11-11-2010 07:12 AM - edited 03-06-2019 01:59 PM
We have a hospital network consisting of a class C of IP addresses per floor. We are running layer 3 to the access switches (3750s and 6500s). I recently cut up a separate class C network into /27 addresses and am using five of the /27 networks on different floors of the hospital. The problem now is I found that these networks, for security reasons, should not be able to see any other networks. They only need to see each other.
I am just looking for suggestions on the best and easiest way to do this. PVLANs, access lists, or anything else?
11-11-2010 07:34 AM
ppellettiere wrote:
All the devices on all 5 /27 networks need to be able to see each other. They cannot
see any other networks.
Okay, then using ACLs on the L3 VLAN interfaces would be the way to go, e.g.
vlan 10 = 192.168.5.0 255.255.255.224, i.e. /27
The other 4 VLANs go up from where vlan 10 left off, e.g. vlan 11 = 192.168.5.32/27, vlan 12 = 192.168.5.64/27
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.32 0.0.0.31
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.64 0.0.0.31
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.96 0.0.0.31
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.128 0.0.0.31
int vlan 10
ip access-group 101 in
and then repeat for each subnet eg.
access-list 102 permit ip 192.168.5.32 0.0.0.31 192.168.5.0 0.0.0.31
access-list 102 permit ip 192.168.5.32 0.0.0.31 192.168.5.64 0.0.0.31
etc..
int vlan 11
ip access-group 102 in
Also there is an implicit deny at the end of each access-list, so you don't need to add the line "access-list 101 deny ip 192.168.5.0 0.0.0.31 any". However, you can if you want to see how many hits are being denied.
Jon
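The per-subnet ACLs in Jon's answer are one pattern repeated once per VLAN, which is easy to get wrong by hand once there are five of them. The following is an added example, not code from the thread or from Cisco: it generates the whole set for any list of isolated VLANs and then simulates the switch's wildcard-mask matching (including the implicit deny) so a source/destination pair can be checked before the config is pushed. The VLAN numbers, the ACL numbering starting at 101 and the sample addresses follow the layout in the answer; the function names are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not taken from a real switch): the five isolated
# /27 subnets on their VLANs, numbered the way Jon's answer lays them out.
ISOLATED_VLANS: Dict[int, str] = {
    10: "192.168.5.0/27",
    11: "192.168.5.32/27",
    12: "192.168.5.64/27",
    13: "192.168.5.96/27",
    14: "192.168.5.128/27",
}

# One ACL entry: action, source network, destination network (None = "any").
Entry = Tuple[str, ipaddress.IPv4Network, Optional[ipaddress.IPv4Network]]


def wildcard(net: ipaddress.IPv4Network) -> str:
    """Cisco wildcard mask: the bitwise inverse of the subnet mask (0.0.0.31 for a /27)."""
    return str(net.hostmask)


def build_acls(vlans: Dict[int, str], first_acl: int = 101,
               explicit_deny: bool = False) -> Dict[int, Tuple[int, List[Entry], List[str]]]:
    """For every isolated VLAN build the inbound SVI ACL that lets its subnet reach
    each *other* isolated subnet and nothing else.  Returns
    {vlan: (acl_number, entries, config_lines)}.  Hosts in the same VLAN are
    switched at layer 2 and never cross the SVI, so no same-subnet permit is
    needed.  Anything not permitted falls to the implicit deny; explicit_deny
    adds the optional counting line Jon mentions."""
    nets = {v: ipaddress.ip_network(c, strict=True) for v, c in vlans.items()}
    acls: Dict[int, Tuple[int, List[Entry], List[str]]] = {}
    for i, (vlan, net) in enumerate(sorted(nets.items())):
        acl = first_acl + i
        entries: List[Entry] = [("permit", net, other)
                                for other_vlan, other in sorted(nets.items())
                                if other_vlan != vlan]
        if explicit_deny:
            entries.append(("deny", net, None))
        lines: List[str] = []
        for action, src, dst in entries:
            dst_txt = "any" if dst is None else f"{dst.network_address} {wildcard(dst)}"
            lines.append(f"access-list {acl} {action} ip "
                         f"{src.network_address} {wildcard(src)} {dst_txt}")
        lines += [f"interface Vlan{vlan}", f" ip access-group {acl} in"]
        acls[vlan] = (acl, entries, lines)
    return acls


def render(acls: Dict[int, Tuple[int, List[Entry], List[str]]]) -> str:
    """Flatten the generated config into one pasteable block."""
    return "\n".join(line for _, _, lines in acls.values() for line in lines)


def matches(addr: ipaddress.IPv4Address, net: Optional[ipaddress.IPv4Network]) -> bool:
    """Wildcard-mask comparison as the switch does it: every bit that is 0 in the
    wildcard must be equal between the packet address and the ACL address."""
    if net is None:          # "any"
        return True
    care_bits = 0xFFFFFFFF ^ int(net.hostmask)
    return (int(addr) & care_bits) == (int(net.network_address) & care_bits)


def routed_between(acls: Dict[int, Tuple[int, List[Entry], List[str]]],
                   vlans: Dict[int, str], src_ip: str, dst_ip: str) -> bool:
    """Simulate a packet from src_ip to dst_ip against the inbound ACL on the
    source host's SVI.  Same-subnet traffic never reaches the SVI, so it is
    always allowed; a source outside the isolated VLANs is out of scope."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    nets = {v: ipaddress.ip_network(c) for v, c in vlans.items()}
    src_vlan = next((v for v, n in nets.items() if src in n), None)
    if src_vlan is None:
        raise ValueError(f"{src_ip} is not in an isolated VLAN")
    if dst in nets[src_vlan]:
        return True
    _, entries, _ = acls[src_vlan]
    for action, s, d in entries:
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    generated = build_acls(ISOLATED_VLANS)
    print(render(generated))
    print(routed_between(generated, ISOLATED_VLANS, "192.168.5.5", "192.168.5.130"))
    print(routed_between(generated, ISOLATED_VLANS, "192.168.5.5", "10.1.1.1"))
```

Two things worth checking on the real switch before calling this done. Inbound ACLs on the /27 SVIs only filter what the isolated hosts send; a host elsewhere in the hospital can still push one-way packets into a /27, and only the reply gets dropped. If that matters, add a matching ACL on the other SVIs or an outbound ACL on the /27 SVIs. And because same-subnet traffic never touches the SVI, nothing here isolates hosts from each other inside one /27; that is the VACL or private VLAN case Jon describes in his earlier reply.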
11-11-2010 07:18 AM
ppellettiere wrote:
We have a hospital network consisting of a class C of IP addresses per floor. We are running layer 3 to the access switches (3750s and 6500s). I recently cut up a separate class C network into /27 addresses and am using five of the /27 networks on different floors of the hospital. The problem now is I found that these networks, for security reasons, should not be able to see any other networks. They only need to see each other.
I am just looking for suggestions on the best and easiest way to do this. PVLANs, access lists, or anything else?
Not sure exactly what you mean.
If you mean the new /27 networks should only see themselves, i.e. a device in a /27 network should only be able to see other devices in the same /27 network, then simply don't create an L3 SVI for this VLAN on your switch. That way they cannot route to any other VLAN.
If you mean you want to restrict access between VLANs, then L3 ACLs applied to the VLAN interfaces is the way to go.
If you mean you want to restrict traffic within a VLAN, then VACLs (VLAN access-lists) are what you should use.
Could you clarify exactly what you want?
Jon
11-11-2010 07:23 AM
All the devices on all 5 /27 networks need to be able to see each other. They cannot
see any other networks.
11-11-2010 07:42 AM
WOW you went above and beyond ...Thank You.