Firewall for restricting access between VLAN

Tommy Svensson
Level 1

Hi.

I am about to set up a network with about 20+ different VLANs and they are supposed to just access the Internet and not each other. Is this possible with a zone-based firewall? To put all the interfaces belonging to VLANs in one zone, allowing them to just access the Internet and not each other.

My questions are:

Is it possible, and what do I need to configure for this to work?

Regards Tommy Svensson

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, you can use Zone Based FW to restrict access; however, you do not want to put them into the same zone, because being in the same zone means they will be able to access each other.

If you don't want to have access between each zone, you will place them in different zones, and just create a policy and zone pair for each of the zones towards the outside.

Here is the configuration guide on ZBFW:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

But in general, here is what you have to configure:

1) Configure the access-list to match what you want to allow

2) Create class-map, to match on the access-list created in step 1

3) Create policy-map, with the action of inspect for the class created in step 2

4) Create zone member

5) Create zone-pair, with source zone being internal vlan, and destination zone being the outside/internet, and apply the policy-map to the zone-pair

6) Lastly place the zone under the vlan interface

Hope that helps.
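A worked IOS configuration following those six steps, added here as an example and not part of Jennifer's post. Only two of the 20+ VLANs are shown (repeat the per-VLAN block for each); the interface names, VLAN IDs, subnets and object names are assumptions.

```cisco
! Constructed example: two VLANs shown, each in its own security zone.
! Interface names, VLAN IDs and addresses are assumptions, not from the post.
! Step 1: access-lists matching the traffic each VLAN may send out
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.20.0 0.0.0.255 any
!
! Step 2: class-maps matching those access-lists
class-map type inspect match-all CM-VLAN10
 match access-group 110
class-map type inspect match-all CM-VLAN20
 match access-group 120
!
! Step 3: policy-maps that stateful-inspect the class (return traffic
! is allowed automatically); everything else in the pair is dropped
policy-map type inspect PM-VLAN10-OUT
 class type inspect CM-VLAN10
  inspect
 class class-default
  drop
policy-map type inspect PM-VLAN20-OUT
 class type inspect CM-VLAN20
  inspect
 class class-default
  drop
!
! Step 4: one zone per VLAN plus the outside zone
zone security OUTSIDE
zone security VLAN10
zone security VLAN20
!
! Step 5: zone-pairs only from each VLAN zone to OUTSIDE. There is
! deliberately no VLAN10<->VLAN20 pair: inter-zone traffic with no
! zone-pair is dropped by default, which gives the VLAN isolation.
zone-pair security VLAN10-TO-OUTSIDE source VLAN10 destination OUTSIDE
 service-policy type inspect PM-VLAN10-OUT
zone-pair security VLAN20-TO-OUTSIDE source VLAN20 destination OUTSIDE
 service-policy type inspect PM-VLAN20-OUT
!
! Step 6: assign interfaces to zones
interface GigabitEthernet0/0
 description Internet uplink
 zone-member security OUTSIDE
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security VLAN10
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security VLAN20
```

Verify with `show zone-pair security` that only VLAN-to-OUTSIDE pairs exist; a ping between hosts in VLAN 10 and VLAN 20 should fail while Internet access from both works.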


2 Replies


I'm using a Cisco 2911 router and want to restrict access between VLANs. Is zone based firewall the way to go, or am I missing something?

Regards Tommy Svensson
