ustda
asked on
I need help building ACLs to control traffic between VLANs ...
Hello all,
I'm completely new to building ACLs on a Catalyst switch. That said, I have experience doing so on the PIX platform so I have some understanding of concepts, etc.
Here is what I'm trying to do:
There are two VLANs in questions -
the first can be considered the "main" vlan (id = 2, subnet 192.168.50.x) where all the clients and some servers live.
the second can be considered the "web" vlan (id = 3, subnet 192.168.51.x) where all our web servers live.
Right now, since IP Routing is enabled on the switch, these two VLANs can talk to each other. I need to be able to limit this like so:
No one from the Main vlan should be able to talk to anyone in the Web vlan unless it's FTP or RDP.
No one from the Web vlan should be able to talk to anyone in Main vlan except our DB server on port 1433 only.
Does that make sense? Many thanks for any help you folks can provide ...
I'm completely new to building ACLs on a Catalyst switch. That said, I have experience doing so on the PIX platform so I have some understanding of concepts, etc.
Here is what I'm trying to do:
There are two VLANs in questions -
the first can be considered the "main" vlan (id = 2, subnet 192.168.50.x) where all the clients and some servers live.
the second can be considered the "web" vlan (id = 3, subnet 192.168.51.x) where all our web servers live.
Right now, since IP Routing is enabled on the switch, these two VLANs can talk to each other. I need to be able to limit this like so:
No one from the Main vlan should be able to talk to anyone in the Web vlan unless it's FTP or RDP.
No one from the Web vlan should be able to talk to anyone in Main vlan except our DB server on port 1433 only.
Does that make sense? Many thanks for any help you folks can provide ...
ASKER
This is great, thanks mabutterfield! One question though - how come you end each list with the permit ip any any statment?
Given that it's below the deny statement, nothing would ever get that far, right?
Given that it's below the deny statement, nothing would ever get that far, right?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
This is perfect - thank's a million mabutterfield, it all makes sense.
access list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 20
access list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 21
access list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 3389
access list 100 deny ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access list 100 permit ip any any
access list 101 permit tcp 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 1433
access list 101 deny ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access list 101 permit ip any any
int vlan1
access-group 100 in
int vlan 2
access-group 101 in