Cisco 4500 VLAN ACL

Hi All,

I have 5 VLANs in my network configured in my L3 switch 4500. Currently all VLANs can ping and reach each other, meaning the 192.168.3.100 host in my vlan2 can reach 192.168.1.100 which is in vlan3. I want to create an ACL in my L3 switch to deny the VLANs access to or pinging each other; I just want them to access my servers 172.16.1.10 - 172.16.1.30 which are in the default Vlan1. Can someone advise me which commands to use and where to apply them in the L3 switch?

Thanks

interface Vlan2
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.16.10
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.16.10
!
interface Vlan4
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.16.10
!
interface Vlan5
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.16.10
!
interface Vlan6
 ip address 192.168.7.1 255.255.255.0
 ip helper-address 192.168.16.10
!

----------------------------------------------
This message has been scanned for viruses and dangerous content by Jambo MailScanner, and is believed to be clean.
---------------------------------------------
"easy access to the world"

On Wed, Oct 14, 2009 at 9:25 AM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
Hey Cynthia,

I've no experience on Cisco layer 3 but have worked on Dlink layer 3. However, please go to the links below; Cisco has provided all the info about configuring Private VLANs and also enabling routing. It has also given the commands for the ports, which will help. HTHs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configur...
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configur...

Thanks a lot aki
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

Thanks Aki. This is good info.

@Cynthia: If you still want to use ACLs, check:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configu...

You can actually do ACLs at layer 2 (using MAC address).

On Wed, Oct 14, 2009 at 10:35 AM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:

Hello Cynthia,

What you are looking for are not just ACLs but what are referred to as VACLs, i.e. VLAN ACLs. These are configured a bit differently from the usual ACL in that you use VLAN mapping. VACLs are very tricky; I shall point out why shortly. I shall also show you how to do it on one VLAN, i.e. vlan2, then you can do it on the others. Consult me offlist for more.

I shall take the case of Vlan 2 and use named ACLs (I prefer them coz of reading the config file).

1. Create ACLs to permit and deny traffic to vlan2 from other vlans and also from vlan2 to other Vlans:

ip access-list extended vlan3_to_vlan2
 permit all you want
ip access-list extended vlan4_to_vlan2
 permit all you want
ip access-list extended vlan5_to_vlan2
 permit all you want
ip access-list extended vlan6_to_vlan2
 permit all you want
ip access-list extended vlan2_to_otherVlans
 permit all you want

2) Now, once done with the above ACLs, create access-maps for them. Note that *for_vlan2* is the map name and the other value is the sequence number, i.e. 10 - 14. This is where it is tricky: you deny traffic here with action cmm yet you had permitted it above in the ACL.

vlan access-map for_vlan2 10
 match ip address vlan3_to_vlan2
 action forward
 exit
vlan access-map for_vlan2 11
 match ip address vlan4_to_vlan2
 action forward
 exit
vlan access-map for_vlan2 12
 match ip address vlan5_to_vlan2
 action forward
 exit
vlan access-map for_vlan2 13
 match ip address vlan6_to_vlan2
 action forward
 exit
vlan access-map for_vlan2 14
 match ip address vlan2_to_otherVlans
 action forward
 exit

3) Once the access-maps are done for the ACLs that you had created, it is time to apply them to the VLAN. The command to apply the above access-map *for_vlan2* to *vlan2* is as below (the keyword is vlan-list):

# vlan filter for_vlan2 vlan-list 2

After that you are done and you can now test access to vlan2 to confirm all is ok.

Cheers man
Themburu

On Wed, Oct 14, 2009 at 11:09 AM, techi <myskunkworks@gmail.com> wrote:
-- Conservatism is the adherence to the old tried against the new untried.
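A way to sanity-check such a policy before it goes onto the switch, as an added example that is not part of this thread and not Cisco's code: a small Python evaluator for the subset of IOS extended-ACL syntax used here (permit/deny, ip/icmp/tcp/udp, any / host A / A WILDCARD, optional eq PORT) with first-match semantics and the implicit deny at the end. The ACL text inside is constructed for Cynthia's addressing (VLAN2 = 192.168.3.0/24, servers 172.16.1.10 - 172.16.1.30 in Vlan1) and is written as a routed ACL meant for inbound use on interface Vlan2 with "ip access-group VLAN2_IN in"; the name VLAN2_IN and that placement are assumptions, and it is a different mechanism from the VACL mapping above (a routed ACL on the SVI sees only traffic leaving the VLAN through the router, while a VACL also sees bridged traffic inside the VLAN). Two things it makes visible: the server range 10 - 30 is not aligned to a single wildcard mask and needs six entries, and because the SVIs carry ip helper-address, the DHCP broadcast to the relay has to be permitted explicitly or clients will lose addressing.

```python
"""IOS-style extended ACL evaluator for checking an inter-VLAN policy offline.

Added example, not code from the thread or from Cisco. Parses the subset of
extended-ACL syntax used below and applies first-match semantics with the
implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass

# Constructed for the thread's addressing: VLAN2 is 192.168.3.0/24, the servers
# are 172.16.1.10-172.16.1.30 in Vlan1. Intended as a routed ACL applied inbound
# on interface Vlan2 ("ip access-group VLAN2_IN in"); the name is an assumption.
VLAN2_IN_ACL = """
! The SVIs carry ip helper-address, so DHCP clients must still be able to
! broadcast to the relay before they hold an address.
permit udp any eq 68 host 255.255.255.255 eq 67
! 10-30 is not aligned to one wildcard mask, so the range takes six entries.
permit ip 192.168.3.0 0.0.0.255 172.16.1.10 0.0.0.1
permit ip 192.168.3.0 0.0.0.255 172.16.1.12 0.0.0.3
permit ip 192.168.3.0 0.0.0.255 172.16.1.16 0.0.0.7
permit ip 192.168.3.0 0.0.0.255 172.16.1.24 0.0.0.3
permit ip 192.168.3.0 0.0.0.255 172.16.1.28 0.0.0.1
permit ip 192.168.3.0 0.0.0.255 host 172.16.1.30
! Nothing else is permitted, so the other VLANs fall to the implicit deny.
"""

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Flow:
    proto: str  # icmp, tcp or udp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def _port(tokens, i):
    """Optional 'eq N' after an address; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Return a list of (action, proto, src, src_wc, sport, dst, dst_wc, dport) tuples."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # '!' starts an IOS comment
        if not line:
            continue
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        src, src_wc, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, dst_wc, i = _addr(t, i)
        dport, i = _port(t, i)
        if i != len(t):
            raise ValueError(f"trailing tokens in ACE: {line}")
        aces.append((t[0], t[1], src, src_wc, sport, dst, dst_wc, dport))
    return aces


def _matches(addr, network, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ALL_ONES ^ wildcard
    return addr & care == network & care


def evaluate(aces, flow):
    """Return (action, index of the matching ACE); no match is the implicit deny."""
    src = int(ipaddress.IPv4Address(flow.src))
    dst = int(ipaddress.IPv4Address(flow.dst))
    for n, (action, proto, s, s_wc, sport, d, d_wc, dport) in enumerate(aces):
        if proto != "ip" and proto != flow.proto:
            continue
        if not (_matches(src, s, s_wc) and _matches(dst, d, d_wc)):
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action, n
    return "deny", None


VLAN2_ACES = parse_acl(VLAN2_IN_ACL)


def check(proto, src, dst, sport=0, dport=0):
    """Decision for one flow against the VLAN2 inbound policy."""
    return evaluate(VLAN2_ACES, Flow(proto, src, dst, sport, dport))[0]


def permitted_server_hosts():
    """Last octets in 172.16.1.0/24 that a VLAN2 host may reach: what the masks really cover."""
    return {h for h in range(256) if check("icmp", "192.168.3.100", f"172.16.1.{h}") == "permit"}


if __name__ == "__main__":
    for f in (Flow("icmp", "192.168.3.100", "192.168.1.100"),
              Flow("icmp", "192.168.3.100", "172.16.1.10"),
              Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67)):
        action, n = evaluate(VLAN2_ACES, f)
        print(f"{f.proto:4} {f.src:>15} -> {f.dst:<15} {action} (ACE {n})")
```

Note what the example does not cover: this ACL only filters what VLAN2 sends. Replies from the servers enter via the Vlan1 SVI, so if that SVI also gets an inbound ACL, the mirror-image entries belong there; a simple "permit ip any any" on Vlan1 is what most people use when only the user VLANs need restricting. The same per-VLAN list, with the source network changed, repeats for Vlan3 to Vlan6.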

That's my guy!
frank

On Wed, Oct 14, 2009 at 11:51 PM, George Njoroge <themburu@gmail.com> wrote:
participants (5)
- aki
- Cynthia Wahome
- francis kamau
- George Njoroge
- techi