06-30-2019 01:47 PM
Dear all,
I have one VLAN for users on Cisco 2960 switches (15 of them) connected to a Nexus 5000 core switch.
I need to block traffic on VLAN 48 between user computers, all TCP and UDP ports.
I tried the command switchport protected; it works OK but only locally on one switch, and unfortunately the Private VLAN feature is not available on our switches.
Is there any way to solve this?
Do you have any idea?
Thank you
07-01-2019 02:46 AM - edited 07-01-2019 02:49 AM
Hello
FYI - A routed ACL will not negate access between hosts within the same VLAN, so a VLAN access list as suggested by @Georg Pauwen would be applicable, but you need to allow access for these hosts to exit their own broadcast domain if need be.
The following example should be applicable:
! ACL 100: traffic between VLAN 48 hosts and their default gateway (172.16.48.254)
access-list 100 remark allow vlan48 hosts to default-gateway
access-list 100 permit ip 172.16.48.0 0.0.0.255 host 172.16.48.254
access-list 100 permit ip host 172.16.48.254 172.16.48.0 0.0.0.255
! ACL 101: any other traffic whose source and destination are both in 172.16.48.0/24
access-list 101 remark deny vlan48 hosts from communicating with each other
access-list 101 permit ip 172.16.48.0 0.0.0.255 172.16.48.0 0.0.0.255
!
! Sequence 10: host <-> gateway is forwarded
vlan access-map Vl48 10
 match ip address 100
 action forward
! Sequence 20: remaining intra-subnet traffic is dropped
vlan access-map Vl48 20
 match ip address 101
 action drop
! Sequence 99: no match clause, so everything else (traffic leaving the VLAN) is forwarded
vlan access-map Vl48 99
 action forward
!
vlan filter Vl48 vlan-list 48
07-01-2019 12:46 AM
Hi there,
Why not apply a Layer 3 ACL to every access switchport in VLAN 48?
Assuming the VLAN48 SVI was 192.168.48.254 /24 it would look like:
!
ip access-list extended BLOCK_LOCAL_V48
 permit ip 192.168.48.0 0.0.0.255 host 192.168.48.254
 deny ip 192.168.48.0 0.0.0.255 192.168.48.0 0.0.0.255
 permit ip any any
!
interface range gi0/1-24
 ip access-group BLOCK_LOCAL_V48 in
!
cheers,
Seb.
07-01-2019 01:13 AM
Hello,
I wonder if a VACL would work; you would have to apply it to each switch. In the example below, if your VLAN 10 has subnet 192.168.10.0/24, the VACL would deny all intra-VLAN traffic and allow everything else:
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
vlan access-map DENY_INTRA_VLAN 10
match ip address 100
action drop
vlan access-map DENY_INTRA_VLAN 20
action forward
!
vlan filter DENY_INTRA_VLAN vlan-list 10
07-01-2019 02:54 AM
@paul driver, I agree with your router ACL statement, but my suggestion is a port ACL implementation, which would provide the desired functionality. My current environment doesn't allow me to test it, but it is confirmed by the documentation:
cheers,
Seb.
07-01-2019 04:09 AM - edited 07-01-2019 04:16 AM
The idea is that the second statement in the VLAN access map allows everything that does not match intra-Vlan traffic.
I have run a little test in GNS3, with software switches running IOSvL2 15.2 images; I am not sure though whether it works on 'real' 2960 switches. Either way, the L2 switches are configured as below (make sure you create the Vlan 10 interface on each switch; it doesn't need an IP address). The ICMP line has been added for testing. Hosts in Vlan 10 cannot access each other, but access to outside networks is allowed.
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
vlan access-map DENY_INTRA_VLAN 10
match ip address 100
action drop
vlan access-map DENY_INTRA_VLAN 20
action forward
!
vlan filter DENY_INTRA_VLAN vlan-list 10
!
interface Vlan10
07-01-2019 04:30 AM
Thank you very much !!!
07-01-2019 07:06 AM
Hello,
out of curiosity, and since access to addresses outside the VLAN worked even without specifying the default gateway in the VACL, I did some more testing.
I found that you do NOT need to explicitly allow the default gateway in the VACL, the reason being that the destination IP address in these packets is not the default gateway address; it is that of the end device.
That explains why the VACL I originally posted works as well.
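To make the evaluation order visible, here is a small Python model of how an IOS VLAN access map decides on an IPv4 flow. It is an added, constructed example, not code from any of the posts above. It encodes the documented VACL semantics (Cisco wildcard masks; inside a VLAN map an ACL "permit" means the sequence matches while a "deny" or the implicit deny means "try the next sequence"; a sequence without a match clause matches everything; a packet that matches no sequence of a map containing IP match clauses is dropped) and replays both maps from the thread against constructed flows. The host addresses and the outside address 203.0.113.10 (an RFC 5737 documentation address) are assumptions for the demo. It shows why the gateway permit is not needed for traffic leaving the VLAN (the destination IP is already off-subnet), that the DENY_INTRA_VLAN map nevertheless drops IP traffic addressed to the SVI itself (for example a ping to the gateway), which the Vl48 map forwards, and what happens when the catch-all forward sequence is left out.

```python
"""Model how a Cisco IOS VLAN access map (VACL) evaluates IPv4 flows.

Constructed example illustrating the two VACLs from the thread; it is not
code from the forum posts. Semantics modelled (IPv4 `match ip address` only):
  - an ACE uses a Cisco wildcard mask (a 1 bit means "don't care");
  - inside a VACL, an ACL "permit" means "this sequence matches"; a "deny"
    or the ACL's implicit deny means "no match, try the next sequence";
  - a sequence with no match clause matches every packet;
  - if the map has IP match clauses and none matches, the packet is dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    wc = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | wc) == (int(IPv4Address(base)) | wc)


@dataclass
class Ace:
    """One `permit|deny ip <src> <src-wc> <dst> <dst-wc>` entry."""
    action: str            # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation with Cisco's implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


@dataclass
class MapEntry:
    """One `vlan access-map NAME <seq>` block."""
    seq: int
    action: str                       # "forward" or "drop"
    acl: Optional[List[Ace]] = None   # None = no match clause = match all


def vacl_verdict(vmap: List[MapEntry], src: str, dst: str) -> str:
    """Walk the map in sequence order; first matching sequence decides."""
    for entry in sorted(vmap, key=lambda e: e.seq):
        if entry.acl is None or acl_permits(entry.acl, src, dst):
            return entry.action
    return "drop"   # map has IP match clauses and nothing matched


HOST = "0.0.0.0"          # wildcard used by `host x.x.x.x`
SUBNET24 = "0.0.0.255"    # wildcard for a /24

# Map from the DENY_INTRA_VLAN post: drop intra-subnet, forward everything else.
ACL_100_V10 = [Ace("permit", "192.168.10.0", SUBNET24, "192.168.10.0", SUBNET24)]
DENY_INTRA_VLAN = [MapEntry(10, "drop", ACL_100_V10), MapEntry(20, "forward")]

# Map from the Vl48 post: forward host<->gateway, drop other intra-subnet, forward rest.
ACL_100_V48 = [
    Ace("permit", "172.16.48.0", SUBNET24, "172.16.48.254", HOST),
    Ace("permit", "172.16.48.254", HOST, "172.16.48.0", SUBNET24),
]
ACL_101_V48 = [Ace("permit", "172.16.48.0", SUBNET24, "172.16.48.0", SUBNET24)]
VL48 = [
    MapEntry(10, "forward", ACL_100_V48),
    MapEntry(20, "drop", ACL_101_V48),
    MapEntry(99, "forward"),
]


def demo() -> dict:
    """Constructed flows; 203.0.113.10 stands in for a host outside the VLAN."""
    return {
        "v10 host->host": vacl_verdict(DENY_INTRA_VLAN, "192.168.10.11", "192.168.10.12"),
        "v10 host->outside": vacl_verdict(DENY_INTRA_VLAN, "192.168.10.11", "203.0.113.10"),
        "v10 host->gateway ip": vacl_verdict(DENY_INTRA_VLAN, "192.168.10.11", "192.168.10.254"),
        "v48 host->host": vacl_verdict(VL48, "172.16.48.10", "172.16.48.20"),
        "v48 host->outside": vacl_verdict(VL48, "172.16.48.10", "203.0.113.10"),
        "v48 host->gateway ip": vacl_verdict(VL48, "172.16.48.10", "172.16.48.254"),
        # Same drop rule with the catch-all forward sequence removed:
        "v10 no catch-all, host->outside": vacl_verdict(DENY_INTRA_VLAN[:1], "192.168.10.11", "203.0.113.10"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:35s} {verdict}")
```

Two practical points fall out of the model. First, a map consisting only of a drop sequence drops off-VLAN traffic as well, because a packet that matches no sequence of a map with IP match clauses is discarded; the empty `forward` sequence is what keeps the VLAN usable. Second, `match ip address` clauses only evaluate IPv4, so frames of other types (ARP, which the hosts still need to reach the gateway, or IPv6 if it is enabled on the hosts) are not filtered by these maps; a `match mac address` clause would be needed to cover them.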