Cisco 3850 Stack - VLAN segregation

BHconsultants88
Level 1

Hi everyone, I hope you're well.

 

I've been tasked with segregating a network for the first time and just wanted to make sure I was on the right track. I've attached the current configuration of the network. It's a Cisco 3850 4 switch stack with 4 vlans.

 

From this, I want to achieve the following:

Create the new VLANs below:

Users
Apps
Backend
IT

At the moment, there is no restriction as to which VLAN can access which. So I'm looking to introduce the below:

VLAN Users can only access VLAN Apps
VLAN Apps can only access VLAN Backend
VLAN IT can access all

 

What I'm looking for clarification on is once I've created the new vlans, would I be right in assuming I'd need to add ACLs on the switch to allow/deny the above. Could someone give me an example of what these access lists would look like?

 

Thanks in advance. Assistance would be much appreciated.

 

Regards

B

11 Replies

Mark Malone
VIP Alumni
Hi
Yes, the VLAN interface will require an ACL in the inbound and outbound direction, blocking or allowing subnets and protocols depending on what you require between the VLAN subnets.
This has come up a few times, and if you search "interface vlan access-lists" on the forum or Google you will see a few different posts showing examples that may assist you, like below:

https://community.cisco.com/t5/switching/access-lists-on-vlan-interfaces/td-p/1896027

https://community.cisco.com/t5/switching/creating-access-lists-in-multiple-vlan-interfaces/td-p/2776276
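As an added worked example (not from this thread, the linked posts, or Cisco documentation), here is what router ACLs on the SVIs could look like for the four new VLANs the original post asks about. The VLAN IDs (10, 20, 30, 40), their /24 subnets, and the reuse of the 10.79.240.2 DHCP relay from the existing client VLAN are assumptions for illustration; the thread never says how the new VLANs will be numbered or addressed. Each policy is enforced once, inbound on the SVI of the VLAN where the traffic originates, so no outbound ACLs are needed. The Apps and Backend VLANs are assumed to use static addressing, so only the Users VLAN carries a DHCP relay and the matching permit.

```ios
! Assumed VLAN IDs and subnets (illustration only, not from the thread):
!   VLAN 10 Users    10.79.10.0/24
!   VLAN 20 Apps     10.79.20.0/24
!   VLAN 30 Backend  10.79.30.0/24
!   VLAN 40 IT       10.79.40.0/24
!
! Each ACL is applied "in" on its own SVI, so it filters packets that hosts
! in that VLAN send towards the switch. Router ACLs are stateless: every ACL
! must also permit the replies to sessions that the other VLANs are allowed
! to open towards it. "established" matches TCP segments with ACK or RST
! set; UDP and ICMP replies need their own entries (echo-reply shown here).

ip access-list extended VLAN10-USERS-IN
 remark DHCP from clients to the relay configured with ip helper-address
 permit udp any eq bootpc any eq bootps
 remark Users may open sessions to Apps only
 permit ip 10.79.10.0 0.0.0.255 10.79.20.0 0.0.0.255
 remark Replies to sessions that IT opened towards Users
 permit tcp 10.79.10.0 0.0.0.255 10.79.40.0 0.0.0.255 established
 permit icmp 10.79.10.0 0.0.0.255 10.79.40.0 0.0.0.255 echo-reply
 deny ip any any
!
ip access-list extended VLAN20-APPS-IN
 remark Apps may open sessions to Backend only
 permit ip 10.79.20.0 0.0.0.255 10.79.30.0 0.0.0.255
 remark Replies to sessions that Users and IT opened towards Apps
 permit tcp 10.79.20.0 0.0.0.255 10.79.10.0 0.0.0.255 established
 permit icmp 10.79.20.0 0.0.0.255 10.79.10.0 0.0.0.255 echo-reply
 permit tcp 10.79.20.0 0.0.0.255 10.79.40.0 0.0.0.255 established
 permit icmp 10.79.20.0 0.0.0.255 10.79.40.0 0.0.0.255 echo-reply
 deny ip any any
!
ip access-list extended VLAN30-BACKEND-IN
 remark Backend opens nothing; only replies to Apps and IT
 permit tcp 10.79.30.0 0.0.0.255 10.79.20.0 0.0.0.255 established
 permit icmp 10.79.30.0 0.0.0.255 10.79.20.0 0.0.0.255 echo-reply
 permit tcp 10.79.30.0 0.0.0.255 10.79.40.0 0.0.0.255 established
 permit icmp 10.79.30.0 0.0.0.255 10.79.40.0 0.0.0.255 echo-reply
 deny ip any any
!
ip access-list extended VLAN40-IT-IN
 remark IT may reach everything
 permit ip any any
!
interface Vlan10
 description Users
 ip address 10.79.10.1 255.255.255.0
 ip helper-address 10.79.240.2
 ip access-group VLAN10-USERS-IN in
!
interface Vlan20
 description Apps
 ip address 10.79.20.1 255.255.255.0
 ip access-group VLAN20-APPS-IN in
!
interface Vlan30
 description Backend
 ip address 10.79.30.1 255.255.255.0
 ip access-group VLAN30-BACKEND-IN in
!
interface Vlan40
 description IT
 ip address 10.79.40.1 255.255.255.0
 ip access-group VLAN40-IT-IN in
```

Two practical caveats. First, `established` only checks TCP flag bits, so it is not a stateful filter: a host in Backend could still send ACK-flagged packets into Apps. If that matters, a firewall or zone-based policy is the right tool, not a router ACL. Second, `ip access-group` takes effect as soon as it is entered, so configure the ACL bodies first and apply them from the console or from a host in the IT VLAN (whose ACL permits everything) to avoid locking yourself out; adding `log` to the final `deny` helps while tuning, but on this platform logged ACL hits are punted to the CPU, so remove it once the policy is settled. The existing VLANs 3, 4 and 6 from the attached config remain unfiltered unless they are given ACLs of their own.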

Thanks very much those two links were really useful. Much appreciated.

Deepak Kumar
VIP Alumni

Hi,

We are not sure which VLAN is for what.

 

interface Vlan3
 description Hampton-Server-VLAN
 ip address 10.79.106.243 255.255.255.0
 ip helper-address 10.10.2.220
!
interface Vlan4
 description Hampton-Client-VLAN
 ip address 10.79.140.1 255.255.252.0
 ip helper-address 10.79.240.2
!
interface Vlan6
 description Hampton-Remote-Server-VLAN
 ip address 10.79.99.1 255.255.255.0

Change the VLAN names as per User/IT/APP.

 

You can implement a VACL for the same, as in the example below (block access from VLAN 3 to VLAN 4):

interface Vlan3
 description Hampton-Server-VLAN
 ip address 10.79.106.243 255.255.255.0
 ip helper-address 10.10.2.220
!
interface Vlan4
 description Hampton-Client-VLAN
 ip address 10.79.140.1 255.255.252.0
 ip helper-address 10.79.240.2
!
! Traffic from the VLAN 3 subnet (10.79.106.0/24) to the VLAN 4 subnet.
! VLAN 4 is a /22 (255.255.252.0), so its wildcard mask is 0.0.3.255.
access-list 101 permit ip 10.79.106.0 0.0.0.255 10.79.140.0 0.0.3.255
!
! Everything else
access-list 102 permit ip any any
!
vlan access-map Block_VLAN3_2_VLAN4 10
 match ip address 101
 action drop
vlan access-map Block_VLAN3_2_VLAN4 20
 match ip address 102
 action forward
!
vlan filter Block_VLAN3_2_VLAN4 vlan-list 4

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Brilliant, many thanks for this. One final question, would I need to disconnect the stack while I do this or is it ok just to work on the master and save when finished?

Thank you

You can configure it while the stack is formed, no need to disconnect.

BHconsultants88,

 

No, you don't need to disconnect anything. The stack is a single logical unit and all configuration is applied to the whole unit. 

Hi,

No need to do anything with the stack. Just write the commands and save them.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak

 

One last question. What does the 4 represent at the end of this line?

 

vlan filter Block_VLAN3_to_VLAN4 vlan-list 4

 

If I create a new vlan access map, do I use 4 or does it increment higher?

 

Thanks in advance

B

Hi,

Here, 4 represents VLAN number 4. It means this ACL is applied on VLAN 4.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Ah of course. Sorry for the silly question! Thank you

Hi,

No issue. It is a community and we are here for learning and support. 

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!