Preventing access to VLANs

Jun 2nd, 2009

Hi, here is a task I have to accomplish for one of my clients:

VLAN 704 10.23.4.0/24,

VLAN 705 10.23.5.0/24,

VLAN 706 10.23.6.0/24,

I need to separate these 3 environments so they are not accessible from each other.


VLAN704 has no access to VLAN705 and VLAN706

VLAN705 has no access to VLAN704 and VLAN706

VLAN706 has no access to VLAN704 and VLAN705.


The VLANs are on a 4500 L3 switch.


There is an existing ACL that could be used:

ip access-list extended ACL-Block
permit ip 192.168.11.0 0.0.0.255 host 10.16.23.51
deny ip host 192.168.11.104 10.16.0.0 0.3.255.255
deny ip 10.16.0.0 0.3.255.255 host 192.168.11.104

Is it good enough to accommodate the existing ACL with the lines:

deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255
permit ip any any


or something else should be done?

Thanks


Jon Marshall Tue, 06/02/2009 - 15:07
Dragan


You could do the following:

access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255
access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.6.0 0.0.0.255
access-list 101 permit ip 10.23.4.0 0.0.0.255 any

int vlan 704
ip access-group 101 in

access-list 102 deny ip 10.23.5.0 0.0.0.255 10.23.4.0 0.0.0.255
access-list 102 deny ip 10.23.5.0 0.0.0.255 10.23.6.0 0.0.0.255
access-list 102 permit ip 10.23.5.0 0.0.0.255 any

int vlan 705
ip access-group 102 in

access-list 103 deny ip 10.23.6.0 0.0.0.255 10.23.4.0 0.0.0.255
access-list 103 deny ip 10.23.6.0 0.0.0.255 10.23.5.0 0.0.0.255
access-list 103 permit ip 10.23.6.0 0.0.0.255 any

int vlan 706
ip access-group 103 in



Alternatively you could look at vrf-lite which provides complete separation on the control plane but this may be more complex than you need.


Jon
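To see why the single extra deny line from the question does not achieve the requested separation while the per-SVI ACLs above do, here is a small IOS-style ACL evaluator added to this thread (it is not code from the thread or from Cisco). It handles only `permit`/`deny ip` entries with `any`, `host` and wildcard-mask operands, applies first-match semantics with the implicit deny, and uses host .10 of each subnet as a representative source and destination (an assumption for the check).

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 covers a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line: str) -> tuple[str, tuple[str, str], tuple[str, str]]:
    """Parse 'permit|deny ip SRC DST'; SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = line.split()
    if tok[0] == "access-list":          # numbered form: skip 'access-list N'
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    def take(t):
        if t[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), t[1:]
        if t[0] == "host":
            return (t[1], "0.0.0.0"), t[2:]
        return (t[0], t[1]), t[2:]
    src, rest = take(rest)
    dst, _ = take(rest)
    return action, src, dst

def evaluate(acl: list[str], src: str, dst: str) -> str:
    """First matching ACE wins; no match hits the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def isolation_gaps(acl: list[str], subnets: list[str]) -> list[tuple[str, str]]:
    """Pairs of distinct subnets the ACL still permits (host .10 of each, an assumption)."""
    host = lambda net: str(ipaddress.ip_network(net)[10])
    return [(s, d) for s in subnets for d in subnets
            if s != d and evaluate(acl, host(s), host(d)) == "permit"]

VLANS = ["10.23.4.0/24", "10.23.5.0/24", "10.23.6.0/24"]
# The question's idea: append one deny to the existing ACL-Block, then permit any any.
PROPOSED = ["permit ip 192.168.11.0 0.0.0.255 host 10.16.23.51",
            "deny ip host 192.168.11.104 10.16.0.0 0.3.255.255",
            "deny ip 10.16.0.0 0.3.255.255 host 192.168.11.104",
            "deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255",
            "permit ip any any"]
# Jon's ACL for VLAN 704, applied inbound so only 10.23.4.0/24 sources reach it.
ACL_101 = ["access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255",
           "access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.6.0 0.0.0.255",
           "access-list 101 permit ip 10.23.4.0 0.0.0.255 any"]
```

Running isolation_gaps(PROPOSED, VLANS) lists five of the six subnet pairs as still permitted, because the proposed deny covers only 704 to 705; the same check on ACL_101 reports no permitted pair.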

Jon Marshall Tue, 06/02/2009 - 15:17
Andre


Private vlans are typically used when you have the same subnet but you want to limit connectivity between devices within that subnet.


But Dragan's example has 3 separate vlans using 3 separate IP subnets so I'm not sure how private vlans would be applicable here.


Jon

mahmoodmkl Tue, 06/02/2009 - 21:32

Hi


In addition to the above posts, one simple thing I can suggest is not to create SVIs on the L3 switch, which will disable the routing among them.


Thanks

Mahmood

Dragan Milojevic Thu, 06/04/2009 - 07:14

Thank you gents.

This ACL will be live for two months only; after that the subnets will be removed. SVIs are a must on this switch since the switch is used for other subnets/SVIs. I think the ACL will work as a temp/quick solution.

Thank you all for the responses.
