Cisco Support Community

edw
New Member

Security on VLANs

Hi,

I have an interesting question. I have a Catalyst 6006 with an MSFC card. I run, say, 4 VLANs.

But I want to block VLANs 3 & 4 from the rest. What is the best and most secure way of doing it?

One way I have is on the router using:

ip access-list standard Test
 permit 10.1.3.0 0.0.0.255
 permit 10.1.4.0 0.0.0.255
 deny 10.0.0.0 0.255.255.255
 permit any

and then apply this to the two VLAN interfaces, 3 & 4:

 ip access-group Test in
 ip access-group Test out

The other way would be on the main switch.

#Block-Test
set security acl ip Block-Test deny ip 10.0.3.0 0.0.0.255 any
set security acl ip Block-Test deny ip 10.0.4.0 0.0.0.255 any
set security acl ip Block-Test permit ip any any

then apply it with:

set security acl map Block-Test 1-2

Which is the best way, and why?

Thanks for any help

Ed
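As an added example (this is not code from the post above, nor from Cisco), here is a small evaluator for the router-side list, written so the effect of applying the same standard ACL both "in" and "out" on the Vlan3 and Vlan4 SVIs can be checked against sample flows. It assumes, as the post implies for VLANs 3 and 4 but does not state for 1 and 2, that VLAN n is addressed 10.1.n.0/24; any other destination is treated as an unfiltered uplink, and the host addresses in the sample flows are constructed. The point it shows is that a standard ACL only ever matches the source address, so the inbound copy permits everything VLAN 3 and 4 send and all the blocking is done by the outbound copy: a packet from VLAN 3 to VLAN 1 is forwarded, and only the reply from VLAN 1 is dropped on its way back into Vlan3.

```python
"""Simulate first-match evaluation of the standard ACL 'Test' as applied
'in' and 'out' on interfaces Vlan3 and Vlan4.

Added example, not from the original post. Assumptions (labelled): VLAN n
is addressed 10.1.n.0/24 for n in 1..4, anything else leaves through an
unfiltered uplink, and the MSFC applies the inbound ACL of the ingress SVI
and then the outbound ACL of the egress SVI to routed packets.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    network: int   # IPv4 address as an integer
    wildcard: int  # Cisco wildcard mask: 1-bits are "don't care"


def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny <addr> [wildcard]' or 'permit|deny any'."""
    action, *rest = line.split()
    if rest[0] == "any":
        return Entry(action, 0, 0xFFFFFFFF)
    network = int(ipaddress.IPv4Address(rest[0]))
    wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return Entry(action, network, wildcard)


def entry_matches(entry: Entry, addr: str) -> bool:
    """Compare only the bits the wildcard marks as significant (0-bits)."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (entry.network & care)


def evaluate(acl, src: str) -> str:
    """First match wins. A standard ACL looks at the source address only and
    ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, src):
            return entry.action
    return "deny"


# The standard ACL exactly as posted.
TEST_ACL = [parse_entry(l) for l in (
    "permit 10.1.3.0 0.0.0.255",
    "permit 10.1.4.0 0.0.0.255",
    "deny 10.0.0.0 0.255.255.255",
    "permit any",
)]

# 'ip access-group Test in' and 'ip access-group Test out' on Vlan3 and Vlan4.
ACL_MAP = {3: (TEST_ACL, TEST_ACL), 4: (TEST_ACL, TEST_ACL)}

# Assumed addressing: VLAN n <-> 10.1.n.0/24. Anything else is the uplink.
ROUTES = {ipaddress.ip_network(f"10.1.{n}.0/24"): n for n in (1, 2, 3, 4)}


def vlan_for(addr: str):
    ip = ipaddress.IPv4Address(addr)
    return next((vlan for net, vlan in ROUTES.items() if ip in net), None)


def route_packet(src: str, dst: str) -> str:
    """Inbound ACL of the ingress SVI first, then outbound ACL of the egress SVI."""
    ingress, egress = vlan_for(src), vlan_for(dst)
    in_acl, _ = ACL_MAP.get(ingress, (None, None))
    if in_acl is not None and evaluate(in_acl, src) == "deny":
        return f"dropped by inbound ACL on Vlan{ingress}"
    _, out_acl = ACL_MAP.get(egress, (None, None))
    if out_acl is not None and evaluate(out_acl, src) == "deny":
        return f"dropped by outbound ACL on Vlan{egress}"
    return "forwarded"


# Constructed sample flows (not from the post): one host per VLAN plus an
# outside address, checked in both directions.
SAMPLE_FLOWS = [
    ("10.1.3.10", "10.1.1.10"),     # VLAN 3 -> VLAN 1
    ("10.1.1.10", "10.1.3.10"),     # VLAN 1 -> VLAN 3 (the reply direction)
    ("10.1.3.10", "10.1.4.10"),     # VLAN 3 -> VLAN 4
    ("10.1.2.10", "10.1.4.10"),     # VLAN 2 -> VLAN 4
    ("10.1.4.10", "198.51.100.7"),  # VLAN 4 -> outside
    ("198.51.100.7", "10.1.4.10"),  # outside -> VLAN 4
]


def flow_report() -> dict:
    return {flow: route_packet(*flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (src, dst), verdict in flow_report().items():
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

The same evaluator can be fed the switch-side entries, since as posted (`deny ip 10.0.3.0 0.0.0.255 any`) they also match on source only; note that the switch-side list uses 10.0.3.0 and 10.0.4.0 where the router-side list uses 10.1.3.0 and 10.1.4.0, so only one of them can match the real addressing. A VACL differs from a RACL in where it is applied: it filters every packet bridged within or routed into or out of the mapped VLAN, not just traffic crossing the SVI.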

2 REPLIES
Cisco Employee

Re: Security on VLANs

Preference of RACL or VACL depends on what you are trying to achieve. To isolate VLANs 3 & 4 from 1 & 2 you can use either. The advantage of the supervisor ACL is you can apply it per port if desired - for security this is a plus. Otherwise, they use the same TCAM storage space. If TCAM resources are a concern, you can monitor your application of the ACLs and see which (if any) takes less resources.

Here's a great URL on the subject:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/65acl_wp.htm

edw
New Member

Re: Security on VLANs

Okay, thanks - I'll have a read through this. But apart from resources, both ways work the same, i.e. they will both block out traffic from the other VLANs. It seems easier to use it on the router in that case?

Thanks

Ed
