Hi everyone, I hope you're well.
I've been tasked with segregating a network for the first time and just wanted to make sure I was on the right track. I've attached the current configuration of the network. It's a Cisco 3850 4-switch stack with 4 VLANs.
From this, I want to achieve the following:
Create new VLANs below:
At the moment, there is no restriction as to which VLAN can access which. So I'm looking to introduce the below:
VLAN Users can only access VLAN Apps
VLAN Apps can only access VLAN Backend
VLAN IT can access all
What I'm looking for clarification on is: once I've created the new VLANs, would I be right in assuming I'd need to add ACLs on the switch to allow/deny the above? Could someone give me an example of what these access lists would look like?
Thanks in advance. Assistance would be much appreciated.
We are not sure which VLAN is for what.
interface Vlan3
 description Hampton-Server-VLAN
 ip address 10.79.106.243 255.255.255.0
 ip helper-address 10.10.2.220
!
interface Vlan4
 description Hampton-Client-VLAN
 ip address 10.79.140.1 255.255.252.0
 ip helper-address 10.79.240.2
!
interface Vlan6
 description Hampton-Remote-Server-VLAN
 ip address 10.79.99.1 255.255.255.0
Change the VLAN names as per User/IT/APP.
You can implement a VACL for the same, as in the example below (block access from VLAN 3 to VLAN 4):
interface Vlan3
 ip address 10.79.106.243 255.255.255.0
 ip helper-address 10.10.2.220
!
interface Vlan4
 ip address 10.79.140.1 255.255.252.0
 ip helper-address 10.79.240.2
!
! Source is the Vlan3 subnet (/24); destination is the Vlan4 subnet, which is a /22, so its wildcard is 0.0.3.255
access-list 101 permit ip 10.79.106.0 0.0.0.255 10.79.140.0 0.0.3.255
! Everything else
access-list 102 permit ip any any
!
! Sequence 10: packets permitted by ACL 101 are dropped; sequence 20: all remaining packets are forwarded
vlan access-map Block_VLAN3_2_VLAN4 10
 match ip address 101
 action drop
vlan access-map Block_VLAN3_2_VLAN4 20
 match ip address 102
 action forward
! Apply the map to VLAN 4 (it filters traffic bridged within, or routed into/out of, VLAN 4)
vlan filter Block_VLAN3_2_VLAN4 vlan-list 4
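To check what a VACL like the one above actually does before applying it, here is an added example (not from this thread or from Cisco) that evaluates IOS-style wildcard-mask access-list entries and walks the access-map sequences in order; the host addresses in the checks are constructed, and the subnets are the Vlan3 and Vlan4 ones shown above.

```python
"""Evaluate IOS wildcard ACL entries and a VACL access-map, first match wins."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_acl(text: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines ('any' allowed)."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        num, action, rest = parts[1], parts[2], parts[4:]
        src = ("0.0.0.0", "255.255.255.255") if rest[0] == "any" else (rest[0], rest[1])
        rest = rest[1:] if rest[0] == "any" else rest[2:]
        dst = ("0.0.0.0", "255.255.255.255") if rest[0] == "any" else (rest[0], rest[1])
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def acl_permits(entries, src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src_ip: str, dst_ip: str) -> str:
    """A sequence matches when its ACL *permits* the packet; the first matching
    sequence's action is taken. A packet matching no sequence is dropped."""
    for _seq, num, action in access_map:
        if acl_permits(acls.get(num, []), src_ip, dst_ip):
            return action
    return "drop"


# The VACL from the reply above, with the /22 wildcard for the Vlan4 subnet.
ACL_TEXT = """
access-list 101 permit ip 10.79.106.0 0.0.0.255 10.79.140.0 0.0.3.255
access-list 102 permit ip any any
"""
ACCESS_MAP = [(10, "101", "drop"), (20, "102", "forward")]


def check(src_ip: str, dst_ip: str, acl_text: str = ACL_TEXT) -> str:
    """Return 'drop' or 'forward' for one flow under the access-map."""
    return vacl_action(ACCESS_MAP, parse_acl(acl_text), src_ip, dst_ip)
```

Passing a variant with `0.0.0.255` as the destination wildcard shows why the mask matters: a host such as 10.79.141.20 sits inside the /22 but outside 10.79.140.0/24, so it would slip past the drop sequence.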
No, you don't need to disconnect anything. The stack is a single logical unit and all configuration is applied to the whole unit.
No need to do anything with the stack. Just write the commands and write it.
One last question. What does the 4 represent at the end of this line?
vlan filter Block_VLAN3_to_VLAN4 vlan-list 4
If I create a new vlan access map, do I use 4 or does it increment higher?
Thanks in advance
Here 4 represents VLAN number 4, meaning this ACL is applied on VLAN 4.
No issue. It is a community and we are here for learning and support.