08-04-2011 11:50 PM - edited 03-07-2019 01:33 AM
Hi
I'm implementing ACLs on some of my VLANs which are routed on a 3650, but I have a small problem.
ACL:
10 permit 192.168.32.0, wildcard bits 0.0.0.255
20 deny any
I put this on VLAN16, in and out, as this VLAN should be isolated.
This works for all the hosts on the VLAN: they can no longer reach other VLANs.
But the gateway address 192.168.32.1, which is defined on the 3650 for VLAN16, is still reachable from other VLANs.
I want it to be unreachable as well.
How can I achieve this?
08-05-2011 03:37 AM
If these VLANs are completely isolated, i.e. they can only talk to each other, then you can use vrf-lite on your 3560, although you do need the IP Services image.
As the others have said to stop the gateway responding to pings you would need to have acls on all vlan interfaces. However with vrf-lite you wouldn't need to. What you would do is create a vrf just for your isolated vlans. Place the vlan interfaces for these vlans into that vrf and then -
1) these vlans will only be able to talk to each other
and
2) no other vlans will be able to ping clients in those vlans and they won't be able to ping the L3 vlan interfaces either which is what you are looking for.
It is a much more scalable solution than using ACLs on all the VLAN interfaces. Attached is the 4500 vrf-lite config. I know you have a 3560, but the config is the same and the 4500 example is the only one I can ever find on CCO.
As I say though, you do need the IP Services feature set to run vrf-lite.
Jon
08-05-2011 12:48 AM
Using access lists does not scale well because you would need an ACL on every other VLAN denying access to VLAN 16.
So using access lists is probably not the best approach here.
When you want to create a totally isolated vlan, make it a layer 2 vlan only.
This means:
conf t
int vlan 16
no ip address
shutdown
or:
conf t
no int vlan 16
Please be careful not to delete the vlan itself because this would render the vlan unusable.
regards,
Leo
08-05-2011 12:52 AM
Hi,
If you are trying to ping the gateway IP from other VLANs, it will reply, as it is one of the interface IPs on the L3 device.
Consider the VLAN IP as one of the interface IPs: you can log in to the L3 router/switch using any of the VLAN IPs on it.
Of course you have denied everything for VLAN 16, but the VLAN IP will still be pingable from other VLANs, while the hosts on VLAN 16 will not.
Please rate the helpful posts.
Regards,
Naidu.
08-05-2011 12:54 AM
Ok, thanks.
The thing is that VLAN16 will have another isolated VLAN17 which it should be able to reach.
But these two should not be able to reach anything else, and vice versa.
And I want the gateway IP not to reply from other VLANs.
Is this not possible without adding an ACL to all other VLANs?
08-05-2011 12:58 AM
Hi,
This is not clear enough for us to help you.
Give us the VLAN 16 and 17 config and tell us exactly what you want: which networks VLAN 16 and 17 need to be allowed to reach, and which not.
Please rate the helpful posts.
Regards,
Naidu.
08-05-2011 01:09 AM
There are loads of VLANs.
And I want some of them to be isolated.
And in some cases being able to reach other isolated VLANs, in this case VLAN16 and VLAN17. Therefore I still need them routed.
I achieve this through a simple ACL; the only thing now is that the gateway still replies from other VLANs.
And I want the gateway IP not to reply from other VLANs.
Is this not possible without adding an ACL to all other VLANs?
08-05-2011 02:18 AM
Hi,
As I mentioned in my previous post:
If you are trying to ping the VLAN 16 IP (example: 10.10.16.1, the gateway) from other VLANs, it will reply, as it is one of the interface IPs on the L3 device.
Consider a VLAN IP as one of the interface IPs: you can log in to the L3 router/switch using any of the VLAN IPs on it.
Of course you have denied everything for VLAN 16, but the VLAN IP will still be pingable from other VLANs, while the hosts on VLAN 16 will not.
If you want to restrict pinging the gateway IP from other VLANs, you can add access lists like below:
Vlan16 - 10.10.16.1/24
Vlan17 - 10.10.17.1/24
ip access-list extended vlan16
deny ip any 10.10.17.1 0.0.0.255
ip access-list extended vlan17
deny ip any 10.10.16.1 0.0.0.255
And yes, it is not possible without adding an ACL to the respective VLANs.
Please rate the helpful posts.
Regards,
Naidu.
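To make the symptom and both remedies in this thread concrete, here is an added Python model (not from the thread, Cisco, or any poster) of how an L3 switch handles a packet: ingress SVI ACL, local delivery to its own SVI addresses, then a route lookup in the ingress VRF and the egress SVI's out ACL. VLAN16 uses the thread's 192.168.32.0/24; VLAN17 (192.168.33.0/24), VLAN20 (192.168.20.0/24) and the host addresses are assumed.

```python
from ipaddress import ip_address, ip_network

ANY = ("permit", "0.0.0.0/0", "0.0.0.0/0")

# Constructed topology: vlan -> (subnet, SVI/gateway address, vrf).
# VLAN17 and VLAN20 addressing is assumed; VLAN16 is from the thread.
def svis(isolated_vrf=False):
    vrf = "isolated" if isolated_vrf else "global"
    return {16: ("192.168.32.0/24", "192.168.32.1", vrf),
            17: ("192.168.33.0/24", "192.168.33.1", vrf),
            20: ("192.168.20.0/24", "192.168.20.1", "global")}

def acl_verdict(rules, src, dst):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for action, s, d in rules:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action
    return "deny"

def forward(topo, acls, ingress_vlan, src, dst):
    """Trace one packet. acls: vlan -> {"in": [...], "out": [...]},
    rule = (action, src_net, dst_net). Returns a verdict string."""
    if acl_verdict(acls.get(ingress_vlan, {}).get("in", [ANY]), src, dst) == "deny":
        return "dropped:in-acl"
    vrf = topo[ingress_vlan][2]
    # A packet addressed to one of the switch's own SVI addresses (in the
    # ingress VRF) is consumed by the switch: there is no egress interface,
    # so an 'out' ACL on VLAN16 never sees it. This is the OP's symptom.
    if any(dst == gw for net, gw, v in topo.values() if v == vrf):
        return "local"
    # Otherwise route inside the ingress VRF and apply the egress SVI's out ACL.
    for vlan, (net, gw, v) in topo.items():
        if v == vrf and ip_address(dst) in ip_network(net):
            if acl_verdict(acls.get(vlan, {}).get("out", [ANY]), src, dst) == "deny":
                return "dropped:out-acl"
            return f"delivered:vlan{vlan}"
    return "dropped:no-route"

# The OP's standard ACL on VLAN16, in and out: permit only sources in 192.168.32.0/24.
OP_ACL = [("permit", "192.168.32.0/24", "0.0.0.0/0"), ("deny", "0.0.0.0/0", "0.0.0.0/0")]
ACLS_OP = {16: {"in": OP_ACL, "out": OP_ACL}}
# Naidu's approach: an inbound deny on every other VLAN (here only VLAN20).
ACLS_NAIDU = {**ACLS_OP, 20: {"in": [("deny", "0.0.0.0/0", "192.168.32.0/24"), ANY]}}

def demo():
    return {"op_host":     forward(svis(), ACLS_OP, 20, "192.168.20.5", "192.168.32.10"),
            "op_gateway":  forward(svis(), ACLS_OP, 20, "192.168.20.5", "192.168.32.1"),
            "acl_gateway": forward(svis(), ACLS_NAIDU, 20, "192.168.20.5", "192.168.32.1"),
            "vrf_gateway": forward(svis(True), {}, 20, "192.168.20.5", "192.168.32.1"),
            "vrf_peer":    forward(svis(True), {}, 16, "192.168.32.10", "192.168.33.10")}
```

With the VRF variant, VLAN20 has no route to 192.168.32.0/24 at all, so neither hosts nor the VLAN16 SVI address are reachable, and no per-VLAN ACL is needed; VLAN16 and VLAN17 still reach each other inside the VRF.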
08-05-2011 03:43 AM
Thank you.
08-06-2011 02:07 AM
Just to add to what Jon said:
VRF lite has been a supported feature for some time, starting with 12.2(25)SEC.
A few supported IOS images are listed below:
ADVANCED IP SERVICES c3560-advipservicesk9-mz.122-25.SEC2.bin
IP SERVICES c3560-ipservicesk9-mz.122-25.SEC2.bin
IP SERVICES W/O CRYPTO c3560-ipservices-mz.122-25.SEC2.bin
ADVANCED IP SERVICES c3560-advipservicesk9-mz.122-25.SEC1.bin
ADVANCED IP SERVICES c3560-advipservicesk9-mz.122-25.SEC.bin
IP SERVICES c3560-ipservicesk9-mz.122-25.SEC.bin
IP SERVICES W/O CRYPTO c3560-ipservices-mz.122-25.SEC.bin
and the 3560 configuration guide link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sec/configuration/guide/swiprout.html#wp1320198
Hope this helps.
Thanks,
Ricky Micky
Please rate this answer if you found this to be useful