04-08-2018 01:56 PM - last edited on 03-25-2019 04:47 PM by ciscomoderator
Hello,
I have the following scenario:
I have multiple Cisco Catalyst switches (2960-X).
Switches are connected with trunks; we have multiple VLANs configured.
An additional Layer 3 switch (core) is configured for routing between VLANs and security between VLANs (filtering etc.).
Now I want to add some kind of ACLs for a VLAN to control communication inside the VLAN (host to host).
Small example:
VLAN 1020 with 3 hosts:
Host A: 192.168.10.1/24
Host B: 192.168.10.2/24
Host C: 192.168.10.3/24
Host A should communicate with Host B and Host C.
But communication between Host B and Host C should not be possible (or only for specific IP ports).
The hosts are located at different switch ports on different switches, but all ports are members of the same VLAN.
I do not want to (cannot) change the IP for the hosts.
So I cannot create additional VLANs and use some kind of filtering at the Layer 3 switch.
Which possibilities do I have to configure this on Cisco Catalyst?
Is there a way to configure this without using specific switch ports?
So the policy/ACL will be used on every switch port in the VLAN on every switch in the network?
Is there a way to configure the ACL on a central device and "synchronize" the ACL to every switch which has the VLAN configured?
Maybe somebody can give me some tips?
Or is this only possible with Cisco ISE or something similar?
Thank you
Regards
04-08-2018 05:03 PM
Hi
Except for those 3 hosts, all others should communicate together, right? Anyway, let's take that as an assumption.
With Cisco ISE, you will authenticate the host and can push a dACL to the port to filter the communication. Then, yes, you'll be able to do that.
Without Cisco ISE, you can also use a VACL on your default-gateway switch (L3 switch).
ip access-list extended 100
 ! In a VLAN map the ACL only selects traffic: a permit entry means "this sequence
 ! matches", a deny entry means "not matched here, try the next sequence". So list
 ! only the flows you want dropped, in both directions (a VACL is stateless).
 10 permit ip host 192.168.10.2 host 192.168.10.3
 20 permit ip host 192.168.10.3 host 192.168.10.2
Then configure the VACL:
vlan access-map BLOCK 10
 action drop
 match ip address 100
vlan access-map BLOCK 20
 ! No match clause, so everything else in the VLAN is forwarded; without this final
 ! sequence the map's implicit deny would drop all other intra-VLAN traffic.
 action forward
And apply it to the VLAN in question:
vlan filter BLOCK vlan-list 1020
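As an added illustration (not part of the reply above, and not Cisco code), the Python below models how IOS evaluates a VLAN access-map: the ACL named in `match ip address` only selects packets, so the map's action applies to what the ACL permits, an ACL deny just hands the packet to the next sequence, a sequence without a match clause matches everything, and a packet matching no sequence hits the map's implicit drop. It runs two policies against the same flows: an inverted one that lists the allowed pairs plus `permit any any` and relies on deny entries to exclude B/C (a common mistake when the ACL is read as if it were applied to an interface), and the corrected one that permits only the B/C flows. Hosts A, B and C are the thread's addresses; host D (192.168.10.50) is a constructed extra host, and the `Ace`, `acl_lookup` and `vlan_map_decision` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One entry of an IP ACL (no protocol/port matching, for brevity)."""
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "any" or a CIDR prefix such as 192.168.10.2/32
    dst: str


def _matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def acl_lookup(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


def vlan_map_decision(access_map, acls, src, dst):
    """Evaluate a VLAN access-map for one packet.

    access_map: list of (sequence, action, acl_name_or_None), mirroring
    'vlan access-map NAME SEQ' / 'action ...' / 'match ip address ...'.
    A sequence matches only if its ACL permits the packet; an ACL deny means
    "not this sequence, try the next one". A sequence with no match clause
    matches everything. No match at all means the map's implicit drop.
    """
    for _seq, action, acl_name in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_lookup(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


A, B, C = "192.168.10.1", "192.168.10.2", "192.168.10.3"   # hosts from the thread
D = "192.168.10.50"                                         # constructed extra host


def host(ip):
    return ip + "/32"


# Inverted policy: permits the wanted pairs, denies B<->C, then 'permit any any'.
# Used with 'action drop' this drops exactly the traffic that should be allowed.
ACL_INVERTED = [
    Ace(10, "permit", host(A), host(B)), Ace(20, "permit", host(A), host(C)),
    Ace(30, "deny", host(B), host(C)), Ace(40, "deny", host(C), host(B)),
    Ace(50, "permit", "any", "any"),
]
MAP_INVERTED = [(10, "drop", "INV"), (20, "forward", None)]

# Corrected policy: the ACL names only the traffic to drop, both directions;
# the second sequence forwards everything else in the VLAN.
ACL_BLOCK_BC = [Ace(10, "permit", host(B), host(C)), Ace(20, "permit", host(C), host(B))]
MAP_CORRECTED = [(10, "drop", "BLOCK_BC"), (20, "forward", None)]

FLOWS = [(A, B), (B, A), (A, C), (B, C), (C, B), (D, A), (D, B)]


def decisions(access_map, acls):
    """Map every sample flow to the action the VLAN map would take."""
    return {(s, d): vlan_map_decision(access_map, acls, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for label, amap, acls in [("inverted", MAP_INVERTED, {"INV": ACL_INVERTED}),
                              ("corrected", MAP_CORRECTED, {"BLOCK_BC": ACL_BLOCK_BC})]:
        print(label)
        for (s, d), act in decisions(amap, acls).items():
            print(f"  {s:>14} -> {d:<14} {act}")
```

Running it shows the inverted map dropping A to B, A to C and even host D's traffic while forwarding B to C, and the corrected map dropping only the two B/C directions.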
04-08-2018 10:48 PM
Hello,
thank you for your reply.
If we use the VACL, will this be used by the underlying switches, which are connected (trunks) to the core switch?
Or only if traffic flows through the core switch?
So, for my example, if Host 2 and Host 3 are connected to underlying switches, not the core switch:
Will the VACL block traffic between the hosts?
Or do we have to add the VACL to every switch in the network?
Regards
Marc
04-09-2018 05:24 AM
Based on your first input I thought that hosts were split over switches. If they're on the same switch, then you'll need to define it on the switch itself and not only on the core.
However, if you have ISE, then based on authentication, it will be simpler to dynamically push an ACL to each host.
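Since a VACL is enforced only by the switch it is configured on, the practical follow-up to the question about "synchronizing" the policy is checking that every switch carrying the VLAN actually has the map applied, and applied safely. As an added example (not from the thread and not a Cisco tool), the Python below audits `show running-config` text from several switches for VLAN 1020 and the map name BLOCK: it flags a switch that carries the VLAN on an access or trunk port without a `vlan filter` for it, and a switch whose map lacks a final unconditional `action forward` (a VLAN map ends in an implicit drop, so that omission cuts all other traffic in the VLAN). The three config excerpts are constructed for the example and are not captures from real devices; the helper names are this example's own.

```python
import re

# Constructed excerpts in the shape of `show running-config` output (not real captures).
CONFIGS = {
    "core-l3": """\
vlan access-map BLOCK 10
 action drop
 match ip address BLOCK_BC
vlan access-map BLOCK 20
 action forward
vlan filter BLOCK vlan-list 1020
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,1020
""",
    "access-sw1": """\
interface GigabitEthernet1/0/5
 switchport access vlan 1020
interface GigabitEthernet1/0/48
 switchport mode trunk
""",
    "access-sw2": """\
vlan access-map BLOCK 10
 action drop
 match ip address BLOCK_BC
vlan filter BLOCK vlan-list 1000-1030
interface GigabitEthernet1/0/7
 switchport access vlan 1020
""",
}

NO_FILTER = "VLAN carried on a port but no 'vlan filter' applied to it"
NO_CATCHALL = "access-map has no final unconditional 'action forward' (implicit drop)"


def parse_vlan_list(spec):
    """Expand an IOS vlan-list such as '10,20,1000-1030' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def interface_blocks(config):
    """Group the indented lines under each 'interface' stanza."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = []
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks


def carries_vlan(config, vlan):
    """True if an access port sits in `vlan` or a trunk carries it.
    A trunk without 'switchport trunk allowed vlan' carries every VLAN (IOS default)."""
    for block in interface_blocks(config):
        trunk = "switchport mode trunk" in block
        allowed = None
        for line in block:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m and not trunk and int(m.group(1)) == vlan:
                return True
            m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
            if m:
                allowed = parse_vlan_list(m.group(1))
        if trunk and (allowed is None or vlan in allowed):
            return True
    return False


def filtered_vlans(config):
    """VLANs to which some 'vlan filter ... vlan-list ...' line applies a map."""
    vlans = set()
    for m in re.finditer(r"^vlan filter \S+ vlan-list (\S+)$", config, re.M):
        vlans |= parse_vlan_list(m.group(1))
    return vlans


def map_lacks_catchall(config, map_name):
    """True unless the map's highest sequence is an unconditional 'action forward'."""
    entries, current = [], None
    for line in config.splitlines():
        m = re.match(rf"vlan access-map {re.escape(map_name)} (\d+)$", line)
        if m:  # IOS default action for a sequence is forward
            current = {"seq": int(m.group(1)), "action": "forward", "match": False}
            entries.append(current)
        elif line.startswith(" ") and current is not None:
            body = line.split()
            if body[0] == "action":
                current["action"] = body[1]
            elif body[0] == "match":
                current["match"] = True
        else:
            current = None
    if not entries:
        return True
    last = max(entries, key=lambda e: e["seq"])
    return last["match"] or last["action"] != "forward"


def audit(configs, vlan, map_name):
    """Per switch, the list of policy-drift issues found for intra-VLAN filtering."""
    report = {}
    for name, cfg in configs.items():
        issues = []
        if carries_vlan(cfg, vlan):
            if vlan not in filtered_vlans(cfg):
                issues.append(NO_FILTER)
            elif map_lacks_catchall(cfg, map_name):
                issues.append(NO_CATCHALL)
        report[name] = issues
    return report


if __name__ == "__main__":
    for switch, issues in audit(CONFIGS, 1020, "BLOCK").items():
        print(switch, "OK" if not issues else "; ".join(issues))
```

In the constructed data the core is clean, access-sw1 carries VLAN 1020 with no VACL at all, and access-sw2 has the map applied but without the forwarding tail, which is the outage-causing variant rather than a policy gap. Feeding it real configs means collecting them yourself (for example with your existing config-backup tooling); the parser deliberately handles only the statements shown.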