ACL (?) VLAN with isolated hosts

Hello,

I have the following scenario:

I have multiple Cisco Catalyst switches (2960-X).

Switches are connected with trunks, we have multiple VLANs configured.

An additional Layer 3 switch (core) is configured for routing between VLANs and security between VLANs (filtering etc.).

Now I want to add some kind of ACLs for a VLAN to control communication inside the VLAN (host to host).

Small example:

VLAN 1020 with 3 hosts:

Host A: 192.168.10.1/24
Host B: 192.168.10.2/24
Host C: 192.168.10.3/24

Host A should communicate with Host B and Host C.
But communication between Host B and Host C should not be possible (or only for specific IP ports).

The hosts are located at different switch ports on different switches, but all ports are members of the same VLAN.

I do not want to (cannot) change the IP for the hosts.
So I cannot create additional VLANs and use some kind of filtering at the Layer 3 switch.

Which possibilities do I have to configure this on Cisco Catalyst?
Is there a way to configure this without using specific switch ports?
So the policy/ACL will be used on every switch port in the VLAN on every switch in the network?
Is there a way to configure the ACL on a central device and "synchronize" the ACL on every switch which has the VLAN configured?

Maybe somebody can give me some tips?

Or is this only possible with Cisco ISE or something similar?

Thank you

Regards

3 Replies

Francesco Molino
VIP Alumni

Hi

Except those 3 hosts, all others should communicate together, right? Anyway, let's take that as an assumption.

With Cisco ISE, you will authenticate the host and can push a dACL on the port to filter the communication. Then, yes, you'll be able to do that.

Without Cisco ISE, you can also use a VACL on your default-gateway switch (L3 switch).

 

ip access-list extended 100
 ! In a VLAN map the permit entries of the matched ACL select the traffic
 ! the action is applied to, so this ACL must match only the
 ! Host B <-> Host C traffic that is to be dropped (both directions).
 10 permit ip host 192.168.10.2 host 192.168.10.3
 20 permit ip host 192.168.10.3 host 192.168.10.2

Then configure the VACL:

vlan access-map BLOCK 10
 match ip address 100
 action drop
vlan access-map BLOCK 20
 ! No match clause: forwards all remaining traffic. Needed because an IP
 ! packet that matches no entry of a map with IP match clauses is dropped.
 action forward

And apply it:

! The VLAN in the example is 1020, not 10.
vlan filter BLOCK vlan-list 1020

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

thank you for your reply.

If we use the VACL, will this be used by the underlying switches, which are connected (trunks) to the core switch?
Or only if traffic flows through the core switch?

So, for my example, if Host 2 and Host 3 are connected to underlying switches, not the core switch:
Will the VACL block traffic between the hosts?

Or do we have to add the VACL to every switch in the network?

Regards

Marc

Based on your first input I thought that hosts were split across switches. If they're on the same switch, then you'll need to define it on the switch itself and not only on the core.

However, if you have ISE, then based on authentication, it will be simpler to push an ACL dynamically to each host.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
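Putting the two replies together, the following is a complete VLAN-map configuration for the example in the question, written as an added illustration and not taken from the thread. It assumes Catalyst IOS syntax on a platform that supports VLAN maps (as the first reply assumes), takes TCP 443 as the "specific IP port" that Host B and Host C may still use (an arbitrary choice for this example), and uses the ACL and access-map names BC-ALLOWED, BC-ALL and ISOLATE-BC, which are made up here. It shows the three points that matter when writing a VACL: the permit entries of the matched ACL select the traffic the action applies to, map entries are evaluated in order with the first match winning, and a final entry with no match clause is needed to forward everything else.

```cisco
! Added example (not from the thread). ACL/map names and port 443 are assumptions.
! Host B <-> Host C traffic that stays allowed: TCP 443 from B to C, plus the
! return traffic from C's port 443 back to B. VLAN maps are stateless, so both
! directions have to be listed explicitly.
ip access-list extended BC-ALLOWED
 permit tcp host 192.168.10.2 host 192.168.10.3 eq 443
 permit tcp host 192.168.10.3 eq 443 host 192.168.10.2
!
! Everything else between Host B and Host C, both directions.
ip access-list extended BC-ALL
 permit ip host 192.168.10.2 host 192.168.10.3
 permit ip host 192.168.10.3 host 192.168.10.2
!
! The VLAN map. Entries are checked in sequence order; first match wins.
vlan access-map ISOLATE-BC 10
 match ip address BC-ALLOWED
 action forward
vlan access-map ISOLATE-BC 20
 match ip address BC-ALL
 action drop
vlan access-map ISOLATE-BC 30
 ! No match clause: Host A <-> B, Host A <-> C and all other hosts in the VLAN
 ! are forwarded. Without this entry, IP packets matching no entry are dropped.
 action forward
!
! Apply it to the VLAN from the question (1020).
vlan filter ISOLATE-BC vlan-list 1020
!
! Verify what was installed:
! show vlan access-map ISOLATE-BC
! show vlan filter
```

A VLAN map is enforced only by the switch that bridges the frames, so this has to be configured on every switch that carries VLAN 1020 and to which Host B or Host C can connect; traffic between two hosts on the same access switch never reaches the core. VTP distributes the VLAN database but not VLAN maps or ACLs, so there is no built-in synchronization of the kind the question asks for; a configuration-management tool or ISE with a dACL is what provides that. Note also that `match ip address` covers IP only: Host B and Host C will still be able to ARP for each other, because ARP is not IP, and a MAC ACL (`match mac address`) would be needed to block that too.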