Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1648
Views
10
Helpful
11
Replies

Cisco 3850 Stack - VLAN segregation

BHconsultants88
Level 1
Level 1

‎04-02-2019 04:05 AM

Hi everyone, I hope you're well.

 

I've been tasked with segregating a network for the first time and just wanted to make sure I was on the right track. I've attached the current configuration of the network. It's a Cisco 3850 4 switch stack with 4 vlans.

 

From this, I want to achieve the following?

 

Create new VLANs below:

Users

Apps
Backend

IT

 

At the moment, there is no restriction as to which vlan can access which. So I'm looking to introduce the below:

 

VLAN Users can only access VLAN Apps
VLAN Apps can only access VLAN Backend
VLAN IT can access all

 

What I'm looking for clarification on is once I've created the new vlans, would I be right in assuming I'd need to add ACLs on the switch to allow/deny the above. Could someone give me an example of what these access lists would look like?

 

Thanks in advance. Assistance would be much appreciated.

 

Regards

B

Labels:
Preview file
20 KB
0 Helpful
11 Replies 11

Mark Malone
VIP Alumni
VIP Alumni

‎04-02-2019 04:09 AM

Hi
Yes the vlan interface will require an ACL in then inbound and outbound direction blocking or allowing subnets and protocols depending on what you require between the vlan subnets
this has come up a few times and if you search interface vlan access-lists on the forum or google you will see a few different posts showing examples that may assist you like belwo

https://community.cisco.com/t5/switching/access-lists-on-vlan-interfaces/td-p/1896027

https://community.cisco.com/t5/switching/creating-access-lists-in-multiple-vlan-interfaces/td-p/2776276

BHconsultants88
Level 1
Level 1
In response to Mark Malone

‎04-02-2019 05:22 AM

Thanks very much those two links were really useful. Much appreciated.
0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎04-02-2019 04:33 AM - edited ‎04-02-2019 04:37 AM

Hi,

We are not sure which VLAN is for what?

 

interface Vlan3
 description Hampton-Server-VLAN
 ip address 10.79.106.243 255.255.255.0
 ip helper-address 10.10.2.220
!
interface Vlan4
 description Hampton-Client-VLAN
 ip address 10.79.140.1 255.255.252.0
 ip helper-address 10.79.240.2
!
interface Vlan6
 description Hampton-Remote-Server-VLAN
 ip address 10.79.99.1 255.255.255.0

Change VLAN names are per User/IT/APP. 

 

You can implement the VACL for the same as below example: (Block Access from VLAN 3 to VLAN 4)

interface Vlan3
description Hampton-Server-VLAN
ip address 10.79.106.243 255.255.255.0
ip helper-address 10.10.2.220
!
interface Vlan4
description Hampton-Client-VLAN
ip address 10.79.140.1 255.255.252.0
ip helper-address 10.79.240.2
!
!
access-list 101 permit ip 10.79.106.0 0.0.0.255 10.79.140.1.0 0.0.0.255 
!
access-list 102 permit ip any any 
!
vlan access-map Block_VLAN3_2_VLAN4 10
 match ip address 101
 action drop
vlan access-map Block_VLAN3_2_VLAN4 20
 match ip address 102
 action forward

vlan filter Block_VLAN3_2_VLAN4 vlan-list 4

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

BHconsultants88
Level 1
Level 1
In response to Deepak Kumar

‎04-02-2019 05:24 AM

Brilliant, many thanks for this. One final question, would I need to disconnect the stack while I do this or is it ok just to work on the master and save when finished?

Thank you
0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to BHconsultants88

‎04-02-2019 05:55 AM

you can configure in when its in the stack formed , no need to disconnect
0 Helpful

Sergey Lisitsin
VIP Alumni
VIP Alumni
In response to BHconsultants88

‎04-02-2019 05:57 AM

BHconsultants88,

 

No, you don't need to disconnect anything. The stack is a single logical unit and all configuration is applied to the whole unit. 

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to BHconsultants88

‎04-02-2019 06:13 AM

Hi,

No need to do anything with the stack. Just write the commands and write it.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

BHconsultants88
Level 1
Level 1
In response to Deepak Kumar

‎04-02-2019 08:28 AM

Hi Deepak

 

One last question. What does the 4 represent at the end of this line?

 

vlan filter Block_VLAN3_to_VLAN4 vlan-list 4

 

If I create a new vlan access map, do I use 4 or does it increment higher?

 

Thanks in advance

B

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to BHconsultants88

‎04-02-2019 09:02 AM

Hi,

here 4 is present to VLAN number 4. Means this ACL is applied on VLAN 4. 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

BHconsultants88
Level 1
Level 1
In response to Deepak Kumar

‎04-02-2019 09:03 AM

Ah of course. Sorry for the silly question! Thank you

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to BHconsultants88

‎04-02-2019 09:08 AM

Hi,

No issue. It is a community and we are here for learning and support. 

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card