Beginner

block access in same vlan

Hello all,

We have 3 vlans
vlan 10 - 192.168.1.0/24
vlan 30 - 192.168.2.0/24
vlan 40 - 192.168.3.0/24

There is one server in vlan 10, server1 (192.168.1.5), and it only needs to access server2 (192.168.1.9) on the https port, but its access to other clients in the same VLAN should be blocked.
Preferably the other clients (server1, server2, server3, server4) should not communicate with each other, but clients on different VLANs should not be blocked (they already have access via the firewall now).

How can I achieve this? VLAN access-map or access list or any other suggestion? Please send me a config example.

Thank you very much in advance.
Isac

Accepted Solution
VIP Advisor

Re: block access in same vlan

Hello
A VLAN access map would be applicable here:

Example:
access-list 101 permit tcp host 192.168.1.5 host 192.168.1.9 eq 443
access-list 101 permit tcp host 192.168.1.9 eq 443 host 192.168.1.5

access-list 102 permit ip host 192.168.1.5 host 192.168.1.9
access-list 102 permit ip host 192.168.1.9 host 192.168.1.5

vlan access-map srv2srv 10
match ip address 101
action forward

vlan access-map srv2srv 20
match ip address 102
action drop

vlan access-map srv2srv 99
vlan filter srv2srv vlan-list 10
kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
12 Replies
Rising star

Re: block access in same vlan
 - The only option in this case is to have local firewalling on the intended server

 M.

Participant

Re: block access in same vlan

You can use a VLAN access map: first you create an access list that classifies the traffic you want to block, and then the VLAN access map references this to determine if the traffic is allowed; remember to use permit.

SW1(config)#vlan access-map NAME 10
SW1(config-access-map)#match ip address CREATED-ACL
! CREATED-ACL is the name of the ACL you used to classify the traffic
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NAME 20
! this second entry allows all other communication to take place
SW1(config-access-map)#action forward

You then apply it with: vlan filter NAME vlan-list VLAN

Re: block access in same vlan

You can't make a layer 2 switch emulate a firewall or layer 3 packet filtering. I agree with marce1000 that your only option is to create a firewall at the server side.

Another option is segmentation through private vlan, see link https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html.  

VIP Mentor

Re: block access in same vlan

Hello,
a VACL should work. You need to draw out in detail who needs access to what, as your brief post does not contain enough information. So, best post a schematic drawing with IP addresses, and indicate which IP address needs access to which other IP addresses.

Beginner

Re: block access in same vlan

Thank you for your answers.

More info:

inside vlan 10: permit server1 (192.168.1.5) to server2 (192.168.1.9) on https (443) only

inside vlan 10: deny any other communication among clients

Clients on other VLANs coming via the firewall should not be affected, since they already have access.
VIP Mentor

Re: block access in same vlan

Hello,
not sure if you have already resolved this, but below is what I have come up with:
vlan access-map FILTER_10 10
match ip address 101
action forward
vlan access-map FILTER_10 20
match ip address 102
action drop
vlan access-map FILTER_10 30
action forward
!
vlan filter FILTER_10 vlan-list 10
!
access-list 101 permit tcp host 192.168.1.5 host 192.168.1.9 eq 443
access-list 101 permit tcp host 192.168.1.9 eq 443 host 192.168.1.5
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

VIP Advisor

Re: block access in same vlan

Hello

@Georg Pauwen 

Looks like your ACL 102, referenced by map sequence 20, will deny all traffic on that VLAN; it needs to be more specific (host to host).

Lastly, there is no need to specify action forward in the catch-all map 30, as the default action is to forward anyway.

kind regards
Paul

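To see what each of the two maps in this thread actually does to traffic, here is a small Python simulation added to this page; it is not from the thread and not Cisco code. It parses the IOS-style access-list and vlan access-map lines, applies the VACL evaluation rules Cisco documents (sequences are tried in order, a sequence without a match clause matches everything, the default action is forward, and an IP packet that matches no sequence is dropped when the map has a `match ip address` clause), and runs five constructed flows through Paul's host-to-host version and Georg's subnet-wide version. Assumed values: server3/server4 addresses 192.168.1.20 and .21 and a VLAN 30 client at 192.168.2.50, none of which the thread gives; the ACL 101 reply entry is written with `eq 443` on the source address, since 443 is the source port a reply from server2 carries.

```python
"""Offline simulation of Cisco VLAN access-map (VACL) evaluation, constructed for this
thread (not Cisco code). Per Cisco's VACL documentation: sequences are tried in order, a
sequence with no match clause matches everything, the default action is forward, and an
IP packet matching no sequence is dropped when the map has a 'match ip address' clause."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport")
Ace = namedtuple("Ace", "permit proto src dst sport dport")  # proto "ip" = any; port None = any

def ace_matches(a, f):
    return (a.proto in ("ip", f.proto)
            and ipaddress.ip_address(f.src) in a.src
            and ipaddress.ip_address(f.dst) in a.dst
            and a.sport in (None, f.sport) and a.dport in (None, f.dport))

def _addr(tokens):
    """Consume one IOS address spec: 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # IOS wildcard bits are the inverse of a netmask; convert before handing to ipaddress.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0))))
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)

def _port(tokens):
    """Consume an optional 'eq N' port qualifier."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_config(config, map_name):
    """Return ({acl number: [Ace]}, [sequence]) from IOS-style ACL and access-map lines."""
    acls, seqs = {}, []
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and len(t) >= 6:
            permit, proto, rest = t[2] == "permit", t[3], t[4:]
            src, sport, dst, dport = _addr(rest), _port(rest), _addr(rest), _port(rest)
            acls.setdefault(t[1], []).append(Ace(permit, proto, src, dst, sport, dport))
        elif t[:2] == ["vlan", "access-map"] and t[2:3] == [map_name]:
            seqs.append({"seq": int(t[3]), "acl": None, "action": "forward"})  # IOS defaults
        elif t[:3] == ["match", "ip", "address"] and seqs:
            seqs[-1]["acl"] = t[3]
        elif t[:1] == ["action"] and seqs:
            seqs[-1]["action"] = t[1]
    return acls, sorted(seqs, key=lambda s: s["seq"])

def vacl_decision(seqs, acls, f):
    for s in seqs:
        # A sequence without a match clause matches every packet; otherwise the first
        # ACE of its ACL that matches decides, and only a permit classifies the flow.
        hit = next((a.permit for a in acls.get(s["acl"], []) if ace_matches(a, f)), False)
        if s["acl"] is None or hit:
            return s["action"]
    return "drop" if any(s["acl"] for s in seqs) else "forward"

def evaluate(config, map_name):
    """Return {flow label: 'forward' | 'drop'} for every constructed test flow."""
    acls, seqs = parse_config(config, map_name)
    return {label: vacl_decision(seqs, acls, f) for label, f in FLOWS.items()}

# Shared HTTPS ACL. Reply packets from server2 carry 443 as the *source* port, so the
# second entry matches on the source; 'eq 443' on the destination would never match them.
ACL_101 = """
access-list 101 permit tcp host 192.168.1.5 host 192.168.1.9 eq 443
access-list 101 permit tcp host 192.168.1.9 eq 443 host 192.168.1.5
"""
# Paul's map: ACL 102 names only the two hosts; sequence 99 is a catch-all (forward).
PAUL = ACL_101 + """
access-list 102 permit ip host 192.168.1.5 host 192.168.1.9
access-list 102 permit ip host 192.168.1.9 host 192.168.1.5
vlan access-map srv2srv 10
 match ip address 101
 action forward
vlan access-map srv2srv 20
 match ip address 102
 action drop
vlan access-map srv2srv 99
"""
# Georg's map: ACL 102 covers the whole 192.168.1.0/24 subnet instead.
GEORG = ACL_101 + """
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
vlan access-map FILTER_10 10
 match ip address 101
 action forward
vlan access-map FILTER_10 20
 match ip address 102
 action drop
vlan access-map FILTER_10 30
 action forward
"""
# Constructed flows; server3/server4 (.20/.21) and the VLAN 30 client are assumed addresses.
FLOWS = {
    "server1->server2 https": Flow("192.168.1.5", "192.168.1.9", "tcp", 51000, 443),
    "server2->server1 https reply": Flow("192.168.1.9", "192.168.1.5", "tcp", 443, 51000),
    "server1->server2 ssh": Flow("192.168.1.5", "192.168.1.9", "tcp", 51001, 22),
    "server3->server4 smb": Flow("192.168.1.20", "192.168.1.21", "tcp", 51002, 445),
    "vlan30 client->server1 https": Flow("192.168.2.50", "192.168.1.5", "tcp", 51003, 443),
}
```

Calling `evaluate(PAUL, "srv2srv")` and `evaluate(GEORG, "FILTER_10")` shows both variants forwarding the HTTPS request and its reply, dropping SSH between server1 and server2, and leaving the VLAN 30 client untouched (its address is outside 192.168.1.0/24, so neither ACL 102 matches traffic that crosses the firewall). They differ only on server3 to server4: the host-to-host ACL 102 never classifies it, so the catch-all sequence forwards it, while the subnet-wide ACL 102 drops it. Which one fits depends on whether the requirement is the two-server pair alone or, as Isac's follow-up puts it, no other communication among the clients in VLAN 10.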
Rising star

Re: block access in same vlan

- Acknowledged, but be aware: it may become difficult to keep up in high-redundancy environments; suppose the server is connected to a dual-homed FEX behind a Nexus vPC pair with HSRP etc. Not applying the access list on all needed components may leave holes permitting access anyway. Better is to separate apps/servers and clients with intranet firewalling solutions.

 M.

VIP Advisor

Re: block access in same vlan

Hello

@marce1000 not so sure I understand why you would require FW rules - this will only be L2 traffic, not L3; it's only negating access between hosts WITHIN the same broadcast domain.

kind regards
Paul

Beginner

Re: block access in same vlan

Hello Paul,

Thank you for the solution, but we also want server1 to access server2 on https and block any other traffic among clients inside VLAN 10. Please see the diagram.

[attached diagram: vlanmap.PNG]

VIP Advisor

Re: block access in same vlan

Hello

I have edited the previous example, please review it.

kind regards
Paul
