Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4873
Views
0
Helpful
7
Replies

restricting access between VLANs

Inaki Kortazar
Level 1
Level 1

‎08-11-2010 06:30 AM - edited ‎03-06-2019 12:25 PM

Hi All,

We have an installation with 20 VLANS distributed via VTP to all the switches we have. We have routing between VLANs enable. So, there is total access between VLANs.

But, we would like to restrict access to the managemente VLAN. Using access-list on VLAN interfaces we managed to do so:

Y.Y.Y.Y --> management VLAN

X.X.X.X --> not a management VLAN

access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y

access-list 100 permit ip X.X.X.X X.X.X.X any

interface VLAN X

    ip address X.X.X.X X.X.X.X

    ip access-group 100 in

But, we would like to maintain the access from the managemente VLAN to the rest of the VLANs, the same time we avoid accessing from the rest of the VLANs to the management VLANs. With the access-list above, we are not getting this. We have no access from the management VLAN to the rest.

Any idea? Is it possible without firewall?

THANK YOU VERY MUCH

Labels:
0 Helpful
7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

‎08-11-2010 06:40 AM 

ikortazar@lksintelcom.es
Hi All,
We have an installation with 20 VLANS distributed via VTP to all the switches we have. We have routing between VLANs enable. So, there is total access between VLANs.
But, we would like to restrict access to the managemente VLAN. Using access-list on VLAN interfaces we managed to do so:
 Y.Y.Y.Y --> management VLAN
 X.X.X.X --> not a management VLAN
 access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y
 access-list 100 permit ip X.X.X.X X.X.X.X any
 interface VLAN X
    ip address X.X.X.X X.X.X.X
    ip access-group 100 in
 But, we would like to maintain the access from the managemente VLAN to the rest of the VLANs, the same time we avoid accessing from the rest of the VLANs to the management VLANs. With the access-list above, we are not getting this. We have no access from the management VLAN to the rest.
Any idea? Is it possible without firewall?
THANK YOU VERY MUCH

What device is doing the inter-vlan routing ie. what type of switch and which IOS version ?

What type of access is needed from the management vlan ie. is it just TCP or do you need ICMP and UDP as well

As you mention, a stateful firewall would take care of this but there is also -

1) using the "established" keyword in the acl but this only works for TCP connections

2) using reflexive acls but these are not generally supported on L3 switches

Jon

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to Jon Marshall

‎08-11-2010 07:05 AM

As Jon stated, it is possible but there are some caveats. Speaking from experience, get a firewall. It's a lot easier to administrate than ACLs.

0 Helpful

Inaki Kortazar
Level 1
Level 1
In response to Jon Marshall

‎08-11-2010 07:12 AM

Thank you for your answers,


We would like to have total access from management VLAN to the rest of VLANs. The inter-vlan routing is being made by a catalyst 6500 with 12.2(33)SXH7 IOS installed.

As we have understood from your answers, reflexive acls could be our choice. Do you have any interesting link on this point?

We will investigate and be back with the feedback.

THANK YOU VERY MUCH

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Inaki Kortazar

‎08-11-2010 09:35 AM

6500 switches do support reflexive acls. Here is a link for configuring them -

reflexive acl configuration

however i agree with Collin on this, a firewall would make your life much simpler.

Jon

0 Helpful

jeevan.koganti
Level 1
Level 1

‎08-16-2012 02:32 AM

Hi,

According to me this is possible, only thing you have to do is in nonmanagement vlans access-list remove the permit to management vlan and in management vlan access-list give permit to all other vlans..if required u need to permit ICMP also..

Jeevan.

0 Helpful

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎08-16-2012 02:40 AM

Hi Inaki,

Yes we can do with the help of ACL.

just as an example:block traffic between vlan 5 and vlan 8

access-list testacl deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
access-list testacl permit every

and to apply the ACL, I used the following:

interface vlan 5
ip access-group testacl

Regards

Please rate if it helps.

0 Helpful

Alessio Andreoli
Level 5
Level 5

‎08-16-2012 02:49 AM

Hi , i htink you alreday wrote down the right ACl except for the second statement.

in my opinion it should be:

access-list 100 deny ip X.X.X.X X.X.X.X Y.Y.Y.Y Y.Y.Y.Y

access-list 100 permit ip Y.Y.Y.Y Y.Y.Y.Y any

and i don't think that buying a firewall would be a justified expense for this requirement only.

Hope this helps

Alessio

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card