Block VLan access
Hi,
I want to block access to a 10.x.x.x network from a 172.16.x.x vlan and not sure of the best way to do this. I was thinking of using extended access lists and simply applying those to the vlan but was wondering if there were any better suggestions which might make this more easier.
I want to block access to a 10.x.x.x network from a 172.16.x.x vlan and not sure of the best way to do this. I was thinking of using extended access lists and simply applying those to the vlan but was wondering if there were any better suggestions which might make this more easier.
Who is Participating?
I have given some example for this... please understand the same.
===============
ip access-list extended BAN_VLAN_20
permit tcp 10.10.20.0 0.0.0.255 established
deny tcp 10.10.20.0 0.0.0.255 any
permit ip any any
!
interface Vlan100
description SVI_VLAN100
ip address 10.10.100.254 255.255.255.0
ip access-group BAN_VLAN_20 out
!
The above would block the 10.10.20.0 network from initiating access to the 10.10.100.0 network via TCP protocols such as Telnet or SSH. However, if 10.10.100.0 network initiated the connection then with the "permit tcp 10.10.20.0 0.0.0.255 established" added the return traffic from the 10.10.20.0 network would be allowed. This will allow the 10.10.100.0 network, your management Vlan, to access the 10.10.20.0 network hosts via TCP protocols, such as the Telnet and SSH for management.
========================
===============
ip access-list extended BAN_VLAN_20
permit tcp 10.10.20.0 0.0.0.255 established
deny tcp 10.10.20.0 0.0.0.255 any
permit ip any any
!
interface Vlan100
description SVI_VLAN100
ip address 10.10.100.254 255.255.255.0
ip access-group BAN_VLAN_20 out
!
The above would block the 10.10.20.0 network from initiating access to the 10.10.100.0 network via TCP protocols such as Telnet or SSH. However, if 10.10.100.0 network initiated the connection then with the "permit tcp 10.10.20.0 0.0.0.255 established" added the return traffic from the 10.10.20.0 network would be allowed. This will allow the 10.10.100.0 network, your management Vlan, to access the 10.10.20.0 network hosts via TCP protocols, such as the Telnet and SSH for management.
========================
For a small number of VLAN's that need to be isolated, ACL's are the best option. For a large number of VLAN's, where managing a lot of ACL's would become difficult, you can use private VLAN's.
These articles from Cisco explain private VLAN's
http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
These articles from Cisco explain private VLAN's
http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month7 days, 14 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
Here is one good documnet to learn more on vlan access map, vlan acl..you can go thru it if time permits you.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.pdf