ACLs and Physical VLAN Connections

Answered Question
Jul 22nd, 2010

We have an L3 Cisco 4948 and have IP routing enabled using EIGRP. We also have three VLANs, VLAN20, VLAN30 and VLAN50. All three VLANs connect to two different systems through different physical connections. We don't want inter-VLAN routing, but we want the physical connections from the two core systems to remain in communication. My question is, if I configure an ACL like the one below, will it stop ALL communications between VLAN20 and VLAN30...even the physically connected systems? In other words, if system A is connected to VLAN20 and VLAN30 through different physical interfaces, will those two VLAN connections continue to communicate with this access list in place? I know this sounds confusing.


Access-list 103 deny ip 172.17.10.0 0.0.0.255 192.168.10.0 0.0.0.255
Access-list 103 permit ip any any


interface Vlan20
description DB
ip address 172.17.10.1 255.255.255.0
ip pim sparse-dense-mode
no ip unreachables
no ip proxy-arp
ip access-group 103 in
no shutdown
!
interface Vlan30
description SEC
ip address 192.168.10.1 255.255.255.0
ip pim sparse-dense-mode
no ip unreachables
no ip proxy-arp
no shutdown
!
interface Vlan50
description EGGS
ip address 192.168.50.1 255.255.255.0
no ip unreachables
no ip proxy-arp
no shutdown
!

Thank you,

~c

Jon Marshall Thu, 07/22/2010 - 14:24

You're right, it does sound confusing.


Are you saying you have a machine with a NIC in vlan 20 and another NIC in vlan 30? You don't want NIC 20 to be able to send packets to vlan 30 via the vlan 20 SVI, but you are happy for NIC 30 on the same machine to send packets to devices in vlan 30?


If so, then yes, what you are proposing should work. You should need the acl anyway in normal operation; however, if the link between NIC 30 and the switch went down, then the machine would try and use NIC 20, so that is when the acl would block the traffic.


Hope I've understood correctly; if not, let me know.


Jon

gdwingnuts Thu, 07/22/2010 - 15:30

Let me take another swing at this.  We actually have three total VLANs on the 4948.  One of the VLANs (i.e., VLAN50) is intended to connect to our WAN.  I became concerned when one of our internal workstations was able to open a device browser (i.e., our RAID) page across VLANs.  The workstation was on VLAN20 and the device which was accessed with a browser was on VLAN30.  IP routing is enabled so I understand that the VLANs will communicate with one another.  Correct me if I'm wrong...Since we have EIGRP configured to get out, must we have IP routing enabled?  Each one of our Solaris servers is connected via ethernet to each of the VLANs using different physical NICs.  I guess the VLANs will have to talk to one another with this configuration correct?


~c

Correct Answer
Jon Marshall Thu, 07/22/2010 - 17:42

gdwingnuts wrote:


Let me take another swing at this.  We actually have three total VLANs on the 4948.  One of the VLANs (i.e., VLAN50) is intended to connect to our WAN.  I became concerned when one of our internal workstations was able to open a device browser (i.e., our RAID) page across VLANs.  The workstation was on VLAN20 and the device which was accessed with a browser was on VLAN30.  IP routing is enabled so I understand that the VLANs will communicate with one another.  Correct me if I'm wrong...Since we have EIGRP configured to get out, must we have IP routing enabled?  Each one of our Solaris servers is connected via ethernet to each of the VLANs using different physical NICs.  I guess the VLANs will have to talk to one another with this configuration correct?


~c


Okay, if you use EIGRP, yes, you will need IP routing.


So let's say you want to stop vlan 20 clients opening devices on vlan 30. You should look to use an inbound acl on vlan 20 that denies the traffic. Basically, block the traffic as near to the source as you can.


You can use an acl inbound on vlan 30 to block the return traffic, but you need to be careful as to what you allow and block. If the devices on vlan 20 are not meant to access devices on vlan 30, block them inbound on vlan 20.


Again, if I'm still missing the point, let me know.


Jon
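As an added illustration (not code from the thread or from Cisco), a small Python model of how the inbound ACL on the Vlan20 SVI from the original post is evaluated. It covers both of Jon's points: only traffic that is routed through the SVI is checked, so the server's NIC in VLAN30 talking inside VLAN30 is switched at layer 2 and never hits access-list 103, and with no ACL on Vlan30 the return direction is not filtered at all. The host addresses are constructed.

```python
import ipaddress

# Added example, not from the thread: a small model of how an IOS numbered
# ACL applied "in" on an SVI is evaluated, using the thread's access-list 103
# and VLAN addressing. Host addresses below are constructed.

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    keep = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & keep) == (n & keep)

# (action, source spec, destination spec), in configured order
ACL_103 = [
    ("deny",   "172.17.10.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
    ("permit", "any", "any"),
]

def acl_verdict(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_spec, d_spec in acl:
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return action
    return "deny"

# SVI subnets from the thread, used to find which SVI (if any) sees a packet.
SVIS = {"Vlan20": ipaddress.ip_network("172.17.10.0/24"),
        "Vlan30": ipaddress.ip_network("192.168.10.0/24"),
        "Vlan50": ipaddress.ip_network("192.168.50.0/24")}
INBOUND_ACL = {"Vlan20": ACL_103}   # "ip access-group 103 in" on Vlan20 only

def forward(src: str, dst: str) -> str:
    """What the switch does with one packet from src to dst. Traffic that
    stays inside a VLAN is switched at layer 2 and never enters the SVI,
    so the inbound SVI ACL is only consulted for traffic being routed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next((name for name, net in SVIS.items() if s in net), None)
    if ingress is None:
        return "unknown-source"
    if d in SVIS[ingress]:
        return "l2-switched"          # same VLAN: the ACL is not evaluated
    acl = INBOUND_ACL.get(ingress)
    if acl and acl_verdict(acl, src, dst) == "deny":
        return "dropped-by-acl"
    return "routed"                   # includes the return path from Vlan30
```

Running forward() for a VLAN20 workstation against the VLAN30 device returns "dropped-by-acl", while the same destination reached from the server's VLAN30 NIC returns "l2-switched".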

gdwingnuts Fri, 07/23/2010 - 09:22

It looks like our design folks will have to live with the inter-VLAN communication. We have far too many system dependencies to start adding ACLs. It looks like the only benefit to having VLANs under our circumstances is to localize broadcast traffic. In the end, if one VLAN wants to communicate with another, they can...right? Is it correct to say that the switch provides inter-VLAN routing with IP routing enabled?


Thanks for all of your attention!


~c

Correct Answer
Nagaraja Thanthry Fri, 07/23/2010 - 09:49

Hello,


Yes, you are correct. As long as IP routing is enabled and the default gateways are properly set, the switch will allow communication between different VLANs without any issues.


Hope this answers your question.


Regards,


NT
