
ACLs to permit routing only between pairs of VLANs

bouli3
Occasional Contributor

Hi all

I'm a bit confused about ACLs and routing with an E5406zl. Any help and ideas appreciated.

I have 4 VLANs connected to an E5406zl.


vlan 30

   name "OFFICE"

   ip address 10.30.10.11 255.255.255.0

   exit

vlan 31

   name "OFFICE_NLB"

   ip address 10.31.10.11 255.255.255.0

   exit

vlan 40

   name "SERVER"

   ip address 10.40.10.11 255.255.255.0

   exit

vlan 41

   name "SERVER_NLB"

   ip address 10.41.10.11 255.255.255.0

   exit

VLANs 31 and 41 are connected to my Microsoft TMG firewalls.

I use NLB to have a redundant setup for my TMG firewalls.

I need these separate NLB VLANs to prevent flooding of ARP multicasts into the OFFICE and SERVER VLANs.


I want the traffic to flow like this:

Workstation > 30 > 31 > TMG > 41 > 40 > Server

and vice versa.

Traffic must not flow like this:

Workstation > 30 > 40 > Server

Actually, I want to allow any traffic only between 30 and 31 but no other VLAN,

and between 40 and 41 but no other VLAN.

What routes and ACLs would I need?

Or am I on the wrong track?

Thanks in advance

Bouli

LucianoCarvalho
Respected Contributor

Re: ACLs to permit routing only between pairs of VLANs

Hello,

I think you will need to apply access lists like this, but I don't remember the exact commands:

Vlan 30
access-list permit 10.31.10.0 0.0.0.255

Vlan 31
access-list permit 10.30.10.0 0.0.0.255

Vlan 40
access-list permit 10.41.10.0 0.0.0.255

Vlan 41
access-list permit 10.40.10.0 0.0.0.255

Best regards

bouli3
Occasional Contributor

Re: ACLs to permit routing only between pairs of VLANs

Hi Luciano

I forgot to mention that my firewall will route the traffic between 31 and 41; I don't want to use NAT.

I know the commands for the ACLs, but I think I can't distinguish whether a packet is coming from 30 directly to 40 or via the firewall from 41 to 40.

Example packet:

Source: 10.30.10.210

Destination: 10.40.10.35

Doesn't the packet look the same when it flows from 30 to 40 as when it flows from 41 to 40?

And if I understand ACLs correctly, they only inspect the source and destination addresses of the packet. There seems to be no way to say "allow traffic only between VLAN 30 and 31", regardless of the source and destination addresses of the packets?

Regards
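
Added example, not part of the thread and not HP or Microsoft code: a small Python model of how inbound ACLs bound to VLAN interfaces on a layer-3 switch see the packet described in the post above. On the wire the two packets really are identical, but the ACL that gets consulted is chosen by the VLAN the packet enters on, so the ingress VLAN acts as an extra match criterion. The VLAN ids and subnets are taken from the posted E5406zl config; the ACL entries, the host addresses 10.30.10.210, 10.40.10.35 and 10.41.10.5, and the "VLAN may only talk to its NLB partner" policy are assumptions for the illustration, and no E5406zl CLI syntax is reproduced.

```python
# Added example: model of per-VLAN inbound ACLs on a layer-3 switch.
# Subnets are from the posted E5406zl config; ACL contents, host
# addresses and the policy are assumptions for the illustration.
from ipaddress import ip_address, ip_network

# Subnets from the posted config, keyed by VLAN id.
VLANS = {
    30: ip_network("10.30.10.0/24"),  # OFFICE
    31: ip_network("10.31.10.0/24"),  # OFFICE_NLB, office-side leg of the TMG pair
    40: ip_network("10.40.10.0/24"),  # SERVER
    41: ip_network("10.41.10.0/24"),  # SERVER_NLB, server-side leg of the TMG pair
}
ANY = ip_network("0.0.0.0/0")

# Assumed inbound ACL per VLAN: entries are (src_net, dst_net, action),
# first match wins, implicit deny at the end, as on the switch. The NLB
# VLANs accept any source because TMG routes without NAT, so the packets
# it hands back to the switch still carry the original 10.30.x or 10.40.x
# source address.
ACLS = {
    30: [(VLANS[30], VLANS[31], "permit")],
    31: [(ANY,       VLANS[30], "permit")],
    40: [(VLANS[40], VLANS[41], "permit")],
    41: [(ANY,       VLANS[40], "permit")],
}


def evaluate(ingress_vlan, src, dst):
    """Verdict for a packet with the given src/dst entering on ingress_vlan.

    The ingress VLAN is not a header field, but it selects which ACL is
    consulted, which is what lets the switch treat an identical src/dst
    pair differently depending on where it came in.
    """
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in ACLS[ingress_vlan]:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ACL


def trace(hops):
    """One verdict per hop; a hop is (ingress_vlan, src, dst) for each time
    the packet enters the switch on its way along the path."""
    return [evaluate(*hop) for hop in hops]


# The example packet from the post (addresses assumed for the hosts).
WS, SRV = "10.30.10.210", "10.40.10.35"


def direct_path():
    """Workstation > 30 > 40 > Server: the packet enters the switch once, on VLAN 30."""
    return trace([(30, WS, SRV)])


def firewall_path():
    """Workstation > 30 > 31 > TMG > 41 > 40 > Server: the switch sees the
    same src/dst twice, first entering on VLAN 30, then entering on VLAN 41
    after TMG has routed it."""
    return trace([(30, WS, SRV), (41, WS, SRV)])


def return_path():
    """Server reply taking the mirror-image route back through TMG."""
    return trace([(40, SRV, WS), (31, SRV, WS)])


def spoofed_source():
    """A host on VLAN 30 forging a SERVER_NLB source address (assumed
    10.41.10.5) to look like traffic coming from TMG."""
    return trace([(30, "10.41.10.5", SRV)])


if __name__ == "__main__":
    print("direct  :", direct_path())     # ['deny']
    print("via TMG :", firewall_path())   # ['deny', 'permit']
    print("return  :", return_path())     # ['deny', 'permit']
    print("spoofed :", spoofed_source())  # ['deny']
```

Two things fall out of running it. The second hop of the firewall path is permitted while the direct path is denied, even though src and dst are byte-for-byte the same, so the concern in the post is answered by where the ACL is attached rather than by what it matches; the same binding is why a host on VLAN 30 gains nothing by forging a 10.41.x source. The first hop of the firewall path, however, is also denied: with the posted config all four subnets are directly connected to the E5406zl, so a packet from 10.30.10.210 to 10.40.10.35 arriving on VLAN 30 would normally be routed straight into VLAN 40, and an inbound ACL can only drop it, not redirect it towards TMG on VLAN 31. The ACLs therefore enforce the "must not flow" rule, but the "must flow via TMG" rule additionally needs the hosts' forwarding path to go through the firewall rather than through the switch, which the thread does not resolve.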

LucianoCarvalho
Respected Contributor

Re: ACLs to permit routing only between pairs of VLANs

Hello bouli3,

Could you attach the topology you are using on your network so we can analyse it and try to suggest a solution?

Best Regards,

bouli3
Occasional Contributor

Re: ACLs to permit routing only between pairs of VLANs

Hi, I have attached a topology picture. Best regards