Help with VLAN ACL

oneirishpollack
Level 1

I need to secure a VLAN (33) from the rest of my network. Devices in VLAN 33 only need to communicate with a particular server/site on the Internet.

Currently I have the following 4 VLANs setup.

interface Vlan32
description inside firewall
ip address 10.4.32.1

interface Vlan33
description lockdown VLAN
ip address 10.4.33.1 255.255.255.0

interface Vlan34
description open staff
ip address 10.4.34.1 255.255.255.0

interface Vlan35
description open VLAN
ip address 10.4.35.1 255.255.255.0

I want to block every VLAN from being able to access VLAN 33.
VLAN 33 needs to be able to route traffic to the inside FW interface (10.4.32.1). It has a NATed address out to the Internet.
The only traffic that needs to come into VLAN 33 is return traffic from the outside.

Can you help me setup the correct ACL?


Jon Marshall
Hall of Fame

There is the lazy and the more specific way!

access-list 101 permit ip 10.4.33.0 0.0.0.255 host x.x.x.x  <-- where x.x.x.x is the host on the internet

int vlan 33

ip access-group 101 in

If you just do the above then vlan 33 clients can only talk to that one host, so they cannot talk to any other vlans. However, this doesn't stop packets being sent from the other vlans to vlan 33. What it does do is stop the return packets, so a TCP connection cannot be set up, but a UDP message could be sent into vlan 33.

If you also want to tie it down more you still need the above, but then you need to use an acl to block access to vlan 33 from each of the other subnets, i.e.

access-list 102 deny ip 10.4.32.0 0.0.0.255 10.4.33.0 0.0.0.255

int vlan 32

ip access-group 102 in

etc. for each vlan. If you want to use just one acl instead of one per vlan then you can simply use acl 102 and include lines for each vlan and then apply the same acl to each vlan interface.

Jon
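As an added example (not part of the thread and not Cisco code), the script below parses the ACL lines from the reply in IOS numbered extended ACL syntax and evaluates sample packets against them, so you can see the "lazy" and "more specific" designs behave as described: with ACL 101 alone on Vlan33, a packet from VLAN 34 into VLAN 33 is still forwarded (only the reply is dropped), while ACL 102 on the other SVIs closes that. Assumptions made here: 203.0.113.10 (a documentation address) stands in for x.x.x.x; ACL 102 gets a final "permit ip any any" because an IOS ACL ends in an implicit deny and would otherwise block all other traffic from those VLANs; return traffic from the Internet is taken to arrive from the firewall on Vlan32; only the "ip" protocol form of the syntax is handled, and this is a model of the ACL logic, not a simulation of the switch.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL text following the reply above. 203.0.113.10 stands in for
# "x.x.x.x"; the trailing "permit ip any any" on ACL 102 is an assumption added
# here, since an IOS ACL ends in an implicit deny.
ACL_TEXT = """
access-list 101 permit ip 10.4.33.0 0.0.0.255 host 203.0.113.10
access-list 102 deny ip 10.4.32.0 0.0.0.255 10.4.33.0 0.0.0.255
access-list 102 deny ip 10.4.34.0 0.0.0.255 10.4.33.0 0.0.0.255
access-list 102 deny ip 10.4.35.0 0.0.0.255 10.4.33.0 0.0.0.255
access-list 102 permit ip any any
"""

# The four SVIs from the question, keyed by VLAN number.
VLANS = {32: "10.4.32.0/24", 33: "10.4.33.0/24", 34: "10.4.34.0/24", 35: "10.4.35.0/24"}

# "Lazy" design: ACL 101 inbound on Vlan33 only.
LAZY = {33: "101"}
# "More specific" design: ACL 102 inbound on every other SVI as well.
SPECIFIC = {33: "101", 32: "102", 34: "102", 35: "102"}


@dataclass
class Entry:
    action: str
    src: tuple  # (address as int, wildcard mask as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Entry, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append(Entry(t[2], src, dst))
    return acls


def _match(spec, addr):
    # A wildcard bit of 1 means "don't care"; only the 0 bits are compared.
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation, ending in the implicit deny of every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if _match(e.src, s) and _match(e.dst, d):
            return e.action
    return "deny"


def ingress_vlan(src_ip):
    """A packet sourced in a VLAN subnet enters on that SVI; anything else
    (e.g. return traffic from the Internet) is assumed to come from the
    firewall on Vlan32."""
    for vlan, subnet in VLANS.items():
        if ipaddress.IPv4Address(src_ip) in ipaddress.IPv4Network(subnet):
            return vlan
    return 32


def forwarded(applied, src_ip, dst_ip, acls=None):
    """True if the inbound ACL on the ingress SVI (if any) permits the packet."""
    acls = acls or parse_acls(ACL_TEXT)
    number = applied.get(ingress_vlan(src_ip))
    if number is None:
        return True  # no ACL applied on that SVI
    return evaluate(acls[number], src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    flows = [("10.4.33.5", "203.0.113.10"), ("10.4.33.5", "10.4.34.9"),
             ("10.4.34.9", "10.4.33.5"), ("203.0.113.10", "10.4.33.5")]
    for name, applied in (("lazy", LAZY), ("specific", SPECIFIC)):
        print(name)
        for src, dst in flows:
            verdict = "forwarded" if forwarded(applied, src, dst) else "dropped"
            print(f"  {src} -> {dst}: {verdict}")
```

Running it shows the point of the reply: under LAZY the 10.4.34.9 -> 10.4.33.5 packet is forwarded (the hole for one-way UDP), and under SPECIFIC it is dropped while return traffic from 203.0.113.10 still reaches VLAN 33 because it is not sourced from 10.4.32.0/24.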
