12-24-2013 03:54 AM - edited 03-07-2019 05:13 PM
Hi all. My question is: Which is the correct way to filter/block traffic between vlans?
I have more than 15 VLANs. I want to block traffic between them except 2 VLANs.
source vlan 3 deny destination vlan 4
#access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
and the opposite:
#access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
I have to do this for all VLANs, one by one. Is that right?
Thanks.
12-24-2013 04:58 AM
There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permits/denies based on ports. Because the switch-ACLs are not stateful you'll run into problems for the return-traffic if you would do that. And the return-traffic of course has to be allowed also.
Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter than with ACLs on the switch.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
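As an added example (not from the thread or from Cisco), a small Python script that generates the per-SVI ACL karsten describes for every VLAN from a single table, so the two directions stay symmetric and the stateless return path is covered, plus a first-match evaluator to check the result. The subnets (192.168.<vlan>.0/24) and the allowed pair (VLAN 3 and VLAN 4) are constructed assumptions; the trailing "permit ip any any" for non-VLAN destinations is also an assumption.

```python
"""Generate per-SVI ACLs for 'isolate all VLANs except one pair' on a Cisco L3 switch."""
from ipaddress import IPv4Address, IPv4Network

# Constructed example data: VLAN id -> subnet, following the 192.168.<vlan>.0/24 scheme in the question.
VLANS = {v: IPv4Network(f"192.168.{v}.0/24") for v in range(2, 8)}
# Hypothetical choice: VLAN 3 and VLAN 4 are the only two VLANs allowed to talk to each other.
ALLOWED_PAIRS = {frozenset({3, 4})}


def wildcard(net: IPv4Network) -> str:
    """IOS ACLs take a wildcard (inverse) mask, e.g. '192.168.3.0 0.0.0.255'."""
    return f"{net.network_address} {net.hostmask}"


def acl_for_vlan(vlan: int, vlans=VLANS, allowed=ALLOWED_PAIRS) -> list[str]:
    """Build the ACL applied inbound on interface Vlan<vlan>, i.e. to traffic sourced in that VLAN.

    The switch ACL is stateless, so the reverse direction is decided by the peer VLAN's
    own ACL; generating every VLAN from the same table keeps both directions consistent.
    """
    name = f"VLAN{vlan}-IN"
    lines = [f"ip access-list extended {name}"]
    for peer, pnet in sorted(vlans.items()):
        if peer == vlan:
            continue  # intra-VLAN traffic is switched at L2 and never hits the SVI
        action = "permit" if frozenset({vlan, peer}) in allowed else "deny"
        lines.append(f" {action} ip {wildcard(vlans[vlan])} {wildcard(pnet)}")
    # Assumption: traffic not destined to another VLAN (e.g. via the default route) may pass.
    lines.append(" permit ip any any")
    lines += [f"interface Vlan{vlan}", f" ip access-group {name} in"]
    return lines


def evaluate(lines: list[str], src: str, dst: str) -> str:
    """Return the first-matching action for a src/dst pair, the way the switch evaluates the ACL."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for line in lines:
        tok = line.split()
        if tok[0] not in ("permit", "deny"):
            continue  # ACL header or interface lines
        if tok[2] == "any":
            return tok[0]
        # ipaddress accepts 'network/hostmask' (wildcard) notation directly.
        if s in IPv4Network(f"{tok[2]}/{tok[3]}") and d in IPv4Network(f"{tok[4]}/{tok[5]}"):
            return tok[0]
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    for v in VLANS:
        print("\n".join(acl_for_vlan(v)))
```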
12-24-2013 04:14 AM
Hi,
Layer 2 VLANs are isolated from each other by default. You'll need a router to perform inter-VLAN routing for the said 2 VLANs.
Sent from Cisco Technical Support iPhone App
12-26-2013 04:42 AM
Hi karsten, yes I only have a layer 3 switch (no firewall, and no router available). So, I think ACL-per-VLAN is the best choice for me.
Thanks for reply.