Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8434
Views
15
Helpful
16
Replies

block access in same vlan

Go to solution
Izac ICT
Level 1
Level 1

‎04-17-2019 12:36 AM

Hello all,

We have 3 vlans
vlan 10 - 192.168.1.0/24
vlan 30 - 192.168.2.0/24
vlan 40 - 192.168.3.0/24

there is one server in vlan 10, server1 (192.168.1.5) and it only needs to access server2(192.168.1.9) on https port but its access to other clients on same vlan should be blocked.
Preferrably other clients(server1, server2,server3, server4) should not communicate to each other but clients on different VLANs should not be blocked (they already have access via firewall now)

How can I achive this? Vlan access-map or access list or any other suggestion? Please send me config example.

Thank you very much in advance.

 

Isac

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP

‎04-17-2019 01:32 AM - edited ‎04-17-2019 10:30 PM

Hello
Vlan access map would be applicable here:

Example:
access-list 101 permit tcp host 192.168.0.9 host 192.168.0.5 eq 443
access-list 101 permit tcp host 192.168.0.5 host 192.168.0.9 eq 443

access-list 102 permit ip host 192.168.1.5 host 192.168.1.9 
access-list 102 permit ip host 192.168.1.9 host 192.168.1.5

vlan acess-map srv2srv 10
match ip address 101
action forward

vlan access-map srv2srv 20
match ip address 102
action drop

vlan access-map srv2srv 99
vlan filter srv2srv vlan-list 10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

16 Replies 16

Go to solution
marce1000
VIP
VIP

‎04-17-2019 12:57 AM

 

 - The only option in this case is to have local firewalling on the intended server

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
shaps
Level 3
Level 3
In response to marce1000

‎04-17-2019 01:25 AM

You can use a vlan access map, fiest you create an access list that classifies the traffic you want to block, and then the vlan access map references this to determine if the traffic is allowed, remember to use permit.

vlan access-map NAME
SW1(config-access-map)#match ip address CREATED-ACL name of acl you used to classify the traffic
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NAME this allows all other communication to take place
SW1(config-access-map)#action forward

You then use vlan-filter NAME vlan-list VLAN
0 Helpful

Go to solution
joseph.h.nguyen
Level 1
Level 1

‎04-17-2019 01:29 AM - edited ‎04-17-2019 01:31 AM

You can't make layer 2 switch emulate like a firewall or layer 3 packet filtering.  I agree with marce1000 that your only option is to create a firewall at the server side.

Another option is segmentation through private vlan, see link https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html.  

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎04-17-2019 01:30 AM

Hello,

 

a VACL should work. You need to draw out in detail who needs access to what, as your brief post does not contain enough information. So, best post a schematic drawing with IP addresses, and indicate which IP address needs access to which other IP addresses.

0 Helpful

Go to solution
paul driver
VIP
VIP

‎04-17-2019 01:32 AM - edited ‎04-17-2019 10:30 PM

Hello
Vlan access map would be applicable here:

Example:
access-list 101 permit tcp host 192.168.0.9 host 192.168.0.5 eq 443
access-list 101 permit tcp host 192.168.0.5 host 192.168.0.9 eq 443

access-list 102 permit ip host 192.168.1.5 host 192.168.1.9 
access-list 102 permit ip host 192.168.1.9 host 192.168.1.5

vlan acess-map srv2srv 10
match ip address 101
action forward

vlan access-map srv2srv 20
match ip address 102
action drop

vlan access-map srv2srv 99
vlan filter srv2srv vlan-list 10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
Izac ICT
Level 1
Level 1
In response to paul driver

‎04-17-2019 02:22 AM

Thank you for your answers.

More info:

inside vlan 10 permit  server1 (192.168.1.5) https TO server2(192.168.1.9) only https(443)

inside vlan 10 deny any other communication among clients

Clients on other VLANs coming via firewall should not be affected since they have already access. 

 

Thank you.

 

 

 

 

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Izac ICT

‎04-17-2019 05:15 AM

Hello,

 

not sure if you have already resolved this, but below is what I have come up with:

 

vlan access-map FILTER_10 10
match ip address 101
action forward
vlan access-map FILTER_10 20
match ip address 102
action drop
vlan access-map FILTER_10 30
action forward
!
vlan filter FILTER_10 vlan-list 10
!
access-list 101 permit ip host 192.168.1.5 host 192.168.1.9 eq 443
access-list 101 permit ip host 192.168.1.9 host 192.168.1.5 eq 443
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Go to solution
paul driver
VIP
VIP
In response to Georg Pauwen

‎04-17-2019 06:05 AM

Hello

@Georg Pauwen 

Looks your acl 102 relating to map 20 will deny all traffic on that vlan it needs to be more specific( host-host)

 

lastly no need specifying action forward in the catch all map 30 as the default action is to forward anyway 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
marce1000
VIP
VIP
In response to paul driver

‎04-17-2019 02:57 AM

- Acknowledged but be aware : it may become difficult to keep up in high redundancy environments ; suppose the server is connected to a dual-homed fex behind a nexus vpc pair with hsrp etc... Not applying the access list on all needed components may need to cheese holes permitting access anyway. Better is to separate app/servers and clients with Intranet firewalling solutions.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
paul driver
VIP
VIP
In response to marce1000

‎04-17-2019 03:06 AM

Hello

@marce1000  not so sure i understand why would you require FW rules - this will only be L2 traffic not L3 , its only negating access between hosts WITHIN the same broadcast domain


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
Izac ICT
Level 1
Level 1
In response to paul driver

‎04-17-2019 04:52 AM

Hello Paul,

 

Thank you for the solution but we also want server1 to access to server2 on https and block any other traffic among clients inside VLAN10.  Please see the diagram.

vlanmap.PNG

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to Izac ICT

‎04-17-2019 06:16 AM

Hello

i have edited previous example please review it


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
parag_waghmare
Level 1
Level 1
In response to paul driver

‎06-02-2020 10:47 PM

Hi Paul,

 

I had one question in the same context.

If I want to block all communication between all hosts in the VLAN.

e.g. block east west.

but only allow north south from the hosts to internet or anywhere in the network.

How will I be able to achieve that.

Can you provide any config for that ?

Thanks.

 

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to parag_waghmare

‎06-03-2020 01:12 AM

Hello

@parag_waghmare wrote:

Hi Paul,

 

I had one question in the same context.

If I want to block all communication between all hosts in the VLAN.

e.g. block east west.

but only allow north south from the hosts to internet or anywhere in the network.

How will I be able to achieve that.

Can you provide any config for that ?

Thanks.

 

Ammend access-list 102 to encompass the whole of vlan 10
no access-list 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card