Cisco Support Community
Filtering traffic between VLANs

I already posted about this a few months ago and I thought I had it resolved...

Right now, I'm setting up a remote office infrastructure with WIFI.

Routed environment, down to the access layer using 3560-x l3 switches.

vlan 10: data
vlan 20: wifi
vlan 30: wifi guests
vlan 40: voip

Remote office is in the 10.50.x.y subnets where x = vlan ID from table above (so 10.50.30.1 is in the WIFI Guests VLAN...)

My objective is to allow all traffic OUTBOUND to certain subnets (10.10.110.0/24, 10.10.120.0/24) and block any other 10.0.0.0/8 networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.

I used this:

Extended IP access list VLAN10_TRAFFIC_FLOW
    10 permit ip any 10.10.110.0 0.0.0.255
    20 permit ip any 10.10.120.0 0.0.0.255
    30 deny ip any 10.0.0.0 0.255.255.255
    40 permit ip any any
!
interface Vlan10
 description DATA
 ip address 10.50.10.1 255.255.255.0
 ip access-group VLAN10_TRAFFIC_FLOW in

Somehow, I can ping and browse web pages in subnet 10.10.100.0 even though the rule blocks anything in 10.x.x.x (line 30).

So I nuked all of this and created VLAN maps which seem to work better.

ip access-list extended ACL_VLAN10_ALLOW
 permit ip 10.50.10.0 0.0.0.255 any
 permit ip 10.0.110.0 0.255.0.255 10.50.10.0 0.0.0.255
 permit ip 10.0.120.0 0.255.0.255 10.50.10.0 0.0.0.255
!
ip access-list extended ACL_VLAN10_BLOCK
 permit ip 10.0.0.0 0.255.255.255 any
!
vlan access-map MAP_VLAN10 10
 match ip address ACL_VLAN10_ALLOW
 action forward
vlan access-map MAP_VLAN10 20
 match ip address ACL_VLAN10_BLOCK
 action drop log
vlan access-map MAP_VLAN10 30
 action forward
!
vlan filter MAP_VLAN10 vlan-list 10

However, there is no way to do inbound or outbound traffic control, so I end up with rules that allow all traffic to go out (even to destinations I don't want to) but return traffic gets blocked (i.e. I'd be able to send an HTTP request to a server in the 10.10.100.0 subnet but the response would get blocked). Kind of a waste of bandwidth to have all those packets travel and get blocked at the destination. Any input or suggestions would be appreciated...
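The two designs in the post behave differently because an interface ACL applied with `ip access-group ... in` on an SVI is directional (it only sees packets arriving from hosts in that VLAN and uses first-match with an implicit deny), while a VLAN access-map is evaluated against every packet in the VLAN in both directions, with each map entry "matching" when its ACL permits the packet. The evaluator below is an added example, not the poster's code or anything from Cisco; it transcribes the post's two ACL sets as data and walks sample flows (the host and server addresses are constructed) through a simplified model that ignores ports, protocols and hardware behaviour. It shows that, on paper, line 30 of VLAN10_TRAFFIC_FLOW does deny 10.10.100.x, so the observed reachability is not explained by the ACL text itself, and that under the VACL the reply from a 10.10.100.x server is dropped by map entry 20. It also flags that the wildcard mask 0.255.0.255 in ACL_VLAN10_ALLOW matches any 10.x.110.x address, which is broader than a single /24.

```python
"""Tiny model of Cisco wildcard matching, interface ACLs and VLAN access-maps.
Added example; the ACL contents come from the forum post, the flows are constructed."""
import ipaddress
from dataclasses import dataclass


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


ANY = ("0.0.0.0", "255.255.255.255")  # the "any" keyword as base/wildcard


def router_acl(acl, src: str, dst: str) -> str:
    """Interface ACL: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


def vacl(access_map, src: str, dst: str) -> str:
    """VLAN access-map: entries in sequence order. A 'match ip address' clause is
    satisfied when its ACL permits the packet; an entry with no match clause
    matches everything. Evaluated for every packet in the VLAN, both directions."""
    for acl, action in access_map:
        if acl is None or router_acl(acl, src, dst) == "permit":
            return action
    return "drop"  # implicit drop when no entry matches


# --- ACLs transcribed from the post -------------------------------------------
VLAN10_TRAFFIC_FLOW = [
    Ace("permit", *ANY, "10.10.110.0", "0.0.0.255"),
    Ace("permit", *ANY, "10.10.120.0", "0.0.0.255"),
    Ace("deny",   *ANY, "10.0.0.0", "0.255.255.255"),
    Ace("permit", *ANY, *ANY),
]
ACL_VLAN10_ALLOW = [
    Ace("permit", "10.50.10.0", "0.0.0.255", *ANY),
    Ace("permit", "10.0.110.0", "0.255.0.255", "10.50.10.0", "0.0.0.255"),
    Ace("permit", "10.0.120.0", "0.255.0.255", "10.50.10.0", "0.0.0.255"),
]
ACL_VLAN10_BLOCK = [Ace("permit", "10.0.0.0", "0.255.255.255", *ANY)]
MAP_VLAN10 = [
    (ACL_VLAN10_ALLOW, "forward"),  # seq 10
    (ACL_VLAN10_BLOCK, "drop"),     # seq 20 (action drop log)
    (None, "forward"),              # seq 30, no match clause
]


def evaluate(src: str, dst: str) -> dict:
    """Verdicts for one request from a VLAN 10 host and for its reply.
    The SVI 'in' ACL never sees the reply, so only the VACL gets a reply verdict."""
    return {
        "svi_acl_request": router_acl(VLAN10_TRAFFIC_FLOW, src, dst),
        "vacl_request": vacl(MAP_VLAN10, src, dst),
        "vacl_reply": vacl(MAP_VLAN10, dst, src),
    }


if __name__ == "__main__":
    host = "10.50.10.20"  # constructed VLAN 10 client
    for server in ("10.10.110.5", "10.10.100.5", "93.184.216.34"):  # constructed targets
        print(f"{host} -> {server}: {evaluate(host, server)}")
    # The 0.255.0.255 wildcard admits far more than the intended /24:
    print("10.200.110.77 treated as 'allowed source':",
          wildcard_match("10.200.110.77", "10.0.110.0", "0.255.0.255"))
```

Running it shows the interface ACL denying 10.50.10.20 -> 10.10.100.5 and permitting 10.10.110.5 and the internet address, while the VACL forwards the request to 10.10.100.5 but drops the server's reply, exactly the asymmetric behaviour described in the post.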
