- Access control between VLANs on Cisco 3750 switch
- Posted by bavien@gmail.com on August 3rd, 2007
I currently have a few VLANs configured on the 3750 switch (Layer 3
switch) and also have routing enabled (via ip routing). My question
is, can I use access-list commands to control access between VLANs?
(Does this switch even support this type of setup?)
Thanks.
PS: There is one VLAN that I'd like to isolate from all of the other
VLANs.
BV
- Posted by Leander de Graaf on August 3rd, 2007
bavien@gmail.com wrote:
As far as I know it is only possible by applying VLAN access maps:
http://www.cisco.com/univercd/cc/td/.../swcg/vacl.htm
- Posted by CK on August 3rd, 2007
On Aug 3, 7:34 pm, bav...@gmail.com wrote:
You can use VACLs for VLAN access. Below is something from CCNP
preparation material on PVLANs:
The set security acl Command
The set security acl command is used to create VLAN access control
lists (VACLs). VACLs allow you to filter upon Layer 3 and Layer 4
parameters and are applied for all inbound access on the entire VLAN.
Although very similar to router ACLs, VACLs can be applied only in the
inbound direction and can also filter traffic switched within a VLAN.
The following tasks are required to configure VACLs:
Create the VACL
Commit the VACL to hardware
Apply the VACL to a VLAN
To create a VACL for IP traffic, you use the set security acl ip
command:
set security acl ip acl-name {permit | deny} {ip | tcp | udp} source destination
Rate if it helps.
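The `set security acl` excerpt above is CatOS syntax. A 3750 runs IOS, where the same three steps (create the ACL, build the map, apply it to the VLAN) are expressed with `vlan access-map` and `vlan filter`; there is no separate "commit to hardware" step, applying the filter programs the TCAM. The configuration below is an added editor's example, not part of CK's post or of the thread. The addressing is assumed: VLAN 2 (10.2.0.0/16) is the VLAN to isolate, VLAN 1 (10.1.0.0/16) and VLAN 3 (10.3.0.0/16) are the others.

```text
! Added editor's example (not from the thread): IOS VLAN map on a 3750.
! Assumed addressing: vlan 2 = 10.2.0.0/16 (the VLAN to isolate),
! vlan 1 = 10.1.0.0/16, vlan 3 = 10.3.0.0/16.
!
! Step 1: an ACL that *matches* the traffic to drop. Inside a VLAN map,
! a "permit" entry means "this packet matches the map entry"; it does not
! by itself permit anything.
ip access-list extended VLAN2_TO_LOCAL_VLANS
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Step 2: the map. Sequence 10 drops whatever matches the ACL. Sequence 20
! has no match clause, so every other packet is forwarded; without it the
! map's implicit deny would drop all remaining traffic in the VLAN.
vlan access-map ISOLATE_VLAN2 10
 match ip address VLAN2_TO_LOCAL_VLANS
 action drop
vlan access-map ISOLATE_VLAN2 20
 action forward
!
! Step 3: apply the map. A VLAN map has no direction: it is evaluated for
! packets bridged within the VLAN and for packets routed into or out of
! it, so attaching it to vlan 2 alone covers both directions.
vlan filter ISOLATE_VLAN2 vlan-list 2
!
! Verify what is applied:
!   show vlan access-map ISOLATE_VLAN2
!   show vlan filter
```

Traffic from VLAN 2 to anything outside the listed internal subnets (for example a default route to the Internet) is untouched by sequence 10 and forwarded by sequence 20; add more `permit` lines to the match ACL as internal VLANs are added.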
- Posted by bdalson77-nospam@yahoo.com on August 4th, 2007
On Aug 3, 11:33 am, CK <chetan.ka...@gmail.com> wrote:
I'd recommend the 3750 Switch Software Configuration Guide's chapter
on Network Security with ACLs:
http://www.cisco.com/en/US/products/...081de 82.html
VACLs are usually used to control traffic within a VLAN (Host A in
VLAN 10 to Host B in VLAN 10), but can be used to filter on layer 2 or
layer 3. A VACL is applied to all traffic in both directions, so
creating access-list logic can be more challenging, but VACLs can
provide a high level of security.
Router ACLs are easier to manage for filtering traffic between VLANs
(Host A on VLAN 10 to Host B on VLAN 20). Router ACLs can be applied
in inbound and outbound directions and are very similar to ACLs
applied to interfaces on any Cisco router. In a VLAN environment, you
apply the ACL to switch virtual interfaces (SVIs) or routed interfaces
(no switchport).
Here's an example:
Switch(config)# access-list 110 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Switch(config)# access-list 110 permit tcp any host 128.88.1.2 eq 25
Switch(config)# access-list 110 permit icmp any any
Switch(config)# interface VLAN 10
Switch(config-if)# ip access-group 110 in
3750 switches handle most ACL filtering in hardware so these switches
can handle a fairly large number of access-list statements with little
impact on performance.
- Posted by CK on August 4th, 2007
On Aug 4, 9:14 pm, bdalson77-nos...@yahoo.com wrote:
I never denied that access-lists are a solution, but VACLs are more
secure.
- Posted by Scott Perry on August 6th, 2007
I squirm when I see people treating the routing on a layer 3 capable switch
as a switch instead of a router. A layer 3 switch has the capabilities of a
router and its routing processes should be treated as those of a router.
Do not use a VACL. Use the normal access-list methods that you learned for
a router and apply the access-list to the VLAN interfaces.
Example:
interface vlan 1
 ip address 10.1.0.1 255.255.0.0
 ! Applied outbound: packets leaving this SVI toward VLAN 1 hosts are the
 ! ones that carry VLAN 2 source addresses. Inbound on vlan 1 only sees
 ! packets sourced from 10.1.0.0/16, so the deny below would never match.
 ip access-group BAN_VLAN_2 out
!
interface vlan 2
 ip address 10.2.0.1 255.255.0.0
!
interface vlan 3
 ip address 10.3.0.1 255.255.0.0
 ip access-group BAN_VLAN_2 out
!
ip access-list extended BAN_VLAN_2
 deny ip 10.2.0.0 0.0.255.255 any
 permit ip any any
--
===========
Scott Perry
===========
Indianapolis, Indiana
<bavien@gmail.com> wrote in message
news:1186151660.316083.73940@o61g2000hsh.googlegroups.com...
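The router-ACL approach above hangs a copy of the ACL on every other SVI, so each new VLAN needs another `ip access-group` line. The configuration below is an added editor's example, not part of Scott's post or of the thread, showing the same isolation done on the one SVI of the isolated VLAN, filtering both directions. It assumes the same addressing (vlan 2 = 10.2.0.0/16 is the VLAN to isolate) and, as an assumption of the example, that all internal VLANs live inside 10.0.0.0/8 while everything else is reached through a default route.

```text
! Added editor's example (not from the thread). Assumptions: vlan 2 =
! 10.2.0.0/16 is the isolated VLAN, all internal VLANs are within
! 10.0.0.0/8, and non-10/8 destinations are "outside" (default route).
!
! Inbound on vlan 2: what VLAN 2 hosts are allowed to send.
ip access-list extended FROM_VLAN2
 remark DHCP discover/request arrive from 0.0.0.0; needed only if this SVI relays DHCP
 permit udp any eq bootpc any eq bootps
 remark Own subnet, including the SVI address 10.2.0.1 (gateway, ping, ...)
 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 remark Block every other internal VLAN in one line
 deny   ip 10.2.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark Anything else (the outside) is allowed
 permit ip 10.2.0.0 0.0.255.255 any
 remark Implicit deny: packets with a non-VLAN-2 source are spoofed and dropped
!
! Outbound on vlan 2: what may be delivered to VLAN 2 hosts.
ip access-list extended TO_VLAN2
 remark Nothing from another internal VLAN may reach VLAN 2
 deny   ip 10.0.0.0 0.255.255.255 10.2.0.0 0.0.255.255
 remark Replies and connections from the outside are allowed
 permit ip any 10.2.0.0 0.0.255.255
!
interface vlan 2
 ip address 10.2.0.1 255.255.0.0
 ip access-group FROM_VLAN2 in
 ip access-group TO_VLAN2 out
!
! Verify that both lists are attached:
!   show ip interface vlan 2
! (look for "Inbound access list is FROM_VLAN2" and
!  "Outgoing access list is TO_VLAN2")
```

Because the deny uses the 10.0.0.0/8 summary, VLANs 4, 5, ... added later are isolated from VLAN 2 automatically; only the assumption that the internal address space stays inside 10/8 has to hold. Router ACLs are stateless, so the outbound list is what stops a VLAN 1 host from initiating to VLAN 2 even though the inbound list already drops VLAN 2's replies.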
- Posted by bavien@gmail.com on August 7th, 2007
On Aug 6, 12:49 pm, "Scott Perry" <scottperry@aciscocompany> wrote:
Thank you all for the suggestions and recommendations. Since Scott's
method seems simple enough, I will try that first and post back with
my finding...