Help with VLAN ACL
10-28-2011 09:51 AM - edited 03-07-2019 03:06 AM
I need to secure a VLAN (33) from the rest of my network. Devices in VLAN 33 only need to communicate with a particular server/site on the Internet.
Currently I have the following 4 VLANs setup.
interface Vlan32
description inside firewall
ip address 10.4.32.1
interface Vlan33
description lockdown VLAN
ip address 10.4.33.1 255.255.255.0
interface Vlan34
description open staff
ip address 10.4.34.1 255.255.255.0
interface Vlan35
description open VLAN
ip address 10.4.35.1 255.255.255.0
I want to block every VLAN from being able to access VLAN 33
VLAN 33 needs to be able to route traffic to the inside FW interface (10.4.32.1). It has a natted address out to the Internet.
The only traffic that needs to come into VLAN 33 is return traffic from the outside.
Can you help me setup the correct ACL?
Labels: LAN Switching
10-28-2011 11:04 AM
There is the lazy way and the more specific way!
access-list 101 permit ip 10.4.33.0 0.0.0.255 host x.x.x.x <-- where x.x.x.x is the host on the internet
int vlan 33
ip access-group 101 in
If you just do the above, then vlan 33 clients can only talk to that one host, so they cannot talk to any other vlans. However, this doesn't stop packets being sent from the other vlans to vlan 33. What it does do is stop the return packets, so a TCP connection cannot be set up, but a UDP message could still be sent into vlan 33.
If you also want to tie it down more, you still need the above, but then you need to use an acl to block access to vlan 33 from each of the other subnets, i.e.
access-list 102 deny ip 10.4.32.0 0.0.0.255 10.4.33.0 0.0.0.255
access-list 102 permit ip any any
int vlan 32
ip access-group 102 in
etc., for each vlan. If you want to use just one acl instead of one per vlan, then you can simply use acl 102, include lines for each vlan, and then apply the same acl to each vlan interface.
Jon
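As an added illustration of the two steps in the answer above (not code from the thread), the following Python models how IOS evaluates these inbound ACLs: wildcard-mask matching, first match wins, and the implicit deny at the end. It assumes 203.0.113.10 as a stand-in for x.x.x.x, models only source/destination addresses (no ports or connection state), and builds the single consolidated acl 102 the answer describes, one deny line per other vlan plus a final permit.

```python
import ipaddress

# Added example: a small model of how IOS evaluates a list of
# "access-list N permit|deny ip SRC WC DST WC" entries applied "in" on an SVI.
# Only the source/destination match is modelled; ports and state are not.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard bits: 0 = must match, 1 = don't care (inverse of a subnet mask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (s_net, s_wc), (d_net, d_wc) in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
def host(a: str): return (a, "0.0.0.0")            # "host x.x.x.x" == wildcard 0.0.0.0
VLAN = {n: (f"10.4.{n}.0", "0.0.0.255") for n in (32, 33, 34, 35)}
INTERNET_HOST = "203.0.113.10"   # assumed stand-in for x.x.x.x (TEST-NET-3 address)

# access-list 101: what vlan 33 hosts may send (applied "in" on int vlan 33)
ACL_101 = [("permit", VLAN[33], host(INTERNET_HOST))]

# access-list 102: one deny line per other vlan, then "permit ip any any" so the
# implicit deny does not also drop the firewall's return traffic entering on vlan 32.
ACL_102 = [("deny", VLAN[n], VLAN[33]) for n in (32, 34, 35)] + [("permit", ANY, ANY)]

def decide(inbound_acls: dict, vlan: int, src: str, dst: str) -> str:
    """Decision for a packet entering the switch on the given SVI; no ACL means permit."""
    acl = inbound_acls.get(vlan)
    return "permit" if acl is None else evaluate(acl, src, dst)

STEP1 = {33: ACL_101}                                   # the "lazy" way
STEP2 = {33: ACL_101, 32: ACL_102, 34: ACL_102, 35: ACL_102}  # acl 102 on every other SVI

if __name__ == "__main__":
    for label, acls in (("step1", STEP1), ("step2", STEP2)):
        print(label, "vlan33->internet:", decide(acls, 33, "10.4.33.5", INTERNET_HOST))
        print(label, "vlan33->vlan34:  ", decide(acls, 33, "10.4.33.5", "10.4.34.5"))
        print(label, "vlan34->vlan33:  ", decide(acls, 34, "10.4.34.5", "10.4.33.5"))
        print(label, "vlan34->firewall:", decide(acls, 34, "10.4.34.5", "10.4.32.1"))
```

With STEP1 alone, a packet from vlan 34 to vlan 33 is still permitted (only the reply is dropped by acl 101), which is the UDP gap the answer points out; STEP2 closes it while leaving vlan 34 to firewall traffic untouched.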
