Community Member

InterVLAN access control

I have a couple of VLANs on my Cisco 4507.

These are the VLANs:

10.10.1.X/24 -- management

10.10.2.X/24 -- User vlan

10.10.3.X/24 -- Server vlan

I don’t want 10.10.2.x and 10.10.3.x to access Management network.

But management network (10.10.1.x) should be able to access these two networks.

I have tried access lists but it doesn’t work. If I stop access, it stops both ways. But I want the Management network to be able to access the other networks.

Kindly suggest.

Thanks

8 REPLIES

Re: InterVLAN access control

Hi,

Check out the following link for VLAN ACLs; I hope this will help you resolve your problem.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/secure.html#wp1069375

Regards

Ganesh.H

Community Member

Re: InterVLAN access control

Can you kindly provide the exact statements to achieve this?

Which way do I have to implement the access list (in/out), and which VLAN is it to be put on?

Thanks.

Re: InterVLAN access control

A VLAN map works like a route map. To configure VLAN maps to control IP traffic, first configure the VLAN map and then assign a sequence number to the map. VLAN maps are executed from the lowest instance to the highest. Use the global configuration command vlan access-map map_name sequence_number.

It generally works in either direction when applied to a VLAN.

Hope this solves your query and helps you restrict traffic in your VLAN.

Regards

Ganesh.H

Community Member

Re: InterVLAN access control

hi,

As per your requirement, you can use a PVLAN configuration where you keep your management VLAN in the primary VLAN and the server and user VLANs in isolated VLANs.

hope to get some clues from this.

Thanks and Regards,

sourabh

Community Member

Re: InterVLAN access control

I have tried VLAN maps... still doesn't work.


! Extended ACL that matches only user VLAN -> management VLAN traffic
! (a reply from a 10.10.2.x host to a 10.10.1.x host also matches)
ip access-list extended test-acl
 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
!
! Sequence 10: drop every packet that matches test-acl
vlan access-map test-map 10
 action drop
 match ip address test-acl
! Sequence 20: no match clause, so everything else is forwarded
vlan access-map test-map 20
 action forward
!
! (the vlan filter command that applies test-map to a VLAN was not shown in the post)

I am not able to ping the server VLAN from the user VLAN. Able to ping other subnets.

But I am also not able to ping the user VLAN from the management VLAN, which still doesn't solve my problem.

Regards,

venkat

Re: InterVLAN access control

Try this configuration as per your setup

! Sequence 10: any IP packet sourced from the user or server VLAN and
! destined to the management VLAN is dropped. A reply from 10.10.2.x or
! 10.10.3.x to a management host also matches these ACEs.
vlan access-map allow_ip 10
 match ip address deny_to_management_lan
 action drop
! Sequence 20: IP packets sourced from the management VLAN are forwarded.
! IP packets that match neither ACL fall through the map and are dropped
! by the VLAN-map default for a packet type that has a match clause.
vlan access-map allow_ip 20
 match ip address management_lan_to_all
 action forward
!
ip access-list extended deny_to_management_lan
 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
!
ip access-list extended management_lan_to_all
 permit ip 10.10.1.0 0.0.0.255 any
!
! Apply the map to the management VLAN (the VLAN ID was not given in the thread)
vlan filter allow_ip vlan-list <management-vlan-number>

Hope this helps you out

Regards

Ganesh.H
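
An added worked example (the editor's, not posted by anyone in this thread) of the other way to get the one-way behaviour venkat asked for: a router ACL on the SVIs instead of a VACL. A VLAN map is stateless and has no direction, so dropping 10.10.2.x/10.10.3.x -> 10.10.1.x on the management VLAN also discards the replies to sessions that management itself opened, which is exactly the symptom venkat reported. With an interface ACL applied inbound on the user and server SVIs, the return half of management-initiated sessions can be permitted explicitly: TCP with the established keyword (ACK or RST flag set) and ICMP echo-reply. The VLAN IDs 10, 20 and 30, the ACL name PROTECT-MGMT and the SNMP/syslog exceptions are assumptions; the thread only gives the subnets.

```cisco
! Added example, not from the thread. Assumes VLAN 10 = 10.10.1.0/24 (management),
! VLAN 20 = 10.10.2.0/24 (users), VLAN 30 = 10.10.3.0/24 (servers). The VLAN IDs,
! the ACL name and the UDP exceptions are assumptions for illustration.
!
! Goal: users and servers may not open connections to the management subnet,
! but management may open connections to them. An ACL is stateless, so the
! return half of management-initiated sessions has to be permitted explicitly.
!
ip access-list extended PROTECT-MGMT
 remark TCP replies to sessions management opened (ACK or RST flag set)
 permit tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 established
 permit tcp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 established
 remark ping replies and ICMP errors back to management
 permit icmp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 echo-reply
 permit icmp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 echo-reply
 permit icmp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 unreachable
 permit icmp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 unreachable
 permit icmp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 time-exceeded
 permit icmp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 time-exceeded
 remark UDP has no flag to key on, so open only the replies management polls for
 remark (assumption: management polls SNMP agents on both VLANs)
 permit udp 10.10.2.0 0.0.0.255 eq snmp 10.10.1.0 0.0.0.255
 permit udp 10.10.3.0 0.0.0.255 eq snmp 10.10.1.0 0.0.0.255
 remark (assumption: a deliberate exception, servers may send syslog to management)
 permit udp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 eq syslog
 remark everything else from users/servers to management is logged and dropped
 deny   ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 log
 deny   ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
 remark all other traffic (users <-> servers, anything else) is unaffected
 permit ip any any
!
! Apply inbound on the user and server SVIs: the ACL is evaluated once, in one
! direction, on traffic entering the switch's routing engine from each VLAN.
interface Vlan20
 ip access-group PROTECT-MGMT in
interface Vlan30
 ip access-group PROTECT-MGMT in
!
! Remove any VACL that drops 10.10.2/3 -> 10.10.1 on the management VLAN,
! otherwise it keeps discarding the replies permitted above.
no vlan filter allow_ip vlan-list 10
!
! Verification (from the management VLAN, ping and ssh to a server, then):
!   show ip access-lists PROTECT-MGMT         <- per-ACE hit counters move
!   show ip interface Vlan20 | include access list
!   show vlan filter                           <- confirm no map is left on VLAN 10
```

Two caveats belong with this. The established keyword only looks at TCP flags, so a host on the user VLAN can still send ACK- or RST-flagged probes into the management subnet; it prevents connections being opened, it is not a stateful firewall, and a genuinely stateful boundary needs a firewall between the VLANs rather than a switch ACL. The log keyword sends matching packets to the CPU, so keep it on the deny lines only and drop it once the counters in show ip access-lists confirm the rule behaves as intended.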

Community Member

Re: InterVLAN access control

Is it to be applied on the Mgmt VLAN?

If so, I have to wait till the weekend to be able to test this, as it will impact production.

Thanks

Re: InterVLAN access control

Yes, you need to apply it on the management VLAN only. Try the configuration and share your feedback by the end of the week.

Regards

Ganesh.H
