Inter-vlan ACL

Nick wfd
Level 1

Hi,

I am in the process of configuring a 4500x switch and need to restrict inter-vlan traffic. Please suggest an optimal way of accomplishing this task.

vlan 3 - 10.101.3.x - Infrastructure
vlan 7 - 10.101.7.x - Production
vlan 4 - 10.101.4.x - DMZ
vlan 6 - 10.101.6.x - Dev

vlan 7 communicates with infrastructure and a few servers in the DMZ and nothing else.

vlan 6 communicates with infrastructure and nothing else.

Also, I will be running single-area OSPF and need to allow this as well.

4 Replies

John Blakley
VIP Alumni

Generally for inter-vlan traffic, you'll use acls and apply them to the vlan interface. For example, for your first task vlan 7 communicating to vlan 3 and a few servers in the DMZ:

access-list 101 permit ospf any any
access-list 101 permit ip 10.101.7.0 0.0.0.255 10.101.3.0 0.0.0.255
access-list 101 permit tcp 10.101.7.0 0.0.0.255 host 10.101.4.50 eq 80
access-list 101 permit tcp 10.101.7.0 0.0.0.255 host 10.101.4.75 eq 21

int vlan 7
ip access-group 101 in

The acl above allows all ospf in/out, all hosts in the vlan7 subnet to communicate to all of vlan 3 on all ports, and the last 2 lines specifically state that the vlan 7 subnet can talk to two hosts on two specific ports in the dmz.

HTH,
John

*** Please rate all useful posts ***


Thanks John, for the response.

In my case the DMZ servers are initiating the traffic to the production servers.

for example 10.101.4.75 --->10.101.7.15 on port 80.

Since the DMZ is on a firewall, the access-list is stateful. But the production vlan is on the 4500x.

I have an ACL on the ASA that specifically allows traffic from the DMZ to the inside (production). But how can I achieve the same on the production SVI?

Thanks

You still have to allow the traffic out of the svi, so the acl above will still work. You could also split this into two acls and remove the dmz configuration from it.

access-list 101 permit ospf any any
access-list 101 permit ip 10.101.7.0 0.0.0.255 10.101.3.0 0.0.0.255

int vlan 7
ip access-group 101 in

access-list 103 permit tcp host 10.101.4.50 eq 80 10.101.7.0 0.0.0.255
access-list 103 permit tcp host 10.101.4.75 eq 21 10.101.7.0 0.0.0.255

int vlan 3
ip access-group 103 in

You might be able to use CBAC or ZBFW if you want stateful inspection on the switch as well, if it supports it:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html

HTH,
John

*** Please rate all useful posts ***

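To make the behaviour of these SVI ACLs concrete, here is an added example (not code from this thread or from Cisco) that parses the numbered extended-ACL syntax used above, walks sample packets through the entries top-down with the implicit deny at the end, and then checks the stateless-return problem the two replies are discussing: a session the DMZ initiates toward vlan 7 only works if its reply, which enters the vlan 7 SVI, is itself permitted by the inbound ACL. The ACL text and packet addresses are constructed from the thread; the extra return-traffic line added in the last check is an assumption, modelled on the source-port match John uses in ACL 103.

```python
"""Stateless evaluation of Cisco IOS numbered extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "ospf", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard: set bits are "don't care", so the netmask is its inverse
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq N' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines.
    Returns {acl_number: [entry, ...]} in line order (order matters: first match wins)."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        acls.setdefault(number, []).append(
            dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return acls


def evaluate(entries, pkt):
    """Top-down first match; an ACL with no matching entry ends in the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != pkt.sport:
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        return e["action"]
    return "deny"


def session_allowed(entries_in, request):
    """Stateless check for a TCP session whose request LEAVES the SVI (not filtered by
    an inbound ACL) but whose reply ENTERS it: the reply must be permitted explicitly,
    because the switch keeps no connection state."""
    reply = Packet("tcp", request.dst, request.src, request.dport, request.sport)
    return evaluate(entries_in, reply) == "permit"


# ACL 101 as posted in the first reply (constructed copy for the example)
ACL_101 = """
access-list 101 permit ospf any any
access-list 101 permit ip 10.101.7.0 0.0.0.255 10.101.3.0 0.0.0.255
access-list 101 permit tcp 10.101.7.0 0.0.0.255 host 10.101.4.50 eq 80
access-list 101 permit tcp 10.101.7.0 0.0.0.255 host 10.101.4.75 eq 21
"""
# Hypothetical extra line permitting the reply of a DMZ-initiated session to port 80
ACL_101_WITH_RETURN = ACL_101 + "access-list 101 permit tcp 10.101.7.0 0.0.0.255 eq 80 host 10.101.4.75\n"

# The flow from the original poster's follow-up: 10.101.4.75 -> 10.101.7.15 on port 80
DMZ_REQUEST = Packet("tcp", "10.101.4.75", "10.101.7.15", 51000, 80)

if __name__ == "__main__":
    acl = parse_acl(ACL_101)["101"]
    print("vlan7 -> vlan3 ssh:", evaluate(acl, Packet("tcp", "10.101.7.15", "10.101.3.10", 40000, 22)))
    print("vlan7 -> dev vlan:", evaluate(acl, Packet("tcp", "10.101.7.15", "10.101.6.5", 40000, 80)))
    print("DMZ-initiated session, ACL as posted:", session_allowed(acl, DMZ_REQUEST))
    print("DMZ-initiated session, with return line:",
          session_allowed(parse_acl(ACL_101_WITH_RETURN)["101"], DMZ_REQUEST))
```

Matching the reply on its source port alone, as both the hypothetical line and ACL 103 do, lets any vlan 7 host reach any port on that DMZ host as long as it sources from port 80; the IOS `established` keyword (matching TCP segments with ACK or RST set) narrows that somewhat, and the CBAC/ZBFW links above are the real stateful options.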

Reza Sharifi
Hall of Fame

Hi,

Have a look at this link for examples:

https://supportforums.cisco.com/message/3733651#3733651

Also, if you are configuring all these vlans on only one switch, you don't need OSPF. All you need is to enable "ip routing" on the switch.

HTH
