09-04-2007 08:50 AM
I have 2 vlans configured on a CSS11501. I do not want these vlans to be able to communicate with each other. Right now each vlan has a connection to an ASA.
It appears that the CSS is routing between the vlans. I want the traffic to have to traverse the firewall.
Is this possible? Thanks.
09-04-2007 12:04 PM
I think that the only way to avoid routing between VLANs on a CSS is to use ACLs.
Syed
09-04-2007 12:14 PM
I tried to write an acl and ended up blocking all traffic through the CSS. I'm not sure why it did that...
circuit VLAN200
ip address 192.168.200.2 255.255.255.0
circuit VLAN201
ip address 192.168.201.2 255.255.255.0
acl 1
clause 10 deny any 192.168.200.0 255.255.255.0 destination 192.168.201.0 255.255.255.0
apply circuit-(VLAN201)
The above config blocked all communication to VLAN 200 and VLAN 201 from anywhere. Why would it block traffic to VLAN 200? The ACL isn't even applied there. Would I have to add...
clause 20 permit any any destination any
Is there any good documentation on writing ACLs on the CSS? I haven't found any.
09-04-2007 12:36 PM
Here's what I was looking for...
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080093dec.shtml
"When the CSS has ACLs enabled, the box defaults to denying all traffic on all VLANs. In order to allow traffic through the CSS, you must configure an ACL for each VLAN to permit the traffic through the box that you desire. An explicit deny all clause exists at the end of every ACL. VLANs that do not have an ACL applied do not allow any traffic through until you configure an ACL that allows traffic."
09-04-2007 01:39 PM
From my experience with ACLs on the CSS, it's weird.
Once you enable ACLs on the CSS box through the command "acl enable", by default, and if there is no ACL defined, it will implicitly deny all the traffic for all the VLANs.
So I believe in your case you will need to define 2 ACLs and apply them on each circuit VLAN, and yes, you have to add this clause at the end of each VLAN's ACL:
clause 20 permit any any destination any
And it will take some time after you change the ACL to notice the change take effect.
Hasan
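The following is an added example, not part of the thread and not Cisco code: a small Python model of the CSS ACL evaluation rules quoted from the tech note (ACLs enabled means implicit deny on every VLAN, an explicit deny-all at the end of each ACL, first matching clause wins). It builds the original single-ACL config from the thread and the two-ACL config Hasan describes, and lets you check what each one does to a flow. Assumptions: an ACL applied to a circuit filters traffic entering the CSS on that VLAN, the protocol field of a clause is ignored (every clause is treated as "any"), and the addresses 10.0.0.1 and the .10 hosts are constructed sample values.

```python
# Toy model of CSS ACL semantics as described in this thread (constructed
# example, not Cisco code). Assumed: an ACL applied to a circuit filters
# traffic entering the CSS on that VLAN; clauses are checked in number order
# and the first match decides; protocol is not modelled.
import ipaddress
from dataclasses import dataclass, field


def _in_spec(spec, ip):
    """spec is 'any' or 'network mask' exactly as written in a CSS clause."""
    if spec == "any":
        return True
    net, mask = spec.split()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


@dataclass
class Clause:
    number: int
    action: str          # "permit" or "deny"
    source: str          # "any" or "net mask"
    destination: str     # "any" or "net mask"

    def matches(self, src, dst):
        return _in_spec(self.source, src) and _in_spec(self.destination, dst)


@dataclass
class Acl:
    number: int
    clauses: list = field(default_factory=list)
    circuits: list = field(default_factory=list)   # names given to 'apply circuit-(NAME)'


class Css:
    def __init__(self):
        self.acls = []
        self.acl_enabled = False

    def decide(self, ingress_circuit, src, dst):
        """Return 'permit' or 'deny' for a packet entering on ingress_circuit."""
        if not self.acl_enabled:
            return "permit"           # no ACLs: the CSS routes between circuits (the original complaint)
        acl = next((a for a in self.acls if ingress_circuit in a.circuits), None)
        if acl is None:
            return "deny"             # VLAN without an ACL passes nothing once ACLs are enabled
        for clause in sorted(acl.clauses, key=lambda c: c.number):
            if clause.matches(src, dst):
                return clause.action
        return "deny"                 # explicit deny-all at the end of every ACL


NET200 = "192.168.200.0 255.255.255.0"
NET201 = "192.168.201.0 255.255.255.0"


def original_config():
    """The single ACL from the thread: deny 200->201, applied only to VLAN201."""
    css = Css()
    css.acls.append(Acl(1, [Clause(10, "deny", NET200, NET201)], ["VLAN201"]))
    css.acl_enabled = True
    return css


def corrected_config():
    """One ACL per circuit: block the cross-VLAN path, then permit everything else."""
    css = Css()
    css.acls.append(Acl(1, [Clause(10, "deny", NET200, NET201),
                            Clause(20, "permit", "any", "any")], ["VLAN200"]))
    css.acls.append(Acl(2, [Clause(10, "deny", NET201, NET200),
                            Clause(20, "permit", "any", "any")], ["VLAN201"]))
    css.acl_enabled = True
    return css


if __name__ == "__main__":
    # Constructed sample flows: host -> beyond the ASA, the ASA's reply, and cross-VLAN.
    flows = [("VLAN200", "192.168.200.10", "10.0.0.1"),
             ("VLAN200", "10.0.0.1", "192.168.200.10"),
             ("VLAN201", "192.168.201.10", "10.0.0.1"),
             ("VLAN200", "192.168.200.10", "192.168.201.10"),
             ("VLAN201", "192.168.201.10", "192.168.200.10")]
    for label, css in (("original", original_config()), ("corrected", corrected_config())):
        for circuit, src, dst in flows:
            print(f"{label:9} {circuit} {src:>15} -> {dst:<15} {css.decide(circuit, src, dst)}")
```

Running it shows why the first attempt blocked everything: with ACLs enabled, VLAN200 has no ACL at all, and on VLAN201 the only clause matches a 200-to-201 source, which never enters on that circuit, so every packet falls through to the deny-all. With one ACL per circuit and a `permit any any destination any` at the end, only the direct cross-VLAN flows are dropped and everything else still reaches the ASA.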