Book now with code EOY2025
networker050184 wrote: You can have the server VLAN communicate with the all other VLANs but not have them communicate with each other. Make sure you read the known limitations section though because there are some limitations. Also, I'm not sure about the scalability of this solution so you will probably want to do some testing first before deploying. Maybe someone with more experience with PVLANs and VACLs will chime in.
You could create 1 ACL to deny traffic to all the VLANs which should not be able to communicate with one another and apply it to each VLAN. This way any traffic leaving the VLAN to be routed would be blocked but whatever you don't deny (ie internet/server vlan) would pass through.
xwesleyxwillisx wrote: VLAN 100 = 192.168.100.0 /24 VLAN 200 = 192.168.200.0 /24 VLAN 300 = 192.168.300.0 /24 VLAN 400 = 192.168.400.0 /24 access-list 100 deny ip any 192.168.100.0 0.0.0.255 access-list 100 deny ip any 192.168.200.0 0.0.0.255 access-list 100 deny ip any 192.168.300.0 0.0.0.255 access-list 100 permit ip any any int vlan 100 ip access-group 100 in int vlan 200 ip access-group 100 in int vlan 300 ip access-group 100 in Is my thought correct that traffic destined to hosts inside the same subnet would not hit this ACL and thus be permitted?
svo4dot6 wrote: I believe Jason really means intra-vlan and not inter-vlan. For example, traffic from VLAN 100 or 10.0.100.x destined to any of the other vlans should be filtered unless it is to specific hosts. What I have done in a similiar case is to add a permit for necessary intra-vlan communication and deny all else on the block. IE say you have servers on VLAN 20: ip access-list extended block_vlan_100_to_all permit 10.0.100.0 0.0.0.255 10.0.20.0 0.0.0.255 deny 10.0.100.0 0.0.0.0.255 10.0.0.0 0.0.255.255 permit ip any any Of course for my setup I only have 10 VLANs and its on a pix
mikearama wrote: I have a similar type of network, though with only a dozen divisions... 30? That's nuts. I do not understand the business case for having to block traffic from one vlan to all others. The first thing you need to do is get that list shortened. In our company, we've taken steps to protect accounting and hr. What possible reason could there be to do what you need to do for other, less important divisions. So what if manufacturing can see the advertising range... they still need to authenticate against shares/files. If you can get it down to a couple vital vlans, then writing your acl's isn't such a big deal... it's exactly what we had to do as well.
jason_leong7 wrote: ip access-list extended Block_VLAN_100_to_all deny 10.0.100.0 0.0.0.255 10.0.101.0 0.0.0.255 deny 10.0.100.0 0.0.0.255 10.0.102.0 0.0.0.255 | | ***repeat 29 times until deny 10.0.100.0 0.0.0.255 10.0.0 10.130 0.0.0.255 permit ip any any
cisco_trooper wrote: With your current addressing you can simplify this a LITTLE to something like this: ip access-list extended Block_VLAN_100_to_all deny 10.0.100.0 0.0.0.255 10.0.101.0 0.0.0.255 deny 10.0.100.0 0.0.0.255 10.0.102.0 0.0.1.255 deny 10.0.100.0 0.0.0.255 10.0.104.0 0.0.7.255 deny 10.0.100.0 0.0.0.255 10.0.112.0 0.0.15.255 deny 10.0.100.0 0.0.0.255 10.0.128.0 0.0.1.255 deny 10.0.100.0 0.0.0.255 10.0.130.0 0.0.0.255 BUT, I would recommend using a better addressing scheme so you don't have to screw with all your access lists every time you bring in a new VLAN. Perhaps all your LAN segments can be in 10.1.0.0 rather than 10.0.0.0 where your server VLAN resides. Then you can do this AND you don't have to rewrite the ACL if you add a new VLAN to 10.1.0.0: ip access-list extended Block_VLAN_100_to_all deny 10.0.100.0 0.0.0.255 10.1.0.0 0.0.255.255
jason_leong7 wrote: Thanks for the idea, it really greatly reduced it. From 870 lines to (6 multiply 30 = 180 lines). If im not mistaken that ACL can be shorten by using a prefixlist....Anyone knows how to use it and reduce the number of lines further?
cisco_trooper wrote: I'm not an expert with prefix-lists, but my initial thought is that they probably won't help you much more than the access-list I provided because of where your network boundaries lie. Your server VLAN is only one bit away from the rest of your LAN segments.....I'll look into those later since I need to anyway...
jason_leong7 wrote: cisco_trooper wrote: I'm not an expert with prefix-lists, but my initial thought is that they probably won't help you much more than the access-list I provided because of where your network boundaries lie. Your server VLAN is only one bit away from the rest of your LAN segments.....I'll look into those later since I need to anyway... I think one of the earlier post assume my server VLAN is in VLAN 120. Actually my server VLAN is somewhere between VLAN 1-99 which is not defined yet. Just assume my server VLAN is vlan 51. VLAN 100 and above is purely for user segments. (100 to 130 is only an example...im not surprise if they hit 140).
