12-28-2021 12:19 PM
Hi
I have a Cisco ASA 5512-X and a Cisco 3750-X (Layer 3). My question is: how do I stop being able to ping between VLANs?
Best greetings from Christian Josiassen.
12-28-2021 12:25 PM
Hello
You apply access lists on the L3 SVI VLAN interfaces of the switch to negate ICMP.
12-28-2021 01:10 PM
Hi
What would that command look like?
12-28-2021 02:54 PM - edited 12-28-2021 02:54 PM
Hello
Example:
Deny VLAN 10 (10.1.10.0/24) and VLAN 20 (10.1.20.0/24) from pinging each other:
! ACL 100, inbound on SVI 10: hosts in VLAN 10 may not send echo requests to VLAN 20
access-list 100 deny icmp any 10.1.20.0 0.0.0.255 echo
access-list 100 permit ip any any
int vlan 10
 ip access-group 100 in
! ACL 101, inbound on SVI 20: hosts in VLAN 20 may not send echo requests to VLAN 10
access-list 101 deny icmp any 10.1.10.0 0.0.0.255 echo
access-list 101 permit ip any any
int vlan 20
 ip access-group 101 in
12-28-2021 03:06 PM
Hello,
Are the VLANs configured on the ASA, the 3750, or both? The syntax for the ASA is different. Post the full running configs of both the ASA and the 3750, and indicate which VLANs you want to not be able to ping each other.
12-29-2021 02:13 PM - edited 01-08-2022 01:36 AM
01-06-2022 06:10 AM - edited 01-06-2022 06:11 AM
Hello
@ChristianSchmidtJosiassen wrote:
Hi
VLANs 1, 10, 20, 30 and 40 must not be able to ping each other.
You have L3 addressing on both the 3750 switch and the ASA. It looks like the ASA is set up to perform the inter-VLAN routing; if so, remove the L3 interfaces from the L3 switch and append the following on the ASA, which will negate inter-VLAN communication:
ASA
conf t
no same-security-traffic permit inter-interface
01-07-2022 06:00 AM
You shouldn't be revealing your passwords on a public forum, unless this is a lab environment.
01-08-2022 01:33 AM
Hi
So my VLANs can't have an IP assigned to them on the L3 switch?
Best greetings from Christian Josiassen
01-09-2022 12:26 PM
Hi there,
If you have more than one Layer 3 interface configured on the switch, you provide the opportunity for adjacent devices to use the switch to route between those connected subnets. In this topology, keep all of the Layer 3 on the ASA.
cheers,
Seb.
01-12-2022 12:54 AM
Hi
But if I remove the L3 interfaces from my L3 switch, then the DHCP pools on my L3 switch will not work.
01-12-2022 01:28 AM
Can you not migrate the DHCP pools onto the ASA? If there is some reason not to, then I suppose you could retain the DHCP on the switch and keep the SVIs per VLAN, but you should apply inbound ACLs on all of them to prevent inter-VLAN routing on the switch.
cheers,
Seb.
01-15-2022 11:53 AM - edited 01-15-2022 12:01 PM
Hi
If I migrate the DHCP pools to the ASA, then the ASA would not be able to lease IP addresses to my Cisco 3504 WLC. So what would the inbound ACLs look like?
If I want to stop ping between VLAN 1 (192.168.1.0), VLAN 10 (192.168.10.0), VLAN 20 (192.168.20.0), VLAN 30 (192.168.30.0) and VLAN 40 (192.168.40.0)?
Best greetings from Christian Josiassen
01-15-2022 12:37 PM - edited 01-15-2022 12:37 PM
Hello
You can deny inter-VLAN communication on the ASA just like you can on an L3 switch; it is just a different way of doing it.
Options include private VLANs or access lists, or, if the interfaces are of the same security level, this single command would be applicable, but it will stop ALL communication between those interfaces:
no same-security-traffic permit inter-interface
However, using access lists would be applicable in this case.
Example: deny VLAN 101 communication to/from VLAN 102:
access-list 106 extended deny ip 10.1.102.0 255.255.255.0 any
access-list 106 extended deny ip any 10.1.102.0 255.255.255.0
access-list 106 extended permit ip any any
access-group 106 out interface vl101
access-group 106 in interface vl101
01-15-2022 12:48 PM - edited 01-15-2022 01:03 PM
Hi
Thank you for the fast reply :)
Is this on the ASA or the L3 switch?
And if I want to stop traffic between more VLANs, do I just add another ACL rule to the VLAN?
Best greetings from Christian Josiassen
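The two ACL examples in this thread (the 3750 SVI ACLs for two VLANs and the ASA ACL for one interface pair) each cover a single pair. The last question asks how this scales to more VLANs, where every VLAN needs a deny for every other subnet and a wrong wildcard mask is the usual mistake. Below is an added example in Python, not code from any post above, that generates both forms for an arbitrary VLAN list. It uses the five subnets the original poster listed as constructed input (the /24 masks are an assumption; the post gave no masks), and the ASA interface names (nameif "vl<id>") are likewise an assumption for illustration.

```python
"""Generate per-VLAN ACLs that stop inter-VLAN traffic, for the 3750-X SVIs and for the ASA.

Added example, not code from the thread. Assumptions: all subnets are /24 and the
ASA interface for VLAN <id> is named vl<id>.
"""
import ipaddress

# Constructed sample input: the VLANs named in the thread, masks assumed /24.
VLANS = {
    1: "192.168.1.0/24",
    10: "192.168.10.0/24",
    20: "192.168.20.0/24",
    30: "192.168.30.0/24",
    40: "192.168.40.0/24",
}


def wildcard(cidr) -> str:
    """IOS ACLs take an inverse (wildcard) mask: 255.255.255.0 becomes 0.0.0.255."""
    return str(ipaddress.ip_network(cidr).hostmask)


def _match(block_all: bool) -> tuple:
    """Protocol keyword and trailing ICMP type: all IP, or only ICMP echo requests."""
    return ("ip", "") if block_all else ("icmp", " echo")


def ios_svi_acls(vlans: dict, base: int = 100, block_all: bool = False) -> list:
    """IOS: one numbered extended ACL per VLAN, applied inbound on that VLAN's SVI.

    Inbound on an SVI filters packets leaving the VLAN toward the switch's routing
    function, so denying every other VLAN's subnet there stops the switch from
    routing between VLANs, while the final permit keeps the default route to the
    ASA working. Numbered extended ACLs must stay within 100-199.
    """
    if base + len(vlans) - 1 > 199:
        raise ValueError("too many VLANs for numbered extended ACLs; use named ACLs")
    proto, icmp_type = _match(block_all)
    lines = []
    for i, (vid, _) in enumerate(sorted(vlans.items())):
        acl = base + i
        for other_vid, other_cidr in sorted(vlans.items()):
            if other_vid == vid:
                continue
            other = ipaddress.ip_network(other_cidr)
            lines.append(
                f"access-list {acl} deny {proto} any "
                f"{other.network_address} {wildcard(other)}{icmp_type}"
            )
        lines.append(f"access-list {acl} permit ip any any")
        lines.append(f"interface Vlan{vid}")
        lines.append(f" ip access-group {acl} in")
    return lines


def asa_acls(vlans: dict, nameif=lambda vid: f"vl{vid}", block_all: bool = False) -> list:
    """ASA: one named extended ACL per interface, applied inbound.

    ASA ACLs take a normal subnet mask. Because the ASA is stateful, an inbound
    deny on every interface is sufficient: the first packet of a cross-VLAN flow
    is dropped on its ingress interface, so no return traffic is ever created.
    """
    proto, icmp_type = _match(block_all)
    lines = []
    for vid, _ in sorted(vlans.items()):
        name = f"BLOCK-INTERVLAN-{nameif(vid)}"
        for other_vid, other_cidr in sorted(vlans.items()):
            if other_vid == vid:
                continue
            other = ipaddress.ip_network(other_cidr)
            lines.append(
                f"access-list {name} extended deny {proto} any "
                f"{other.network_address} {other.netmask}{icmp_type}"
            )
        lines.append(f"access-list {name} extended permit ip any any")
        lines.append(f"access-group {name} in interface {nameif(vid)}")
    return lines


if __name__ == "__main__":
    print("! --- 3750-X SVI ACLs (ICMP echo only) ---")
    print("\n".join(ios_svi_acls(VLANS)))
    print("! --- ASA ACLs (all IP between VLANs) ---")
    print("\n".join(asa_acls(VLANS, block_all=True)))
```

With block_all=False only echo requests are denied, which is exactly the question asked in the thread; set block_all=True to stop all routed traffic between the VLANs. Note that an SVI ACL never affects hosts inside the same VLAN, since that traffic is switched at Layer 2 and never reaches the SVI.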