
VLAN security

Morning all,

 

I need some help with a configuration I've not had to deal with before. I'm building out a new network that will have multiple customers on it with multiple VLANs that will need to be secured from one another. On my current network I don't have to worry about that, so this will be all new to me. I will need to restrict the traffic so that the VLANs will not be able to get to one another, but so that only my management network will be able to do so.

 

I have set up a test network with Packet Tracer and put ACLs on the VLANs, but when I do it kills the trunk on my layer 2 switch; HSRP and OSPF are blocked as well. If I put in the ACL to allow OSPF that works, but the trunk and HSRP are still affected. I've put in a permit for 224.0.0.2 for HSRP but it's still not working.

 

My question is: what do you all use to secure your VLANs from one another? Is it VACLs or something different?

 

Thanks for the help!

Tim

  • WAN Routing and Switching
Accepted Solutions

We have multiple sites, each with 3 VLANs. DHCP is leased from the router at those sites.

We simply put an ACL in on each VLAN interface on the router to deny access to the other VLAN.

e.g.
Router has:

! Source-and-destination matching needs an extended ACL (numbers 100-199);
! the standard range 1-99 matches on source address only.
int vlan10
description CORP
ip address 192.168.10.1 255.255.255.0
ip access-group 110 in

int vlan20
description GUEST
ip address 10.0.20.1 255.255.255.0
ip access-group 120 in

! Wildcard 0.0.0.255 matches the /24 (0.0.255.255 would match the whole /16)
access-list 110 remark DENY ip traffic FROM CORP TO GUEST network
access-list 110 deny   ip 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 110 permit ip any any

access-list 120 remark DENY ip traffic FROM GUEST TO CORP network
access-list 120 deny   ip 10.0.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit ip any any

 

Works for us but there's probably better ways to do it.

 

5 REPLIES

Hello.

A couple of solutions:

  1. ACL on L3 interfaces;
  2. ZBFW if router is your L3 device;
  3. ASA.

Hi,

 

Thanks for the quick reply. All my VLANs and VLAN interfaces will be on my 6500 and trunked to my access layer switches to the desktops. So I'm supposing a ZBFW might be the best option on my 6500?

As far as I know 6500s don't support ZBFWs.

An alternative solution is to implement a separate VRF for each customer's VLANs.


Thanks Louis, I was working out that solution currently. I am doing it a little differently, where I only allow the subnet for that VLAN in while also allowing OSPF and HSRP. However, the HSRP portion will change if I do VSS. Thanks for all the information, guys!
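Putting Louis's per-SVI ACL and Tim's refinement (only the VLAN's own subnet in, plus OSPF and HSRP) together, as an added example that is not the configuration of anyone in this thread: a named extended ACL on one 6500 SVI, ordered so the peer 6500's OSPF and HSRP packets are permitted before the customer denies, with management reachability handled as return traffic only. It goes slightly beyond the thread by adding the anti-spoofing permit and the management return rules; the addresses, the 10.255.0.0/24 management subnet and the HSRP groups are assumed.

```cisco
! Constructed addressing for this example (not from the thread):
!   Vlan10  customer A  192.168.10.0/24  HSRP VIP .1, this 6500 .2, its peer .3
!   Vlan20  customer B  10.0.20.0/24
!   Vlan255 management  10.255.0.0/24    (assumed management network)
!
! IOS evaluates an ACL top-down and stops at the first match. The peer
! 6500's OSPF and HSRP packets arrive on this SVI and are subject to the
! inbound ACL, so their permits must sit above the customer denies.
ip access-list extended VLAN10-IN
 remark OSPF between the two 6500s: hellos to 224.0.0.5/.6, DR/BDR exchange is unicast
 permit ospf 192.168.10.0 0.0.0.255 host 224.0.0.5
 permit ospf 192.168.10.0 0.0.0.255 host 224.0.0.6
 permit ospf 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark HSRP hellos: v1 is UDP 1985 to 224.0.0.2, v2 is UDP 1985 to 224.0.0.102
 permit udp 192.168.10.0 0.0.0.255 host 224.0.0.2 eq 1985
 permit udp 192.168.10.0 0.0.0.255 host 224.0.0.102 eq 1985
 remark Management may open sessions into this VLAN; only replies may go back
 permit tcp 192.168.10.0 0.0.0.255 10.255.0.0 0.0.0.255 established
 permit icmp 192.168.10.0 0.0.0.255 10.255.0.0 0.0.0.255 echo-reply
 deny   ip 192.168.10.0 0.0.0.255 10.255.0.0 0.0.0.255
 remark No customer-to-customer traffic: one deny per other customer VLAN
 deny   ip 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 remark Only this VLAN's own subnet may source packets (drops spoofed sources)
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan10
 description customer A
 ip address 192.168.10.2 255.255.255.0
 ip access-group VLAN10-IN in
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
!
! The management SVI carries no inbound filter, so admins reach every customer VLAN.
interface Vlan255
 description management
 ip address 10.255.0.2 255.255.255.0
 standby 255 ip 10.255.0.1
```

After applying it, confirm the neighbours are still up with `show standby brief` and `show ip ospf neighbor`, and watch `show ip access-lists VLAN10-IN` for hit counts on the control-plane permits and on the final deny.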
