Beginner

Intervlan traffic filter

Hi

We have 2 VLANs as follows configured on Cisco 3750 Switch

Vlan1 --> 192.168.1.x

Vlan2 --> 192.168.2.x

Now, we would like to block traffic from 192.168.2.x subnet to 192.168.1.x. But, we want to allow 192.168.1.x subnet to access 192.168.2.x.

Can anyone help with how to achieve the above with ACLs please?

Thanks

Sandip

VIP Expert

Intervlan traffic filter

Hi,

Try this:

access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
inter vlan 1
ip access-group 111 in

HTH

Reza

Beginner

Intervlan traffic filter

Hi,

Thanks.

Just wondering if I have to apply it to the vlan1 (192.168.1.x) or vlan2 (192.168.2.x) interface?

==============================

so should it be

inter vlan 1
ip access-group 111 in

or

inter vlan 2
ip access-group 111 in

===============================

Sandip

Engager

Re: Intervlan traffic filter

Hi Sandip,

I tried labbing this on one of our 3750s and VACL is supported. You can try the below:

Switch(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Switch(config)#access-list 20 permit 192.168.2.0 0.0.0.255
Switch(config)#vlan access-map FILTER1 10
Switch(config-access-map)#match ip address 20
Switch(config-access-map)#action drop
Switch(config)#vlan access-map FILTER1 20
Switch(config-access-map)#action forward
Switch(config)#vlan filter FILTER1 vlan-list 1
Switch(config)#vlan access-map FILTER2 10
Switch(config-access-map)#match ip address 10
Switch(config-access-map)#action forward
Switch(config)#vlan access-map FILTER2 20
Switch(config-access-map)#action drop
Switch(config)#vlan filter FILTER2 vlan-list 2

Hall of Fame Guru

Re: Intervlan traffic filter

John

How does this work? Filter1 is configured to drop any packets from 192.168.2.x, so how does return traffic to vlan 1 get back to the vlan 1 client?

Note, I'm not saying it doesn't work, I just can't understand the logic.

Jon

Engager

Re: Intervlan traffic filter

Hi Jon,

It's just the 192.168.2.x traffic I've blocked towards VLAN 1 and the rest should be normal.

Please feel free to correct my assumptions since I've just explored the possibility of using VACL in this case.

Hall of Fame Guru

Re: Intervlan traffic filter

John

I'm not saying you are wrong but have you tested this. The OP wants to ensure that vlan 2 cannot access vlan 1 which your VACL will do.

But he also wants vlan 1 to be able to access vlan 2. Now the problem is that traffic from vlan 1 to vlan 2 will be allowed but when vlan 2 responds won't your VACL in vlan 1 block the return traffic ?

So basically can you try connecting from a vlan 1 client to a vlan 2 client and see if it works, because my belief is it won't, as the return traffic will be dropped due to your VACL applied in vlan 1.

I could well be wrong and as I don't have a switch to test with it would be good if you could test it.

Jon

Beginner

Intervlan traffic filter

Hi,

From the reply you got from Reza Sharifi, you have to apply the rules to vlan 1.

By the way, if you think you have to manage traffic from vlan 1 more than from vlan 2, then it's better to apply the VLAN ACL to vlan 1. Otherwise, you have to change the ACL rules and apply it to vlan 2.

Thanks^^

Intervlan traffic filter

Hi,

Please see the below config for your scenario.

ip access-list extended vlan1_access
 permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended vlan2_access
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

int Vlan1
 ip address 192.168.1.x
 ip access-group vlan1_access in

int Vlan2
 ip address 192.168.2.x
 ip access-group vlan2_access in

Please rate the helpful posts.
Regards,
Naidu.

Hall of Fame Guru

Re: Intervlan traffic filter

Sandip

Unfortunately you can't do this with standard acls. The problem you have is that you want to deny traffic from vlan 2 to vlan 1 but allow traffic from vlan 1 to vlan 2. So using Naidu's example -

int vlan 2
 ip address 192.168.2.x
 ip access-group vlan2_access in

ip access-list extended vlan2_access
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any

The above will indeed stop vlan 2 from accessing vlan 1, i.e. no client on vlan 2 will be able to initiate a connection to a client on vlan 1. But the problem is that if vlan 1 sends a packet to a client on vlan 2 it will be allowed, but the return packet from vlan 2 to vlan 1 will also be blocked by the above acl.

What you need to use is either -

1) a stateful firewall

or

2) reflexive acls

Unfortunately, the 3750 doesn't support either. If the connections were only TCP then you may be able to use the "established" keyword in your acls, but I'm not even sure that is supported on the 3750.

So it's not possible to do what you want with the equipment you have, I'm afraid.

Jon
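Jon's return-traffic objection, to John's VACL and to Naidu's ACL alike, as an added example that is not code from the thread or any poster: a small Python evaluator for a subset of IOS extended-ACL syntax (wildcard masks, first match wins, implicit deny, the TCP "established" keyword) run over constructed packets as they would arrive inbound on interface Vlan2. The .10 hosts and the two ACLs are assumptions for the demonstration; whether "established" is available on a given 3750 is not something this example settles.

```python
"""Stateless ACL semantics: 'deny vlan2 -> vlan1' also drops vlan2's replies to vlan1."""
import ipaddress

def _net(tokens, i):
    """Return ((network, wildcard), next index) for 'any' or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse a subset of IOS syntax: '<permit|deny> <ip|tcp|udp> SRC DST [established]'."""
    t = line.split()
    src, i = _net(t, 2)
    dst, i = _net(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst,
            "established": "established" in t[i:]}

def wc_match(addr, net_wc):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *net_wc))
    return (a & ~w) == (n & ~w)

def evaluate(acl_lines, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], ace["src"]) and wc_match(pkt["dst"], ace["dst"])):
            continue
        # 'established' only matches TCP segments with ACK or RST set, i.e. not a new SYN
        if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return ace["action"]
    return "deny"

# Both ACLs are assumed applied 'ip access-group ... in' on interface Vlan2 (vlan 2 sources).
ACL_STATELESS = ["deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
                 "permit ip any any"]
ACL_ESTABLISHED = ["permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 established",
                   "deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
                   "permit ip any any"]

# Constructed packets as seen inbound on Vlan2 (the .10 hosts are invented sample addresses).
PACKETS = {
    "tcp_reply_to_vlan1": {"src": "192.168.2.10", "dst": "192.168.1.10", "proto": "tcp", "flags": {"SYN", "ACK"}},
    "tcp_new_to_vlan1":   {"src": "192.168.2.10", "dst": "192.168.1.10", "proto": "tcp", "flags": {"SYN"}},
    "udp_reply_to_vlan1": {"src": "192.168.2.10", "dst": "192.168.1.10", "proto": "udp"},
}

def verdicts(acl_lines):
    return {name: evaluate(acl_lines, pkt) for name, pkt in PACKETS.items()}
```

With the stateless ACL the SYN-ACK reply is dropped exactly as Jon describes; with "established" the TCP reply passes while a new SYN from vlan 2 is still denied, but the UDP reply is still dropped, which is why a stateful firewall or reflexive ACL is the general answer.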

Hi,

I wrote about how to do this in the past. You should find your answer in my post:

Unidirectional communication filter between two VLANs: http://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back

Valter Popeskic