Solved

ACL between VLANs

Posted on 2003-10-30
2
2,740 Views
Last Modified: 2012-08-14
Hello,

I've got 4 VLANs.  I got a 3350 Layer 3 switch.

My goal is to block icmp for VLAN 3.  

I want to block all icmp traffic from going to VLAN 3 (nobody on VLAN 1,2 and 4 can ping VLAN 3).  

I want to block all pcs in VLAN 3 from pinging each other).  

I want my PC in VLAN 1, 10.50.20.2 to be able to ping the server 10.10.2.20 on VLAN 3 only.

Can you put the ACL, and how you would apply the ACL to the VLAN, with the in and out :)


How many ACL can I have with a VLAN?  I notice that I can only one.  I created the ACL, access-list 101 deny icmp any any.  I applied this to VLAN 3.  Then I created this ACL, access-list 101 permit icmp host 10.50.20.2 host 10.10.2.20.  I applied to VLAN 3.  I notice that only the last ACL is applied.  Why is this?





Cheers,
Blue Print


 
0
Comment
Question by:blueprint123
2 Comments
 
LVL 7

Accepted Solution

by:
NicBrey earned 50 total points
ID: 9655873
You can have one ACL in each direction (in and out) per interface - same with VLAN. There are however issues with layer 3 switching and inbound access lists.
You can't do anything on the switch that will prevent the PC's inside VLAN3 from pinging each other. Inside the VLAN, the switch operates only at layer 2 and no upper layer ACLs can be configured on a per port basis. You will have to install personal firewalls on each PC and set it up with a password so that your more clued up users can't fiddle with it.

You can have the following access list that will meet all your other criteria:
access-list 101 permit icmp   10.10.2.20    10.50.20.2  
access-list 101 deny icmp   any   any  echo  reply             <----- Will only block pings reply
access-list 101 permit ip any any

And apply that outbound on your VLAN interface
ip access-group 101 out
0
 
LVL 3

Expert Comment

by:MaxQ
ID: 9672491
It's possible you might be able to do what you want inside VLAN3 with the "private VLAN edge" feature:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080094830.shtml
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
High Receive Utilization on my Cisco 3560 V2 10 60
Understanding split up wire 10 30
BGP Code 12 42
BGP Network restrictions 6 21
It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now