Mailing List Archive

Restricted specific VLAN contacting other VLANs in catalyst 3750 switch
Hello,

We use a Cisco Catalyst 3750 switch as a small data center (DC)/core switch on which nearly
200 VLANs sit, with internet connectivity through an ADSL modem/router.

SVI/RVIs are defined for all these 200 VLANs on the same DC/Core Switch.

We have the following requirement:

VLAN 1 - 190: should communicate among themselves and with the internet

VLAN 191: having network address 192.168.1.0/28, should not communicate with any other
VLAN except the internet

To meet this requirement we used the following VACL configuration:

SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
SW(config)#vlan access-map XYZ 10
SW(config-access-map)#match ip address 100
SW(config-access-map)#action drop
SW(config-access-map)#vlan access-map XYZ 20
SW(config)#vlan filter XYZ vlan-list 1-190

By doing this, VLANs 1-190 are not able to contact VLAN 191, but can reach the internet and
each other (VLANs 1-190).

Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this is
also fine), but hosts in VLAN 191 can contact the SVIs/gateways of VLANs 1-190.

Is there anything wrong in my VACL configuration or the sequence of the ACLs?

Any help is greatly appreciated.

Thanks in advance

Mounika M



_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Restricted specific VLAN contacting other VLANs in catalyst 3750 switch
Isn't this what PVLANs are for?

On Mon, Sep 26, 2022, at 19:23, trgapp16 via cisco-nsp wrote:
> Hello,
>
> We use a Cisco Catalyst 3750 switch as a small data center (DC)/core
> switch on which nearly
> 200 VLANs sit, with internet connectivity through an ADSL modem/router.
>
> SVI/RVIs are defined for all these 200 VLANs on the same DC/Core Switch.
>
> We have the following requirement:
>
> VLAN 1 - 190: should communicate among themselves and with the internet
>
> VLAN 191: having network address 192.168.1.0/28, should not communicate
> with any other
> VLAN except the internet
>
> To meet this requirement we used the following VACL configuration:
>
> SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
> SW(config)#vlan access-map XYZ 10
> SW(config-access-map)#match ip address 100
> SW(config-access-map)#action drop
> SW(config-access-map)#vlan access-map XYZ 20
> SW(config)#vlan filter XYZ vlan-list 1-190
>
> By doing this, VLANs 1-190 are not able to contact VLAN 191, but can reach the internet and
> each other (VLANs 1-190).
>
> Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this
> is
> also fine), but hosts in VLAN 191 can contact the SVIs/gateways of
> VLANs 1-190.
>
> Is there anything wrong in my VACL configuration or the sequence of the ACLs?
>
> Any help is greatly appreciated.
>
> Thanks in advance
>
> Mounika M
>
Re: Restricted specific VLAN contacting other VLANs in catalyst 3750 switch
Thanks, Garrett.

Correct, PVLAN works if the interface connecting to the internet is a layer 2 interface which can be configured as a promiscuous port.

What if the interface connecting to the internet router is a layer 3 port having an IP address?

Thanks,

Mounika M

On Mon, 26 Sep 2022 19:33:36 -0700, Garrett via cisco-nsp wrote:

> Isn't this what PVLANs are for?
>
> On Mon, Sep 26, 2022, at 19:23, trgapp16 via cisco-nsp wrote:
> > Hello,
> >
> > We use a Cisco Catalyst 3750 switch as a small data center (DC)/core
> > switch on which nearly
> > 200 VLANs sit, with internet connectivity through an ADSL modem/router.
> >
> > SVI/RVIs are defined for all these 200 VLANs on the same DC/Core Switch.
> >
> > We have the following requirement:
> >
> > VLAN 1 - 190: should communicate among themselves and with the internet
> >
> > VLAN 191: having network address 192.168.1.0/28, should not communicate
> > with any other
> > VLAN except the internet
> >
> > To meet this requirement we used the following VACL configuration:
> >
> > SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
> > SW(config)#vlan access-map XYZ 10
> > SW(config-access-map)#match ip address 100
> > SW(config-access-map)#action drop
> > SW(config-access-map)#vlan access-map XYZ 20
> > SW(config)#vlan filter XYZ vlan-list 1-190
> >
> > By doing this, VLANs 1-190 are not able to contact VLAN 191, but can reach the internet and
> > each other (VLANs 1-190).
> >
> > Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this
> > is
> > also fine), but hosts in VLAN 191 can contact the SVIs/gateways of
> > VLANs 1-190.
> >
> > Is there anything wrong in my VACL configuration or the sequence of the ACLs?
> >
> > Any help is greatly appreciated.
> >
> > Thanks in advance
> >
> > Mounika M
> >
Re: Restricted specific VLAN contacting other VLANs in catalyst 3750 switch
Since you have layer 3 in the mix, why not just have ACLs on each of the SVIs (or routed interface) instead of trying to use a VACL?

Is your existing configuration not working? I know on some 3750 models there were some limitations in 12 code that may cause heartburn, but that was like 8 years ago.

If the below is line-for-line, you probably need to add a forwarding statement under your access-group 20, with a permit any/match all, since the default is drop.

Good luck!

Reg,
-Garrett


On September 26, 2022 9:18:18 PM PDT, trgapp16 <trgapp16@cdot.in> wrote:
>Thanks, Garrett.
>
>Correct, PVLAN works if the interface connecting to the internet is a layer 2 interface which can be configured as a promiscuous port.
>
>What if the interface connecting to the internet router is a layer 3 port having an IP address?
>
>Thanks,
>
>Mounika M
>
>On Mon, 26 Sep 2022 19:33:36 -0700, Garrett via cisco-nsp wrote:
>
>> Isn't this what PVLANs are for?
>>
>> On Mon, Sep 26, 2022, at 19:23, trgapp16 via cisco-nsp wrote:
>> > Hello,
>> >
>> > We use a Cisco Catalyst 3750 switch as a small data center (DC)/core
>> > switch on which nearly
>> > 200 VLANs sit, with internet connectivity through an ADSL modem/router.
>> >
>> > SVI/RVIs are defined for all these 200 VLANs on the same DC/Core Switch.
>> >
>> > We have the following requirement:
>> >
>> > VLAN 1 - 190: should communicate among themselves and with the internet
>> >
>> > VLAN 191: having network address 192.168.1.0/28, should not communicate
>> > with any other
>> > VLAN except the internet
>> >
>> > To meet this requirement we used the following VACL configuration:
>> >
>> > SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
>> > SW(config)#vlan access-map XYZ 10
>> > SW(config-access-map)#match ip address 100
>> > SW(config-access-map)#action drop
>> > SW(config-access-map)#vlan access-map XYZ 20
>> > SW(config)#vlan filter XYZ vlan-list 1-190
>> >
>> > By doing this, VLANs 1-190 are not able to contact VLAN 191, but can reach the internet and
>> > each other (VLANs 1-190).
>> >
>> > Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this
>> > is
>> > also fine), but hosts in VLAN 191 can contact the SVIs/gateways of
>> > VLANs 1-190.
>> >
>> > Is there anything wrong in my VACL configuration or the sequence of the ACLs?
>> >
>> > Any help is greatly appreciated.
>> >
>> > Thanks in advance
>> >
>> > Mounika M
>> >
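Garrett's suggestion of router ACLs on the SVI, written out in IOS syntax for the requirement in the original post. This is an added example, not configuration from the thread or from Cisco; it assumes the VLAN 191 gateway is 192.168.1.1 and that VLANs 1-190 are addressed inside the RFC 1918 ranges (placeholders to replace with the real addressing).

```cisco
! Added example (not configuration from the thread). Assumed values, to be
! replaced with the real ones: VLAN 191 gateway/SVI is 192.168.1.1, VLANs
! 1-190 live inside the RFC 1918 ranges, and the ADSL router is reached via
! a layer 3 port whose address is not in those ranges.
!
! Why the VACL missed the SVIs: a VACL on VLANs 1-190 only sees packets
! bridged within, or routed into/out of, those VLANs. A packet from a
! VLAN 191 host to the VLAN 5 gateway address is routed to the switch
! itself and never enters VLAN 5, so the VACL on VLAN 5 is never consulted.
! A router ACL inbound on the VLAN 191 SVI is evaluated before routing.
!
ip access-list extended VLAN191-IN
 remark hosts may reach their own gateway, plus DHCP if the switch serves it
 permit ip 192.168.1.0 0.0.0.15 host 192.168.1.1
 permit udp any eq bootpc any eq bootps
 remark deny all internal destinations; this covers every SVI address too
 deny   ip 192.168.1.0 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 192.168.1.0 0.0.0.15 192.168.0.0 0.0.255.255
 remark what is left is internet bound
 permit ip 192.168.1.0 0.0.0.15 any
 remark anything not sourced from the VLAN's own prefix is spoofed
 deny   ip any any log
!
ip access-list extended VLAN191-OUT
 remark reverse direction: nothing from the internal VLANs is delivered into
 remark VLAN 191, so one-way UDP/ICMP from VLANs 1-190 cannot arrive either
 deny   ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.15
 deny   ip 172.16.0.0 0.15.255.255 192.168.1.0 0.0.0.15
 deny   ip 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.15
 permit ip any 192.168.1.0 0.0.0.15
!
interface Vlan191
 ip address 192.168.1.1 255.255.255.240
 ip access-group VLAN191-IN in
 ip access-group VLAN191-OUT out
!
! Verification: per-entry hit counters show which line caught a test flow.
!   show ip access-lists VLAN191-IN
!   show ip access-lists VLAN191-OUT
! If the ADSL router's inside address is itself an RFC 1918 address, add a
! permit for that host above the three deny lines in VLAN191-IN.
```

With both router ACLs in place the VACL on VLANs 1-190 becomes redundant and can be removed, which also removes the question of what sequence 20 of the access map does by default.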