1739 Views, 0 Helpful, 3 Replies

Which is the correct way to filter/block traffic between vlans?

martin.germano
Level 1

Hi all. My question is: Which is the correct way to filter/block traffic between VLANs?

I have more than 15 VLANs. I want to block traffic between them except 2 VLANs.

source vlan 3 deny destination vlan 4

#access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

and the opposite:

#access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

I have to do this for all VLANs, one by one. Is that right?

Thanks.

Accepted Solution

There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permit/denys based on ports. Because the switch-ACLs are not stateful you'll run into problems for the return-traffic if you would do that. And the return-traffic of course has to be allowed also.

Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.

For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter than with ACLs on the switch.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

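As an added example (not configuration from the thread or from the poster), here is one way to lay out the per-SVI ACLs the accepted answer describes on a Catalyst Layer 3 switch. The VLAN numbers, the 192.168.<vlan>.0/24 addressing (extended from the two subnets in the question), the ACL names, and the choice of VLAN 10 and VLAN 20 as the only pair allowed to exchange traffic are assumptions; every other VLAN is cut off from the rest of 192.168.0.0/16 but still reaches its own gateway and the default route.

```cisco
! Added example, not the thread's own config. Assumptions: Catalyst L3 switch,
! every VLAN subnet is 192.168.<vlan>.0/24 inside 192.168.0.0/16, and only
! VLAN 10 and VLAN 20 may talk to each other. VLAN 3 stands in for the ~15
! isolated VLANs; repeat its ACL with the subnet changed for each of them.

! --- Isolated VLAN (pattern for VLAN 3, 4, 5, ...) ---
! Same-subnet traffic is bridged at Layer 2 and never reaches this ACL.
ip access-list extended VLAN3-IN
 remark hosts must still reach their own gateway (the SVI address)
 permit ip 192.168.3.0 0.0.0.255 host 192.168.3.1
 remark block every other internal VLAN
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark anything not internal (default route / Internet) is allowed
 permit ip any any

! --- The two VLANs that may talk to each other ---
! Switch ACLs are stateless: a flow 10 -> 20 needs a permit on VLAN10-IN
! for the request AND a permit on VLAN20-IN for the reply, so the entry is
! mirrored. Keep it network-to-network; a port-specific entry such as
! "permit tcp ... eq 443" would also need a matching entry for the reply
! direction on the other SVI, which is the trap the answer warns about.
ip access-list extended VLAN10-IN
 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip any any

ip access-list extended VLAN20-IN
 permit ip 192.168.20.0 0.0.0.255 host 192.168.20.1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip any any

! --- Apply each ACL inbound on its own SVI ---
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group VLAN3-IN in
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
```

Because each ACL is applied inbound on its SVI, it only ever sees packets sourced from that VLAN, which is why every list can be written from one VLAN's point of view and why the 10/20 permit has to appear in both lists. After applying them, `show ip access-lists VLAN3-IN` shows per-entry match counters, the quickest way to confirm that the deny line is actually catching inter-VLAN attempts and that the gateway permit is not silently matching more than intended.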

3 Replies

johnlloyd_13
Level 9

Hi,

Layer 2 VLANs are isolated from each other by default. You'll need a router to perform inter-VLAN routing for the said 2 VLANs.


Sent from Cisco Technical Support iPhone App


Hi karsten, yes I only have a layer 3 switch (no firewall, and no router available). So, I think ACL-per-vlan is the best choice for me.

Thanks for reply.
