Solved

ACL between VLANs

Posted on 2003-10-30
2
2,744 Views
Last Modified: 2012-08-14
Hello,

I've got 4 VLANs.  I got a 3350 Layer 3 switch.

My goal is to block icmp for VLAN 3.  

I want to block all icmp traffic from going to VLAN 3 (nobody on VLAN 1,2 and 4 can ping VLAN 3).  

I want to block all pcs in VLAN 3 from pinging each other).  

I want my PC in VLAN 1, 10.50.20.2 to be able to ping the server 10.10.2.20 on VLAN 3 only.

Can you put the ACL, and how you would apply the ACL to the VLAN, with the in and out :)


How many ACL can I have with a VLAN?  I notice that I can only one.  I created the ACL, access-list 101 deny icmp any any.  I applied this to VLAN 3.  Then I created this ACL, access-list 101 permit icmp host 10.50.20.2 host 10.10.2.20.  I applied to VLAN 3.  I notice that only the last ACL is applied.  Why is this?





Cheers,
Blue Print


 
0
Comment
Question by:blueprint123
2 Comments
 
LVL 7

Accepted Solution

by:
NicBrey earned 50 total points
ID: 9655873
You can have one ACL in each direction (in and out) per interface - same with VLAN. There are however issues with layer 3 switching and inbound access lists.
You can't do anything on the switch that will prevent the PC's inside VLAN3 from pinging each other. Inside the VLAN, the switch operates only at layer 2 and no upper layer ACLs can be configured on a per port basis. You will have to install personal firewalls on each PC and set it up with a password so that your more clued up users can't fiddle with it.

You can have the following access list that will meet all your other criteria:
access-list 101 permit icmp   10.10.2.20    10.50.20.2  
access-list 101 deny icmp   any   any  echo  reply             <----- Will only block pings reply
access-list 101 permit ip any any

And apply that outbound on your VLAN interface
ip access-group 101 out
0
 
LVL 3

Expert Comment

by:MaxQ
ID: 9672491
It's possible you might be able to do what you want inside VLAN3 with the "private VLAN edge" feature:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080094830.shtml
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question