Cisco Support Community

Whitelisting Hosts for VLAN Access

Here is what I am trying to accomplish (simplified):

  • Three VLANs: VLAN 1, VLAN 100, and VLAN 101
  • VLAN 100 and 101 have sensitive material on them, VLAN 1 is not sensitive
  • VLAN 100 and VLAN 101 communications are trusted
  • VLAN 1 to VLAN 100 and VLAN 1 to VLAN 101 communications are largely blocked via ACLs. We are looking to allow select hosts to communicate with any devices on VLAN 100 and 101.
  • We have a Cisco 4900M that is serving as an L3 switch, serving as the exclusive router between these VLANs.

Before installing the 4900M between these VLANs (for performance reasons), this was done using a SonicWall router, which would allow selective forwarding of packets to the protected VLANs based upon source MAC addresses.

The traffic we care about is IP traffic, so using a VLAN map with MAC access-lists won't work (because that is not supported by the platform, at least as far as I can tell), as the MAC ACLs are only relevant for non-IP ethertypes. Through some pain, I have found this to in fact be the case.

For the time being, we have changed to using source IP addresses as the means to identify authorized clients, but this is obviously not very secure.

Given the capabilities of the 4900M (or lack thereof in this case), what are some of our options to achieve this?

A couple of ideas:

  1. Create a PACL that permits all inbound traffic from the whitelisted MAC addresses, and merge with a router ACL that blocks all access from VLAN 1 to the private nets. I would imagine this would have the net effect of allowing whitelisted MACs anywhere on the network (which is OK), but would prevent other hosts on VLAN 1 from getting in. This assumes that the PACL is able to make the switch ignore the whitelisted host's IP address; is that possible?
  2. Create a dedicated private VLAN that authorized hosts would be able to join.  In this case, the MAC address auth would have to happen at the edge switches.
  3. Similar to 2, but deploy 802.1x, which is not a simple task.

Any other suggestions or workarounds? Thanks!

- Matt
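The source-IP whitelist the post describes as its interim measure, written out as an added example (not the poster's or Cisco's own configuration) together with the edge-switch controls that address its main weakness: a router ACL on the VLAN 1 SVI admits only the listed sources to the protected subnets, and DHCP snooping plus IP Source Guard on the access ports ties each permitted address to the MAC and port that obtained it, so a host that simply assigns itself a whitelisted IP is dropped before it reaches the 4900M. All subnets, host addresses, MAC addresses and interface names are constructed for the example, and the exact IP Source Guard syntax varies by platform and IOS release, so treat those lines as an assumption to verify against the switch's own documentation.

```cisco
! Added example, not from the original post. Assumed addressing:
!   VLAN 1   = 10.1.0.0/24   (not sensitive)
!   VLAN 100 = 10.100.0.0/24, VLAN 101 = 10.101.0.0/24 (sensitive)
!   Whitelisted hosts on VLAN 1: 10.1.0.50 and 10.1.0.51 (constructed)
!
! 1) Router ACL on the 4900M, inbound on the VLAN 1 SVI: only the listed
!    sources may reach the protected subnets; other VLAN 1 hosts are denied
!    (and logged), while their remaining traffic is unaffected.
ip access-list extended VLAN1-TO-PROTECTED
 permit ip host 10.1.0.50 10.100.0.0 0.0.0.255
 permit ip host 10.1.0.50 10.101.0.0 0.0.0.255
 permit ip host 10.1.0.51 10.100.0.0 0.0.0.255
 permit ip host 10.1.0.51 10.101.0.0 0.0.0.255
 deny   ip any 10.100.0.0 0.0.0.255 log
 deny   ip any 10.101.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan1
 ip address 10.1.0.1 255.255.255.0
 ip access-group VLAN1-TO-PROTECTED in
!
! 2) Why the ACL alone is weak: any VLAN 1 host can self-assign 10.1.0.50.
!    On the edge switch, DHCP snooping records which MAC/port leased each
!    address and IP Source Guard drops packets whose source IP does not
!    match that binding. (Assumed edge-switch configuration; the
!    "ip verify source" form differs between Catalyst platforms.)
ip dhcp snooping
ip dhcp snooping vlan 1
!
interface GigabitEthernet1/1
 description uplink toward the 4900M and DHCP server - trusted
 ip dhcp snooping trust
!
interface range GigabitEthernet1/2 - 24
 description VLAN 1 access ports
 switchport mode access
 switchport access vlan 1
 ip verify source
!
! A whitelisted host with a static address needs an explicit binding so
! IP Source Guard accepts it (constructed MAC and port):
ip source binding 0011.2233.4455 vlan 1 10.1.0.50 interface GigabitEthernet1/2
```

The "log" keyword on the deny entries gives a record of which VLAN 1 hosts attempted to reach the protected subnets, which is useful for spotting both misconfigured clients and spoofing attempts.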
