Solved

Block VLan access

Posted on 2013-01-08
3
301 Views
Last Modified: 2013-02-05
Hi,


I want to block access to a 10.x.x.x network from a 172.16.x.x vlan and not sure of the best way to do this. I was thinking of using extended access lists and simply applying those to the vlan but was wondering if there were any better suggestions which might make this more easier.
0
Comment
Question by:dcirona86
3 Comments
 
LVL 1

Expert Comment

by:thpipfh
ID: 38757661
I have given some example for this... please understand the same.

===============
ip access-list extended BAN_VLAN_20
permit tcp 10.10.20.0 0.0.0.255 established
deny   tcp 10.10.20.0 0.0.0.255 any
permit ip any any
!
interface Vlan100
description SVI_VLAN100
ip address 10.10.100.254 255.255.255.0
ip access-group BAN_VLAN_20 out
!
 
 
The above would block the 10.10.20.0 network from initiating access to the 10.10.100.0 network via TCP protocols such as Telnet or SSH.  However, if 10.10.100.0 network initiated the connection then with the "permit tcp 10.10.20.0 0.0.0.255 established" added the return traffic from the 10.10.20.0 network would be allowed.  This will allow the 10.10.100.0 network, your management Vlan, to access the 10.10.20.0 network hosts via TCP protocols, such as the Telnet and SSH for management.
 ========================
0
 
LVL 9

Accepted Solution

by:
Sandeep Gupta earned 250 total points
ID: 38757885
Hi,

Here is one good documnet to learn more on vlan access map, vlan acl..you can go thru it if time permits you.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.pdf
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 38761141
For a small number of VLAN's that need to be isolated, ACL's are the best option.  For a large number of VLAN's, where managing a lot of ACL's would become difficult, you can use private VLAN's.

These articles from Cisco explain private VLAN's
http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Monitor bandwidth 3 108
Link issue 11 61
Cisco 2911/Etherswitch: Bringing up SVI and not seeing vlan on one side of trunk 7 54
Etherchannel balancing 10 21
Hello to you all, I hear of many people congratulate AWS (Amazon Web Services) on how easy it is to spin up and create new EC2 (Elastic Compute Cloud) instances, but then fail and struggle to connect to them using simple tools such as SSH (Secure…
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question