CSS - Restricting traffic between Vlans ???

acomiskey
Level 10

I have 2 vlans configured on a CSS11501. I do not want these vlans to be able to communicate with each other. Right now each vlan has a connection to an ASA.

It appears that the CSS is routing between the vlans. I want the traffic to have to traverse the firewall.

Is this possible? Thanks.

4 Replies

I think that the only way to avoid routing between VLANs on a CSS is to use ACLs.

Syed

I tried to write an ACL and ended up blocking all traffic through the CSS. I'm not sure why it did that...

circuit VLAN200
  ip address 192.168.200.2 255.255.255.0

circuit VLAN201
  ip address 192.168.201.2 255.255.255.0

acl 1
  clause 10 deny any 192.168.200.0 255.255.255.0 destination 192.168.201.0 255.255.255.0
  apply circuit-(VLAN201)

The above config blocked all communication to VLAN 200 and VLAN 201 from anywhere. Why would it block traffic to VLAN 200? The ACL isn't even applied there. Would I have to add...

clause 20 permit any any destination any

Is there any good documentation on writing ACLs on the CSS? I haven't found any.

Here's what I was looking for...

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080093dec.shtml

"When the CSS has ACLs enabled, the box defaults to denying all traffic on all VLANs. In order to allow traffic through the CSS, you must configure an ACL for each VLAN to permit the traffic through the box that you desire. An explicit deny all clause exists at the end of every ACL. VLANs that do not have an ACL applied do not allow any traffic through until you configure an ACL that allows traffic."

From my experience with ACLs on the CSS, it's weird.

Once you enable ACLs on the CSS box through the command "acl enable", by default, and if there is no ACL defined, it will implicitly deny all the traffic for all the VLANs.

So I believe in your case you will need to define 2 ACLs and apply them on each circuit VLAN, and yes, you have to add this clause at the end of each VLAN's ACL:

clause 20 permit any any destination any

And it will take some time after you change the ACL for the change to take effect.

Hasan
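A full configuration that assembles the advice in this thread, added here as an example and not taken from any of the posters. It assumes the ACL numbers 1 and 2, the circuit names and addresses from the original post, and that a CSS ACL filters traffic arriving on the circuit it is applied to, so each VLAN's ACL denies traffic from its own subnet toward the other VLAN and then permits everything else.

```text
! Added example, not the poster's configuration. Assumes ACL numbers 1 and 2
! and that each ACL filters traffic entering the CSS on its circuit.
! Every ACL ends with an implicit deny, so the explicit permit in clause 20
! is what keeps the rest of the VLAN's traffic flowing through the box.

acl 1
  clause 10 deny any 192.168.200.0 255.255.255.0 destination 192.168.201.0 255.255.255.0
  clause 20 permit any any destination any
  apply circuit-(VLAN200)

acl 2
  clause 10 deny any 192.168.201.0 255.255.255.0 destination 192.168.200.0 255.255.255.0
  clause 20 permit any any destination any
  apply circuit-(VLAN201)

! Enabling ACLs makes every circuit that has no ACL drop all traffic,
! so enable them last, once every circuit on the box has an ACL applied.
acl enable
```

The deny clauses only make the CSS drop packets sent between the two VLANs; for that traffic to traverse the ASA instead, the hosts on each VLAN must route the other subnet via the ASA rather than via the CSS, which the thread does not cover.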
