
3560 Vlan ACL issue

Hello

I have some Catalyst 3560s that have about 10 VLANs set up on them. I want to isolate a few VLANs from being able to access certain VLANs, but only in one direction. For example:

Vlan 100 is 10.10.100.0/24

Vlan 200 is 192.168.100.0/24

I would like a host in Vlan 100 to be able to initiate a session with a host in Vlan 200 but at the same time, I don't want a host in Vlan 200 to be able to initialize a session with a host in Vlan 100. Kinda like a PIX/ASA DMZ ACL. Is this possible? When I try putting an ACL on the Vlan interface like below, it does not work. This is because once a host in vlan 100 (10.10.100.x) initiates a session with a host in vlan 200 (192.168.100.x), the second ACL blocks the return traffic. Any suggestions?

access-list 115 permit ip 10.10.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
!
interface Vlan200
 ip address 192.168.100.1 255.255.255.0
 ip access-group 115 in

Thanks

Colin


Re: 3560 Vlan ACL issue

Colin

What you need for this sort of thing is reflexive access-lists which allow connections to be initiated from one side and the return traffic back but not for connections to be initiated the other way.

Unfortunately, as far as I know the 3560 does not support reflexive access-lists. So the best you can do is to use the "established" keyword, which only works for TCP connections -

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swacl.html#wp1285702

Jon
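The following is an added illustration, not code from the thread or from Cisco. It models IOS router-ACL evaluation (first match wins, implicit deny at the end) in Python, parses Colin's ACL 115 exactly as posted, and beside it an assumed rewrite in which the deny line is preceded by a `permit tcp ... established` line as Jon suggests. The packets are constructed for the demo and represent traffic arriving inbound on Vlan200, that is, traffic sourced by VLAN 200 hosts. The helper names (`parse_acl`, `evaluate`, `compare`) are the example's own.

```python
import ipaddress

# ACL as Colin posted it (applied "in" on interface Vlan200).
ORIGINAL_ACL = """\
access-list 115 permit ip 10.10.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
"""

# Assumed rewrite using the "established" keyword from Jon's reply: TCP
# segments with ACK or RST set (return traffic) are permitted before the deny.
ESTABLISHED_ACL = """\
access-list 115 permit tcp 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255 established
access-list 115 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network_int, care_mask_int): bits set in care_mask must match."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, ~wildcard & 0xFFFFFFFF  # wildcard bit set = "don't care"


def parse_acl(text):
    """Parse numbered extended ACL lines into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # blank line or unsupported statement
        _, _number, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        rules.append({"action": action, "proto": proto, "src": src,
                      "dst": dst, "established": "established" in rest})
    return rules


def _addr_matches(addr, spec):
    net, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(rules, pkt):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_addr_matches(pkt["src"], r["src"]) and _addr_matches(pkt["dst"], r["dst"])):
            continue
        # 'established' keeps no state: it only asks whether ACK or RST is set.
        if r["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return r["action"]
    return "deny"


# Constructed packets arriving inbound on Vlan200 (sourced by VLAN 200 hosts).
PACKETS = {
    # reply segment of a session a VLAN 100 host opened to 192.168.100.10
    "tcp_return": {"proto": "tcp", "src": "192.168.100.10", "dst": "10.10.100.5", "flags": {"ACK"}},
    # VLAN 200 host trying to open a new session toward VLAN 100
    "tcp_new": {"proto": "tcp", "src": "192.168.100.10", "dst": "10.10.100.5", "flags": {"SYN"}},
    # UDP reply (e.g. a DNS answer) to a VLAN 100 host: 'established' cannot help here
    "udp_return": {"proto": "udp", "src": "192.168.100.10", "dst": "10.10.100.5"},
    # VLAN 200 host talking to any other network is unaffected by both ACLs
    "tcp_elsewhere": {"proto": "tcp", "src": "192.168.100.10", "dst": "172.16.5.9", "flags": {"SYN"}},
}


def compare():
    """Return {packet_name: (verdict_original_acl, verdict_established_acl)}."""
    orig, est = parse_acl(ORIGINAL_ACL), parse_acl(ESTABLISHED_ACL)
    return {name: (evaluate(orig, p), evaluate(est, p)) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:14s} original={before:6s} established={after}")
```

Running it shows why Colin's ACL fails: inbound on Vlan200 only sees packets sourced from 192.168.100.x, so the first permit never matches and the deny catches the TCP replies. With the established line the replies pass while a new SYN from VLAN 200 is still denied. Two caveats a defender should keep in mind: the keyword is stateless, so any packet with ACK or RST set is accepted regardless of whether a session exists, which is weaker than the reflexive ACLs Jon mentions; and, as the reply says, it covers only TCP, so UDP or ICMP replies to VLAN 100 hosts are still dropped and need explicit permits if those services are used.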
