
Allow and disallow access between VLAN's 2

Status
Not open for further replies.

glamprecht1

IS-IT--Management
Mar 23, 2007
116
US


We have site 1 that is on VLAN 60. We also have site 2 that is on VLAN 200. These two VLANs should not be able to see or talk to one another, but yet they both need to connect to VLAN 10 to access our server resources. Call us site 3 if you wish.
Gasp.. Currently it is all wide open. Everyone can see anyone and it's one big happy party.

These are switched VLANs on a Cisco 3750G. How can I allow 60 to talk to 10 and 200 to talk to 10, but deny access between 60 and 200? 10 needs to be able to access both 60 and 200.

In a nutshell, we are a facility that houses resources. Site one and Site two are companies that are tapped into our network to use our resources (on VLAN 10), but these two sites should not be able to see each other. I am fairly new at this and apparently this is a huge oversight by the company that set it up some time back. I would like to correct it if at all possible.
 
Thanks for the reply, Brianms.

Could we go into more detail? Could you describe how to create and apply the access list?
 
Here is a sanitized version...

I am looking to allow 60 and 200 to talk to 10 but disallow access between 60 and 200


switch 1 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
ip name-server 15.1.3.4
ip name-server 15.1.3.5
ip dhcp smart-relay
ip dhcp excluded-address 15.15.1.1 15.15.1.19
!
ip dhcp pool PublicWireless
network 15.15.0.0 255.255.0.0
default-router 15.15.1.1
dns-server 204.186.82.12 12.13.126.254
!
ip dhcp-server 15.1.3.5

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name HOH
!
!
vlan internal allocation policy ascending
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk
!

interface Vlan1
description PublicWirelessInternet
ip address 15.15.1.1 255.255.0.0
ip access-group 100 in
!
interface Vlan10
description HOH
ip address 15.1.1.3 255.255.0.0

!
interface Vlan20
description EMC
no ip address
!
interface Vlan60
description OW
ip address 192.168.65.210 255.255.255.0
ip helper-address 15.1.3.4
ip helper-address 15.1.3.5
!
interface Vlan80
description IPphones
ip address 15.3.1.3 255.255.255.0
ip helper-address 15.3.1.1
!
interface Vlan100
description WAPs
ip address 15.100.1.1 255.255.255.0
ip helper-address 15.1.3.4
!
interface Vlan105
description CSystem
ip address 15.105.1.1 255.255.255.0
!
interface Vlan200
description OMB
ip address 15.20.1.1 255.255.0.0
ip helper-address 15.1.3.4
ip helper-address 15.1.3.5
!
router eigrp 1
network 15.1.0.0 0.0.255.255
redistribute static
!
ip classless
ip route 0.0.0.0 0.0.0.0 15.1.1.5
ip route 15.3.1.0 255.255.255.0 15.1.1.20
ip http server
ip http secure-server
!
access-list 100 permit ip 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
access-list 100 permit tcp any host 204.189.82.21 eq domain
access-list 100 permit udp any host 204.189.82.21 eq domain
access-list 100 permit tcp any host 12.13.127.253 eq domain
access-list 100 permit udp any host 12.13.127.253 eq domain
access-list 100 permit udp any host 255.255.255.255 eq bootps
access-list 100 permit ip any host 15.1.1.3
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any log
access-list 110 permit ip any any
 
interface Vlan60
description OW
access-group secure60 in
ip address 192.168.65.210 255.255.255.0
ip helper-address 15.1.3.4
ip helper-address 15.1.3.5

interface Vlan200
description OMB
access-group secure200 in
ip address 15.20.1.1 255.255.0.0
ip helper-address 15.1.3.4
ip helper-address 15.1.3.5


ip access-list extended secure60
deny ip 15.20.1.0 0.0.0.255
permit ip any any

ip access-list extended secure200
deny ip 192.168.65.0 0.0.0.255
permit ip any any
 
Wow... Thanks brianms!!

So the statements below create the access list?
interface Vlan60
description OW
access-group secure60 in
ip address 192.168.65.210 255.255.255.0
ip helper-address 15.1.3.4
ip helper-address 15.1.3.5


and the statements below apply it?

ip access-list extended secure60
deny ip 15.20.1.0 0.0.0.255
permit ip any any


Does this have to be applied to any particular interface, or is this in effect applying it to the VLAN as a whole?

This switch is my VTP server. Is this where I would enter these statements?

Thank you so much for your help!!!
 
That applies it to any device in VLAN 60. You had your terminology reversed in how you said it.


Creating it:

ip access-list extended secure60
deny ip 15.20.1.0 0.0.0.255
permit ip any any


Applying it to an interface:
interface Vlan60
access-group secure60 in



 
Thanks Vipergg!!

I am learning thanks to you guys!!

Thanks
 
According to your config, you have a 16-bit mask for the 15.x.x.x, not a 24-bit...
deny ip 15.20.1.0 0.0.0.255
should be
deny ip 15.20.1.0 0.0.255.255
Also, with extended ACLs, you need a "to" entry...
deny ip 15.20.1.0 0.0.255.255 192.168.x.x 0.0.0.255
right? Or is it different with L3 switches? Can't remember...

Burt
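Editor's note: the following is an added, complete version of the two access lists discussed in this thread; it is not the configuration any of the posters supplied. It assumes the subnets exactly as they appear in the sanitized config above (VLAN 60 = 192.168.65.0/24, VLAN 200 = 15.20.0.0/16, VLAN 10 = 15.1.0.0/16) and folds in Burt's two corrections: an extended ACL entry needs both a source and a destination, and the VLAN 200 wildcard must be 0.0.255.255 to match the interface's 255.255.0.0 mask. It also uses the full SVI command `ip access-group <name> in`, since the `access-group` line as posted is missing the leading `ip` keyword. The verification commands at the end are standard IOS show commands.

```cisco
! Added example configuration (not from the thread). Subnets assumed from the
! posted config: VLAN 60 = 192.168.65.0/24, VLAN 200 = 15.20.0.0/16, VLAN 10 = 15.1.0.0/16.

! --- Create the access lists ---
! Traffic entering the switch from VLAN 60: drop anything destined for VLAN 200,
! allow everything else (VLAN 10 servers, DHCP helpers in 15.1.0.0/16, Internet).
ip access-list extended secure60
 remark Block site 1 (VLAN 60) from reaching site 2 (VLAN 200)
 deny   ip 192.168.65.0 0.0.0.255 15.20.0.0 0.0.255.255
 permit ip any any

! Traffic entering the switch from VLAN 200: drop anything destined for VLAN 60.
! Applying a deny on BOTH SVIs is what blocks flows no matter which side starts them.
ip access-list extended secure200
 remark Block site 2 (VLAN 200) from reaching site 1 (VLAN 60)
 deny   ip 15.20.0.0 0.0.255.255 192.168.65.0 0.0.0.255
 permit ip any any

! --- Apply them to the VLAN interfaces (inbound = packets sourced by hosts in that VLAN) ---
interface Vlan60
 description OW
 ip access-group secure60 in

interface Vlan200
 description OMB
 ip access-group secure200 in

! --- Verify ---
! Hit counters on the deny lines should increase when a host in 60 tries to reach 200
! (and vice versa), while VLAN 10 <-> 60 and VLAN 10 <-> 200 traffic is unaffected
! because nothing in 15.1.0.0/16 matches either deny entry.
! show ip access-lists secure60
! show ip access-lists secure200
! show running-config interface Vlan60
! show running-config interface Vlan200
```

Because the router-level ACL is applied to the SVI, it governs all hosts in that VLAN regardless of which physical port or stack member they connect through; it is configured on the switch doing the inter-VLAN routing (the one with `ip routing` and the SVI addresses), which in this thread is the 3750G. VTP server status is unrelated, since VTP distributes VLAN definitions, not ACLs or interface configuration. The `permit ip any any` at the end keeps every other existing flow (including the DHCP relay to 15.1.3.4 and 15.1.3.5) working, so the only observable change is the loss of reachability between VLANs 60 and 200.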
 