Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Green

CSS - Restricting traffic between Vlans ???

I have 2 vlans configured on a CSS11501. I do not want these vlans to be able to communicate with each other. Right now each vlan has a connection to an ASA.

It appears that the CSS is routing between the vlans. I want the traffic to have to traverse the firewall.

Is this possible? Thanks.

4 REPLIES

Re: CSS - Restricting traffic between Vlans ???

I think that the only way to avoid routing

between Vlans on a CSS is to use ACLs.

Syed

Green

Re: CSS - Restricting traffic between Vlans ???

I tried to write an acl and ended up blocking all traffic through the CSS. I'm not sure why it did that...

circuit VLAN200

ip address 192.168.200.2 255.255.255.0

circuit VLAN201

ip address 192.168.201.2 255.255.255.0

acl 1

clause 10 deny any 192.168.200.0 255.255.255.0 destination 192.168.201.0 255.255.255.0

apply circuit-(VLAN201)

The above config blocked all communication to vlan 200 and vlan 201 from anywhere. Why would it block traffic to vlan 200, the acl isn't even applied there?? Would I have to add...

clause 20 permit any any destination any

Is there any good documentation on writing acl's on the CSS? I havent found any.

Green

Re: CSS - Restricting traffic between Vlans ???

Here's what I was looking for...

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080093dec.shtml

"When the CSS has ACLs enabled, the box defaults to denying all traffic on all VLANs. In order to allow traffic through the CSS, you must configure an ACL for each VLAN to permit the traffic through the box that you desire. An explicit deny all clause exists at the end of every ACL. VLANs that do not have an ACL applied do not allow any traffic through until you configure an ACL that allows traffic."

New Member

Re: CSS - Restricting traffic between Vlans ???

from my expirence with ACL on the CSS, it's weired.

once you enabled the ACL on the CSS box through the command "acl enable", by default and if there is no acl defined it will implicitly deny all the traffic for all the vlans.

so i belive in your case you will need to define 2 acl and apply them on each circuit vlan and yes you have to add this clause at the end of each VLAN:

clause 20 permit any any destination any

and it will take some time after you change the ACL to notice the change effective.

Hasan

155
Views
4
Helpful
4
Replies
CreatePlease login to create content