VLAN ACLs, VLAN maps

imunoze00 · ‎09-30-2011

I'm planning to implement VACLs (VLAN ACLs, VLAN maps, however you want to call them) to limit traffic between VLANs.I believe that only layer 3 switches are capable of doing this (not sure). As you can see there a couple of stacked 3750 which act as the gateway for all VLANs and that stack is in charge of interVLAN routing. The question is whether of not will the VLAN ACLs applied on the stack will work for limitting interVLAN traffic? or would I need to do something else on all the 2960s (please let it not be port-based ACLs). Any help and pointers will be much appreciated.

Don't mind the MPLS link nor the switch on the right.

Reza Sharifi · ‎09-30-2011

If you want to deny traffic between vlans, you can deploy some thing like this on your 3750s since they are L-3 devices. This will not allow vlan 200 and 210 to talk to each other, but they can talk to other vlans.

vlan 200 = 192.168.200.0/24

vlan 210= 192.168.210.0/24

access-list 111 deny ip 192.168.200.0 0.0.0.255 192.168.210.0 0.0.0.255

access-list 111 permit ip 192.168.200.0 0.0.0.255 any

access-list 112 deny ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 112 permit ip 192.168.210.0 0.0.0.255 any

int vlan 200

ip access-group 111 in

int vlan 210

ip access-group 112 in

HTH

imunoze00 · ‎09-30-2011

that is what I'm trying to accomplish, maybe I didn't explain myself propperly or I do not get what you're implying. Anyway, so basically if I configure the VACLs on the stack, it will effectively block the desired interVLAN traffic for any given client machine on any given switch (since it works for the whole VLAN), and because the stack acts as the router for all VLANs I won't need to perfrom any config on any other switch beside the stack. Am I right?

Reza Sharifi · ‎09-30-2011

That is correct. All you would need is to apply the access lists to your stack. You don't need any config on your layer-2 switches since the traffic will be denied at the layer-3 switch.

HTH