Hi All,
If anyone can advise me about this I'd be most appreciative, mainly because there is almost nothing regarding it on the web/Cisco site....
Our objective is to 'protect' our VLAN 30. Basically, we have cloned 'live' machines into this VLAN and cannot allow them to talk to the real live servers. Our intention is to ringfence VLAN 30 so that no traffic can escape, unless it's return traffic from an established TCP session instigated from another VLAN. Apparently 'reflexive ACLs' are the way to go, but I cannot find anything at all about doing 'reflexive VLAN ACLs', which is what we need in this instance.
So, to summarise, I'm trying to do the following:
a) allow traffic into (and back from) VLAN 30 (10.100.0.0/24) when initiated from live user/server subnets. For example, MS Terminal Server (TCP 3389) traffic.
b) block all 'outgoing' IP traffic initiated from VLAN 30 to the live user/server subnets.
Here's the config that I've put on the switches which 'see' VLAN 30 traffic currently... but the config doesn't work :(
vlan access-map protectvlan30 10
 match ip address vlan30in
 action forward
vlan access-map protectvlan30 15
 match ip address vlan30return
 action forward
vlan access-map protectvlan30 20
 match ip address vlan30out
 action drop
vlan filter protectvlan30 vlan-list 30
!
! Note: the reflect/evaluate (reflexive ACL) keywords below are only honoured
! on Layer-3 interface ACLs (e.g. an SVI); a VLAN access map does not apply them.
ip access-list extended vlan30in
 permit ip 172.16.21.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.30.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.100.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.250.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.200.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.201.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 10.0.150.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
!
ip access-list extended vlan30return
 evaluate returntraffic
!
ip access-list extended vlan30out
 permit ip 10.100.0.0 0.0.0.255 172.16.21.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.30.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.250.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.200.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.201.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 10.0.150.0 0.0.0.255
thanks, Trevor
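The policy the post is after (entry 10 permits live-to-VLAN-30 traffic and records the session, entry 15 permits only the mirrored return flow, entry 20 drops anything VLAN 30 initiates) is easier to reason about packet by packet than in the switch CLI. The following is an added model, not the post's configuration or anything a Catalyst switch runs: it reproduces the semantics of IOS `reflect`/`evaluate` on a router interface ACL with a small session table, so the intended behaviour can be checked against a constructed packet trace. The class, function and packet names are the author's own, and the trace is made up for illustration.

```python
"""Model of the three-entry reflexive policy from the post.

Added example, not the switch's own logic.  It mimics what IOS 'reflect'
(record a permitted session) and 'evaluate' (permit only the mirror of a
recorded session) do, plus the implicit deny at the end of a VLAN access map.
"""
import ipaddress
from dataclasses import dataclass

PROTECTED = ipaddress.ip_network("10.100.0.0/24")          # VLAN 30 (from the post)
LIVE = [ipaddress.ip_network(n) for n in (                  # live subnets (from the post)
    "172.16.21.0/24", "172.16.30.0/24", "172.16.100.0/24", "172.16.250.0/24",
    "172.16.200.0/24", "172.16.201.0/24", "10.0.150.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


class ReflexiveFilter:
    """Stateful filter with the same entry order as access-map protectvlan30."""

    def __init__(self):
        # Mirrored 5-tuples of sessions that entry 10 permitted (the 'reflect' table).
        self.sessions = set()

    def decide(self, pkt):
        # Entry 10 (vlan30in): live -> VLAN 30, permit and reflect.
        if in_any(pkt.src, LIVE) and in_any(pkt.dst, [PROTECTED]):
            self.sessions.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
            return "forward"
        # Entry 15 (vlan30return): evaluate, permit only an exact mirror of a recorded session.
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.sessions:
            return "forward"
        # Entry 20 (vlan30out): VLAN 30 -> live, drop.
        if in_any(pkt.src, [PROTECTED]) and in_any(pkt.dst, LIVE):
            return "drop"
        # No entry matched: implicit deny.  Note this also hits VLAN 30 to VLAN 30
        # traffic, which a VLAN access map filters as well.
        return "drop"


# Constructed trace (not captured traffic): RDP from a live user to a clone,
# its return packet, a bogus "return" with the wrong port, and an outbound
# SMB attempt from the clone.
TRACE = [
    Packet("172.16.21.5", "10.100.0.10", "tcp", 51000, 3389),
    Packet("10.100.0.10", "172.16.21.5", "tcp", 3389, 51000),
    Packet("10.100.0.10", "172.16.21.5", "tcp", 3389, 51001),
    Packet("10.100.0.10", "172.16.30.7", "tcp", 44000, 445),
    Packet("10.100.0.10", "10.100.0.11", "tcp", 44001, 445),
]


def run_trace(trace=TRACE):
    """Return the list of decisions for the trace, in order."""
    f = ReflexiveFilter()
    return [f.decide(p) for p in trace]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto}: {verdict}")
```

The model makes the two points a practitioner would check before deploying: the return entry must precede the drop entry (otherwise entry 20 would swallow legitimate replies), and a map that lists IP match clauses denies everything else, including traffic between two hosts inside VLAN 30.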