3560 Vlan ACL issue

cweiner
Level 1

Hello

I have some Catalyst 3560s that have about 10 VLANs set up on them. I want to isolate a few VLANs from being able to access certain VLANs, but only in one direction. For example:

Vlan 100 is 10.10.100.0/24

Vlan 200 is 192.168.100.0/24

I would like a host in Vlan 100 to be able to initiate a session with a host in Vlan 200 but at the same time, I don't want a host in Vlan 200 to be able to initialize a session with a host in Vlan 100. Kinda like a PIX/ASA DMZ ACL. Is this possible? When I try putting an ACL on the Vlan interface like below, it does not work. This is because once a host in vlan 100 (10.10.100.x) initiates a session with a host in vlan 200 (192.168.100.x), the second ACL blocks the return traffic. Any suggestions?

access-list 115 permit ip 10.10.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
!
interface Vlan200
 ip address 192.168.100.1 255.255.255.0
 ip access-group 115 in

Thanks

Colin


Jon Marshall
Hall of Fame

Colin

What you need for this sort of thing is reflexive access-lists which allow connections to be initiated from one side and the return traffic back but not for connections to be initiated the other way.

Unfortunately as far as I know the 3560 does not support reflexive access-lists. So the best you can do is to use the "established" keyword which only works for TCP connections -

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swacl.html#wp1285702

Jon
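
As an added illustration of the "established" approach from the reply above (this is not code from the thread or from Cisco), the following Python models how IOS walks a numbered extended ACL: a constructed rewrite of ACL 115 is parsed, wildcard masks are applied, and an entry carrying "established" is only considered a match for TCP segments with the ACK or RST bit set. The ACL text, the Packet type and the sample addresses are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed replacement for ACL 115, applied inbound on Vlan200 (traffic from
# VLAN 200 hosts). "established" matches only TCP segments with ACK or RST set,
# so replies to sessions opened from VLAN 100 pass while new SYNs are denied.
ACL_115 = """
access-list 115 permit tcp 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255 established
access-list 115 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
"""

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}

def _matches_net(ip, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care" (inverse of a subnet mask)
    wc = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & ~wc) == (int(ipaddress.IPv4Address(base)) & ~wc)

def _parse_addr(tokens):
    # Consume one ACE address field: "any" or "<base> <wildcard>"
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    # Numbered extended ACL syntax: access-list <n> <action> <proto> <src> <dst> [established]
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        entries.append((action, proto, src, dst, "established" in rest))
    return entries

def evaluate(acl, pkt):
    # First matching entry wins, exactly as IOS walks an ACL top to bottom
    for action, proto, src, dst, established in acl:
        proto_ok = proto == "ip" or proto == pkt.proto
        addr_ok = _matches_net(pkt.src, *src) and _matches_net(pkt.dst, *dst)
        state_ok = not established or bool({"ACK", "RST"} & pkt.flags)
        if proto_ok and addr_ok and state_ok:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL
```

Running a UDP or ICMP reply from VLAN 200 through evaluate() returns "deny", which is the limitation the reply points out: "established" gives no help for non-TCP sessions started from VLAN 100.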
