InterVLAN Isolation/Blocking problem

Hi Guys,

Im facing a problem in my network design. I have about 30 to 40 Layer 3 VLANs in the Cat 6500 switch. All of these VLANs are broken into different Departments for a large company. Since ip routing is enabled (routing is needed for other networks) all inter VLAN routing for all these departments are allowed.

For obvious reasons, all inter VLAN routing should be blocked except to the server VLAN and other subnets such as the internet and other networks through the company's own IP VPN Cloud.

For explanation purposes, the 3rd octet for any IP address i stated below is the VLAN ID. I.e 10.0.100.X --> VLAN 100, 10.0.123.X --> VLAN 123

I know how to use the ACLs for each interface VLANs, by denying traffic to every destination vlan from a source vlan.. i.e

ip access-list extended Block_VLAN_100_to_all
deny 10.0.100.0 0.0.0.255 10.0.101.0 0.0.0.255
deny 10.0.100.0 0.0.0.255 10.0.102.0 0.0.0.255
|
|
***repeat 29 times until deny 10.0.100.0 0.0.0.255 10.0.0 10.130 0.0.0.255
permit ip any any

and then

interface vlan 100
ip access-group Block_VLAN_100_to_all in

well, I would have to repeat those ACLs thirty times for every VLAN. That would cause the Core Switch to have a very very long line of ACL entries.

Just imagine if I were to add in another VLAN, then I have to repeat all 30 VLANs with the ACLs for the 31st time.

Does anyone have a simpler way of accomplishing this problem?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

jason_leong7

yeah...fixed length..

However, for blocking interVLAN VLAN 100 to VLAN 255 ( I used until 255 just in case of VLAN expansion in the future)...i used the following ACL

ip access-list extended VLAN100_out
5 permit ip any 10.0.100.0 0.0.0.255
10 deny ip any 10.0.100.0 0.0.3.255
20 deny ip any 10.0.104.0 0.0.7.255
30 deny ip any 10.0.112.0 0.0.15.255
40 deny ip any 10.0.128.0 0.0.254.255

interface VLAN 100
ip access-group VLAN100_out in

but ...the a problem lies in

40 deny ip any 10.0.128.0 0.0.254.255
coz it matches in this ACL when i do a continous ping to the internet

i fail to connect to the internet and VLAN 50. The ACLs should only from block from VLAN 100 to VLAN 255, but it block VLAN 50 and internet...doesnt make sense..anyone can spot my mistake?[/b]

tech-airman

jason_leong7 wrote:

yeah...fixed length..

However, for blocking interVLAN VLAN 100 to VLAN 255 ( I used until 255 just in case of VLAN expansion in the future)...i used the following ACL

ip access-list extended VLAN100_out
5 permit ip any 10.0.100.0 0.0.0.255
10 deny ip any 10.0.100.0 0.0.3.255
20 deny ip any 10.0.104.0 0.0.7.255
30 deny ip any 10.0.112.0 0.0.15.255
40 deny ip any 10.0.128.0 0.0.254.255

interface VLAN 100
ip access-group VLAN100_out in

but ...the a problem lies in

40 deny ip any 10.0.128.0 0.0.254.255
coz it matches in this ACL when i do a continous ping to the internet

i fail to connect to the internet and VLAN 50. The ACLs should only from block from VLAN 100 to VLAN 255, but it block VLAN 50 and internet...doesnt make sense..anyone can spot my mistake?[/b]

jason_leong7,

What is the subnet address and subnet mask for VLAN 50?

jason_leong7

tech-airman wrote:

jason_leong7,

What is the subnet address and subnet mask for VLAN 50?

ooo...my IP addressing scheme and VLAN Assignment,

10.0.40.X --> VLAN 40

10.0.50.X --> VLAN 50

10.0.123.X --> VLAN 123

i guess u get the pattern

subnet mask is always /24....easy for network manager's management but wasteful on IP..

tech-airman

jason_leong7 wrote:

tech-airman wrote:

jason_leong7,

What is the subnet address and subnet mask for VLAN 50?

ooo...my IP addressing scheme and VLAN Assignment,

10.0.50.X --> VLAN 50

subnet mask is always /24....easy for network manager's management but wasteful on IP..

jason_leong7,

So how did you determine the following?

jason_leong7 wrote:

but ...the a problem lies in

40 deny ip any 10.0.128.0 0.0.254.255
coz it matches in this ACL when i do a continous ping to the internet

i fail to connect to the internet and VLAN 50. The ACLs should only from block from VLAN 100 to VLAN 255, but it block VLAN 50 and internet...

Since VLAN 50 is 10.0.50.0/24, applying the wildcard mask of 0.0.254.255 to it would result in 10.0.0.0 which when compared to 10.0.128.0 is NOT a match, so how could a ping FROM VLAN 100 or subnet address 10.0.100.0 destined for 10.0.50.0 be blocked by the "40 deny ip any 10.0.128.0 0.0.254.255" access list line?

jason_leong7

40 deny ip any 10.0.128.0 0.0.254.255

was supposed to block 10.0.128.0 till 10.0.255.255...
\
but i found my mistake...i forgot a permit ip any any at the end of the statement...which would have a deny any any at the end without it...
sorry....

but still..do u think the access-list is good enough?..

p/s ...just found out about it when i came back home from office...i will rectify it tomorrow.