How to isolate vlan traffic

WamoIT185 · ‎01-29-2014

I want to create two vlan's, VLAN 1 and VLAN 2. The setup is that VLAN 1 can communicate with VLAN 2, but VLAN 2 don't may have any permission to communicatie with VLAN 1. My switch is a Cisco 3750x. How can I configure this?

cadet alain · ‎01-29-2014

Hi,

Don't forget that IP communication is bidirectional and that ACLs are stateless so unless you use a stateful feature like reflexive ACL or firewall feature you can't permit all communication from vlan 1 to vlan 2 and at the same time block from vlan 2 to vlan 1 because then you'll block the reply traffic in response to permitted traffic from vlan 1 to vlan 2.

On access/distribution switches like 29xx/35xx there is no such feature so your only solution is to do the intervlan routing on a router or firewall and apply filtering policy on this device.

Regards

Alain

Don't forget to rate helpful posts.

Jan Rolny · ‎01-29-2014

Hi,

i think there would be one option to configure this with established keyword in the access list.

Regards,

Jan

cadet alain · ‎01-29-2014

Hi,

this feature only works for TCP communication not for UDP/ICMP ...

Regards

Alain

Don't forget to rate helpful posts.

Jan Rolny · ‎01-29-2014

Hi Cadet,

thanks for notice. Sure it is aplicable just for TCP. From my opinion it's much better to use this than nothing if there is no other way or device which could block traffic.

Thanks.

Jan

cadet alain · ‎01-29-2014

Hi,

This feature is easily bypassed as it only looks at TCP flags in traffic and if one wants to isolate VLANs completely with ACLs it is best to use a dedicated device that supports stateful filtering or use private vlans and/or VRFs.

Regards

Alain

Don't forget to rate helpful posts.