VLAN security

torroba72 (Level 1)

Morning all,

 

I need some help with a configuration I've not had to deal with before.  I'm building out a new network that will have multiple customers on it with multiple VLAN's that will need to be secured from one another.  On my current network I don't have to worry about that so this will be all new to me.  I will need to restrict the traffic so that the VLAN's will not be able to get to one another but that my management network will only be able to do so.  

 

I have setup a test network with Packet Tracer and put ACL's on the VLAN's but when I do it kills the trunk on my layer 2 switch, HSRP and OSPF is blocked as well.  If I put in the ACL to allow OSPF that works but the trunk and HSRP is still affected, I've put in a permit for 224.0.0.2 for HSRP but still not working.

 

MY question is what do you all use to secure your VLAN's from one another? Is it VACL's or something different?

 

Thanks for the help!

Tim

Accepted Solution

louis0001 (Level 3)

We have multiple sites, each with 3 VLANs. DHCP is leased from the router at those sites.

We simply put an ACL in on each VLAN interface on the router to deny access to the other VLAN.

e.g.
Router has:

int vlan10
 description CORP
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 in

int vlan20
 description GUEST
 ip address 10.0.20.1 255.255.255.0
 ip access-group 120 in

! Extended ACLs (100-199) are required here: a standard ACL (1-99) matches on
! source address only and cannot take a protocol or a destination.
! The /24 subnets need a 0.0.0.255 wildcard, and the CORP rule must name the
! GUEST subnet (10.0.20.0) as its destination.
access-list 110 remark DENY ip traffic FROM CORP TO GUEST network
access-list 110 deny   ip 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 110 permit ip any any

access-list 120 remark DENY ip traffic FROM GUEST TO CORP network
access-list 120 deny   ip 10.0.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit ip any any

 

Works for us but there's probably better ways to do it.

 

View solution in original post

5 Replies

Hello.

A couple of solutions:

  1. ACL on L3 interfaces;
  2. ZBFW if router is your L3 device;
  3. ASA.

Hi,

 

Thanks for the quick reply.  All my VLAN's and VLAN interfaces will be on my 6500 and trunked to my access layer switches to the desktops.  So I'm supposing a ZBFW might be the best option on my 6500?

As far as I know 6500s don't support ZBFWs.

An alternative solution is to implement a separate VRF for each customer's VLANs.


Thanks Louis, I was working out that solution currently. I am doing it a little differently, where I only allow the subnet for that VLAN in while also allowing OSPF and HSRP as well. However, the HSRP portion will change if I do VSS. Thanks for all the information, guys!
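A worked configuration of the approach Tim describes in his last reply (an inbound ACL per customer SVI that admits only that VLAN's own subnet, keeps OSPF and HSRP working between the two 6500s, and lets only the management network reach into the customer VLANs). It also makes explicit the protocol permits that the earlier ACL 10/20 answer leaves implicit. This is an added example written for this page, not configuration from any of the posters; the VLAN numbers, the 192.168.0.0/16 customer range, the 10.255.0.0/24 management subnet and the ACL name CUST-A-IN are assumptions.

```ios
! Added example, not from the thread. Assumptions: customer VLANs are carved
! from 192.168.0.0/16 (VLAN 10 = 192.168.10.0/24), the management network is
! 10.255.0.0/24, and both 6500s run OSPF and HSRP on every customer SVI.
!
! An inbound ACL on an SVI filters everything arriving from that VLAN,
! including the OSPF and HSRP hellos sent by the peer 6500, so those must be
! permitted before any deny. OSPF is IP protocol 89 to 224.0.0.5/224.0.0.6;
! HSRP is UDP 1985 to 224.0.0.2 (version 1) or 224.0.0.102 (version 2).
ip access-list extended CUST-A-IN
 remark -- routing and redundancy traffic from the peer 6500 in this VLAN
 permit ospf 192.168.10.0 0.0.0.255 host 224.0.0.5
 permit ospf 192.168.10.0 0.0.0.255 host 224.0.0.6
 permit ospf 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit udp  192.168.10.0 0.0.0.255 host 224.0.0.2 eq 1985
 permit udp  192.168.10.0 0.0.0.255 host 224.0.0.102 eq 1985
 remark -- management may reach the customer; the customer may only answer.
 remark -- a stateless ACL cannot track sessions, so TCP 'established'
 remark -- (ACK or RST set) plus ICMP echo-reply is the closest approximation
 permit tcp  192.168.10.0 0.0.0.255 10.255.0.0 0.0.0.255 established
 permit icmp 192.168.10.0 0.0.0.255 10.255.0.0 0.0.0.255 echo-reply
 deny   ip   192.168.10.0 0.0.0.255 10.255.0.0 0.0.0.255 log
 remark -- one line covers every other customer VLAN because they share the /16
 deny   ip   192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark -- only this VLAN's own subnet may source traffic (anti-spoofing);
 remark -- anything else it sends (Internet, shared services) is allowed
 permit ip   192.168.10.0 0.0.0.255 any
 deny   ip   any any log
!
interface Vlan10
 description CUSTOMER-A
 ip address 192.168.10.2 255.255.255.0
 ip access-group CUST-A-IN in
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
```

The same ACL is cloned per customer VLAN with only the 192.168.10.0 entries changed. `show ip access-lists CUST-A-IN` shows a hit counter per entry, so a peer that fails to form an adjacency shows up as hits on the final `deny ip any any log` line rather than on the OSPF or HSRP permits; `show ip ospf neighbor` and `show standby brief` confirm the peer is still FULL and Active/Standby after the ACL is applied. Under VSS the two chassis become one switch with one SVI, so the `standby` lines and the HSRP permits go away, as Tim notes. Two caveats a router ACL does not address: hosts inside one VLAN still reach each other at layer 2 without touching the SVI (that is where VACLs or private VLANs apply), and the `established` check only inspects TCP flags, so a firewall or VRF separation is the stronger answer if customers must never be able to initiate anything toward management.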
