restricting access between VLANs

Unanswered Question
Aug 11th, 2010

Hi All,


We have an installation with 20 VLANs distributed via VTP to all the switches we have. We have routing between VLANs enabled, so there is total access between VLANs.

But we would like to restrict access to the management VLAN. Using an access-list on the VLAN interfaces we managed to do so:

Y.Y.Y.Y --> management VLAN
X.X.X.X --> not a management VLAN

access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y
access-list 100 permit ip X.X.X.X X.X.X.X any

interface VLAN X
    ip address X.X.X.X X.X.X.X
    ip access-group 100 in

But we would like to maintain access from the management VLAN to the rest of the VLANs, while at the same time avoiding access from the rest of the VLANs to the management VLAN. With the access-list above we are not getting this: we have no access from the management VLAN to the rest.

Any idea? Is it possible without a firewall?


THANK YOU VERY MUCH

Jon Marshall Wed, 08/11/2010 - 06:40

What device is doing the inter-VLAN routing, i.e. what type of switch and which IOS version?

What type of access is needed from the management VLAN, i.e. is it just TCP or do you need ICMP and UDP as well?

As you mention, a stateful firewall would take care of this, but there is also:

1) using the "established" keyword in the ACL, but this only works for TCP connections

2) using reflexive ACLs, but these are not generally supported on L3 switches


Jon
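Jon's first option, modeled as an added example that is not from the thread: a small Python simulation of the stateless ACL 100 inbound on the VLAN X SVI, first as posted and then with a permit for established TCP inserted ahead of the deny. The prefixes and packets are constructed stand-ins for X.X.X.X and Y.Y.Y.Y, and the IOS "established" keyword is modeled as matching only TCP segments with ACK or RST set.

```python
import ipaddress
from dataclasses import dataclass

MGMT = ipaddress.ip_network("10.0.99.0/24")   # constructed stand-in for Y.Y.Y.Y
VLANX = ipaddress.ip_network("10.0.10.0/24")  # constructed stand-in for X.X.X.X
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    ack_or_rst: bool = False  # TCP ACK or RST bit set, i.e. not a fresh SYN

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False  # IOS "established": only TCP with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst)

def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# The original post's ACL 100, applied inbound on interface VLAN X.
ORIGINAL = [Ace("deny", "ip", VLANX, MGMT), Ace("permit", "ip", VLANX, ANY)]
# Jon's option 1: a permit for established TCP inserted ahead of the deny.
WITH_ESTABLISHED = [Ace("permit", "tcp", VLANX, MGMT, established=True)] + ORIGINAL
# Constructed packets arriving inbound on the VLAN X SVI.
TCP_REPLY = Packet("10.0.10.5", "10.0.99.1", "tcp", ack_or_rst=True)  # reply to a management-initiated SSH
NEW_SYN = Packet("10.0.10.5", "10.0.99.1", "tcp")    # VLAN X host trying to open a session to management
UDP_REPLY = Packet("10.0.10.5", "10.0.99.1", "udp")  # e.g. an SNMP response, also management-initiated

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("with established", WITH_ESTABLISHED)):
        print(name, [evaluate(acl, p) for p in (TCP_REPLY, NEW_SYN, UDP_REPLY)])
```

The UDP reply stays denied in both versions, which is the TCP-only limitation Jon points out; only a reflexive ACL or a stateful firewall tracks non-TCP return traffic.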

Collin Clark Wed, 08/11/2010 - 07:05

As Jon stated, it is possible but there are some caveats. Speaking from experience, get a firewall. It's a lot easier to administrate than ACLs.

Inaki Kortazar Wed, 08/11/2010 - 07:12

Thank you for your answers,


We would like to have total access from the management VLAN to the rest of the VLANs. The inter-VLAN routing is being done by a Catalyst 6500 with IOS 12.2(33)SXH7 installed.

As we have understood from your answers, reflexive ACLs could be our choice. Do you have any interesting link on this point?


We will investigate and be back with the feedback.


THANK YOU VERY MUCH

Jon Marshall Wed, 08/11/2010 - 09:35

6500 switches do support reflexive ACLs. Here is a link for configuring them:

reflexive acl configuration

However, I agree with Collin on this, a firewall would make your life much simpler.


Jon

jeevan.koganti Thu, 08/16/2012 - 02:32

Hi,


According to me this is possible. The only thing you have to do is, in the non-management VLANs' access-list, remove the permit to the management VLAN, and in the management VLAN's access-list give a permit to all other VLANs. If required you need to permit ICMP also.


Jeevan.

Sandeep Choudhary Thu, 08/16/2012 - 02:40

Hi Inaki,

Yes, we can do it with the help of an ACL.

Just as an example: block traffic between VLAN 5 and VLAN 8

ip access-list extended testacl
 ! drop traffic from VLAN 5 toward VLAN 8
 deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
 ! allow everything else from VLAN 5
 permit ip any any

and to apply the ACL, I used the following:

interface vlan 5
 ip access-group testacl in


Regards

Please rate if it helps.

Alessio Andreoli Thu, 08/16/2012 - 02:49

Hi, I think you already wrote down the right ACL except for the second statement.

In my opinion it should be:

access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y
access-list 100 permit ip Y.Y.Y.Y Y.Y.Y.Y any

And I don't think that buying a firewall would be a justified expense for this requirement only.



Hope this helps

Alessio
