Question

Using ACLs to isolate all VLANs, with only certain VLANs allowed to communicate.


Hi All,

I have a situation: the requirement needs us to isolate all VLANs and only allow certain VLANs to communicate with each other. However, all VLANs shall be able to go to the Internet.

The challenge is that there is OSPF in the network.
Besides, there is VRRP configured in each of the OSPF areas; I hope it will not be affected by the ACLs.

OSPF area A     OSPF area B     OSPF area C
-------------------------------------------------------------
Vlan1A          Vlan1B          Vlan1C
Vlan2A          Vlan2B          Vlan2C
Vlan3A          Vlan3B          Vlan3C
Vlan4A          Vlan4B          Vlan4C
Vlan_p2p_A      Vlan_p2p_B      Vlan_p2p_C
Vlan_Internet

* Different OSPF areas have different segments. Hence, there are 12 VLANs + 1 Vlan_Internet.
* The Vlan_p2p VLANs are point-to-point links used to establish the OSPF routing table.
* All VLANs shall be isolated. However, they need to communicate with Vlan_Internet in order to go to the Internet.
* Vlan1 is only allowed to communicate with Vlan1 in the other OSPF areas; the same goes for Vlan2, 3 and 4.

My idea on how to create the ACLs:
* Create 3 different deny ACLs (denyICMP, denyTCP, denyUDP), then apply them to Vlan1, 2, 3 and 4 in all 3 areas. (Lowest priority)
* Create 12 different permit ACLs (permitVLAN1A, permitVLAN1B, permitVLAN1C, permitVLAN2A, permitVLAN2B .....) and apply them to the respective VLANs.
* Create a permit ACL (Vlan_Internet) and apply it to all VLANs.

I am not sure if this is the way to configure ACLs. It doesn't sound practical to me: in the real environment there are 4 OSPF areas and each area has 13 VLANs. There will end up being hundreds of ACL rules in each switch. If I apply that many ACLs in each switch, I believe it will burden the CPU and might increase the latency.

I know there is another method called private VLAN, but this network is already deployed and it is too late for us to make changes.

Please advise whether I am doing it correctly or whether there should be another way to do it.

Thanks.

1 reply

I believe your requirement is easily achieved using stateful inspection firewalls.
But I doubt EXOS ACL doesn't do this.
In EXOS, if you add an ACL to block on one VLAN, that will block traffic both ways (it's a normal ACL, not stateful).
So that's why switches have the private VLAN concept.
The same applies to other vendors' switches as well.

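An added example (not part of the thread, and not EXOS policy syntax): a Python model of a stateless, first-match ingress ACL per VLAN that implements the isolation matrix from the question, keeps OSPF and VRRP permitted, and checks every flow in both directions because nothing tracks connection state. The 10.x addressing, the single 10.0.0.0/8 site aggregate and all function names are assumptions made for illustration.

```python
import ipaddress

AREAS = ["A", "B", "C"]      # OSPF areas from the post
GROUPS = [1, 2, 3, 4]        # Vlan1..Vlan4 exist in every area

# Constructed addressing (not from the post): Vlan<g><area> = 10.<area#>.<g>.0/24,
# Vlan_Internet = 10.0.0.0/24, and every internal VLAN sits inside 10.0.0.0/8.
SITE = ipaddress.ip_network("10.0.0.0/8")
VLAN_INTERNET = ipaddress.ip_network("10.0.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
CONTROL_PROTOCOLS = (89, 112)   # IP protocol numbers: 89 = OSPF, 112 = VRRP


def subnet(area, group):
    return ipaddress.ip_network(f"10.{AREAS.index(area) + 1}.{group}.0/24")


def build_acl(area, group):
    """Ordered ingress rules for Vlan<group><area> as (action, ip_proto, dst_net)."""
    rules = [("permit", proto, ANY) for proto in CONTROL_PROTOCOLS]
    # Same-numbered VLAN in every area, including this VLAN's own subnet.
    rules += [("permit", None, subnet(a, group)) for a in AREAS]
    rules.append(("permit", None, VLAN_INTERNET))
    rules.append(("deny", None, SITE))    # every other internal VLAN
    rules.append(("permit", None, ANY))   # anything outside the site: Internet
    return rules


def evaluate(rules, dst, ip_proto=6):
    """Stateless first-match lookup; ip_proto 6 is TCP."""
    dst = ipaddress.ip_address(dst)
    for action, rule_proto, net in rules:
        if rule_proto in (None, ip_proto) and dst in net:
            return action
    return "deny"   # nothing matched


def reachable(src, dst, host=10):
    """True only if both VLANs' ingress ACLs pass the flow (no state tracking)."""
    to_dst = str(subnet(*dst).network_address + host)
    to_src = str(subnet(*src).network_address + host)
    return (evaluate(build_acl(*src), to_dst) == "permit"
            and evaluate(build_acl(*dst), to_src) == "permit")


if __name__ == "__main__":
    for rule in build_acl("A", 1):
        print(rule)
    print("Vlan1A <-> Vlan1B:", reachable(("A", 1), ("B", 1)))
    print("Vlan1A <-> Vlan2B:", reachable(("A", 1), ("B", 2)))
```

Under these assumptions each VLAN's list is 8 rules and grows by one rule per added OSPF area.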