Access control between VLANs on Cisco 3750 switch

Discussion in 'Cisco' started by bavien, Aug 3, 2007.

  1. bavien

    bavien Guest

    I currently have a few VLANs configured on the 3750 switch (Layer 3
    switch) and also have routing enabled (via ip routing). My question
    is, can I use access-list commands to control access between VLANs?
    (Does this switch even support this type of setup?)


    PS: There is one VLAN that I'd like to isolate from the rest of the
    other VLANs

    bavien, Aug 3, 2007

  2. As far as I know, it is only possible by applying VLAN access maps.
    Leander de Graaf, Aug 3, 2007

  3. CK

    CK Guest

    You can use a VACL for VLAN access. Below is something from the CCNP
    preparation material for PVLAN:

    The set security acl Command
    The set security acl command is used to create VLAN access control
    lists (VACLs). VACLs allow you to filter upon Layer 3 and Layer 4
    parameters and are applied for all inbound access on the entire VLAN.
    Although very similar to router ACLs, VACLs can be applied only in the
    inbound direction and can also filter traffic switched within a VLAN.
    The following tasks are required to configure VACLs:

    Create the VACL

    Commit the VACL to hardware

    Apply the VACL to a VLAN

    To create a VACL for IP traffic, you use the set security acl ip
    command:

    set security acl ip acl-name {permit | deny} {ip | tcp | udp} source

    Rate if this helped.
    CK, Aug 3, 2007
  4. Guest

    Guest Guest

    I'd recommend the 3750 Switch Software Configuration Guide's chapter
    on Network Security with ACLs:

    VACLs are usually used to control traffic within a VLAN (Host A in
    VLAN 10 to Host B in VLAN 10), but can be used to filter on layer 2 or
    layer 3. A VACL is applied to all traffic in both directions, so
    creating access-list logic can be more challenging, but VACLs can
    provide a high level of security.

    Router ACLs are easier to manage for filtering traffic between VLANs
    (Host A on VLAN 10 to Host B on VLAN 20). Router ACLs can be applied
    in inbound and outbound directions and are very similar to ACLs
    applied to interfaces on any Cisco router. In a VLAN environment, you
    apply the ACL to switch virtual interfaces (SVIs) or routed interfaces
    (no switchport).

    Here's an example:

    Switch(config)# access-list 110 permit tcp any gt 1023
    Switch(config)# access-list 110 permit tcp any host eq 25
    Switch(config)# access-list 110 permit icmp any any

    Switch(config)# interface VLAN 10
    Switch(config-if)# ip access-group 110 in

    3750 switches handle most ACL filtering in hardware so these switches
    can handle a fairly large number of access-list statements with little
    impact on performance.
    Guest, Aug 4, 2007
  5. CK

    CK Guest

    I never said access-lists are not a solution, but VACLs are more
    CK, Aug 4, 2007
  6. Scott Perry

    Scott Perry Guest

    I squirm when I see people treating the routing on a Layer 3-capable switch
    as a switch instead of a router. A Layer 3 switch has the capabilities of a
    router, and its routing processes should be treated as those of a router.

    Do not use a VACL. Use the normal access-list methods that you learned for
    a router and apply the access-list to the VLAN interfaces.


    interface vlan 1
    ip address
    ip access-group BAN_VLAN_2 in
    interface vlan 2
    ip address
    interface vlan 3
    ip address
    ip access-group BAN_VLAN_2 in
    ip access-list extended BAN_VLAN_2
    deny ip any
    permit ip any any


    Scott Perry
    Indianapolis, Indiana
    Scott Perry, Aug 6, 2007
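    The two router-ACL answers above (the access-group 110 example and the
    BAN_VLAN_2 configuration) both depend on the same evaluation rules: an
    SVI's inbound ACL is consulted only for traffic that arrives from that
    VLAN and is routed out of it, the first matching entry wins, and a list
    that matches nothing ends in the implicit deny. The Python below is an
    added example written for this page, not code from the thread or from
    Cisco; it models those rules so the posted configuration can be checked
    before it is typed into a switch. The subnets (VLAN 1 = 10.1.0.0/24,
    VLAN 2 = 10.2.0.0/24, VLAN 3 = 10.3.0.0/24), the host addresses and the
    ISOLATE_VLAN_2 list are assumptions for illustration. It also shows two
    things the posted configuration leaves implicit: SVI ACLs are stateless
    and see only traffic entering from their own VLAN, so BAN_VLAN_2 on
    VLAN 1 and VLAN 3 stops those VLANs from reaching VLAN 2 but leaves
    VLAN 2 free to initiate connections toward them until VLAN 2's own SVI
    gets an inbound list; and a list without a closing permit ip any any
    drops everything it does not name.

```python
"""IOS-style router ACLs on SVIs, modelled in Python.

Added example, not code from the thread or from Cisco. A packet between
two VLANs is checked against the inbound ACL of the SVI of the VLAN it
arrives from; the first matching entry decides; no match is the implicit
deny. Addresses below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'deny ip any 10.2.0.0 0.0.0.255'."""
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Svi:
    """An 'interface vlan N' with its subnet and optional 'ip access-group X in'."""
    vlan: int
    subnet: IPv4Network
    acl_in: Optional[str] = None


ANY = ip_network("0.0.0.0/0")


def acl_permits(acl: List[Ace], proto: str, src_ip, dst_ip) -> bool:
    """First matching entry decides; falling off the end is IOS's implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and src_ip in ace.src and dst_ip in ace.dst:
            return ace.action == "permit"
    return False


def find_svi(svis: List[Svi], ip) -> Optional[Svi]:
    """SVI whose subnet contains ip, or None for a destination beyond the switch."""
    return next((s for s in svis if ip in s.subnet), None)


def routed_permitted(svis: List[Svi], acls: Dict[str, List[Ace]],
                     proto: str, src: str, dst: str) -> bool:
    """Would the switch's routing process forward a packet src -> dst?"""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    ingress = find_svi(svis, src_ip)
    if ingress is None:
        raise ValueError(f"{src} is not in any VLAN on this switch")
    if find_svi(svis, dst_ip) is ingress:
        # Same VLAN: the frame is bridged, never routed, so the SVI ACL is
        # never consulted. Filtering that traffic is what a VACL is for.
        return True
    if ingress.acl_in is None:
        return True
    return acl_permits(acls[ingress.acl_in], proto, src_ip, dst_ip)


# Assumed addressing for the three VLANs in the posted configuration.
VLAN1, VLAN2, VLAN3 = (ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"),
                       ip_network("10.3.0.0/24"))

ACLS: Dict[str, List[Ace]] = {
    # Shape of the posted BAN_VLAN_2: drop anything aimed at VLAN 2, allow the rest.
    "BAN_VLAN_2": [Ace("deny", "ip", ANY, VLAN2), Ace("permit", "ip", ANY, ANY)],
    # Assumed companion list for VLAN 2's own SVI: VLAN 2 may not reach VLAN 1
    # or VLAN 3, but keeps its route out (e.g. to the Internet) via the final permit.
    "ISOLATE_VLAN_2": [Ace("deny", "ip", VLAN2, VLAN1), Ace("deny", "ip", VLAN2, VLAN3),
                       Ace("permit", "ip", ANY, ANY)],
    # The classic mistake: forgetting 'permit ip any any' leaves only the implicit deny.
    "BAN_VLAN_2_NO_PERMIT": [Ace("deny", "ip", ANY, VLAN2)],
}

# BAN_VLAN_2 inbound on VLAN 1 and VLAN 3 only, as posted.
BAN_ONLY = [Svi(1, VLAN1, "BAN_VLAN_2"), Svi(2, VLAN2), Svi(3, VLAN3, "BAN_VLAN_2")]
# Same, plus ISOLATE_VLAN_2 inbound on VLAN 2 so the isolation holds both ways.
BOTH_WAYS = [Svi(1, VLAN1, "BAN_VLAN_2"), Svi(2, VLAN2, "ISOLATE_VLAN_2"),
             Svi(3, VLAN3, "BAN_VLAN_2")]
# The broken variant: VLAN 1 can no longer route anywhere at all.
MISSING_PERMIT = [Svi(1, VLAN1, "BAN_VLAN_2_NO_PERMIT"), Svi(2, VLAN2), Svi(3, VLAN3)]

if __name__ == "__main__":
    flows = (("10.1.0.10", "10.2.0.10"), ("10.2.0.10", "10.1.0.10"),
             ("10.1.0.10", "10.3.0.10"), ("10.2.0.10", "192.0.2.7"))
    for label, svis in (("BAN_VLAN_2 only", BAN_ONLY), ("both directions", BOTH_WAYS),
                        ("missing permit", MISSING_PERMIT)):
        print(label)
        for src, dst in flows:
            verdict = "permit" if routed_permitted(svis, ACLS, "tcp", src, dst) else "deny"
            print(f"  {src} -> {dst}: {verdict}")
```

    Run as a script it prints a verdict per flow for each of the three
    configurations. The model deliberately ignores ports and TCP flags;
    the point is the direction and placement of the lists, which is where
    an SVI ACL is most often misread.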
  7. bavien

    bavien Guest

    Thank you all for the suggestions and recommendations. Since Scott's
    method seems simple enough, I will try that first and post back with
    my finding...
    bavien, Aug 7, 2007
