ACL between VLANs

Posted on 2003-10-30
Last Modified: 2012-08-14
Hello,

I've got 4 VLANs. I got a 3350 Layer 3 switch.

My goal is to block ICMP for VLAN 3.

I want to block all ICMP traffic from going to VLAN 3 (nobody on VLAN 1, 2 and 4 can ping VLAN 3).

I want to block all PCs in VLAN 3 from pinging each other.

I want my PC in VLAN 1, 10.50.20.2, to be able to ping the server 10.10.2.20 on VLAN 3 only.

Can you post the ACL, and how you would apply the ACL to the VLAN, with the in and out :)


How many ACLs can I have with a VLAN? I notice that I can only have one. I created the ACL, access-list 101 deny icmp any any. I applied this to VLAN 3. Then I created this ACL, access-list 101 permit icmp host 10.50.20.2 host 10.10.2.20. I applied it to VLAN 3. I notice that only the last ACL is applied. Why is this?

Cheers,
Blue Print


Question by:blueprint123
2 Comments
LVL 7

Accepted Solution by: NicBrey (earned 150 total points)
ID: 9655873
You can have one ACL in each direction (in and out) per interface - same with VLAN. There are, however, issues with layer 3 switching and inbound access lists.
You can't do anything on the switch that will prevent the PCs inside VLAN 3 from pinging each other. Inside the VLAN, the switch operates only at layer 2 and no upper-layer ACLs can be configured on a per-port basis. You will have to install personal firewalls on each PC and set them up with a password so that your more clued-up users can't fiddle with them.

You can have the following access list that will meet all your other criteria (extended ACL syntax needs the host keyword or a wildcard mask for each address, and the ICMP type is written echo-reply):
access-list 101 permit icmp host 10.10.2.20 host 10.50.20.2
access-list 101 deny icmp any any echo-reply             <----- Will only block ping replies
access-list 101 permit ip any any

And apply that outbound on your VLAN interface:
interface Vlan3
 ip access-group 101 out
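As an added illustration (not part of NicBrey's answer or the asker's configuration), here is a small Python model of how IOS evaluates an extended ACL: entries are matched top-down, the first match wins, and an unmatched packet hits the implicit deny at the end. It also shows why the asker's second access-list 101 line never matched: IOS appends a new line with the same number under the existing deny icmp any any rather than replacing it. The address 10.50.30.7 is a constructed example; the other addresses come from the question.

```python
import ipaddress
from typing import List, Optional, Tuple

# One extended-ACL entry: action, protocol, source spec, destination spec and an
# optional ICMP type name (None matches any type). Specs use IOS forms:
# "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard, 1 bits = don't care).
Entry = Tuple[str, str, str, str, Optional[str]]

def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wildcard = spec.split()
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.ip_address(net)) & mask) == (int(ipaddress.ip_address(addr)) & mask)

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             icmp_type: Optional[str] = None) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, p, s, d, t in acl:
        if p != "ip" and p != proto:
            continue
        if t is not None and t != icmp_type:
            continue
        if _match_addr(s, src) and _match_addr(d, dst):
            return action
    return "deny"  # the implicit "deny ip any any" IOS appends to every ACL

# The asker's two commands as IOS stores them: the second "access-list 101 ..."
# line is appended below the first, not substituted for it.
AS_ENTERED: List[Entry] = [
    ("deny", "icmp", "any", "any", None),
    ("permit", "icmp", "host 10.50.20.2", "host 10.10.2.20", None),
]
# Same entries with the specific permit first, plus a final permit for
# everything that is not ICMP, so the implicit deny does not swallow it.
REORDERED: List[Entry] = [
    ("permit", "icmp", "host 10.50.20.2", "host 10.10.2.20", None),
    ("deny", "icmp", "any", "any", None),
    ("permit", "ip", "any", "any", None),
]

def ping_from_admin_pc(acl: List[Entry]) -> str:
    """Echo request from the allowed PC, leaving the switch on the VLAN 3 interface."""
    return evaluate(acl, "icmp", "10.50.20.2", "10.10.2.20", "echo")

def ping_from_other_host(acl: List[Entry]) -> str:
    """Echo request from a constructed VLAN 4 address (not on the page) to the server."""
    return evaluate(acl, "icmp", "10.50.30.7", "10.10.2.20", "echo")
```

With AS_ENTERED the admin PC's ping is denied by the first line; with REORDERED it is permitted, every other host's ping to the server is denied, and non-ICMP traffic still passes.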
LVL 3

Expert Comment by: MaxQ
ID: 9672491
It's possible you might be able to do what you want inside VLAN3 with the "private VLAN edge" feature:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080094830.shtml