
Isolating VLANs 2


VivSavage (Technical User), May 2, 2005
I have inherited a series of 2950 switches and a 2600 router. Multiple VLANs are configured and are trunked to the router. The router has been configured with multiple IP addresses using subinterfaces with 802.1q encapsulation.
For security purposes, I need to completely isolate traffic from one VLAN to another. As it stands now, a host on one VLAN can potentially access a host on any other, as the router provides connectivity. I've tried using access lists to disable inter-VLAN traffic on the router, but they aren't working. Do I need to get away from 802.1q encapsulation and use secondary addresses instead, or does anyone have any other ideas? Thanks.
 
Can you post the access-list related configuration, including the interface commands and the access-list definitions?

Also, can you post the output of "show access-list xxx"?

Do you actually want 3 totally isolated VLANs, or do you want them to connect to the rest of your network without any connectivity among the VLANs?
 
Thanks for your response. Essentially, in this case, I need the router to route anywhere except between VLANs. Each VLAN needs to be isolated from all other VLANs. Can this be done and what's the best way to get there?

Here's the config info on the interfaces:

interface FastEthernet0/0
no ip address
no ip unreachables
ip nat inside
no ip route-cache
no ip route-cache cef
no ip mroute-cache
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip route-cache
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
ip nat inside
no ip route-cache
no cdp enable
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
ip nat inside
no ip route-cache
no cdp enable
!
ip access-list standard NAT
permit 192.168.0.0 0.0.255.255

Here are the access-list definitions:

access-list 102 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit tcp any any

access-list 103 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit tcp any any

Here's the 'show access list' output:

Standard IP access list NAT
10 permit 192.168.0.0 wildcard bits 0.0.255.255
Extended IP access list 102
10 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit tcp any any
Extended IP access list 103
10 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
20 permit tcp any any

The two extended access lists are not currently in action (they are not tied to the interfaces as listed above) because I lost Internet connectivity with them in place. Any suggestions or help are greatly appreciated. Thanks.



 
As I read it, you seem to have your access lists the wrong way round. Using "ip access-group 102 in" on the 192.168.2.1 interface means checking packets coming into that port from the 192.168.2.x network.

The access list is denying TCP with a source of 192.168.3.x; there won't be any of those on that interface.

As a quick test, try swapping the lists: 102 on 192.168.3.x and 103 on 192.168.2.x. I think it should work how you want.

Bear in mind you may need to block UDP as well, and possibly ICMP if you find ping is working.
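As an added example (not from the thread or any of its posters), the Python model below shows the directional point made in the reply above and goes one step beyond the suggested swap: it parses the posted numbered ACLs, applies each list inbound on the subinterface whose subnet contains the packet's source address (which is what "in" on a subinterface means), and compares the original lists with a corrected pair that denies each VLAN's own subnet as the source toward both other VLANs, using "ip" rather than "tcp" so UDP and ICMP are covered. The subnets, subinterfaces and ACL numbers are those in the posted config; the host addresses, the 8.8.8.8 destination and the corrected lists are constructed assumptions for illustration, and nothing here is IOS code.

```python
"""Model of inbound ACL evaluation on a dot1Q router-on-a-stick (added example).

An ACL applied 'in' on Fa0/0.2 is only consulted for packets that ENTER the
router on VLAN 2, i.e. packets sourced from 192.168.2.x.  The posted lists deny
the OTHER VLAN as the source, so they never match on the interface they sit on.
"""
import ipaddress
from dataclasses import dataclass

# Subinterfaces from the posted config: subnet and the numbered ACL applied
# inbound (None = no list, as on the native-VLAN subinterface Fa0/0.1).
SUBINTERFACES = {
    "Fa0/0.1": (ipaddress.ip_network("192.168.1.0/24"), None),
    "Fa0/0.2": (ipaddress.ip_network("192.168.2.0/24"), 102),
    "Fa0/0.3": (ipaddress.ip_network("192.168.3.0/24"), 103),
}

# The lists exactly as the router reported them in 'show access-list'.
ORIGINAL_ACLS = """
access-list 102 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit tcp any any
access-list 103 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit tcp any any
"""

# Corrected lists (constructed suggestion, not from the thread): each list
# denies its OWN VLAN as the source toward the other VLAN subnets, uses 'ip'
# so UDP and ICMP are caught too, and ends with an explicit permit so
# Internet-bound traffic does not fall into the implicit deny.
CORRECTED_ACLS = """
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
"""


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_spec(tokens, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD'); return (net, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IPv4Network accepts an (address, hostmask) pair; an IOS wildcard is a hostmask.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acls(text):
    """Parse 'access-list N action proto SRC DST' lines into {N: [Rule, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(number, []).append(Rule(action, proto, src, dst))
    return acls


def evaluate(rules, proto, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto in ("ip", proto) and src in r.src and dst in r.dst:
            return r.action == "permit"
    return False


def forwarded(acl_text, proto, src, dst):
    """Would the router forward this packet?  It enters on the subinterface whose
    subnet holds the SOURCE address, so only that subinterface's inbound list applies."""
    acls = parse_acls(acl_text)
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    for net, acl in SUBINTERFACES.values():
        if src in net:
            return True if acl is None else evaluate(acls.get(acl, []), proto, src, dst)
    raise ValueError(f"{src} is not on any VLAN")


def inter_vlan_leaks(acl_text, protos=("tcp", "udp", "icmp")):
    """Every (proto, from_subif, to_subif) pair the router would still forward between VLANs."""
    leaks = []
    for a, (src_net, _) in SUBINTERFACES.items():
        for b, (dst_net, _) in SUBINTERFACES.items():
            if a != b:
                leaks += [(p, a, b) for p in protos
                          if forwarded(acl_text, p, src_net[10], dst_net[10])]
    return leaks


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACLS), ("corrected", CORRECTED_ACLS)):
        print(f"{label}: VLAN2->VLAN3 tcp forwarded:",
              forwarded(text, "tcp", "192.168.2.10", "192.168.3.10"))
        print(f"{label}: VLAN2->Internet udp (DNS) forwarded:",
              forwarded(text, "udp", "192.168.2.10", "8.8.8.8"))
        print(f"{label}: remaining inter-VLAN leaks:", inter_vlan_leaks(text))
```

Two things the model makes visible that the swap alone does not. First, the original lists end in "permit tcp any any", so UDP (DNS) and ICMP from either VLAN hit the implicit deny; that is a likely reason the Internet appeared to break when the lists were applied. Second, with the corrected lists in place as "ip access-group 102 in" on Fa0/0.2 and "ip access-group 103 in" on Fa0/0.3, the only remaining leaks are from Fa0/0.1, which in the posted config has no inbound list at all. Because these ACLs are stateless, a VLAN 1 host's packets would reach VLAN 2 while the replies from VLAN 2 are dropped, so full isolation needs a matching inbound list on Fa0/0.1 as well.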
 
Thanks PeterHurst and lambent for your help. Indeed, I had my access list 'bass-ackwards'. You've both earned my vote for tipster of the week.
 