jason_leong7 wrote: Hi Guys, Im facing a problem in my network design. I have about 30 to 40 Layer 3 VLANs in the Cat 6500 switch. All of these VLANs are broken into different Departments for a large company. Since ip routing is enabled (routing is needed for other networks) all inter VLAN routing for all these departments are allowed. For obvious reasons, all inter VLAN routing should be blocked except to the server VLAN and other subnets such as the internet and other networks through the company's own IP VPN Cloud. For explanation purposes, the 3rd octet for any IP address i stated below is the VLAN ID. I.e 10.0.100.X --> VLAN 100, 10.0.123.X --> VLAN 123 I know how to use the ACLs for each interface VLANs, by denying traffic to every destination vlan from a source vlan.. i.e ip access-list extended Block_VLAN_100_to_all deny 10.0.100.0 0.0.0.255 10.0.101.0 0.0.0.255 deny 10.0.100.0 0.0.0.255 10.0.102.0 0.0.0.255 | | ***repeat 29 times until deny 10.0.100.0 0.0.0.255 10.0.0 10.130 0.0.0.255 permit ip any any and then interface vlan 100 ip access-group Block_VLAN_100_to_all in well, I would have to repeat those ACLs thirty times for every VLAN. That would cause the Core Switch to have a very very long line of ACL entries. Just imagine if I were to add in another VLAN, then I have to repeat all 30 VLANs with the ACLs for the 31st time. Does anyone have a simpler way of accomplishing this problem?
jason_leong7 wrote: By doin that...how do you allow the traffic to the internet? normally, i need to permit ip 10.0.100.0 0.0.0.255 any. and then denying wat is not needed.... there is no specific permit statement to allow traffic to the internet right?
ip access-list extended Block_VLAN_100_to_all deny 10.0.100.0 0.0.0.255 10.0.101.0 0.0.0.255 deny 10.0.100.0 0.0.0.255 10.0.102.0 0.0.0.255 | | ***repeat 29 times until deny 10.0.100.0 0.0.0.255 10.0.0 10.130 0.0.0.255 permit ip any any and then interface vlan 100 ip access-group Block_VLAN_100_to_all in
rossonieri#1 wrote: your method actually is the safest one - even though you have to type it 29 times in case you are wondering - how about this : deny 10.0.100.0 0.0.0.255 10.0.101.0 0.0.29.255 ? i have not tested though
0.0.29.255 does not mean 29 times.... ><
rossonieri#1 wrote: 0.0.29.255 does not mean 29 times.... >< come on ... what is this??? i know it did not mean 29 times!!! its the inverse mask range from subnet 10.0.101.0/24 subnet to 10.0.130.0/24 but its not safe!!! - try do the binary and check the result yourself.
I tried it out...it didnt work...some vlans are blocked...ur second bit is 0 which fixes it...so for certain vlans, it doesnt take effect.
jason_leong7 wrote: Two ASA 5550 running Active - Standby, one ASA is connected to an edge router (internet) and another connects to an edge router (IP VPN router to their company network). Between the FW and Core Switch, I used Layer 3 interface (VLAN 5) running HSRP. A default route pointing towards the Firewall interface in the same subnet. ip route 0.0.0.0 0.0.0.0 10.0.5.4. Network between the Core switch and Firewall is a 10.0.5.0/ 28 network 10.0.5.1 - Core 1 10.0.5.2 - Core 2 10.0.5.3 - Virtual IP 10.0.5.4 - ASA 1 (Active) 10.0.5.5 - ASA 2 (Passive) --> not in used because 5.4 is always active even if passive fails. I tried following the access list that was sugested by permit traffic 10.0.5.0 /28 but traffic from internet is dropped. access-list 100 permit ip 10.0.100.0 0.0.0.255 10.0.51.0 0.0.0.255 access-list 100 permit ip 10.0.100.0 0.0.0.255 10.0.5.0 0.0.0.15 ** Internet traffic is dropped... Hope you could help
tech-airman wrote: jason_leong7, I've been pondering this issue ever since my last post. I had an idea of reassigning the IP addresses for VLANs 1 ~ 99 as part of the 172.16.x.x range and keep the user end at 10.x.x.x. That way, you can simplify the access lists on each user VLAN to the following... access-list 100 deny ip 10.0.x.0 0.0.0.255 10.0.0.0 0.255.255.255 access-list 100 permit ip any any Where x is the VLAN number system that you wanted. That way, you can block traffic trying to go TO any other user VLAN but the permit ip any any would let them have access to the server vlan as well as the Internet. What do you think of this solution?
jason_leong7 wrote: tech-airman wrote: jason_leong7, I've been pondering this issue ever since my last post. I had an idea of reassigning the IP addresses for VLANs 1 ~ 99 as part of the 172.16.x.x range and keep the user end at 10.x.x.x. That way, you can simplify the access lists on each user VLAN to the following... access-list 100 deny ip 10.0.x.0 0.0.0.255 10.0.0.0 0.255.255.255 access-list 100 permit ip any any Where x is the VLAN number system that you wanted. That way, you can block traffic trying to go TO any other user VLAN but the permit ip any any would let them have access to the server vlan as well as the Internet. What do you think of this solution? I wish it was that easy....i've thought of that before, the 10.0.100.0 till 10.0.254.0 are the new subnets. They are assigned to me to use for the users. Btw, most of thier servers are already configured in that range. i also though of using the 172 and 192 subnets, but it seems it is already used in their IP VPN network. Meaning that if those users want to use the IP VPN, the ip address might clash...
Use code EOY2025 to receive $250 off your 2025 certification boot camp!
