
Cisco VLAN Security

C3750 - 12.2(35)SE

Switch has VLANs.

What are several ways I can stop the VLANs from being able to communicate with each other? I do have EIGRP enabled on the switch.

Thanks
Portal-Potty#show run
Building configuration...
 
Current configuration : 12936 bytes
!
! Last configuration change at 16:28:56 CDT Mon Nov 17 2008 by kturner
! NVRAM config last updated at 16:29:27 CDT Mon Nov 17 2008 by kturner
!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Buggs
!
clock timezone CDT -6
clock summer-time CDT recurring
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name buggs.com
!
ip ssh version 2
!
!
no file verify auto
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 3 priority 24576
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 4
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
 no mdix auto
 spanning-tree portfast
!         
interface GigabitEthernet1/0/3
 description Connection to 6509
 switchport access vlan 3
 no mdix auto
!
interface GigabitEthernet1/0/4
 switchport access vlan 4
 speed 1000
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 2
 no mdix auto
 spanning-tree portfast
!
 
!         
interface Vlan1
 description To Pix
 ip address 10.88.0.2 255.255.255.240
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan2
 ip address 10.88.0.17 255.255.255.240
!
interface Vlan3
 ip address 10.88.0.33 255.255.255.240
!
router eigrp 88
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.80.2.0 255.255.255.0 10.88.0.1
ip route 10.80.224.0 255.255.255.0 10.88.0.1
ip route 10.80.226.0 255.255.255.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
no ip http server


Asked by: gevansmdes

5 Solutions
 
bkepford commented:
You can either do it on the VLAN with a VLAN filter or at gateway with a regular IP ACL.
=======
IP
=======
! The deny lines below name the other VLAN's subnet as the source, so the ACL has to
! sit outbound on the SVI (toward that VLAN's hosts); inbound it would never match.
interface Vlan2
 ip access-group 102 out
!
interface Vlan3
 ip access-group 101 out
!
access-list 101 deny ip 10.88.0.16 0.0.0.15 any
access-list 102 deny ip 10.88.0.32 0.0.0.15 any
=======
VLAN
=======
! A VACL drops anything that matches no map entry, so sequence 20 forwards the rest.
vlan access-map VLAN3 10
 action drop
 match ip address 102
vlan access-map VLAN3 20
 action forward
!
vlan filter VLAN3 vlan-list 2
!
vlan access-map VLAN2 10
 action drop
 match ip address 101
vlan access-map VLAN2 20
 action forward
!
vlan filter VLAN2 vlan-list 3
!
access-list 101 deny ip 10.88.0.16 0.0.0.15 any
access-list 102 deny ip 10.88.0.32 0.0.0.15 any
 
 
bkepford commented:
Oops, forgot to add the permit statements on the IP ACLs. I also forgot that on the VLAN filter it is a match statement, so look below for the correct ACLs.
=======
IP
=======
access-list 101 deny ip 10.88.0.16 0.0.0.15 any
access-list 101 permit ip any any

access-list 102 deny ip 10.88.0.32 0.0.0.15 any
access-list 102 permit ip any any

=======
VLAN
=======

access-list 101 permit ip 10.88.0.16 0.0.0.15 any
access-list 102 permit ip 10.88.0.32 0.0.0.15 any
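To check that the two designs above actually do what the thread wants, here is an added Python model of IOS first-match ACL evaluation (not part of the original answer or of any Cisco tooling). It assumes ACL 101 is applied outbound on interface Vlan3 and ACL 102 outbound on Vlan2, so the other VLAN's subnet is the source the deny lines look for, and it adds a final "action forward" entry to each VLAN access map, because a VACL drops every packet that matches no entry. The host and Internet addresses are constructed; the subnets come from the posted config.

```python
import ipaddress

# Subnets from the posted config (VLAN 2 = 10.88.0.16/28, VLAN 3 = 10.88.0.32/28).
# Host and Internet addresses used in the demo are constructed.
VLAN_SUBNET = {2: ("10.88.0.16", "0.0.0.15"), 3: ("10.88.0.32", "0.0.0.15")}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)


def ace(action, src, dst=ANY):
    """One access-list entry: (action, (src net, src wildcard), (dst net, dst wildcard))."""
    return (action, src, dst)


def acl_lookup(acl, src, dst):
    """First-match evaluation; returns 'permit', 'deny', or None when no entry matches."""
    for action, (s_net, s_wc), (d_net, d_wc) in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return None


# Router ACL version, as corrected in the thread: deny the other VLAN, then permit the rest.
ACL_101 = [ace("deny", VLAN_SUBNET[2]), ace("permit", ANY)]
ACL_102 = [ace("deny", VLAN_SUBNET[3]), ace("permit", ANY)]

# Assumption: ACL 101 is outbound on Vlan3 and ACL 102 outbound on Vlan2.
SVI_OUT_ACL = {2: ACL_102, 3: ACL_101}


def router_acl(acl, src, dst):
    """A router ACL ends with an implicit deny."""
    return acl_lookup(acl, src, dst) or "deny"


def egress_vlan(dst):
    """Which SVI a routed packet leaves through; None means the default route (no SVI ACL)."""
    for vlan, (net, wc) in VLAN_SUBNET.items():
        if wildcard_match(dst, net, wc):
            return vlan
    return None


def routed_verdict(src, dst):
    vlan = egress_vlan(dst)
    if vlan is None:
        return "permit"
    return router_acl(SVI_OUT_ACL[vlan], src, dst)


# VACL version: the action fires only when the match ACL *permits* the packet, and a
# packet matching no sequence is dropped, so the added sequence 20 forwards everything else.
ACL_101_VACL = [ace("permit", VLAN_SUBNET[2])]
ACL_102_VACL = [ace("permit", VLAN_SUBNET[3])]
MAP_VLAN2 = [(ACL_101_VACL, "drop"), ([ace("permit", ANY)], "forward")]  # vlan filter VLAN2 vlan-list 3
MAP_VLAN3 = [(ACL_102_VACL, "drop"), ([ace("permit", ANY)], "forward")]  # vlan filter VLAN3 vlan-list 2
VLAN_FILTER = {3: MAP_VLAN2, 2: MAP_VLAN3}


def vacl(access_map, src, dst):
    for match_acl, action in access_map:
        if acl_lookup(match_acl, src, dst) == "permit":
            return action
    return "drop"  # implicit deny at the end of every VLAN access map


def vacl_verdict(vlan, src, dst):
    return vacl(VLAN_FILTER[vlan], src, dst)


if __name__ == "__main__":
    for src, dst in [("10.88.0.20", "10.88.0.40"), ("10.88.0.40", "10.88.0.20"), ("10.88.0.20", "192.0.2.10")]:
        print(f"routed {src} -> {dst}: {routed_verdict(src, dst)}")
    for vlan, src, dst in [(3, "10.88.0.20", "10.88.0.40"), (3, "10.88.0.40", "10.88.0.41"), (3, "192.0.2.10", "10.88.0.40")]:
        print(f"VACL on vlan {vlan} {src} -> {dst}: {vacl_verdict(vlan, src, dst)}")
    # Without the forward entry, return traffic from the Internet into VLAN 3 is dropped too.
    print("VACL without sequence 20:", vacl(MAP_VLAN2[:1], "192.0.2.10", "10.88.0.40"))
```

Running it shows VLAN 2 and VLAN 3 blocked in both directions while Internet-bound and intra-VLAN traffic still flows, and that dropping the "action forward" entry silently kills return traffic from the Internet, which is the usual VACL surprise.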
 
gevansmdes (Author) commented:
So are these the only two ways to do it? If the VLANs were not in EIGRP, would the VLANs be able to communicate with each other?
 
bkepford commented:
IP routing needs to be turned on (the command is "ip routing", which it is) for them to communicate. EIGRP is not required because the switch has IP addresses on both LAN segments. If you do a "show ip route", both VLAN IP networks will be in your routing table and show as connected. EIGRP would be used to advertise the networks to an outside device such as a router.
VLANs will not communicate at all unless they are routed. That, after all, is the purpose of a VLAN: to separate two LAN segments.
So it just makes sense that you have to filter by IP address.
 
gevansmdes (Author) commented:
So if I remove EIGRP (it's not needed) and also remove the "ip routing", then the VLANs will become separate LANs, correct? Would I have to do anything with this?

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.80.2.0 255.255.255.0 10.88.0.1
ip route 10.80.224.0 255.255.255.0 10.88.0.1
ip route 10.80.226.0 255.255.255.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
 
bkepford commented:
They are separate LANs from a layer 2 perspective, but they are not restricted from talking. You need the "ip routing" since you are using the switch to route between VLANs to get out to the Internet.
The only IP routes you need are these two:
ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
The only way to restrict IP access between the two interfaces is to put in the ACLs that I told you about. Just copy and paste the IP version in (with the updated ACLs).

 
gevansmdes (Author) commented:
If I were to remove the "ip route" statements

and only use

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40

then the VLANs would not communicate with each other via Layer 3 correct?

also.. what is the purpose of the commands below?

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40

Answer this and I should be good to go. Many thanks for your help.
 
gevansmdes (Author) commented:
FYI: I plan to make each VLAN connect to my firewall by making sub-interfaces on the firewall for each VLAN. This way I can use the firewall to control communication instead of ACLs on the switch.
 
bkepford commented:
Yes, that will work, and I almost suggested it, except then I realized that even on the firewall you will have to create an access control list to block from one IP group to the other, and I figured it would be just as easy for you to keep what you had and do the blocking on the switch. Plus, I figured you bought a Cisco 3750 for a reason and didn't want to have you turn off the Layer 3 portion of the switch if you didn't have to.

All said and done, either way will work.
 
bkepford commented:
This was a comment I meant to use to reply to your previous post.
The ip route statements won't work without "ip routing". Whatever your gateway is will allow the two subnets to communicate via layer 3 unless you restrict them with an ACL.
