InterVLAN access control

Intelligroup_2
Level 1

I have a couple of VLANs on my Cisco 4507.

These are the VLANs:

10.10.1.X/24 -- Management VLAN

10.10.2.X/24 -- User VLAN

10.10.3.X/24 -- Server VLAN

I don’t want 10.10.2.x and 10.10.3.x to access the Management network.

But management network (10.10.1.x) should be able to access these two networks.

I have tried access lists but it doesn’t work. If I stop access, it stops both ways. But I want the Management network to be able to access the other networks.

Kindly suggest.

Thanks

8 Replies

Ganesh Hariharan
VIP Alumni

Hi,

Check out the following link for VLAN ACLs; hope this will help you resolve your problem:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/secure.html#wp1069375

Regards

Ganesh.H

Intelligroup_2
Level 1

Can you kindly provide the exact statements to achieve this?

Which way do I have to implement the access list (in / out), and which VLAN does it have to be put on?

Thanks.

A VLAN map works like a route map. To configure VLAN maps to control IP traffic, first configure the VLAN map and then assign a sequence number to the map. VLAN maps are executed from the lowest instance to the highest. Use the global configuration command vlan access-map map_name sequence_number.

It generally works in direction when applied to a VLAN.

Hope this solves your query and helps to restrict traffic in your VLAN.

Regards

Ganesh.H

sourabh1000_2
Level 1

Hi,

As per your requirement, you can use a PVLAN configuration where you keep your management VLAN as the primary VLAN and the server and user VLANs are isolated VLANs.

Hope you get some clues from this.

Thanks and Regards,

sourabh

I have tried VLAN maps... still doesn’t work.

Extended IP access list test-acl
     10 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255

vlan access-map test-map 10
  action drop
  match ip address test-acl
vlan access-map test-map 20
  action forward

I am not able to ping the server VLAN from the user VLAN. Able to ping other subnets.

But I am also not able to ping the user VLAN from the management VLAN, which still doesn’t solve my problem.

Regards,

venkat

Try this configuration as per your setup:

vlan access-map allow_ip 10
  match ip address deny_to_mangement_lan
  action drop
vlan access-map allow_ip 20
  match ip address mangement_lan_to_all
  action forward
exit

ip access-list extended deny_to_mangement_lan
  permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
  permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
exit

ip access-list extended mangement_lan_to_all
  permit ip 10.10.1.0 0.0.0.255 any
exit

vlan filter allow_ip vlan-list "management vlan number"

Hope this helps you out

Regards

Ganesh.H

Is it to be applied on the Mgmt VLAN?

If so, I have to wait till the weekend to be able to test this, as it will impact production.

Thanks

Yes, you need to apply it on the Management VLAN only. Try the configuration and share your feedback by the end of the week.

Regards

Ganesh.H
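The thread's two VLAN map designs (venkat's test-map and Ganesh's allow_ip) can be checked before touching production by modelling how a VACL evaluates packets. The following is an added example written for this thread, not Cisco code and not configuration posted by anyone above: it reproduces the IOS rules the replies describe (sequences tried lowest to highest, a sequence matches when its ACL permits the packet, implicit drop when nothing matches, every packet checked on its own with no session state), using CIDR prefixes in place of IOS wildcard masks. It then traces a management-initiated ping and TCP session through each map applied on the management VLAN, which shows why the reply from the user or server VLAN is dropped. The last map is a hypothetical variant, not from the thread, that uses the extended ACL `established` keyword (matches TCP segments with ACK or RST set) so TCP replies fall through to a forward-all sequence; it does nothing for ICMP, which a stateless VACL cannot pair with a request. Host addresses and the map name ESTABLISHED_MAP are constructed for the example.

```python
"""Model of Cisco VACL (vlan access-map) evaluation for the thread's design.

Constructed example: IOS semantics (first match wins, implicit deny/drop,
stateless per-packet checks) with CIDR prefixes instead of wildcard masks.
Map and ACL names for TEST_MAP and ALLOW_IP come from the thread; the
"established" variant (ESTABLISHED_MAP) is a hypothetical addition.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MGMT = "10.10.1.0/24"
USERS = "10.10.2.0/24"
SERVERS = "10.10.3.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "icmp" or "tcp"
    ack: bool = False   # TCP ACK/RST set: what the IOS "established" keyword tests


@dataclass(frozen=True)
class Ace:
    """One entry of an extended IP access list."""
    permit: bool
    src: str
    dst: str
    proto: str = "ip"          # "ip" matches any protocol
    established: bool = False  # TCP only: matches replies of an existing session

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """IOS ACL lookup: the first matching entry decides; implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.permit
    return False


@dataclass
class MapSeq:
    """One 'vlan access-map NAME SEQ' clause."""
    action: str                      # "forward" or "drop"
    acl: Optional[List[Ace]] = None  # None: no match clause, so it matches everything


def vacl_action(vmap: List[MapSeq], p: Packet) -> str:
    """Sequences are tried lowest to highest. A sequence matches when its ACL
    permits the packet; ACL deny entries just fall through to the next
    sequence. If no sequence matches, the VACL drops the packet."""
    for seq in vmap:
        if seq.acl is None or acl_permits(seq.acl, p):
            return seq.action
    return "drop"


def filter_vlan(vlan: str, vmap: List[MapSeq], p: Packet) -> str:
    """A VACL applied with 'vlan filter' only sees packets bridged within or
    routed into/out of that VLAN; other traffic is never evaluated by it."""
    net = ip_network(vlan)
    if ip_address(p.src) not in net and ip_address(p.dst) not in net:
        return "not evaluated"
    return vacl_action(vmap, p)


# venkat's posted configuration: VACL test-map with ACL test-acl
TEST_ACL = [Ace(True, USERS, MGMT)]
TEST_MAP = [MapSeq("drop", TEST_ACL), MapSeq("forward")]

# Ganesh's proposed configuration: VACL allow_ip (ACL names as posted)
DENY_TO_MGMT = [Ace(True, USERS, MGMT), Ace(True, SERVERS, MGMT)]
MGMT_TO_ALL = [Ace(True, MGMT, ANY)]
ALLOW_IP = [MapSeq("drop", DENY_TO_MGMT), MapSeq("forward", MGMT_TO_ALL)]

# Hypothetical variant (not from the thread): ACL deny entries with
# 'established' make TCP replies fall through to the forward-all sequence,
# while anything else bound for the management VLAN still hits the drop.
DENY_NEW_TO_MGMT = [
    Ace(False, USERS, MGMT, "tcp", established=True),
    Ace(False, SERVERS, MGMT, "tcp", established=True),
    Ace(True, USERS, MGMT),
    Ace(True, SERVERS, MGMT),
]
ESTABLISHED_MAP = [MapSeq("drop", DENY_NEW_TO_MGMT), MapSeq("forward")]


def ping_from_mgmt(vmap: List[MapSeq], target: str):
    """Echo request from a management host and its reply, both checked by the
    VACL on the management VLAN. Returns (request_action, reply_action)."""
    req = Packet("10.10.1.10", target, "icmp")
    rep = Packet(target, "10.10.1.10", "icmp")
    return filter_vlan(MGMT, vmap, req), filter_vlan(MGMT, vmap, rep)


def tcp_from_mgmt(vmap: List[MapSeq], target: str):
    """SYN from a management host and the SYN/ACK coming back. Returns (syn, synack)."""
    syn = Packet("10.10.1.10", target, "tcp")
    synack = Packet(target, "10.10.1.10", "tcp", ack=True)
    return filter_vlan(MGMT, vmap, syn), filter_vlan(MGMT, vmap, synack)


if __name__ == "__main__":
    for name, vmap in [("test-map", TEST_MAP), ("allow_ip", ALLOW_IP),
                       ("established variant", ESTABLISHED_MAP)]:
        print(name)
        print("  mgmt -> user ping (request, reply):", ping_from_mgmt(vmap, "10.10.2.20"))
        print("  mgmt -> server tcp (syn, syn-ack):", tcp_from_mgmt(vmap, "10.10.3.30"))
        print("  user -> mgmt tcp syn:",
              filter_vlan(MGMT, vmap, Packet("10.10.2.20", "10.10.1.10", "tcp")))
```

Running it shows the symptom reported above for both posted maps: the request leaving the management VLAN is forwarded, but the reply entering it from 10.10.2.0/24 or 10.10.3.0/24 matches the drop sequence, because a VACL sees each packet in isolation. The established variant recovers TCP sessions initiated from management while still dropping new TCP connections toward it; ICMP replies remain dropped, so pings from management will still fail unless ICMP is exempted or a stateful filter is used instead.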
