Solved

Traffic security on L3 device

Posted on 2009-05-10
Last Modified: 2013-11-08
Hi Experts,

I have vlans on cisco 6500 switch running IOS ver 12.2(18). I have following two VLANs

int vlan 100
no shut
ip address 172.20.100.23

int vlan 200
no shut
no ip address

Both are active, each has two servers in it, and both VLANs can pass traffic to each other due to inter-VLAN routing. I want traffic from VLAN 100 not to enter VLAN 200, but the rest of the traffic should go as normal.

Can someone help? Thanks :)
Question by:vbongarala
12 Comments

Expert Comment

by:that1guy15
ID: 24351800
Apply an ACL to VLAN 200 that blocks all inbound traffic from VLAN 100.

Author Comment

by:vbongarala
ID: 24351936
Thanks for the prompt reply.

By applying the ACL, only traffic from VLAN 200 will be blocked, right? And the rest of the traffic will pass through. Am I right?

Thanks :)

Expert Comment

by:that1guy15
ID: 24351985
If set up correctly, then yes, only traffic from VLAN 200 will be blocked. Here is a sample ACL that will do that:

access-list 101 deny ip 172.20.100.0 0.0.0.255 any
access-list 101 permit ip any any

Line one blocks all inbound traffic from the 172.20.100.0 subnet from entering VLAN 200.
Line two allows all other traffic into VLAN 200. You will then apply this ACL to the VLAN 200 interface:

int vlan 200
access-group 101 out

Author Comment

by:vbongarala
ID: 24352348

Thanks again for the prompt response. After implementation I will post an update in some time.

Author Comment

by:vbongarala
ID: 24352420

I forgot one question. In the ACL below,

access-list 101 deny ip 172.20.100.0 0.0.0.255 any
access-list 101 permit ip any any

VLAN 100 will not talk to VLAN 200, but it will still be able to talk to all other VLANs, right?

Thanks :)

Author Comment

by:vbongarala
ID: 24353232

And shouldn't this:

int vlan 200
access-group 101 out

be "access-group 101 in" instead of "out"?

Thanks :)
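To make the direction question above concrete for the ACL in that1guy15's post, here is an added Python model (not from the thread, and not Cisco's code) of how an IP ACL bound to an SVI is evaluated with "in" versus "out"; the sample flows, the extra VLAN 300 and the from_vlan/to_vlan fields are constructed for the example.

```python
import ipaddress

# Constructed model of the two-line ACL from the thread; each entry is
# (action, source, wildcard) with destination "any" throughout:
#   access-list 101 deny   ip 172.20.100.0 0.0.0.255 any
#   access-list 101 permit ip any any
ACL_101 = [
    ("deny", "172.20.100.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "any"
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'; all 0-bit positions must agree."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_verdict(acl, src: str) -> str:
    """First matching line wins; IOS adds an implicit 'deny' at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def svi_filter(pkt: dict, svi_vlan: int, direction: str, acl) -> str:
    """Evaluate a routed packet against an ACL bound to one SVI with 'in' or 'out'.

    'in'  filters packets that arrive at the SVI from hosts in that VLAN.
    'out' filters packets the switch routes out of the SVI into that VLAN.
    A packet that never crosses this SVI (other VLAN pairs, or a VLAN whose
    servers use a different gateway, as with the CSM later in the thread)
    is not evaluated at all.
    """
    crosses = (direction == "in" and pkt["from_vlan"] == svi_vlan) or \
              (direction == "out" and pkt["to_vlan"] == svi_vlan)
    if not crosses:
        return "not-evaluated"
    return acl_verdict(acl, pkt["src"])


# Constructed sample flows: the thread's VLAN 100 and 200 plus an unrelated VLAN 300.
PING_100_TO_200 = {"src": "172.20.100.10", "dst": "172.20.200.10", "from_vlan": 100, "to_vlan": 200}
PING_200_TO_100 = {"src": "172.20.200.10", "dst": "172.20.100.10", "from_vlan": 200, "to_vlan": 100}
PING_100_TO_300 = {"src": "172.20.100.10", "dst": "172.20.30.10", "from_vlan": 100, "to_vlan": 300}
```

Binding the ACL "out" on the VLAN 200 SVI denies PING_100_TO_200, binding it "in" there never sees that packet, and PING_100_TO_300 is untouched either way, which is the behaviour the two questions above ask about.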

Author Comment

by:vbongarala
ID: 24354084

I tried the commands as posted; however, under int vlan 200 I could not find the access-group command, hence I could not apply it. Do we need to use a VACL instead?

Can you figure out how else to do it? The device is, as I mentioned, an L3 6500 switch running 12.2(18)SXF7.

Thanks :)

Author Comment

by:vbongarala
ID: 24354823

Sorry, I missed the "ip" of the ip access-group command, and hence the device was giving an error.

But when I finally did try the commands, the traffic from VLAN 100 was still not being blocked and was going to VLAN 200 without trouble. I tested the blocking by pinging a server in VLAN 200 from a server in VLAN 100, and the ping was getting through.

Can you tell me if I missed something, or if something else needs to be done?

Thanks :)

Expert Comment

by:that1guy15
ID: 24356205
"VLAN 100 will not talk to VLAN 200, but it will still be able to talk to all other VLANs, right?"

Yes, it will be able to communicate with all other VLANs, since the ACL is only applied to VLAN 200.

"Sorry, I missed the "ip" of the ip access-group command, and hence the device was giving an error."

Sorry, it was late here and I missed typing that in.

Please post the ACL you created and how you applied it to the interface so I can see what you have going on.

Author Comment

by:vbongarala
ID: 24356358
access-list 153 deny ip 172.20.100.0 0.0.0.255 any
access-list 153 permit ip any any

int vlan 200
no shut
no ip address
ip access-group 153 out

(I tried "in" as well.)

After this I ran a ping from a server in VLAN 100 to a server in VLAN 200, and the ping was getting through when it was supposed to be blocked.

Here I want you to notice: int vlan 200 does not have any IP address. The servers in VLAN 200 are being load balanced using a CSM module and therefore have the CSM VLAN server IP address, 172.20.200.1, as their local gateway. Would this be making any difference?

Thanks :)

Accepted Solution

by:
that1guy15 earned 250 total points
ID: 24356725
Yeah, that could be it. You might be correct on needing to use VACLs. I have limited knowledge/experience of VACLs, so I don't know how much help I could be, but check out this doc. Let's see what we can figure out.


http://ipcnetworking.com/2008/11/how-to-setup-access-list-for-a-cisco-vlan.html

Author Comment

by:vbongarala
ID: 24370904

I'm going to try today to apply VACLs between two different L3 VLANs to control traffic. But I've heard that VACLs are only for controlling traffic within a VLAN, not between two different VLANs.

Please clarify. Thanks :)