Restrict access between VLAN?

Unanswered Question
Apr 17th, 2010

Hello!


Is there any possibility to restrict access between several VLANs? I have five to ten VLANs in use and no way to restrict traffic between them with SA520 firewall rules. If I uncheck "InterVLAN routing enable", this particular VLAN will be unreachable from all others or vice versa, so the available choice is to see all or nothing. Nice firewall.


My firmware is 1.1.42.

biraja Sat, 04/17/2010 - 14:35

Hi,


As mentioned in the admin guide, SA500 supports firewall rules from LAN to WAN, LAN to DMZ and DMZ to WAN.

I need to check for the possibility of firewall rules between VLANs in future releases.

Can you give me more insight on how an inter-VLAN firewall affects the business?


Thanks and Regards,

Biraja

Kuminauha Sun, 04/18/2010 - 01:34

Hi,


Thanks for your fast reply. In my own business I need to configure VLANs with IP subnets, because I usually simulate and test my customers' networks before implementing them with real VLANs in use. Also visitors, servers, WLANs, intranet, www servers and switches/routers need to have different VLANs, but some access between them is needed. Just no access at all or full IP access is not an option. And also the basic reasons why VLANs are a good thing: security, limiting broadcasts, IP/VLAN subnetting etc. And why use VLANs if there is no need to restrict access between them in a private network?


In my case, if SA520 will not be capable of restricting access between VLANs I have to buy yet another device for doing that. Not a very cost-effective way, and it will add one more single-point-of-failure device to my network. If SA520 could do that, it would be just the right device to have two of them, one in use and one standby for high availability.


I believed that of course a device with support for 16 VLANs brings IP subnetting per VLAN with full firewall possibilities to use, allow/deny access between them and route them freely. In my opinion, 802.1q switches and a firewall/router is the most effective way to build a network for small and medium sized business with great possibilities to scale and change it.


Let me know if there is going to be a future release with this feature. Otherwise I have to find another device. Thanks!


Regards, Matti



biraja Mon, 04/19/2010 - 17:01

Hi Matti,


This is definitely an important feature to have on SA500.

Will follow up on this and get back to you with more about the possibility and the timeline of the availability.


Thanks,

Biraja

Kuminauha Tue, 04/20/2010 - 02:33

Hi,


Actually, the whole idea of a firewall is to control L3/L4 traffic between IP subnets with or without VLANs. And if SA520 is called a firewall, then there should be this feature, am I right?


Regards, Matti



biraja Tue, 04/20/2010 - 09:56

Hi Matti,


Common use-cases are WAN<->DMZ, WAN<->LAN, LAN<->DMZ, so SA500 supports only those so far.

I've proposed to the Marketing and Engineering team to support firewall between VLANs on SA500.

Will get back to you with more info shortly.


Thanks,

Biraja

Kuminauha Thu, 04/22/2010 - 09:27

Hi,


I just got a Sonicwall offer and this is what they say:

The VLANs will be seen as "ordinary" interfaces by the SNWL so routing and firewall rules between them will work. E.g. model NSA 240 is for 10 VLANs.



Regards, Matti

rshao Fri, 04/23/2010 - 00:10

If an ACL is needed for controlling inter-VLAN traffic, the other options you may consider are Cisco 800 series routers or ASA5505.

Both support ACLs on VLAN interfaces. SA500 today doesn't support ACLs on VLANs. We'll consider the suggestions in our future development plan. Please work with your sales representative for product updates.

It sounds like you are doing quite a lot of design with switching networks. Here are some perspectives about SA500 LAN switching ports in case you find them useful.

The LAN ports of SA500 today are more optimized for speed and interconnecting to switching networks.

Traffic flowing between those ports can be at GE speed. So if it's possible to design new networks to avoid inter-VLAN traffic, the box can provide quite good performance for intranetworking, such as client-server apps and data backup usage.

Also, the LAN ports are all capable of trunking. So if you have 5 VLANs defined in your switch networks, you don't need to use 5 dedicated ports, one for each of the 5 VLANs, to connect to a switch. This can save you some ports for redundancy design or let you scale to support more VLANs as your customer's business grows.


Hopefully this helps.


Cheers,

Richard
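For readers who take Richard's suggestion above, here is what "ACL on VLAN interfaces" looks like on a Cisco IOS router with switch ports (such as the 800 series named in this thread). This is an added example written for this thread, not configuration from the SA500 or from any of the posters; the VLAN numbers, subnets and the server address 192.168.10.5 are constructed for the example, and the ASA uses a different syntax (access-list/access-group bound to named interfaces). It implements the policy Matti asked for: visitors may reach one intranet web server over HTTPS, nothing else in the server VLAN, while both VLANs keep their other connectivity.

```cisco
! Assumed addressing (constructed for this example):
!   VLAN 10 = servers   192.168.10.0/24, router SVI 192.168.10.1
!   VLAN 20 = visitors  192.168.20.0/24, router SVI 192.168.20.1
!
! Policy evaluated on traffic entering the router from the visitor VLAN:
! visitors may open HTTPS to the intranet web server only; anything else
! toward the server VLAN is dropped; other destinations (e.g. the WAN) pass.
ip access-list extended VISITORS-IN
 remark Visitors -> intranet web server, HTTPS only
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.5 eq 443
 remark Block everything else from visitors into the server VLAN
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark Everything not matched above would hit the implicit deny,
 remark so explicitly allow the remaining traffic (e.g. to the Internet)
 permit ip  192.168.20.0 0.0.0.255 any
!
! A plain ACL is stateless, so the reverse direction needs its own rule.
! "established" matches TCP segments with ACK or RST set, i.e. replies to
! connections the visitors opened, but not new connections from servers.
ip access-list extended SERVERS-IN
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip  192.168.10.0 0.0.0.255 any
!
interface Vlan10
 description Servers
 ip address 192.168.10.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface Vlan20
 description Visitors
 ip address 192.168.20.1 255.255.255.0
 ip access-group VISITORS-IN in
```

After applying it, `show ip access-lists VISITORS-IN` shows per-entry match counters, which is the quickest way to confirm that a test connection from the visitor VLAN is hitting the permit line and that a blocked one is incrementing the deny. Because the ACL is stateless, the `established` trick only covers TCP; for a stateful policy between VLANs (UDP return traffic, connection tracking) IOS offers Zone-Based Policy Firewall instead, where each VLAN SVI is placed in a zone and the allowed flows are defined between zone pairs.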

ambleside Mon, 05/10/2010 - 06:43

I'm having a similar problem. Does anyone following this thread have any approaches, possibly using CCA, to implement MAC level ACLs quickly to take advantage of the speed while segregating traffic... NAT on the LAN side? A design pattern for putting everything through the DMZ? The speed is attractive vs. alternatives but I have to segregate the traffic for security in any regard...

biraja Mon, 05/17/2010 - 08:27

Hi ambleside,


Which platform do you need to know about for the capabilities you have mentioned? Is it the UC500 or ASA55XX platforms?

This forum is for SA500 series security devices.


Thanks,

Biraja

Kuminauha Mon, 05/17/2010 - 08:41

Hello,


I got some more info from a local Cisco representative, that this SA520 product shouldn't be sold to business users at all. It is not a firewall, it is not a VPN capable device, it is not even Cisco's own product. We are now specifying the right device for my purposes.


Regards, Kn



steburke Mon, 05/17/2010 - 09:17
Cisco Employee

Kuminauha,


The Cisco SA500 Series are security appliances that do include firewall and VPN functionality (both IPsec and SSL VPN).  They are Cisco products.  If you require a firewall that includes the ability to apply firewall policy between VLANs, then the SA 500 Series does not currently provide that level of functionality.  It does allow you to block traffic from going from one VLAN to another, but does not provide a means to apply a detailed firewall policy.  As mentioned in an earlier post, the ASA 5500 Series and the ISR 800 Series devices do provide that functionality today.


Cheers,

Stephen

Kuminauha Mon, 05/17/2010 - 11:35

I can't believe this bullshit!


"It does allow you to block traffic from going from one VLAN to another, but does not provide a means to apply a detailed firewall policy." This means that my scissors can do the same, just cut the Ethernet cable in half. Or my dog, pulling the wire out from the same switch: no IP traffic or IP traffic.



My Cisco representative, working at Cisco, tells me that SA520 is not Cisco's own product, it is not a real firewall (stateful, freely filtering traffic between subnets), it cannot filter traffic between VLAN subnets and even VPN tunneling doesn't work properly.


You say, as so many others, that I need ASA5000 or ISR 800; how come you sold me this piece of shit in a box in the first place? If the marketing leaflet says "firewall", "VLAN subnetting" and so forth, this SA520 should be capable of doing that, without any explanations. How is this so difficult? Firewall, subnets, filtering traffic. If you understand firewall differently, please tell it to the customers also, clearly, and before they buy it.


Please close this worthless conversation, no answers are needed any more with this.



Kn





chris parkinson Tue, 01/24/2012 - 14:28

So, looks like I just dropped $600+ on a so-called "security appliance" that can't perform simple "security functions" as found in $100 off-the-shelf routers?


Nice