Access control between VLANs on Cisco 3750 switch

Discussion in 'Cisco' started by bavien@gmail.com, Aug 3, 2007.

  1. Guest

    I currently have a few VLANs configured on the 3750 switch (Layer 3
    switch) and also have routing enabled (via ip routing). My question
    is, can I use access-list commands to control access between VLANs?
    (Does this switch even support this type of setup?)

    Thanks.

    PS: There is one VLAN that I'd like to isolate from the rest of the
    other VLANs

    BV
     
    , Aug 3, 2007
    #1

  2. wrote:
    > I currently have a few VLANs configured on the 3750 switch (Layer 3
    > switch) and also have routing enabled (via ip routing). My question
    > is, can I use access-list commands to control access between VLANs?
    > (Does this switch even support this type of setup?)
    >
    > Thanks.
    >
    > PS: There is one VLAN that I'd like to isolate from the rest of the
    > other VLANs
    >
    > BV
    >


    As far as I know it is only possible by applying VLAN Access maps
    http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/122sx/swcg/vacl.htm
     
    Leander de Graaf, Aug 3, 2007
    #2

  3. CK Guest

    On Aug 3, 7:34 pm, wrote:
    > I currently have a few VLANs configured on the 3750 switch (Layer 3
    > switch) and also have routing enabled (via ip routing). My question
    > is, can I use access-list commands to control access between VLANs?
    > (Does this switch even support this type of setup?)
    >
    > Thanks.
    >
    > PS: There is one VLAN that I'd like to isolate from the rest of the
    > other VLANs
    >
    > BV


    You can use VACL for VLAN access. Below is something which is in CCNP
    preparation for PVLAN

    The set security acl Command
    The set security acl command is used to create VLAN access control
    lists (VACLs). VACLs allow you to filter upon Layer 3 and Layer 4
    parameters and are applied for all inbound access on the entire VLAN.
    Although very similar to router ACLs, VACLs can be applied only in the
    inbound direction and can also filter traffic switched within a VLAN.
    The following tasks are required to configure VACLs:

    Create the VACL

    Commit the VACL to hardware

    Apply the VACL to a VLAN

    To create a VACL for IP traffic, you use the set security acl ip
    command:

    set security acl ip acl-name {permit | deny} {ip | tcp | udp} source
    destination


    Rate if it helps
     
    CK, Aug 3, 2007
    #3
  4. Guest

    On Aug 3, 11:33 am, CK <> wrote:
    > On Aug 3, 7:34 pm, wrote:
    >
    > > I currently have a few VLANs configured on the 3750 switch (Layer 3
    > > switch) and also have routing enabled (via ip routing). My question
    > > is, can I use access-list commands to control access between VLANs?
    > > (Does this switch even support this type of setup?)

    >
    > > Thanks.

    >
    > > PS: There is one VLAN that I'd like to isolate from the rest of the
    > > other VLANs

    >
    > > BV

    >
    > You can use VACL for VLAN access. Below is something which is in CCNP
    > preparation for PVLAN
    >
    > The set security acl Command
    > The set security acl command is used to create VLAN access control
    > lists (VACLs). VACLs allow you to filter upon Layer 3 and Layer 4
    > parameters and are applied for all inbound access on the entire VLAN.
    > Although very similar to router ACLs, VACLs can be applied only in the
    > inbound direction and can also filter traffic switched within a VLAN.
    > The following tasks are required to configure VACLs:
    >
    > Create the VACL
    >
    > Commit the VACL to hardware
    >
    > Apply the VACL to a VLAN
    >
    > To create a VACL for IP traffic, you use the set security acl ip
    > command:
    >
    > set security acl ip acl-name {permit | deny} {ip | tcp | udp} source
    > destination
    >
    > Rate if it helps


    I'd recommend the 3750 Switch Software Configuration Guide's chapter
    on Network Security with ACLs:
    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a008081de82.html

    VACLs are usually used to control traffic within a VLAN (Host A in
    VLAN 10 to Host B in VLAN 10), but can be used to filter on layer 2 or
    layer 3. A VACL is applied to all traffic in both directions so
    creating access-list logic can be more challenging but VACL's can
    provide a high level of security.

    Router ACL's are easier to manage for filtering traffic between VLANs
    (Host A on VLAN 10 to Host B on VLAN 20). Router ACL's can be applied
    in inbound and outbound directions and are very similar to ACL's
    applied to interfaces on any Cisco router. In a VLAN environment, you
    apply the ACL to switch virtual interfaces (SVIs) or routed interfaces
    (no switchport).

    Here's an example:

    Switch(config)# access-list 110 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
    Switch(config)# access-list 110 permit tcp any host 128.88.1.2 eq 25
    Switch(config)# access-list 110 permit icmp any any

    Switch(config)# interface VLAN 10
    Switch(config-if)# ip access-group 110 in


    3750 switches handle most ACL filtering in hardware so these switches
    can handle a fairly large number of access-list statements with little
    impact on performance.
     
    , Aug 4, 2007
    #4
  5. CK Guest

    On Aug 4, 9:14 pm, wrote:
    > On Aug 3, 11:33 am, CK <> wrote:
    >
    > > On Aug 3, 7:34 pm, wrote:

    >
    > > > I currently have a few VLANs configured on the 3750 switch (Layer 3
    > > > switch) and also have routing enabled (via ip routing). My question
    > > > is, can I use access-list commands to control access between VLANs?
    > > > (Does this switch even support this type of setup?)

    >
    > > > Thanks.

    >
    > > > PS: There is one VLAN that I'd like to isolate from the rest of the
    > > > other VLANs

    >
    > > > BV

    >
    > > You can use VACL for VLAN access. Below is something which is in CCNP
    > > preparation for PVLAN

    >
    > > The set security acl Command
    > > The set security acl command is used to create VLAN access control
    > > lists (VACLs). VACLs allow you to filter upon Layer 3 and Layer 4
    > > parameters and are applied for all inbound access on the entire VLAN.
    > > Although very similar to router ACLs, VACLs can be applied only in the
    > > inbound direction and can also filter traffic switched within a VLAN.
    > > The following tasks are required to configure VACLs:

    >
    > > Create the VACL

    >
    > > Commit the VACL to hardware

    >
    > > Apply the VACL to a VLAN

    >
    > > To create a VACL for IP traffic, you use the set security acl ip
    > > command:

    >
    > > set security acl ip acl-name {permit | deny} {ip | tcp | udp} source
    > > destination

    >
    > > Rate if it helps

    >
    > I'd recommend the 3750 Switch Software Configuration Guide's chapter
    > on Network Security with ACLs:http://www.cisco.com/en/US/products/hw/switches/ps5023/products_confi...
    >
    > VACLs are usually used to control traffic within a VLAN (Host A in
    > VLAN 10 to Host B in VLAN 10), but can be used to filter on layer 2 or
    > layer 3. A VACL is applied to all traffic in both directions so
    > creating access-list logic can be more challenging but VACL's can
    > provide a high level of security.
    >
    > Router ACL's are easier to manage for filtering traffic between VLANs
    > (Host A on VLAN 10 to Host B on VLAN 20). Router ACL's can be applied
    > in inbound and outbound directions and are very similar to ACL's
    > applied to interfaces on any Cisco router. In a VLAN environment, you
    > apply the ACL to switch virtual interfaces (SVIs) or routed interfaces
    > (no switchport).
    >
    > Here's an example:
    >
    > Switch(config)# access-list 110 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
    > Switch(config)# access-list 110 permit tcp any host 128.88.1.2 eq 25
    > Switch(config)# access-list 110 permit icmp any any
    >
    > Switch(config)# interface VLAN 10
    > Switch(config-if)# ip access-group 110 in
    >
    > 3750 switches handle most ACL filtering in hardware so these switches
    > can handle a fairly large number of access-list statements with little
    > impact on performance.



    I never denied that access-lists are a solution, but VACLs are more
    secure.
     
    CK, Aug 4, 2007
    #5
  6. Scott Perry Guest

    I squirm when I see people treating the routing on a layer 3 capable switch
    as a switch instead of a router. A layer 3 switch has the capabilities of a
    router and its routing processes should be treated as those of a router.

    Do not use a VACL. Use the normal access-list methods that you learned for
    a router and apply the access-list to the VLAN interfaces.

    Example:

    interface vlan 1
    ip address 10.1.0.1 255.255.0.0
    ip access-group BAN_VLAN_2 in
    !
    interface vlan 2
    ip address 10.2.0.1 255.255.0.0
    !
    interface vlan 3
    ip address 10.3.0.1 255.255.0.0
    ip access-group BAN_VLAN_2 in
    !
    ip access-list extended BAN_VLAN_2
    deny ip 10.2.0.0 0.0.255.255 any
    permit ip any any

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    <> wrote in message
    news:...
    >I currently have a few VLANs configured on the 3750 switch (Layer 3
    > switch) and also have routing enabled (via ip routing). My question
    > is, can I use access-list commands to control access between VLANs?
    > (Does this switch even support this type of setup?)
    >
    > Thanks.
    >
    > PS: There is one VLAN that I'd like to isolate from the rest of the
    > other VLANs
    >
    > BV
    >
     
    Scott Perry, Aug 6, 2007
    #6
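    An added example, not code from any poster in this thread: a small Python
    evaluator for the IOS IPv4 ACL syntax used in the two configurations above
    (the numbered `access-list 110 ...` from post #4 and the named
    `ip access-list extended BAN_VLAN_2` from post #6). It parses `host`/`any`
    and wildcard masks, the `eq`/`gt`/`lt` port operators, applies first-match
    semantics with the implicit deny that ends every IOS ACL, and reports which
    entry a packet hit. Walking sample packets through an ACL this way is the
    check worth doing before binding it to an SVI with `ip access-group`. The
    `Packet` class, the `parse_acls`/`evaluate` names and the sample packets are
    constructions for this example, not anything from the switch.

```python
"""Evaluate Cisco IOS IPv4 ACL entries (constructed example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (network, wildcard) pairs; "any" is 0.0.0.0 with an all-ones wildcard.
ANY = (0, 0xFFFFFFFF)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]        # (network, wildcard mask) as integers
    dst: Tuple[int, int]
    port_op: Optional[str] = None   # "eq", "gt" or "lt" on the destination port
    port: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)        # wildcard 0 = exact match
    return (_ip(t), _ip(tokens.pop(0)))


def _parse_ace(tokens: List[str]) -> Ace:
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    ace = Ace(action, proto, _take_addr(rest), _take_addr(rest))
    if rest and rest[0] in ("eq", "gt", "lt"):
        ace.port_op, ace.port = rest[0], int(rest[1])
    return ace


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect numbered and named extended ACLs from IOS-style config text."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if ")#" in line:                       # strip a "Switch(config)#" prompt
            line = line.split(")#", 1)[1].strip()
        if not line or line == "!":
            continue
        t = line.split()
        if t[0] == "access-list":              # access-list 110 permit ...
            acls.setdefault(t[1], []).append(_parse_ace(t[2:]))
        elif t[:2] == ["ip", "access-list"]:   # ip access-list extended NAME
            current = t[3]
            acls.setdefault(current, [])
        elif t[0] in ("permit", "deny") and current:
            acls[current].append(_parse_ace(t))
        else:
            current = None                     # any other command leaves ACL mode
    return acls


def _in_net(addr: int, net: Tuple[int, int]) -> bool:
    base, wild = net
    # A wildcard bit of 1 means "don't care"; the remaining bits must be equal.
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0


def _port_ok(ace: Ace, dport: Optional[int]) -> bool:
    if ace.port_op is None:
        return True
    if dport is None:
        return False
    return {"eq": dport == ace.port, "gt": dport > ace.port,
            "lt": dport < ace.port}[ace.port_op]


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, index), or the implicit deny."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_in_net(s, ace.src) and _in_net(d, ace.dst) and _port_ok(ace, pkt.dport)):
            continue
        return ace.action, i
    return "deny", None   # implicit deny at the end of every IOS ACL


# The two ACLs posted in this thread, pasted as constructed sample input.
SAMPLE_CONFIG = """
Switch(config)# access-list 110 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Switch(config)# access-list 110 permit tcp any host 128.88.1.2 eq 25
Switch(config)# access-list 110 permit icmp any any
!
ip access-list extended BAN_VLAN_2
 deny ip 10.2.0.0 0.0.255.255 any
 permit ip any any
"""
ACLS = parse_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.1", "128.88.4.4", 8080),
                Packet("tcp", "10.1.1.1", "128.88.1.2", 80),
                Packet("tcp", "10.2.3.4", "10.1.0.9", 443)):
        for name in ("110", "BAN_VLAN_2"):
            print(name, pkt, "->", evaluate(ACLS[name], pkt))
```

    The `index` in the result is what makes the tool useful when a rule set
    grows: a packet that is permitted by an entry you did not expect, or that
    falls through to the implicit deny, shows up immediately, the same way the
    hit counters in `show access-lists` would on the switch.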
  7. Guest

    On Aug 6, 12:49 pm, "Scott Perry" <scottperry@aciscocompany> wrote:
    > I squirm when I see people treating the routing on a layer 3 capable switch
    > as a switch instead of a router. A layer 3 switch has the capabilities of a
    > router and its routing processes should be treated as those of a router.
    >
    > Do not use a VACL. Use the normal access-list methods that you learned for
    > a router and apply the access-list to the VLAN interfaces.
    >
    > Example:
    >
    > interface vlan 1
    > ip address 10.1.0.1 255.255.0.0
    > ip access-group BAN_VLAN_2 in
    > !
    > interface vlan 2
    > ip address 10.2.0.1 255.255.0.0
    > !
    > interface vlan 3
    > ip address 10.3.0.1 255.255.0.0
    > ip access-group BAN_VLAN_2 in
    > !
    > ip access-list extended BAN_VLAN_2
    > deny ip 10.2.0.0 0.0.255.255 any
    > permit ip any any
    >
    > --
    >
    > ===========
    > Scott Perry
    > ===========
    > Indianapolis, Indiana
    > ________________________________________<> wrote in message
    >
    > news:...
    >
    > >I currently have a few VLANs configured on the 3750 switch (Layer 3
    > > switch) and also have routing enabled (via ip routing). My question
    > > is, can I use access-list commands to control access between VLANs?
    > > (Does this switch even support this type of setup?)

    >
    > > Thanks.

    >
    > > PS: There is one VLAN that I'd like to isolate from the rest of the
    > > other VLANs

    >
    > > BV


    Thank you all for the suggestions and recommendations. Since Scott's
    method seems simple enough, I will try that first and post back with
    my finding...
     
    , Aug 7, 2007
    #7