each VLAN:

clause 20 permit any any destination any


And it will take some time after you change the ACL to notice the change take effect.


Hasan
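Putting the thread's advice together, here is an added example configuration (not posted by anyone in the thread) that keeps VLAN200 and VLAN201 from reaching each other through the CSS while still permitting everything else, so the inter-VLAN path has to go via the ASA. It assumes a CSS ACL filters traffic entering the CSS on the circuit it is applied to, so each ACL names its own VLAN's subnet as the source; the clause and ACL numbers are arbitrary.

```text
! Added example, not from the original thread.
! Assumption: an ACL applied to a circuit filters traffic entering the CSS
! on that circuit, so the source subnet is the circuit's own VLAN.
! Define and apply an ACL on every circuit before "acl enable": once ACLs
! are enabled, a circuit without an applied ACL drops all traffic.

acl 1
  ! traffic arriving from VLAN200 must not be routed to VLAN201 by the CSS
  clause 10 deny any 192.168.200.0 255.255.255.0 destination 192.168.201.0 255.255.255.0
  ! explicit permit for everything else; the implicit deny-all sits after it
  clause 20 permit any any destination any
  apply circuit-(VLAN200)

acl 2
  ! the mirror rule for traffic arriving from VLAN201
  clause 10 deny any 192.168.201.0 255.255.255.0 destination 192.168.200.0 255.255.255.0
  clause 20 permit any any destination any
  apply circuit-(VLAN201)

! turn ACL processing on only after both circuits have an ACL applied
acl enable
```

After enabling, verify from a host in each VLAN that the other VLAN's subnet is unreachable via the CSS while all other destinations still work, allowing for the delay before changes take effect that Hasan mentions.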
