Solved

ACL between VLANs

Posted on 2003-10-30
2
2,762 Views
Last Modified: 2012-08-14
Hello,

I've got 4 VLANs.  I got a 3350 Layer 3 switch.

My goal is to block icmp for VLAN 3.  

I want to block all icmp traffic from going to VLAN 3 (nobody on VLAN 1,2 and 4 can ping VLAN 3).  

I want to block all pcs in VLAN 3 from pinging each other).  

I want my PC in VLAN 1, 10.50.20.2 to be able to ping the server 10.10.2.20 on VLAN 3 only.

Can you put the ACL, and how you would apply the ACL to the VLAN, with the in and out :)


How many ACL can I have with a VLAN?  I notice that I can only one.  I created the ACL, access-list 101 deny icmp any any.  I applied this to VLAN 3.  Then I created this ACL, access-list 101 permit icmp host 10.50.20.2 host 10.10.2.20.  I applied to VLAN 3.  I notice that only the last ACL is applied.  Why is this?





Cheers,
Blue Print


 
0
Comment
Question by:blueprint123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
NicBrey earned 50 total points
ID: 9655873
You can have one ACL in each direction (in and out) per interface - same with VLAN. There are however issues with layer 3 switching and inbound access lists.
You can't do anything on the switch that will prevent the PC's inside VLAN3 from pinging each other. Inside the VLAN, the switch operates only at layer 2 and no upper layer ACLs can be configured on a per port basis. You will have to install personal firewalls on each PC and set it up with a password so that your more clued up users can't fiddle with it.

You can have the following access list that will meet all your other criteria:
access-list 101 permit icmp   10.10.2.20    10.50.20.2  
access-list 101 deny icmp   any   any  echo  reply             <----- Will only block pings reply
access-list 101 permit ip any any

And apply that outbound on your VLAN interface
ip access-group 101 out
0
 
LVL 3

Expert Comment

by:MaxQ
ID: 9672491
It's possible you might be able to do what you want inside VLAN3 with the "private VLAN edge" feature:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080094830.shtml
0

Featured Post

Get HTML5 Certified

Want to be a web developer? You'll need to know HTML. Prepare for HTML5 certification by enrolling in July's Course of the Month! It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month10 days, 15 hours left to enroll

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question