Restricting certain vlans from communicating with others

howithink
Level 1

Hello all,

I am sure this is simple, but I have not found the correct answer to this.

I have a Cisco 3850 L3 switch with multiple VLANs.

see Config:

interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport trunk allowed vlan 2
switchport mode access
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 220
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 10
!
interface GigabitEthernet1/0/15
switchport access vlan 226
!
interface GigabitEthernet1/0/16
switchport access vlan 15
!
interface GigabitEthernet1/0/17
switchport access vlan 227
!
interface GigabitEthernet1/0/18
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 228
!
interface GigabitEthernet1/0/20
switchport access vlan 25
!
interface GigabitEthernet1/0/21
switchport access vlan 224
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.0.0.1 255.255.255.0
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
!
interface Vlan15
ip address 10.15.15.1 255.255.255.0
!
interface Vlan20
ip address 10.20.20.1 255.255.255.0
!
interface Vlan25
ip address 10.25.25.1 255.255.255.0
!
interface Vlan220
ip address 10.220.220.1 255.255.255.0
!
interface Vlan224
ip address 10.224.224.1 255.255.255.0
!
interface Vlan226
ip address 10.226.226.1 255.255.255.0
!
interface Vlan227
ip address 10.227.227.1 255.255.255.0
!
interface Vlan228
ip address 10.228.228.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1 1
!

I want VLANs 10, 15, 20 and 25 to all talk to each other and to all other VLANs.

BUT I don't want VLANs 220, 226, 227, 228 to talk to each other, nor should they be able to see anything in VLANs 10, 15, 20 and 25.

What would be the best approach to this?

5 Replies

Hi

You can use a VACL (VLAN ACL) to prevent communication between VLANs, but you need to be sure the switch supports it.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/vacl.pdf

Another way could be ACLs applied under the VLAN interfaces.


>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Deepak Kumar
VIP Alumni

Hi,

When you are planning to configure a VLAN ACL, please read about the following topics:

1. Access List

2. (VLAN) access MAP

3. VLAN Filter

Configuration as:

You want to allow access to only one DNS server (10.2.2.20) from VLAN 1 and 2. The DNS server is in VLAN 10:

1. Configure an ACL with deny or permit statements using the VLAN subnets. I think extended is a good option.

as:

Switch1(config)#access-list 120 permit ip any host 10.2.2.20

2. Configure VLAN Access MAP and match this access list in the access map

as:

Switch1(config)#vlan access-map BlockVLAN 10
Switch1(config-access-map)#match ip address 120
Switch1(config-access-map)#action forward
Switch1(config-access-map)#exit

3. Configure VLAN Filter as:

Switch1(config)#vlan filter BlockVLAN vlan-list 1-2

A VACL is applied globally to one or more VLANs listed. It is not applied to a VLAN interface (SVI). The VLAN interfaces are the point where packets exit or enter a VLAN. It does not make sense to apply a VACL to those interfaces. VACLs need to function within the VLAN itself, where there is no inbound or outbound direction.

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment helps you!

Hi

Just to mention: if you are going to use a VLAN ACL, you need to allow the communication in both directions, because it does not work statefully like a firewall; otherwise it will not work properly. Once you have allowed the communication in both directions with different ACLs, you can create a deny in the last access-map entry. A simple example:

Step 1: Create the ACLs for inbound, outbound and deny traffic:

ip access-list extended OUTBOUND-TRAFFIC
permit tcp 192.168.1.0 0.0.0.255 any

ip access-list extended INBOUND-TRAFFIC
permit tcp any 192.168.1.0 0.0.0.255

ip access-list extended DENY-ELSE-TRAFFIC
permit ip any any

Step 2: Associate the ACLs with the access-map in sequence. It will be read from top to bottom.

vlan access-map VLAN_TRAFFIC 5
match ip address OUTBOUND-TRAFFIC
action forward

vlan access-map VLAN_TRAFFIC 10
match ip address INBOUND-TRAFFIC
action forward

vlan access-map VLAN_TRAFFIC 100
match ip address DENY-ELSE-TRAFFIC
action drop

Step 3: The final step is to apply the access-map to one or several VLANs:

vlan filter VLAN_TRAFFIC vlan-list <vlan X>

I have highlighted in different colors the things to take into consideration. Also, if you are going to use object-groups (not all switches support them), check the CPU utilization during the implementation.

Another way, in addition to VACLs and ACLs, is to install a firewall to block or allow traffic.

Hope it is useful

:-)


Thank you, Julio.

While I had asked you all this question, my colleague had opened a ticket with Cisco and they were able to help create an extended ACL as such:

access-list 2000 deny ip any 10.224.0.0 0.1.255.255
access-list 2000 deny ip any 10.226.0.0 0.0.255.255
access-list 2000 deny ip any 10.227.0.0 0.0.255.255
access-list 2000 deny ip any 10.228.0.0 0.1.255.255
access-list 2000 permit ip any any

and added this, with a slight variation of the subnet, to each VLAN as such:

ip access-group 2000 in 

This blocked traffic from these VLANs from talking to each other, while allowing me to talk to all the others.

thanks for your guidance.
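The two rule sets quoted in this thread (Julio's VACL access-map and the numbered ACL 2000 that the OP's colleague got from Cisco TAC) can be checked offline before they are pushed to a switch. The Python below is an added example, not code from the thread, from Cisco, or from any Cisco tool: it models IOS wildcard-mask ACL matching (first match wins, implicit deny) and VACL access-map evaluation (an entry matches only when its ACL permits, implicit drop at the end), then runs the rules quoted above against constructed sample addresses. Ports and TCP flags are ignored, which is fine because none of the quoted rules use them.

```python
"""Model of Cisco IOS wildcard-mask ACL matching and VACL access-map evaluation.
Added example for this thread; not code from the thread or from Cisco.
Ports and TCP flags are ignored (the quoted rules do not use them)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip', 'tcp', 'udp', 'icmp'
    src: Tuple[str, str]   # (base, wildcard)
    dst: Tuple[str, str]


def _parse_spec(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any' | 'host A' | 'A W' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Accepts 'access-list N permit ...' (numbered) or 'permit ...' (named-ACL body)."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    src, i = _parse_spec(t, 2)
    dst, _ = _parse_spec(t, i)
    return Ace(t[0], t[1], src, dst)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_result(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching ACE wins; no match is an implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


def vacl_action(access_map: List[Tuple[int, List[Ace], str]], proto: str, src: str, dst: str) -> str:
    """access_map: (sequence, acl, action) entries evaluated in sequence order.
    An entry matches only if its ACL permits the packet (an ACL deny just means
    'not this entry'); when no entry matches the packet is dropped."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl_result(acl, proto, src, dst) == "permit":
            return action
    return "drop"


# ACL 2000 exactly as posted by the OP (applied 'in' on each SVI).
ACL_2000 = parse_acl("""
access-list 2000 deny ip any 10.224.0.0 0.1.255.255
access-list 2000 deny ip any 10.226.0.0 0.0.255.255
access-list 2000 deny ip any 10.227.0.0 0.0.255.255
access-list 2000 deny ip any 10.228.0.0 0.1.255.255
access-list 2000 permit ip any any
""")

# Julio's named ACLs and access-map, as (sequence, acl, action) entries.
OUTBOUND = parse_acl("permit tcp 192.168.1.0 0.0.0.255 any")
INBOUND = parse_acl("permit tcp any 192.168.1.0 0.0.0.255")
DENY_ELSE = parse_acl("permit ip any any")
ONE_WAY = [(5, OUTBOUND, "forward"), (100, DENY_ELSE, "drop")]
TWO_WAY = [(5, OUTBOUND, "forward"), (10, INBOUND, "forward"), (100, DENY_ELSE, "drop")]


def check_acl_2000() -> dict:
    """Host addresses are constructed samples inside the subnets from the thread."""
    return {
        "226->227": acl_result(ACL_2000, "tcp", "10.226.226.5", "10.227.227.5"),  # deny
        "226->10": acl_result(ACL_2000, "tcp", "10.226.226.5", "10.10.10.5"),     # permit
        "226->220": acl_result(ACL_2000, "tcp", "10.226.226.5", "10.220.220.5"),  # permit: 10.220/16 is not listed
        "10->225": acl_result(ACL_2000, "tcp", "10.10.10.5", "10.225.1.1"),       # deny: 0.1.255.255 also covers 10.225/16
    }


def check_vacl() -> dict:
    return {
        "one_way_request": vacl_action(ONE_WAY, "tcp", "192.168.1.10", "10.0.0.5"),  # forward
        "one_way_reply": vacl_action(ONE_WAY, "tcp", "10.0.0.5", "192.168.1.10"),    # drop: return path not listed
        "two_way_reply": vacl_action(TWO_WAY, "tcp", "10.0.0.5", "192.168.1.10"),    # forward
        "two_way_icmp": vacl_action(TWO_WAY, "icmp", "192.168.1.10", "10.0.0.5"),    # drop: only tcp is permitted
    }


if __name__ == "__main__":
    for name, res in {**check_acl_2000(), **check_vacl()}.items():
        print(f"{name:18} {res}")
```

Two things the check surfaces. ACL 2000 as quoted never mentions 10.220.220.0/24 (VLAN 220 in the OP's config), so that subnet is permitted unless the "slight variation" per SVI adds it, and the 0.1.255.255 wildcards also deny 10.225.0.0/16 and 10.229.0.0/16, which are not in use here but would be caught if they ever were. In the VACL, a single-direction entry forwards the TCP request and drops the reply, which is exactly why Julio's example needs the INBOUND-TRAFFIC entry as well.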

Hi

It was a pleasure :-)

Have a good day.