restricting access between VLANs

Inaki Kortazar
Level 1

Hi All,

We have an installation with 20 VLANs distributed via VTP to all the switches we have. We have routing between VLANs enabled. So, there is total access between VLANs.

But, we would like to restrict access to the management VLAN. Using an access-list on the VLAN interfaces we managed to do so:

Y.Y.Y.Y --> management VLAN

X.X.X.X --> not a management VLAN

access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y

access-list 100 permit ip X.X.X.X X.X.X.X any

interface VLAN X

    ip address X.X.X.X X.X.X.X

    ip access-group 100 in

But, we would like to maintain the access from the management VLAN to the rest of the VLANs, at the same time as we avoid access from the rest of the VLANs to the management VLAN. With the access-list above, we are not getting this. We have no access from the management VLAN to the rest.

Any idea? Is it possible without a firewall?

THANK YOU VERY MUCH

7 Replies

Jon Marshall
Hall of Fame

What device is doing the inter-VLAN routing, i.e. what type of switch and which IOS version?

What type of access is needed from the management VLAN, i.e. is it just TCP or do you need ICMP and UDP as well?

As you mention, a stateful firewall would take care of this but there is also -

1) using the "established" keyword in the ACL, but this only works for TCP connections

2) using reflexive ACLs, but these are not generally supported on L3 switches

Jon

As Jon stated, it is possible, but there are some caveats. Speaking from experience, get a firewall. It's a lot easier to administer than ACLs.

Thank you for your answers,


We would like to have total access from the management VLAN to the rest of the VLANs. The inter-VLAN routing is being done by a Catalyst 6500 with IOS 12.2(33)SXH7 installed.

As we have understood from your answers, reflexive ACLs could be our choice. Do you have any interesting link on this point?

We will investigate and be back with the feedback.

THANK YOU VERY MUCH

6500 switches do support reflexive ACLs. Here is a link for configuring them -

reflexive acl configuration

However, I agree with Collin on this, a firewall would make your life much simpler.

Jon
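A worked configuration for the two options Jon describes (reflexive ACLs, and the TCP-only "established" keyword), written here as an added example that is not from this thread or from Cisco's documentation. It assumes the management VLAN is Vlan10 with the placeholder subnet 10.0.10.0/24; the 6500 routes all VLANs.

```text
! Added example. Assumed: management VLAN = Vlan10, subnet 10.0.10.0/24.
!
! Option 2, reflexive ACLs. Sessions opened by management hosts are
! recorded in the temporary list MGMT-REFLECT as they enter the
! management SVI (from the hosts' point of view, leaving the VLAN) ...
ip access-list extended MGMT-FROM
 permit tcp 10.0.10.0 0.0.0.255 any reflect MGMT-REFLECT timeout 300
 permit udp 10.0.10.0 0.0.0.255 any reflect MGMT-REFLECT timeout 60
 permit icmp 10.0.10.0 0.0.0.255 any reflect MGMT-REFLECT timeout 30
 deny ip any any
!
! ... and only the matching return traffic is let back toward the
! management VLAN. Anything else from the other VLANs is dropped and
! logged, which is the detection point for probes against management.
ip access-list extended MGMT-TO
 evaluate MGMT-REFLECT
 deny ip any 10.0.10.0 0.0.0.255 log
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group MGMT-FROM in
 ip access-group MGMT-TO out
!
! Option 1, TCP only (no UDP/ICMP return path). Applied inbound on every
! non-management SVI instead of the two ACLs above: "established" matches
! packets with ACK or RST set, i.e. replies to sessions the management
! side opened, but it is stateless and trusts the flag, not the session.
ip access-list extended USER-IN
 permit tcp any 10.0.10.0 0.0.0.255 established
 deny ip any 10.0.10.0 0.0.0.255 log
 permit ip any any
!
interface Vlan20
 ip access-group USER-IN in
```

Neither ACL filters traffic addressed to the switch's own SVI addresses, so the management plane itself still needs an access-class on the vty lines.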

jeevan.koganti
Level 1

Hi,

According to me this is possible; the only thing you have to do is, in the non-management VLANs' access-list, remove the permit to the management VLAN, and in the management VLAN access-list give a permit to all other VLANs. If required, you need to permit ICMP also.

Jeevan.

Sandeep Choudhary
VIP Alumni

Hi Inaki,

Yes, we can do it with the help of an ACL.

Just as an example: block traffic between VLAN 5 and VLAN 8

! Named extended ACL: the "access-list" command only takes a number,
! so a named list is defined with "ip access-list extended"
ip access-list extended testacl
 deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
 permit ip any any

and to apply the ACL, I used the following:

interface vlan 5
 ip access-group testacl in

Regards

Please rate if it helps.

Hi, I think you already wrote down the right ACL except for the second statement.

In my opinion it should be:

access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y

access-list 100 permit ip Y.Y.Y.Y Y.Y.Y.Y any

and I don't think that buying a firewall would be a justified expense for this requirement only.

Hope this helps

Alessio
