  • Securing InterVLAN communication

    Hello all!

    I have L3 switch with IP ROUTING enabled. There are two VLANs defined - VLAN 10 and VLAN 30.

    Is there someone who can advise me how to accomplish following configuration:

    - all machines from VLAN 10 should access all machines from VLAN 30
    - BUT all machines from VLAN 30 are restricted from accessing machines in VLAN 10

    I know how to configure an ACL, but this gives me a configuration where VLAN 10 cannot see VLAN 30 and VLAN 30 cannot see VLAN 10.

    Please help! Thanks!

  • #2
    Re: Securing InterVLAN communication

    Easiest way is with ACLs. You could also use VACLs or private VLANs as well.


    ACL Example:


    vlan 10 - 10.10.10.0/24

    vlan 30 - 10.10.30.0/24


    int vlan 30
    ip address 10.10.30.1 255.255.255.0
    ip access-group VLAN30_TO_VLAN10 in


    ip access-list extended VLAN30_TO_VLAN10
    permit tcp 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 established
    deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
    permit ip any any

    This will allow traffic from vlan 30 to vlan 10 only if vlan 10 initiated the connection (the established keyword). Granted, this only works on TCP traffic, but the deny ip after it takes care of the rest.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Securing InterVLAN communication

      I have tested configuration proposed in your latest post, and I thank you for your effort, but this does not meet my needs.
      In this case VLAN 10 and VLAN 30 are not able to communicate at all.

      Do you have VACL example? Or maybe some other suggestion?

      Thanks a lot!



      • #4
        Re: Securing InterVLAN communication

        I have tested configuration proposed in your latest post, and I thank you for your effort, but this does not meet my needs.
        In this case VLAN 10 and VLAN 30 are not able to communicate at all.
        Not sure what you mean. The ACL allows TCP traffic from vlan 30 to vlan 10 only if 10 initiates the connection (i.e. if the syn bit is set). Remember this only works for TCP based traffic. I have tested as well and it works. If the traffic is not TCP based then it won't work. What type of access do you need from vlan 10 to vlan 30 and what restriction from vlan 30 to vlan 10? Be more specific.
        Last edited by auglan; 23rd October 2012, 12:49.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Securing InterVLAN communication

          Hello again,

          I have tested with Packet Tracer, initiating HTTP (which is TCP 80) from VLAN 10 to VLAN 30 > does not work, and vice versa.

          I will need complete access from VLAN 10 to VLAN 30 (e.g. ICMP, TCP, UDP, ...). VLAN 30 cannot access any machine in VLAN 10.

          This should be trivial and a firewall can surely do that; however I need it on an L3 switch.

          It looks better with following:

          ip access-list extended VLAN30_TO_VLAN10
          permit tcp 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 established
          permit icmp 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
          deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
          permit ip any any


          Any idea how to accomplish this with VACL?

          Thank you very much!!
          Last edited by barbitaster; 23rd October 2012, 15:28. Reason: additional info



          • #6
            Re: Securing InterVLAN communication

            Don't rely on Packet Tracer as a test bed. That ACL will work as I previously stated. Is there anything listening on vlan 30 on port 80? I have very similar ACLs on my network and it works.


            I will need complete access from VLAN 10 to VLAN 30 (e.g ICMP, TCP, UDP .. ). VLAN 30 cannot access any machine in VLAN 10.
            In order for vlan 30 to respond to vlan 10 there has to be some access from vlan 30 back to vlan 10. You need to figure out what access you need and configure the appropriate ACL entries.


            VACLs were designed to filter traffic within the same VLAN. They can be used to filter inter-VLAN traffic, but usually ACLs on the SVIs or routed interfaces are used. Also, VACLs have no directionality applied to them (i.e. no in or out, etc.). If you permit something one way you have to permit the return traffic as well.
            Last edited by auglan; 23rd October 2012, 15:41.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)

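To make the behaviour discussed in #2, #5 and #6 concrete, here is an added example (not from any poster, and not Cisco's ACL engine) that simulates how IOS walks the VLAN30_TO_VLAN10 list for packets arriving inbound on the VLAN 30 SVI: entries are checked top-down, the first match wins, and an implicit deny sits at the end. The packets are constructed test inputs; it shows why a VLAN 10 initiated TCP session and ping get their replies back, why VLAN 30 cannot open anything toward VLAN 10, and the remaining gap for UDP replies.

```python
import ipaddress

VLAN10 = ipaddress.ip_network("10.10.10.0/24")
VLAN30 = ipaddress.ip_network("10.10.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def established(pkt):
    # IOS 'established' matches TCP segments with ACK or RST set,
    # i.e. anything except the bare SYN that opens a new connection.
    return pkt["proto"] == "tcp" and bool({"ACK", "RST"} & set(pkt.get("flags", ())))


def echo_reply(pkt):
    return pkt["proto"] == "icmp" and pkt.get("icmp_type") == "echo-reply"


# ip access-list extended VLAN30_TO_VLAN10, one tuple per line of the ACL:
# (action, source network, destination network, extra match on the packet)
VLAN30_TO_VLAN10 = [
    ("permit", VLAN30, VLAN10, established),        # permit tcp ... established
    ("permit", VLAN30, VLAN10, echo_reply),         # permit icmp ... echo-reply
    ("deny",   VLAN30, VLAN10, lambda pkt: True),   # deny ip 10.10.30.0/24 10.10.10.0/24
    ("permit", ANY,    ANY,    lambda pkt: True),   # permit ip any any
]


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for a packet entering the switch on int vlan 30."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, s, d, match in acl:
        if src in s and dst in d and match(pkt):
            return action
    return "deny"  # every IOS access list ends with an implicit deny


def pkt(dst, proto, **extra):
    # Constructed packet from a VLAN 30 host; only this direction hits the ACL.
    return dict(src="10.10.30.5", dst=dst, proto=proto, **extra)


def scenarios():
    """Verdicts for the cases argued over in the thread (constructed inputs)."""
    return {
        "vlan30 opens http to vlan10 (SYN)": evaluate(VLAN30_TO_VLAN10, pkt("10.10.10.7", "tcp", flags=("SYN",))),
        "vlan30 answers http opened by vlan10 (SYN,ACK)": evaluate(VLAN30_TO_VLAN10, pkt("10.10.10.7", "tcp", flags=("SYN", "ACK"))),
        "vlan30 pings vlan10 (echo)": evaluate(VLAN30_TO_VLAN10, pkt("10.10.10.7", "icmp", icmp_type="echo")),
        "vlan30 replies to ping from vlan10 (echo-reply)": evaluate(VLAN30_TO_VLAN10, pkt("10.10.10.7", "icmp", icmp_type="echo-reply")),
        "vlan30 answers a udp query from vlan10": evaluate(VLAN30_TO_VLAN10, pkt("10.10.10.7", "udp")),
        "vlan30 talks to any other network": evaluate(VLAN30_TO_VLAN10, pkt("192.0.2.10", "udp")),
    }
```

The UDP case is the gap #6 points at: a stateless ACL has no notion of a UDP "reply", so each UDP service VLAN 10 must query in VLAN 30 needs its own permit line (source port of the service, destination 10.10.10.0/24) placed above the deny.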


            • #7
              Re: Securing InterVLAN communication

              Thank you for your explanation and suggested configuration.

              Works like a charm! Cheers



              • #8
                Re: Securing InterVLAN communication

                Glad it's working for you.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
