
Traffic security on L3 device

Hi Experts,

I have VLANs on a Cisco 6500 switch running IOS version 12.2(18). I have the following two VLANs:

Int vlan 100
no shut
ip address 172.20.100.23

Int vlan 200
no shut
no ip address

Both are active, each has two servers in it, and both VLANs can pass traffic to each other due to inter-VLAN routing. I want traffic from VLAN 100 not to enter VLAN 200, but the rest of the traffic should flow as normal.

Can someone help? Thanks :)
Asked by: vbongarala
1 Solution
 
that1guy15 commented:
Apply an ACL to VLAN 200 that blocks all inbound traffic from VLAN 100.
vbongarala (Author) commented:
Thanks for the prompt reply.

By applying the ACL, only traffic from VLAN 200 will be blocked, right? And the rest of the traffic will pass through. Am I right?

Thanks :)
that1guy15 commented:
If set up correctly, then yes, only traffic from VLAN 200 will be blocked. Here is a sample ACL that will do that:

access-list 101 deny ip 172.20.100.0 0.0.0.255 any
access-list 101 permit ip any any

Line one blocks all inbound traffic from the 172.20.100.0 subnet from entering VLAN 200.
Line two allows all other traffic into VLAN 200. You will then apply this ACL to the VLAN 200 interface:

int vlan 200
access-group 101 out
vbongarala (Author) commented:

Thanks again for the prompt response. After implementation, I will post an update in some time.
vbongarala (Author) commented:

I forgot one question: in the ACL below,

access-list 101 deny ip 172.20.100.0 0.0.0.255 any
access-list 101 permit ip any any

VLAN 100 will not talk to VLAN 200, but it will be able to talk to all other VLANs, right?

Thanks :)
vbongarala (Author) commented:

And shouldn't

int vlan 200
access-group 101 out

be "access-group 101 in" instead of "out"?

Thanks :)
vbongarala (Author) commented:

I tried the commands as posted; however, under int vlan 200 I could not find the access-group command. Hence I could not apply it. Do we need to use a VACL instead?

Can you figure out how else to do it? The device is, as I mentioned, an L3 6500 switch, version 12.2(18)SXF7.

Thanks :)
vbongarala (Author) commented:

Sorry, I missed the "ip" of the ip access-group command, and hence the device was giving an error.

But when I finally did try the commands, the traffic from VLAN 100 was still not being blocked and was going straight into VLAN 200. I tested the blocking by pinging a server in VLAN 200 from a server in VLAN 100, and the ping was going through.

Can you tell me if I missed something, or if something else needs to be done?

Thanks :)
that1guy15 commented:
"VLAN 100 will not talk to VLAN 200, but it will be able to talk to all other VLANs, right?"

Yes, it will be able to communicate with all other VLANs, since the ACL is only applied to VLAN 200.

"Sorry, I missed the "ip" of the ip access-group command, and hence the device was giving an error."

Sorry, it was late here and I missed typing that in.

Please post the ACL you created and how you applied it to the interface so I can see what you have going on.

vbongarala (Author) commented:
access-list 153 deny ip 172.20.100.0 0.0.0.255 any
access-list 153 permit ip any any

Int vlan 200
no shut
no ip address
ip access-group 153 out (I tried "in" also)

After this, I ran a ping from a server in VLAN 100 to a server in VLAN 200, and the ping was succeeding when it was supposed to be blocked.

Here I want you to notice: int vlan 200 does not have any IP address. The servers in VLAN 200 are being load balanced using a CSM module and therefore have their local gateway set to the CSM's VLAN server IP address, which is 172.20.200.1. Would this be making any difference?

Thanks :)
that1guy15 commented:
Yeah, that could be it. You might be correct on needing to use VACLs. I have limited knowledge/experience of VACLs, so I don't know how much help I could be, but check out this doc. Let's see what we can figure out.

http://ipcnetworking.com/2008/11/how-to-setup-access-list-for-a-cisco-vlan.html
vbongarala (Author) commented:

I'm going to try today to apply VACLs between two different L3 VLANs to control traffic. But I have heard that VACLs are only for controlling traffic within a VLAN, not between two different VLANs.

Please clarify. Thanks :)
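Added by the editor, not from any participant in the thread: a VACL (VLAN access map) on the Catalyst 6500 that drops packets sourced from 172.20.100.0/24 as they enter VLAN 200 and forwards everything else. A VACL is bound to the VLAN itself rather than to the SVI, and it matches bridged as well as routed packets, so it does not depend on interface Vlan200 having an IP address. The ACL and access-map names are assumptions, and the example assumes the CSM hands client packets into the server VLAN with their original source address.

```ios
! Match ACL: in a VACL, packets this ACL *permits* are the ones the
! access-map clause acts on, so the VLAN 100 subnet is listed with "permit".
! (Name FROM-VLAN100 is an assumption; the thread used numbered ACLs.)
ip access-list extended FROM-VLAN100
 permit ip 172.20.100.0 0.0.0.255 any
!
! Clause 10: drop anything sourced from 172.20.100.0/24.
vlan access-map BLOCK-VLAN100 10
 match ip address FROM-VLAN100
 action drop
!
! Clause 20: a VACL has an implicit drop at the end, so an explicit
! forward-all clause is required or VLAN 200 loses all other traffic.
vlan access-map BLOCK-VLAN100 20
 action forward
!
! Bind the access map to VLAN 200 only; other VLANs keep full reachability
! to and from VLAN 100.
vlan filter BLOCK-VLAN100 vlan-list 200
!
! Verification after applying, then repeat the VLAN 100 -> VLAN 200 ping test.
show vlan access-map BLOCK-VLAN100
show vlan filter
```

If the ping from VLAN 100 still succeeds, check whether the CSM is translating the client source address (source NAT); in that case the packets entering VLAN 200 no longer carry a 172.20.100.0/24 source and the match ACL must reference the address the CSM actually uses.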
