Cisco VLAN Security

C3750 - 12.2(35)SE

Switch has VLANs

What are several ways I can stop the VLANs from being able to communicate with each other? I do have EIGRP enabled on the switch.

Thanks
Portal-Potty#show run
Building configuration...
 
Current configuration : 12936 bytes
!
! Last configuration change at 16:28:56 CDT Mon Nov 17 2008 by kturner
! NVRAM config last updated at 16:29:27 CDT Mon Nov 17 2008 by kturner
!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Buggs
!
clock timezone CDT -6
clock summer-time CDT recurring
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name buggs.com
!
ip ssh version 2
!
!
no file verify auto
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 3 priority 24576
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 4
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Connection to 6509
 switchport access vlan 3
 no mdix auto
!
interface GigabitEthernet1/0/4
 switchport access vlan 4
 speed 1000
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 2
 no mdix auto
 spanning-tree portfast
!
interface Vlan1
 description To Pix
 ip address 10.88.0.2 255.255.255.240
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan2
 ip address 10.88.0.17 255.255.255.240
!
interface Vlan3
 ip address 10.88.0.33 255.255.255.240
!
router eigrp 88
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.80.2.0 255.255.255.0 10.88.0.1
ip route 10.80.224.0 255.255.255.0 10.88.0.1
ip route 10.80.226.0 255.255.255.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
no ip http server


gevansmdesAsked:

bkepfordCommented:
You can either do it on the VLAN with a VLAN filter or at the gateway with a regular IP ACL.
=======
IP
=======
interface Vlan2
ip access-group 102 in
!
interface Vlan3
ip access-group 101 in
!
access-list 101 deny ip 10.88.0.16 0.0.0.15 any
access-list 102 deny ip 10.88.0.32 0.0.0.15 any
=======
VLAN
=======
vlan access-map VLAN3 10
 action drop
 match ip address 102
!
vlan filter VLAN3 vlan-list 2
!
vlan access-map VLAN2 10
 action drop
 match ip address 101
!
vlan filter VLAN2 vlan-list 3
!
access-list 101 deny ip 10.88.0.16 0.0.0.15 any
access-list 102 deny ip 10.88.0.32 0.0.0.15 any
 
0

bkepfordCommented:
Oops, forgot to add in the permit statements on the IP ACLs. I also forgot that on the VLAN filter it is a match statement, so look below for the correct ACLs.
=======
IP
=======
access-list 101 deny ip 10.88.0.16 0.0.0.15 any
access-list 101 permit ip any any

access-list 102 deny ip 10.88.0.32 0.0.0.15 any
access-list 102 permit ip any any

=======
VLAN
=======

access-list 101 permit ip 10.88.0.16 0.0.0.15 any
access-list 102 permit ip 10.88.0.32 0.0.0.15 any
0
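A complete version of both approaches, added here as an example rather than taken from bkepford's two posts above, using the VLAN 2 (10.88.0.16/28) and VLAN 3 (10.88.0.32/28) addressing from the posted show run; the ACL and access-map names are my own. Two points are worth checking before pasting either method. First, an ACL applied "in" on an SVI sees packets sourced from that VLAN's own subnet, so to stop VLAN 2 reaching VLAN 3 the ACL on interface Vlan2 has to match the other subnet as the destination; an entry that matches 10.88.0.32/28 as the source never fires on Vlan2 unless a host spoofs its address. Second, a VLAN access map drops any packet that matches none of its entries, so a final entry with "action forward" and no match clause is required, or everything else in the VLAN, including traffic toward the PIX on VLAN 1, is dropped.

```cisco
! ---------- Method 1: extended IP ACLs on the SVIs (routed traffic only) ----------
! Names are assumed for this example. Each ACL is applied inbound on its own SVI,
! so the source is always the local subnet and the remote subnet is the destination.
ip access-list extended VLAN2-IN
 deny   ip 10.88.0.16 0.0.0.15 10.88.0.32 0.0.0.15
 permit ip any any
!
ip access-list extended VLAN3-IN
 deny   ip 10.88.0.32 0.0.0.15 10.88.0.16 0.0.0.15
 permit ip any any
!
interface Vlan2
 ip access-group VLAN2-IN in
!
interface Vlan3
 ip access-group VLAN3-IN in
!
! ---------- Method 2: VLAN access maps (bridged and routed traffic) ----------
! A map on VLAN 2 drops anything sourced from the VLAN 3 subnet, and vice versa.
! Entry 20 with no match clause forwards everything the drop entry did not match;
! without it the map's implicit deny would drop all other traffic in the VLAN.
ip access-list extended FROM-VLAN3
 permit ip 10.88.0.32 0.0.0.15 any
!
ip access-list extended FROM-VLAN2
 permit ip 10.88.0.16 0.0.0.15 any
!
vlan access-map VLAN2-FILTER 10
 action drop
 match ip address FROM-VLAN3
vlan access-map VLAN2-FILTER 20
 action forward
!
vlan access-map VLAN3-FILTER 10
 action drop
 match ip address FROM-VLAN2
vlan access-map VLAN3-FILTER 20
 action forward
!
vlan filter VLAN2-FILTER vlan-list 2
vlan filter VLAN3-FILTER vlan-list 3
```

Use one method or the other, not both. After applying, "show access-lists" shows hit counters on the deny or permit entries, and "show vlan access-map" and "show vlan filter" confirm which map is bound to which VLAN; pinging a host in the other VLAN from a host in each VLAN, while confirming that the default gateway and the PIX are still reachable, is the quickest end-to-end check.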
gevansmdesAuthor Commented:
So are these the only two ways to do it? If the VLANs were not in EIGRP, would the VLANs be able to communicate with each other?
0

bkepfordCommented:
IP routing needs to be turned on (the command is "ip routing", which it is) for them to communicate. EIGRP is not required because the switch has IP addresses on both LAN segments. If you do a "show ip route", both VLAN IPs will be in your routing table and show as connected. EIGRP would be used to advertise the networks to an outside device such as a router.
VLANs will not communicate at all unless they are routed. That, after all, is the purpose of a VLAN: to separate two LAN segments.
So it just makes sense that you have to filter by IP address.
0
gevansmdesAuthor Commented:
So if I remove EIGRP (it's not needed) and also remove "ip routing", then the VLANs will become separate LANs, correct? Would I have to do anything with this?

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.80.2.0 255.255.255.0 10.88.0.1
ip route 10.80.224.0 255.255.255.0 10.88.0.1
ip route 10.80.226.0 255.255.255.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
0
bkepfordCommented:
They are separate LANs from a layer 2 perspective, but they are not restricted from talking. You need "ip routing" since you are using the switch to route between VLANs to get out to the Internet.
The only IP routes you need are these two
ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
The only way to restrict IP access between the two interfaces is to put in the ACLs that I told you about. Just copy and paste the IP version in (with the updated ACLs).

0
gevansmdesAuthor Commented:
If I was to remove the "ip route" statements

and only use

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40

then the VLANs would not communicate with each other via Layer 3, correct?

Also, what is the purpose of the commands below?

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40

Answer this and I should be good to go. Many thanks for your help.
0
gevansmdesAuthor Commented:
FYI - I plan to make each VLAN connect to my firewall by making sub-interfaces on the firewall for each VLAN. This way I can use the firewall to control communication instead of ACLs on the switch.
0
bkepfordCommented:
Yes, that will work, and I almost suggested it, except then I realized that even on the firewall you will have to create an access control list to block from one IP group to the other, and I figured it would be just as easy for you to keep what you had and do the blocking on the switch. Plus, I figured you bought a Cisco 3750 for a reason and didn't want you to have to turn off the Layer 3 portion of the switch if you didn't have to.

All said and done, either way will work.
0
bkepfordCommented:
This was a comment I meant to use to reply to your previous post.
The ip route statements won't work without "ip routing". Whatever your gateway is will allow the two subnets to communicate via layer 3 unless you restrict them with an ACL.
0
Question has a verified solution.
