Acl between VLANs

junaid haroon
Level 1
Hi, I am using a 3560 switch for inter-VLAN routing. I have the following VLANs: 192.168.10.0/24 (voice), 192.168.20.0/24 (admin), 192.168.30.0/24 (data center), 192.168.40.0/24 (HR). I want to implement an ACL so that no VLAN can access the HR VLAN, but the HR VLAN can access every VLAN. Please help me out.
8 Replies

maninthemirrow
Level 1
Use a VLAN access list; your switch supports it. The VACL works almost like a route-map, so with one statement it will all be solved.

Hi,

Can you please send me the ACL for this?

Hi,

VACL is mostly used for intra-VLAN filtering and for inter-VLAN filtering what is mostly used is a L3 ACL on the SVI.

Now the problem is that there is no stateful filtering on the 3750 switches so if you block access from any to HR it means you are also blocking replies to traffic initiated from HR.

It should then be helpful to know the traffic flows from HR to any so we can permit the replies in the ACLs we will apply on the other SVIs.


Regards


Alain

Don't forget to rate helpful posts.


Hi,

Yes, the HR VLAN can access every VLAN, but no other VLAN may access HR resources. I need the correct syntax for how I apply the ACL to the VLAN virtual interface.

Hi,

The HR VLAN is 192.168.40.0/24. Let me make it clearer for you: I want no one to be able to access HR PCs via Windows shared folders like d$ etc. and Remote Desktop.

Please make it clear what kind of traffic? Normally HR accesses the data center resources, nothing else. My objective is that no other VLAN can access HR PCs/printers.

Hello,

I agree with Alain. Even if the access list is configured, because it is applied using the filter command in global configuration mode, it will be difficult to filter with just the one ACL to meet this requirement. If you are using Active Directory you can do this using a GPO.

Hi,

I have AD. How can I do this with a GPO?

cadet alain
VIP Alumni

Hi,

If you don't tell us the traffic flows from HR to any, we can't tell you which ACE entries to configure to permit return traffic.

As I explained in my previous post, there is no statefulness with ACLs on Cisco 3750 switches (no reflexive ACLs) nor any stateful firewall feature.

Regards


Alain

Don't forget to rate helpful posts.
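Putting Alain's two points into a concrete configuration, as an added example that is not from any post in this thread: a single extended ACL applied outbound on the HR SVI, so the switch only needs one list, with the `established` keyword letting TCP replies to HR-initiated sessions through while new connections into HR from the other VLANs are dropped. The VLAN number 40, the gateway address, and the UDP/ICMP return entries (DNS answers from the data center, ping replies) are assumptions, because a stateless ACL cannot infer them and the thread never spelled those flows out.

```cisco
! Assumed (not stated in the thread): HR is VLAN 40 with gateway 192.168.40.1,
! and HR PCs use a DNS server in the data center VLAN 192.168.30.0/24.
ip access-list extended HR-INBOUND
 remark --- replies to TCP sessions that HR opened; 'established' only checks ACK/RST flags ---
 permit tcp any 192.168.40.0 0.0.0.255 established
 remark --- assumed non-TCP return traffic; one explicit line per known flow ---
 permit udp 192.168.30.0 0.0.0.255 eq domain 192.168.40.0 0.0.0.255
 permit icmp any 192.168.40.0 0.0.0.255 echo-reply
 remark --- everything else toward HR (SMB shares, RDP, new sessions) is dropped and logged ---
 deny   ip any 192.168.40.0 0.0.0.255 log
!
interface Vlan40
 description HR
 ip address 192.168.40.1 255.255.255.0
 ip access-group HR-INBOUND out
```

Traffic HR hosts originate enters the switch on Vlan40 and is never evaluated by this outbound list, so HR keeps reaching every VLAN; any HR-initiated UDP flow not listed here (NTP, for example) will have its replies dropped, which is exactly why Alain asked for the flows first.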