ACL on VLAN, gateway still reachable

perpaal
Level 1

Hi

I'm implementing ACLs on some of my VLANs which are routed on a 3650.

But have a small problem.

ACL:

10 permit 192.168.32.0, wildcard bits 0.0.0.255

20 deny   any

I put this on VLAN16, in and out.

As this VLAN should be isolated.

This works for all the hosts on the VLAN, they can no longer reach other VLANs, so that works.

But the gateway address 192.168.32.1, which is defined on the 3650 VLAN16, is still reachable from other VLANs.

I want it also to be unreachable.

How can I achieve this?


9 Replies

lgijssel
Level 9

Using access lists does not scale well because you would need an ACL on every other VLAN denying access to VLAN 16.

So using access lists is probably not the best approach here.

When you want to create a totally isolated vlan, make it a layer 2 vlan only.

This means:

conf t

int vlan 16

no ip address

shutdown

or:

conf t

no int vlan 16

Please be careful not to delete the vlan itself because this would render the vlan unusable.

regards,

Leo

Hi,

If you are trying to ping the gateway IP from other VLANs it will ping, as it is one of the interface IPs on the L3 device.

Consider the VLAN IP as one of the interface IPs; you can log in to the L3 router/switch with any one of the VLAN IPs on it.

Of course you have denied everything for VLAN 16, but still the VLAN IP will be pingable from other VLANs, just not the hosts on VLAN 16.

Please rate the helpful posts.
Regards,
Naidu.

Ok, thanks.

The thing is that sometimes VLAN16 will have another isolated VLAN17 which it should be able to reach.

But these two should not be able to reach anything else, and vice versa.

And I want the gateway IP not to reply from other VLANs.

Is this not possible without adding ACL to all other VLANs?

Hi,

This is not clear enough for us to help you.

Give us the VLAN 16 and 17 config and tell us exactly what you want: which networks VLAN 16 and 17 need to be allowed to reach and which not.

Please rate the helpful posts.

Regards,

Naidu.

There are loads of VLANs.

And I want some of them to be isolated.

And in some cases being able to reach other isolated VLANs, in this case VLAN16 and VLAN17. Therefore I still need them routed.

I achieve this through a simple ACL; the only thing now is that the gateway still replies from other VLANs.

And I want the gateway IP not to reply from other VLANs.

Is this not possible without adding ACL to all other VLANs?

Hi,

As I mentioned in my previous post....

If you are trying to ping the VLAN 16 IP (example: 10.10.16.1 - gateway) from other VLANs it will ping, however, as it is one of the interface IPs on the L3 device.

Consider a VLAN IP as one of the interface IPs; you can log in to the L3 router/switch with any one of the VLAN IPs on it.

Of course you have denied everything for VLAN 16, but still the VLAN IP will be pingable from other VLANs, just not the hosts on VLAN 16.

If you want to restrict pings to the gateway IP from other VLANs, you can add access lists like below...

Vlan16 - 10.10.16.1/24
Vlan17 - 10.10.17.1/24

ip access-list extended vlan16
 remark match only the gateway address: 'host' is wildcard 0.0.0.0 (10.10.17.1 0.0.0.255 would match the whole /24)
 deny ip any host 10.10.17.1
 permit ip any any

ip access-list extended vlan17
 deny ip any host 10.10.16.1
 permit ip any any

And yes, it is not possible without adding ACLs to the respective VLANs.

Please rate the helpful posts.
Regards,
Naidu.
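To make the point in the replies above concrete, here is an added example (written for this page; not Naidu's, Leo's or the original poster's configuration) of the ACL approach carried through. It uses the addresses from Naidu's post (VLAN16 gateway 10.10.16.1/24, VLAN17 gateway 10.10.17.1/24); Vlan20 and 10.10.20.0/24 are assumed as one of the "other" VLANs and the ACL names are assumed. The key detail is that the gateway address has to be denied on the SVIs of the other VLANs, because traffic destined to 10.10.16.1 never passes the outbound ACL on Vlan16; and the gateway is matched with the `host` keyword, since a wildcard of 0.0.0.255 on 10.10.16.1 silently matches the entire /24.

```cisco
! Added example, not from the thread. Addresses as in Naidu's post;
! Vlan20 / 10.10.20.0/24 and the ACL names are assumed.
!
! --- On every non-isolated SVI: keep it away from the isolated gateways ---
ip access-list extended PROTECT-ISOLATED-GW
 remark Drop anything aimed at the SVI addresses of the isolated VLANs
 remark 'host' = wildcard 0.0.0.0; '10.10.16.1 0.0.0.255' would match the whole /24
 deny   ip any host 10.10.16.1
 deny   ip any host 10.10.17.1
 remark Also keep other VLANs out of the isolated subnets themselves
 deny   ip any 10.10.16.0 0.0.0.255
 deny   ip any 10.10.17.0 0.0.0.255
 permit ip any any
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip access-group PROTECT-ISOLATED-GW in
!
! --- On the isolated SVIs: VLAN16 may talk to VLAN17 (and its own gateway), nothing else ---
ip access-list extended ISOLATED-VLAN16-IN
 permit ip 10.10.16.0 0.0.0.255 10.10.16.0 0.0.0.255
 permit ip 10.10.16.0 0.0.0.255 10.10.17.0 0.0.0.255
 deny   ip any any
!
ip access-list extended ISOLATED-VLAN17-IN
 permit ip 10.10.17.0 0.0.0.255 10.10.17.0 0.0.0.255
 permit ip 10.10.17.0 0.0.0.255 10.10.16.0 0.0.0.255
 deny   ip any any
!
interface Vlan16
 ip address 10.10.16.1 255.255.255.0
 ip access-group ISOLATED-VLAN16-IN in
!
interface Vlan17
 ip address 10.10.17.1 255.255.255.0
 ip access-group ISOLATED-VLAN17-IN in
!
! Verification: from a host in Vlan20, ping 10.10.16.1 should now time out,
! and the deny counters should increment:
!   show ip access-lists PROTECT-ISOLATED-GW
```

This still has the scaling problem Leo and Jon describe: PROTECT-ISOLATED-GW has to be applied (or merged into an existing ACL) on every SVI in the global routing table, and every new VLAN is a chance to forget it.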

If these vlans are completely isolated, i.e. they can only talk to each other, then you can use vrf-lite on your 3560, although you do need the IP Services image.

As the others have said, to stop the gateway responding to pings you would need to have acls on all vlan interfaces. However with vrf-lite you wouldn't need to. What you would do is create a vrf just for your isolated vlans. Place the vlan interfaces for these vlans into that vrf and then -

1) these vlans will only be able to talk to each other

and

2) no other vlans will be able to ping clients in those vlans and they won't be able to ping the L3 vlan interfaces either, which is what you are looking for.

It is a much more scalable solution than using acls on all the vlan interfaces. Attached is the 4500 vrf-lite config. I know you have a 3560 but the config is the same and the 4500 example is the only one I can ever find on CCO:

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/vrf.html

As I say though, you do need the IP Services feature set to run vrf-lite.

Jon
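As an added example of the VRF-lite design Jon describes (this is not the CCO configuration he links to, nor anything posted in the thread): the two isolated SVIs are moved into their own VRF, so the global routing table holds no route to their subnets or to their gateway addresses, and no per-VLAN ACL is needed. VLAN numbers come from the thread and the subnets from Naidu's post; the VRF name, the RD and Vlan20 are assumed.

```cisco
! Added example, not from the thread. VRF name, RD and Vlan20 are assumed.
ip routing
!
ip vrf ISOLATED
 rd 65000:16
!
! 'ip vrf forwarding' clears any address already on the interface,
! so the address is (re)configured after it.
interface Vlan16
 ip vrf forwarding ISOLATED
 ip address 10.10.16.1 255.255.255.0
!
interface Vlan17
 ip vrf forwarding ISOLATED
 ip address 10.10.17.1 255.255.255.0
!
! Vlan20 stays in the global table: it has no route to 10.10.16.0/24,
! 10.10.17.0/24 or the two SVI addresses, so neither hosts nor gateways
! answer from there, and no ACL is involved.
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Checks:
!   show ip vrf interfaces        -> Vlan16 and Vlan17 listed under ISOLATED
!   show ip route vrf ISOLATED    -> only the two connected subnets
!   show ip route 10.10.16.0      -> not in the global table
!   ping vrf ISOLATED 10.10.17.1  -> answers from inside the VRF
```

Anything that must later be shared with the isolated VLANs (a DHCP relay target, a management station) has to be leaked into the VRF deliberately, which is the property that makes this safer than maintaining ACLs on every other SVI.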

Thank you.

Just to add what Jon said,

VRF lite has been a supported feature for some time, starting with 12.2(25)SEC.

A few supported IOS images are listed below:

ADVANCED IP SERVICES c3560-advipservicesk9-mz.122-25.SEC2.bin

IP SERVICES c3560-ipservicesk9-mz.122-25.SEC2.bin

IP SERVICES W/O CRYPTO c3560-ipservices-mz.122-25.SEC2.bin

ADVANCED IP SERVICES c3560-advipservicesk9-mz.122-25.SEC1.bin

ADVANCED IP SERVICES c3560-advipservicesk9-mz.122-25.SEC.bin

IP SERVICES c3560-ipservicesk9-mz.122-25.SEC.bin

IP SERVICES W/O CRYPTO c3560-ipservices-mz.122-25.SEC.bin

and the 3560 configuration guide link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sec/configuration/guide/swiprout.html#wp1320198

Hope this helps.

Thanks,

Ricky Micky

Please rate this answer if you found this to be useful