06-02-2009 02:59 PM - edited 03-06-2019 06:03 AM
Hi, here is a task i have to accomplish for one of my clients:
VLAN 704 10.23.4.0/24,
VLAN 705 10.23.5.0/24,
VLAN 706 10.23.6.0/24,
I need to separate these 3 environments so they are not accessible from each other.
VLAN704 has no access to VLAN705 and VLAN706
VLAN705 has no access to VLAN704 and VLAN706
VLAN706 has no access to VLAN704 and VLAN705.
The VLANS are on 4500 L3 switch.
There is existing ACL that could be used:
ip access-list extended ACL-Block
permit ip 192.168.11.0 0.0.0.255 host 10.16.23.51
deny ip host 192.168.11.104 10.16.0.0 0.3.255.255
deny ip 10.16.0.0 0.3.255.255 host 192.168.11.104
Is it good enough to accommodate the existing ACL with the lines:
deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255
permit ip any any
or something else should be done?
Thanks
06-02-2009 03:07 PM
Dragan
You could do the following
access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255
access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.6.0 0.0.0.255
access-list 101 permit ip 10.23.4.0 0.0.0.255 any
int vlan 704
ip access-group 101 in
access-list 102 deny ip 10.23.5.0 0.0.0.255 10.23.4.0 0.0.0.255
access-list 102 deny ip 10.23.5.0 0.0.0.255 10.23.6.0 0.0.0.255
access-list 102 permit ip 10.23.5.0 0.0.0.255 any
int vlan 705
ip access-group 102 in
access-list 103 deny ip 10.23.6.0 0.0.0.255 10.23.4.0 0.0.0.255
access-list 103 deny ip 10.23.6.0 0.0.0.255 10.23.5.0 0.0.0.255
access-list 103 permit ip 10.23.6.0 0.0.0.255 any
int vlan 706
ip access-group 103 in
Alternatively you could look at vrf-lite which provides complete separation on the control plane but this may be more complex than you need.
Jon
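As an added check that is not part of the thread, here is a small Python model of IOS wildcard-mask matching and first-match ACL evaluation (with the implicit deny at the end), run over Jon's ACL 101 and over Dragan's idea of appending a single deny plus "permit ip any any" to ACL-Block. The existing ACL-Block entries are omitted here because they never match 10.23.x traffic; the .10 hosts in each subnet are constructed sample addresses.

```python
import ipaddress
VLAN_SUBNETS = {"704": "10.23.4.0", "705": "10.23.5.0", "706": "10.23.6.0"}
# Jon's ACL 101, applied inbound on interface vlan 704 (copied from the reply).
ACL_101 = """
access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255
access-list 101 deny ip 10.23.4.0 0.0.0.255 10.23.6.0 0.0.0.255
access-list 101 permit ip 10.23.4.0 0.0.0.255 any
"""
# Dragan's idea: one deny line and 'permit ip any any' appended to ACL-Block
# (existing ACL-Block entries left out; they never match 10.23.x traffic).
ACL_BLOCK_PROPOSED = """
deny ip 10.23.4.0 0.0.0.255 10.23.5.0 0.0.0.255
permit ip any any
"""

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def _take_spec(toks, i):
    # Consume one address spec: 'any', 'host A.B.C.D', or 'network wildcard'.
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":  # numbered form: drop 'access-list <n>'
            toks = toks[2:]
        src, i = _take_spec(toks, 2)  # toks[0] is the action, toks[1] is 'ip'
        dst, i = _take_spec(toks, i)
        aces.append((toks[0], src, dst))
    return aces

def permitted(aces, src, dst):
    # First matching entry wins; running off the end is the implicit deny.
    for action, (sn, sw), (dn, dw) in aces:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def leaking_pairs(acl_text, src_vlans):
    # Ordered VLAN pairs whose sample .10 hosts can still reach each other.
    aces, host = parse_acl(acl_text), lambda net: net.rsplit(".", 1)[0] + ".10"
    return sorted((s, d) for s in src_vlans for d in VLAN_SUBNETS
                  if s != d and permitted(aces, host(VLAN_SUBNETS[s]), host(VLAN_SUBNETS[d])))
```

ACL 101 leaves no leaking pair for sources in VLAN 704 while still permitting traffic to other destinations, whereas the single appended deny blocks only 704 to 705 and leaves the other five VLAN pairs open.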
06-02-2009 03:12 PM
Thank you kindly, I will check it and let you know.
Regards
06-02-2009 03:12 PM
How about if we use private-VLANS?
I did that setup long time ago and worked out pretty fine.
You just need to set up correctly which are the isolated ports, the communities, etc.
I know that this deployment would be much more difficult compared with ACLs, but in my opinion it would work pretty fine.
06-02-2009 03:17 PM
Andre
Private vlans are typically used when you have the same subnet but you want to limit connectivity between devices within that subnet.
But Dragan's example has 3 separate vlans using 3 separate IP subnets so I'm not sure how private vlans would be applicable here.
Jon
06-02-2009 09:32 PM
Hi
In addition to the above posts, one simple thing I can suggest is not to create SVIs on the L3 switch, which will disable the routing among them.
Thanks
Mahmood
06-04-2009 07:14 AM
Thank you gents.
This ACL will be live for two months only, after that the subnets will be removed. SVIs are a must on this switch since the switch is used for other subnets/SVIs. I think the ACL will work as a temp/quick solution.
Thank you all for responses.