Preventing access to VLANs

Hi, here is a task I have to accomplish for one of my clients:

VLAN 704 10.23.4.0/24,

VLAN 705 10.23.5.0/24,

VLAN 706 10.23.6.0/24,

I need to separate these 3 environments so they are not accessible from each other.

VLAN704 has no access to VLAN705 and VLAN706

VLAN705 has no access to VLAN704 and VLAN706

VLAN706 has no access to VLAN704 and VLAN705.

The VLANs are on a 4500 L3 switch.

There is an existing ACL that could be used:

ip access-list extended ACL-Block

permit ip 192.168.11.0 0.0.0.255 host 10.16.23.51

deny ip host 192.168.11.104 10.16.0.0 0.3.255.255

deny ip 10.16.0.0 0.3.255.255 host 192.168.11.104

Is it good enough to accommodate the existing ACL with the lines:

deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255

permit ip any any

or something else should be done?

Thanks

6 Replies

Jon Marshall
Hall of Fame

Dragan

You could do the following

access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255

access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.6.0 0.0.0.255

access-list 101 permit ip 10.23.4.0 0.0.0.255 any

int vlan 704

ip access-group 101 in

access-list 102 deny ip 10.23.5.0 0.0.0.255 10.23.4.0 0.0.0.255

access-list 102 deny ip 10.23.5.0 0.0.0.255 10.23.6.0 0.0.0.255

access-list 102 permit ip 10.23.5.0 0.0.0.255 any

int vlan 705

ip access-group 102 in

access-list 103 deny ip 10.23.6.0 0.0.0.255 10.23.4.0 0.0.0.255

access-list 103 deny ip 10.23.6.0 0.0.0.255 10.23.5.0 0.0.0.255

access-list 103 permit ip 10.23.6.0 0.0.0.255 any

int vlan 706

ip access-group 103 in

Alternatively you could look at vrf-lite which provides complete separation on the control plane but this may be more complex than you need.

Jon
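To check the two designs in this thread (the single deny line proposed in the question versus Jon's per-SVI ACLs) without touching a switch, here is an added Python simulator of IOS extended-ACL first-match evaluation with wildcard masks; it is not code from the thread or from Cisco, and it assumes each ACL is applied inbound on its VLAN's SVI and that one sample host per subnet is representative.

```python
import ipaddress
def _parse_addr(tokens):
    # One IOS address spec: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'.
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse '[access-list N] permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                 # drop the 'access-list 101' prefix
    src, rest = _parse_addr(tokens[2:])     # tokens[1] is the protocol, 'ip' throughout
    dst, _ = _parse_addr(rest)
    return tokens[0], src, dst

def wildcard_match(addr, spec):
    """IOS wildcard semantics: a set bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a & ~w) == (n & ~w)

def evaluate(acl, src, dst):
    """First-match evaluation, ending in the implicit 'deny ip any any'."""
    for action, s, d in map(parse_ace, acl):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"
# Constructed input: the three subnets from the question. A policy maps VLAN -> ACL
# applied inbound on that VLAN's SVI; one sample host per subnet is tested pairwise.
SUBNETS = {704: "10.23.4.0/24", 705: "10.23.5.0/24", 706: "10.23.6.0/24"}
def isolation_gaps(policy):
    """Return the (src_vlan, dst_vlan) pairs the policy still lets through."""
    host = lambda cidr: str(ipaddress.ip_network(cidr)[10])
    return [(sv, dv) for sv, sn in SUBNETS.items() for dv, dn in SUBNETS.items()
            if sv != dv and evaluate(policy[sv], host(sn), host(dn)) == "permit"]
# The question's proposal: the existing ACL-Block plus one deny line, on all three SVIs.
ACL_BLOCK = ["permit ip 192.168.11.0 0.0.0.255 host 10.16.23.51",
             "deny ip host 192.168.11.104 10.16.0.0 0.3.255.255",
             "deny ip 10.16.0.0 0.3.255.255 host 192.168.11.104",
             "deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255", "permit ip any any"]
PROPOSED = {v: ACL_BLOCK for v in SUBNETS}
def per_vlan_acl(vlan):
    """Jon's pattern for one SVI: deny own subnet to each other VLAN, then permit it to any."""
    wc = lambda c: "{0.network_address} {0.hostmask}".format(ipaddress.ip_network(c))
    own = wc(SUBNETS[vlan])
    denies = [f"deny ip {own} {wc(s)}" for v, s in SUBNETS.items() if v != vlan]
    return denies + [f"permit ip {own} any"]
JON = {v: per_vlan_acl(v) for v in SUBNETS}
```

With the question's single deny line only the 704 to 705 direction is blocked; the other five directions fall through to `permit ip any any`, whereas the per-SVI policy leaves no gap.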

Thank you kindly, I will check it and let you know.

Regards

andrels
Level 1

How about if we use private-VLANS?

I did that setup a long time ago and it worked out pretty fine.

You just need to set up correctly which are the isolated ports and which are the communities, etc.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swpvlan.html

I know that this deployment would be much more difficult compared with an ACL, but in my opinion it would work pretty fine.

Andre

Private vlans are typically used when you have the same subnet but you want to limit connectivity between devices within that subnet.

But Dragan's example has 3 separate VLANs using 3 separate IP subnets, so I'm not sure how private VLANs would be applicable here.

Jon

mahmoodmkl
Level 7

Hi

In addition to the above posts, one simple thing I can suggest is not to create SVIs on the L3 switch, which will disable the routing among them.

Thanks

Mahmood

Thank you gents.

This ACL will be live for two months only; after that the subnets will be removed. SVIs are a must on this switch, since the switch is used for other subnets/SVIs. I think the ACL will work as a temp/quick solution.

Thank you all for the responses.
