Control Inter-Vlan Routing

Have a Cisco 3750 as the core switch with multiple VLANs. One VLAN is a VLAN for public access with a port connected directly to the DMZ of a firewall.

Since IP Routing is enabled on the 3750 to allow routing between VLANs, we need to stop this on this particular VLAN. The purpose is to extend the Public access to another building over the trunk links.

I've tried access-lists and looked into VACLs but cannot find what I need. Here's a synopsis of the config:

VLAN 10 - 192.100.10.0/24
VLAN 11 - 192.100.11.0/24
VLAN 12 - 192.100.12.0/24
VLAN 19 - 172.16.1.0/24 - Public/DMZ

When I enable a port in VLAN 19 and connect to my DMZ (IP address of 172.16.1.1), then any PC on any VLAN can ping/access the DMZ. I need to stop this routing to this network via the internal router of the switch.

Thanks for any input or direction.

Ron

Reply to
ronf

Turn up an ACL on VLAN 19 (inbound) that blocks traffic from the other VLANs. Leave a permit any any on the end, and only include the 192.168.0.0 networks (and any other internal ranges) in the denies above it. This should block any traffic from entering VLAN 19; traffic will be allowed to exit VLAN 19, but any response will be blocked, and anything out to the internet or other external ranges will be allowed.
Reply to
Trendkill
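Added example of the SVI-ACL approach described above (this config is not from the thread or from anyone posting in it). The 3750 runs IOS, and `ip access-group` is entered in interface configuration mode under the SVI. The SVI address 172.16.1.254 and the ACL name are assumptions; the VLAN ranges are the ones from the original post.

```cisco
! Added example, not from the thread. Assumed: SVI address 172.16.1.254,
! ACL name VLAN19-IN. Internal ranges are the ones given in the first post.
ip access-list extended VLAN19-IN
 remark Drop anything the public VLAN sends toward the internal VLANs
 deny   ip 172.16.1.0 0.0.0.255 192.100.10.0 0.0.0.255
 deny   ip 172.16.1.0 0.0.0.255 192.100.11.0 0.0.0.255
 deny   ip 172.16.1.0 0.0.0.255 192.100.12.0 0.0.0.255
 remark Everything else (internet via the firewall) is allowed
 permit ip any any
!
interface Vlan19
 description Public / DMZ (172.16.1.0/24)
 ip address 172.16.1.254 255.255.255.0
 ip access-group VLAN19-IN in
!
! Checks after applying (exec mode):
! show ip interface Vlan19 | include access list   - confirms the ACL is bound inbound
! show ip access-lists VLAN19-IN                    - deny counters should climb when an internal PC pings the DMZ
```

Two things worth knowing with this design. The ACL is stateless, so it only drops packets sourced in VLAN 19; an internal PC's ping still enters through its own SVI and reaches the DMZ, and the exchange fails only because the reply is dropped at Vlan19 inbound. If you want the first packet stopped as well, add matching denies on the inbound ACLs of the other SVIs (or an outbound ACL on Vlan19). And the SVI itself is still an address inside the public segment, so the switch remains reachable from VLAN 19 unless the ACL also denies traffic to the switch's own addresses.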

Thanks for the reply.

I'm looking for syntax for the Catalyst OS. For example, the access-group command is not a valid command. So I'm not sure how to bind the ACL to the interface. By the way, I'm looking to keep this traffic isolated. No inbound or outbound to the other VLANs. Since public traffic will be allowed through the DMZ on the firewall, I would not want any unwanted traffic to enter into the production network.

Thanks again,

Reply to
ronf

Don't create an interface for vlan 19 on your layer-3 switch. Just define the layer-2 vlan itself, and let your firewall do the routing. If you trunk all your vlans to other switches in other buildings, you can define ports on vlan 19 in any closet, but it will stay isolated.

Reply to
Mike Dorn

Very cool. I did not think of it that way. It sometimes is so easy. I really do appreciate this knowledge.

Ron

Reply to
ronf

What you are doing is a very big security risk. Never mix public subnets and internal subnets on the same switch. Hacking isn't just for layer 3. Having layer 2 access to your network is as insecure as layer 3 access without a firewall.

Scott

Reply to
Thrill5
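Added example (not from the thread or from anyone posting in it) of Mike Dorn's layer-2-only VLAN, with the port and trunk settings that address Thrill5's point about layer 2 exposure when the public VLAN shares a switch with the internal VLANs. Port numbers, the VLAN names and the unused native VLAN 999 are assumptions; VLAN numbers are the ones from the thread.

```cisco
! Added example, not from the thread. Assumed ports: Gi1/0/1 faces the firewall
! DMZ interface, Gi1/0/2 is a public access port, Gi1/0/24 trunks to the other
! building. VLAN 999 is an assumed unused VLAN used only as the trunk native VLAN.
vlan 19
 name PUBLIC-DMZ
!
vlan 999
 name UNUSED-NATIVE
!
! No SVI for VLAN 19: with no interface Vlan19 the switch has no route into
! 172.16.1.0/24, so inter-VLAN routing cannot reach it. Remove it if it exists.
no interface Vlan19
!
interface GigabitEthernet1/0/1
 description Firewall DMZ interface (172.16.1.1)
 switchport mode access
 switchport access vlan 19
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description Public access port
 switchport mode access
 switchport access vlan 19
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description Trunk to remote building
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-12,19
 switchport mode trunk
 switchport nonegotiate
!
! Checks after applying (exec mode):
! show ip interface brief | include Vlan   - no Vlan19 line should appear
! show ip route                            - no 172.16.1.0/24 entry
! show interfaces trunk                    - VLAN 19 carried only on trunks that need it
```

The access ports are fixed to access mode with DTP disabled, so a host cannot negotiate a trunk and reach the internal VLANs; the trunk uses an unused native VLAN and an explicit allowed list so VLAN 19 frames are never untagged and only travel where the public segment is actually needed. Do the same on the remote-building switch, and keep the switch's own management VLAN off the public ports.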

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.