stop ping between vlans

Hi

I have a Cisco ASA 5512x and a Cisco 3750x (Layer 3). My question is how do I stop being able to ping between VLANs.

Best greetings from Christian Josiassen.

19 Replies

paul driver
VIP Expert

Hello

You apply access-lists on the L3 SVI VLAN interfaces of the switch to negate ICMP.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

What would that command look like?

Hello
Example:
Deny VLAN 10 (10.1.10.0/24) and VLAN 20 (10.1.20.0/24) from pinging each other.

! ACL 100: applied inbound on SVI 10, drops echo requests from VLAN 10 bound for VLAN 20
access-list 100 deny icmp any 10.1.20.0 0.0.0.255 echo
access-list 100 permit ip any any
int vlan 10
ip access-group 100 in

! ACL 101: applied inbound on SVI 20, drops echo requests from VLAN 20 bound for VLAN 10
access-list 101 deny icmp any 10.1.10.0 0.0.0.255 echo
access-list 101 permit ip any any
int vlan 20
ip access-group 101 in





Kind Regards
Paul

Georg Pauwen
VIP Master

Hello,

 

Are the VLANs configured on the ASA, the 3750, or both? The syntax for the ASA is different. Post the full running configs of both the ASA and the 3750, and indicate which VLANs you want to not be able to ping each other...

Hi 

VLAN 1, 10, 20, 30, 40, must not be able to ping each other

Hello


@ChristianSchmidtJosiassen wrote:

Hi 

VLAN 1, 10, 20, 30, 40, must not be able to ping each other


You have L3 addressing on the 3750 switch and the ASA; it looks like the ASA is set up to perform the inter-VLAN routing. If so, remove the L3 interfaces from the L3 switch and append the following on the ASA, which will negate inter-VLAN communication:

ASA
conf t
no same-security-traffic permit inter-interface



Kind Regards
Paul

You shouldn't be revealing your passwords on a public forum, unless this is a lab environment.

Hi 

So my VLANs can't have an IP assigned to them on the L3 switch?

Best greetings from Christian Josiassen

Hi there,

If you have more than one Layer 3 interface configured on the switch, you will provide the opportunity for adjacent devices to use the switch to route between those connected subnets. In this topology keep all of the Layer 3 on the ASA.

 

cheers,

Seb.

Hi

But if I remove the L3 interfaces from my L3 switch, then the DHCP pools on my L3 switch will not work.

Can you not migrate the DHCP pools onto the ASA? If there is some reason not to, then I suppose you could retain the DHCP on the switch and keep the SVIs per VLAN, but you should apply inbound ACLs on all of them to prevent inter-VLAN routing on the switch.

 

cheers,

Seb.

Hi

If I migrate the DHCP pools to the ASA, then the ASA would not be able to lease IP addresses to my Cisco 3504 WLC. So what would the inbound ACLs look like?

If I want to stop ping between VLAN 1 (192.168.1.0), VLAN 10 (192.168.10.0), VLAN 20 (192.168.20.0), VLAN 30 (192.168.30.0), VLAN 40 (192.168.40.0)

 

Best greetings from Christian Josiassen

paul driver
VIP Expert

Hello
You can deny inter-VLAN communication on the ASA just like you can on a L3 switch; it's just a different way of doing it.

Options include private VLANs or access-lists, or, if the interfaces are of the same security level, this single command would be applicable, but it will stop ALL communication between those interfaces:

no same-security-traffic permit inter-interface

 

However, using access-lists would be applicable in this case.

Example: deny VLAN 101 communication to/from VLAN 102
access-list 106 extended deny ip 10.1.102.0 255.255.255.0 any
access-list 106 extended deny ip any 10.1.102.0 255.255.255.0
access-list 106 extended permit ip any any

access-group 106 out interface vl101
access-group 106 in interface vl101



Kind Regards
Paul
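For the L3-switch variant Seb describes above (SVIs kept so DHCP keeps working, one inbound ACL per SVI), here is an added example that is not from the thread: it generates the five IOS ACLs for the subnets Christian listed and evaluates sample packets against them with IOS first-match semantics. The ACL numbers (100 to 104) and the choice to drop all ICMP rather than only echo are assumptions.

```python
import ipaddress

# Constructed from the thread: VLAN id -> subnet (the /24s the poster named).
VLAN_SUBNETS = {
    1: "192.168.1.0/24", 10: "192.168.10.0/24", 20: "192.168.20.0/24",
    30: "192.168.30.0/24", 40: "192.168.40.0/24",
}

def build_svi_acls(vlan_subnets=VLAN_SUBNETS, base=100):
    """Return {vlan: (acl_number, [config lines])}: one numbered ACL per SVI,
    applied inbound (traffic from that VLAN entering the switch). Each ACL
    drops ICMP to every *other* VLAN subnet and permits everything else, so
    DHCP, DNS and routing towards the ASA are untouched."""
    out = {}
    for i, (vid, cidr) in enumerate(sorted(vlan_subnets.items())):
        acl = base + i  # assumed numbering: 100, 101, ... in VLAN order
        lines = []
        for other, ocidr in sorted(vlan_subnets.items()):
            if other == vid:
                continue
            net = ipaddress.ip_network(ocidr)
            # IOS numbered ACLs take an inverse (wildcard) mask, not a prefix length
            lines.append(f"access-list {acl} deny icmp any "
                         f"{net.network_address} {net.hostmask}")
        lines.append(f"access-list {acl} permit ip any any")
        lines += [f"interface Vlan{vid}", f" ip access-group {acl} in"]
        out[vid] = (acl, lines)
    return out

def acl_permits(lines, proto, dst):
    """First-match evaluation of the ACL entries in `lines` (interface lines
    are skipped) for a packet of IP protocol `proto` to destination `dst`.
    Unmatched packets hit the implicit deny, exactly as on IOS."""
    dst_ip = ipaddress.ip_address(dst)
    for line in lines:
        parts = line.split()
        if parts[0] != "access-list":
            continue
        action, ace_proto, dst_spec = parts[2], parts[3], parts[5]
        if ace_proto not in ("ip", proto):
            continue  # this ACE does not cover the packet's protocol
        # ipaddress accepts the "network/hostmask" form used by IOS wildcards
        if dst_spec == "any" or dst_ip in ipaddress.ip_network(f"{dst_spec}/{parts[6]}"):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    for vid, (acl, lines) in build_svi_acls().items():
        print("\n".join(lines) + "\n")
```

Because each SVI drops ICMP towards the other four subnets inbound, neither echo requests nor replies cross VLANs, while non-ICMP traffic such as DHCP relay to the switch still passes.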

Hi

Thank you for the fast reply :)

Is this on the ASA or the L3 switch?

And if I want to stop traffic between more VLANs, then I just add another ACL rule to the VLAN?

 

Best greetings from Christian Josiassen
