
Requirement

bhatt.prateek
Level 1

Hello,

I am having a few issues implementing a suggested requirement in my company.

Requirement -

I am using catalyst 2960 switches.

Now the network has to be divided into three VLANs, namely VLAN1, VLAN2 and VLAN3, which is OK.

After this a control needs to be applied in the sense that

VLAN1 can access VLAN2 and VLAN3 but VLAN2 and VLAN3 should not access VLAN1.

VLAN2 can only access VLAN3 but VLAN3 should not access VLAN2.

That means,

VLAN1 can access VLAN2 (not vice versa)

VLAN1 can access VLAN3 (not vice versa)

VLAN2 can access VLAN3 (not vice versa)

Now I don't have any clue how to implement the above.

If anyone can provide a solution to the above-mentioned requirement it will be of great help. Thanks in advance.

1 Accepted Solution

Accepted Solutions

Easier to implement would be reflexive acl on 6500 because you don't have to move the L3 vlan interfaces to the ASA and setup subinterfaces etc.

There is a lot less config to do on the 6500 than there is if you go with the ASA setup.

Jon


12 Replies

Latchum Naidu
VIP Alumni

Hi,

What I understand is that VLAN1 can access anything.
VLAN2 can access only VLAN3, but VLAN3 should not access VLAN2.
Please find below the config for the above.

interface vlan 1
ip address 192.168.1.1 255.255.255.0
ip access-group vlan1 in


interface vlan 2
ip address 192.168.2.1 255.255.255.0
ip access-group vlan2 in


interface vlan 3
ip address 192.168.3.1 255.255.255.0

ip access-list extended vlan1
permit ip any any


ip access-list extended vlan2
permit ip any 192.168.2.0 0.0.0.255
deny ip any any


Regarding VLAN3, what needs to be accessed from it?


Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

Thanks for your reply.

VLAN3 is kept for guest access, which I think is merely for internet access only, and no internal network access is to be provided to the guests.

Let me try the stuff suggested by you and then I will return to you soon with my result. God bless.

Hi Prateek,

Please remember to rate all the posts which encourage others in this forum.

So for VLAN3 now you can define rules like below...

interface vlan 3
ip address 192.168.3.1 255.255.255.0
ip access-group vlan3 in


ip access-list extended vlan3
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any

Please rate the helpful posts.
Regards,
Naidu.

Naidu

The acl on vlan 3 will block return traffic to vlan 2, so vlan 2 will no longer be able to access vlan 3.

Jon

Naidu

interface vlan 2
ip address 192.168.2.1 255.255.255.0
ip access-group vlan2 in


ip access-list extended vlan2
permit ip any 192.168.2.0 0.0.0.255
deny ip any any

You have lost me on that one. If the acl is inbound then the source IPs would be 192.168.2.x, so I'm not sure how that would work.

To the OP, it's difficult to do because, as far as I know, the 2960 does not support reflexive acls. The problem you have is that you want vlan 2 to be able to access vlan 3 but not the other way round. Using normal acls won't allow you to do this, because if you apply an acl to vlan 3 denying traffic to vlan 2 then the return traffic to vlan 2 will also be denied.

So you need either reflexive acls, a firewall, or you need to rethink the access.

Jon

Hi Jon,

Thanks for your reply.

Actually, my main problem is exactly that. VLAN2 and VLAN3 should not access VLAN1, and VLAN3 should not access VLAN2 as well.

I am also using an ASA Adaptive Security Appliance. So can such a policy be created on the ASA, where VLAN1 can access VLAN2 but VLAN2 cannot access VLAN1?

If you simply wanted to stop vlan 2 and vlan 3 from accessing vlan 1, and vlan 3 from accessing vlan 2, then you could use acls. But if you also want to allow vlan 2 and vlan 1 to access vlan 3, then that is where the problems come in.

If you do need this sort of access then yes, an ASA would indeed do this for you, but you would need to route the vlans off the ASA, i.e. you would only have the vlans at L2 on the switch and you would remove the L3 SVIs (interface vlan xx) from the 2960 switch.

Then you could connect the ASA to the 2960 switch with an 802.1q trunk and use subinterfaces on the ASA inside interface, one for each vlan. You can then set up access as you need. A stateful firewall will allow return traffic by default, so this would solve your problem, i.e. you can deny access to vlan 1 and vlan 2 on the vlan 3 subinterface but allow traffic to vlan 3 on the vlan 2 subinterface. Return traffic from vlan 2 would then be allowed because the return traffic is not checked against the vlan 3 subinterface acl.

Jon
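As an added illustration of the ASA layout Jon describes (this is not config from the thread or from Cisco's documentation), here is what the two ends could look like. The 192.168.x.0/24 subnets are the ones from Naidu's post; the 2960 uplink port, the ASA interface numbers, the `nameif` names, the security levels and the ACL names are all assumptions, and the native VLAN on the trunk is moved to an unused ID so that VLAN 1 arrives tagged like the other two.

```cisco
! Added example (not from the thread): VLANs 1-3 routed off the ASA instead
! of the switch. Port names, security levels and ACL names are assumptions.
!
! --- 2960 side: VLANs stay at layer 2 only and are trunked to the ASA ---
no interface Vlan2
no interface Vlan3
vlan 999
 name UNUSED-NATIVE
interface GigabitEthernet0/24
 description trunk to ASA inside
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1-3
!
! --- ASA side: one subinterface per VLAN; the security level encodes
! --- the ordering VLAN1 > VLAN2 > VLAN3
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1
 vlan 1
 nameif vlan1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif vlan2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif vlan3
 security-level 10
 ip address 192.168.3.1 255.255.255.0
!
! vlan1 gets no ACL: as the highest-level interface it may open sessions to
! every lower one, and the connection table lets the replies back in.
! vlan2 and vlan3 get inbound ACLs that refuse *new* sessions upward and
! allow everything else (VLAN 3 and the internet for VLAN 2, internet only
! for the guests in VLAN 3). Note ASA ACLs use subnet masks, not wildcards.
access-list VLAN2-IN extended deny   ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VLAN2-IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group VLAN2-IN in interface vlan2
!
access-list VLAN3-IN extended deny   ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VLAN3-IN extended deny   ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group VLAN3-IN in interface vlan3
```

The difference from the 2960 attempt above is that the ASA checks a packet against its connection table before the interface ACL, so a VLAN 3 host's replies to a session that a VLAN 2 host opened are forwarded even though `VLAN3-IN` denies VLAN 3 to VLAN 2. The NAT and outside-interface configuration the guests need for internet access is not shown.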

Hi Jon,

Thanks for your reply.

The topology is like this: a core switch 6509 aggregating thirteen 2960 switches, and the ASA is also attached to the core switch. So I think inter-VLAN routing is already taken care of, as all the L2 switches are attached directly to the L3 core switch. Am I right?

Is the 6500 doing all the inter-vlan routing for vlan 1, 2 & 3?

If so then the 6500s do support reflexive acls, so you could use those. Reflexive acls are a sort of halfway house between standard acls and a full stateful firewall, but they would allow you to set up the sort of access you want. See this link on how to configure reflexive acls -

http://www.cisco.com/en/US/customer/docs/ios/12_2/security/configuration/guide/scfreflx.html

Jon
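To make Jon's suggestion concrete, here is an added example (not from the thread or the linked Cisco document) of the three-VLAN policy expressed with reflexive ACLs on the 6500's SVIs. The subnets are the 192.168.x.0/24 ones from Naidu's post; the ACL names, the reflexive list names R2 and R3 and the 120-second idle timeout are assumptions. A `reflect` line on the outbound ACL of an SVI records each session that a higher VLAN opens into that VLAN, and the `evaluate` line on the inbound ACL of the same SVI admits only the matching reverse packets, which is what a plain `deny` could not do.

```cisco
! Added example (not from the thread): one-way inter-VLAN access with
! reflexive ACLs on the 6500 SVIs. Names and the timeout are assumptions.
!
! VLAN 1 may initiate anywhere and needs no ACL. VLAN 2 and VLAN 3 may only
! answer sessions opened from a higher VLAN; sessions they try to open
! upward are dropped. Traffic toward the internet (default route) is allowed.
!
! idle timeout in seconds for the temporary reverse entries
ip reflexive-list timeout 120
!
! ---- VLAN 2: reachable from VLAN 1; may reach VLAN 3 and the internet ----
! Outbound = packets leaving the switch into VLAN 2. A session from VLAN 1
! creates a reverse entry in reflexive list R2. One reflect line per
! transport protocol you need; ICMP is included so ping works.
ip access-list extended VLAN2-OUT
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect R2
 permit udp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect R2
 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect R2
 permit ip any 192.168.2.0 0.0.0.255
!
! Inbound = packets sent by VLAN 2 hosts. evaluate is placed first so
! replies to VLAN 1 are accepted only while a tracked session exists.
ip access-list extended VLAN2-IN
 evaluate R2
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! ---- VLAN 3 (guests): reachable from VLAN 1 and 2; internet only otherwise ----
ip access-list extended VLAN3-OUT
 permit tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect R3
 permit udp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect R3
 permit icmp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect R3
 permit tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect R3
 permit udp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect R3
 permit icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect R3
 permit ip any 192.168.3.0 0.0.0.255
!
ip access-list extended VLAN3-IN
 evaluate R3
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group VLAN2-IN in
 ip access-group VLAN2-OUT out
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group VLAN3-IN in
 ip access-group VLAN3-OUT out
```

Two things to check before putting this on a core switch. `show ip access-list R3` after a VLAN 2 host opens a connection into VLAN 3 should show a temporary entry with the reversed addresses and ports; if it does not, the reflect and evaluate lines are not on the same SVI. And consult the supervisor's documentation for whether reflect/evaluate entries are switched in hardware on your platform; where they are handled in software, the load on the 6500 grows with the number of tracked sessions. The final `permit ip any` lines in the outbound ACLs only admit replies and lower-VLAN traffic that the other SVIs' inbound ACLs already allowed, so they do not reopen the upward paths.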

Hi Jon,

Thanks for your reply.

You are closing in on the problem statement, I guess. Nice.

Since I am not using any router and all the L2 switches are directly connected to the core switch, the 6500 core switch will be taking care of all the inter-VLAN routing.

Now which one do you think will be faster and easier? Implementing VLAN ACLs on the core switch or implementing the policy on the ASA?

Easier to implement would be reflexive acls on the 6500, because you don't have to move the L3 vlan interfaces to the ASA and set up subinterfaces etc.

There is a lot less config to do on the 6500 than there is if you go with the ASA setup.

Jon

Thanks a ton, Jon and Naidu. God bless.
