Cisco Support Community

New Member

I need to create ACL to control access to 17 vlans

Hi,

We have created VLANs based on departments; each department has its own VLAN. As a result we have close to 17 VLANs, and this is in one site. We have 5 sites where all these VLANs exist but with different subnets. My question has two parts:

1. I need ideas on what to block and what to permit. For example: block all VLANs from accessing all VLANs except the server VLAN, block all VLANs from accessing the storage VLAN, allow internet traffic, and permit the management VLAN to access all VLANs in one direction.

2. Now I have to write access lists for each VLAN. Is there a way to ease the burden of creating 17*5 ACLs? For example, create a generic ACL and another specific one, but can I apply two access lists to one VLAN at the same time?
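The policy in part 1 and the "17*5 ACLs" problem in part 2, as an added example that is not part of this thread: a small generator that emits one Cisco IOS extended ACL per department VLAN per site from a single template. The addressing scheme (10.site.vlan.0/24), the VLAN numbers for servers, storage and management, and the choice to apply the ACL inbound on each department SVI are all assumptions made for the example.

```python
# Added example (not from the thread): generate Cisco IOS extended ACLs that
# implement the policy described in the question from one template, so the
# 17 x 5 lists do not have to be hand-written. Assumptions, all constructed:
# site N numbers its VLANs as 10.N.<vlan>.0/24, department VLANs are 10-26,
# servers are VLAN 100, storage VLAN 101, management VLAN 99, and each ACL is
# applied inbound on the department VLAN's SVI (traffic leaving that VLAN).
SITES = range(1, 6)                     # 5 sites
DEPARTMENT_VLANS = range(10, 27)        # 17 department VLANs
SERVER_VLAN, STORAGE_VLAN, MGMT_VLAN = 100, 101, 99
INTERNAL = "10.0.0.0 0.255.255.255"     # every site's address space (wildcard)

def subnet(site, vlan):
    """Constructed addressing, written in IOS address/wildcard form."""
    return f"10.{site}.{vlan}.0 0.0.0.255"

def department_acl(site, vlan):
    """One extended ACL for a department VLAN plus the SVI stanza that applies it.
    Order matters: specific permits first, one deny for all internal space,
    then 'permit any' so internet traffic still passes."""
    name = f"DEPT{vlan}-SITE{site}-IN"
    src = subnet(site, vlan)
    lines = [f"ip access-list extended {name}",
             f" remark department VLAN {vlan}, site {site}",
             # TCP replies to sessions the management VLAN opened (one-way access);
             # a stateless ACL needs this line because there is no session table
             f" permit tcp {src} {subnet(site, MGMT_VLAN)} established"]
    # servers at every site stay reachable; storage is logged and dropped
    lines += [f" permit ip {src} {subnet(s, SERVER_VLAN)}" for s in SITES]
    lines.append(f" deny   ip {src} {subnet(site, STORAGE_VLAN)} log")
    lines.append(f" deny   ip {src} {INTERNAL}")    # all other VLANs, all sites
    lines.append(f" permit ip {src} any")          # internet
    lines += ["!", f"interface Vlan{vlan}", f" ip access-group {name} in", "!"]
    return lines

def site_config(site):
    """Full per-site config: one ACL and SVI stanza per department VLAN."""
    out = []
    for vlan in DEPARTMENT_VLANS:
        out += department_acl(site, vlan)
    return "\n".join(out)

if __name__ == "__main__":
    print(site_config(1))
```

The management VLAN's own SVI gets no ACL here, and only TCP replies to management are allowed back, so ICMP from management would need its own permit line if you rely on ping.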

4 REPLIES
Super Bronze

I need to create ACL to control access to 17 vlans

Hi,

Are you using a Router or a Firewall?

I would have to say that with a router, managing ACLs is a pain. On a firewall it's a lot easier, mainly because you don't have to take into account the return traffic, which the firewall usually allows through automatically without an ACL statement because the device is stateful.

I guess there are routers that can be configured with firewall features that might make this easier, though I have not really configured routers that often, as for firewalling we use only actual firewall appliances.

- Jouni

I need to create ACL to control access to 17 vlans

First of all, 17 VLANs is too much. I don't think there's a real need for such segregation. Should all 17 departments have their traffic separated from each other? Yeah, there might be a couple of departments with some highly secure traffic, but the others can probably go in one VLAN. If not, then having 17 VLANs with an ACL on each is going to be a real pain to manage. But if it's already done, I may suggest using some ACLs to protect really valuable resources from those who shouldn't have access to them. For example, you definitely should have ACLs on your server VLAN and storage VLAN. You can apply ACLs on these VLANs in the outbound direction and be really granular in what you permit there and what is prohibited. Second, you can apply the same to your management VLAN, because it's the other one with great value. But do you really have to restrict access from department A to department B if they kind of "have no secrets from each other"? So my point is that your decision should be based on what you're really going to protect, not on the fact that you're trying to separate everything from everything just for fun. Because again, if you separate everything with highly granular rules (i.e. host 1 from dept. A should be allowed to host 1 from dept. B but not host 2 from dept. B, etc. for the other departments), this whole ruleset will be unmanageable. Things should be kept as simple as possible.

New Member

I need to create ACL to control access to 17 vlans


Hi,

First of all, sorry for the late reply, but I posted the question on the last day of the week, and during the weekend I had no access to the internet.

I know 17 VLANs is too much, but this is how I found it, so I can't change it now. I honestly don't find any requirement to block traffic from department A to dept. B except what my manager told me: that if one of the PCs in one department gets infected with a virus or worm, it won't spread to other departments.

thank you for your reply.

Cisco Employee

I need to create ACL to control access to 17 vlans

Hello Fayez,

First of all you need to know what you want to achieve based on your requirements. 17 VLANs is not so much; of course you can decrease this number, and this decision should be your own and should be based on network design and requirements. In your situation, you can use regular ACLs, VACLs, reflexive ACLs, private VLANs, even ZBF on routers (if any)...

But you need to have clear understanding what you want to achieve.

Thank you.
