VLAN Security

dohogue · ‎09-12-2008

I currently have a 2960 witch with 2 VLANs on it (VLAN 99 and VLAN 102). The switches are connected to two 4507s via trunks.

I want the host in VLAN 99 to be able to communicate with only limited host in VLAN 102 on the 2 4507s.

I have included a drawing.

The only way I can figure to do that is by putting access-list on all the intefaces in the 4507, of course this makes no since.

Any ideas would be appreciated.

Thanks

merryllem · ‎09-12-2008

The only place you would need to put an ACL is on vlan interface of VLAN 90.

ip access-list ext hello

permit ip h.h.h.h n.n.n.n h.h.h.h n.n.n.n

Int vlan 90

ip access-group hello in

dohogue · ‎09-12-2008

Are you talking about putting an ACL on the int VLAN 99 on each of the 4507s?

I thought of that but felt that would only control traffic going to that particular int on either of the 2 4507s. It would not control traffic on any other interface.

I dont think the 4507 supports VACLs and isn't that what you are speaking of?

Marwan ALshawi · ‎09-12-2008

first of all VACL filter trafic withing the same valn while ur case between two diffrent vlans

u can achived as mentioned by the prevouse post through ACL and apply it to vlan 99

for example lets say valn 99 is 10.99.1.0/24

and vlan 2 is 10.2.1.0/24

u want hosts in vlan 99 to communicate with only two hosts for eaxmple 10.2.1.1 and 10.2.1.2

access-list 100 permit ip 10.99.1.0 0.0.0.255 host 10.2.1.1

access-list 100 permit ip 10.99.1.0 0.0.0.255 host 10.2.1.2

interface vlan 99

ip access-group 100 in

by the way those permited hosts in vlan 2 will only be able to communicate with hosts in vlan 99 because this ACL will filter the returen path for communication from 2 to 99 as well

if helpful Rate