Solved

ACL between VLANs

Posted on 2003-10-30
2
2,737 Views
Last Modified: 2012-08-14
Hello,

I've got 4 VLANs.  I got a 3350 Layer 3 switch.

My goal is to block icmp for VLAN 3.  

I want to block all icmp traffic from going to VLAN 3 (nobody on VLAN 1,2 and 4 can ping VLAN 3).  

I want to block all pcs in VLAN 3 from pinging each other).  

I want my PC in VLAN 1, 10.50.20.2 to be able to ping the server 10.10.2.20 on VLAN 3 only.

Can you put the ACL, and how you would apply the ACL to the VLAN, with the in and out :)


How many ACL can I have with a VLAN?  I notice that I can only one.  I created the ACL, access-list 101 deny icmp any any.  I applied this to VLAN 3.  Then I created this ACL, access-list 101 permit icmp host 10.50.20.2 host 10.10.2.20.  I applied to VLAN 3.  I notice that only the last ACL is applied.  Why is this?





Cheers,
Blue Print


 
0
Comment
Question by:blueprint123
2 Comments
 
LVL 7

Accepted Solution

by:
NicBrey earned 50 total points
ID: 9655873
You can have one ACL in each direction (in and out) per interface - same with VLAN. There are however issues with layer 3 switching and inbound access lists.
You can't do anything on the switch that will prevent the PC's inside VLAN3 from pinging each other. Inside the VLAN, the switch operates only at layer 2 and no upper layer ACLs can be configured on a per port basis. You will have to install personal firewalls on each PC and set it up with a password so that your more clued up users can't fiddle with it.

You can have the following access list that will meet all your other criteria:
access-list 101 permit icmp   10.10.2.20    10.50.20.2  
access-list 101 deny icmp   any   any  echo  reply             <----- Will only block pings reply
access-list 101 permit ip any any

And apply that outbound on your VLAN interface
ip access-group 101 out
0
 
LVL 3

Expert Comment

by:MaxQ
ID: 9672491
It's possible you might be able to do what you want inside VLAN3 with the "private VLAN edge" feature:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080094830.shtml
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now