- Posts: 10
- Thank you received: 0
IOS Firewall With VLANs
16 years 9 months ago #24902
by darviria
IOS Firewall With VLANs was created by darviria
Hi,
can anyone give me some advice on how to use a 2651 as a firewall to be able to filter on 3 different VLANs coming in on one interface and going out on the other.
In other words I want to bridge for example VLAN10 on fa0/0.10 to VLAN10 on fa0/1.10 and do some filtering in between. I want to bridge a VLAN with the same VLAN, not route between VLANs.
Do I do this as normal but with a seperate bridge per VLAN sub-interface?
can anyone give me some advice on how to use a 2651 as a firewall to be able to filter on 3 different VLANs coming in on one interface and going out on the other.
In other words I want to bridge for example VLAN10 on fa0/0.10 to VLAN10 on fa0/1.10 and do some filtering in between. I want to bridge a VLAN with the same VLAN, not route between VLANs.
Do I do this as normal but with a seperate bridge per VLAN sub-interface?
16 years 9 months ago #24913
by toddwoo
Replied by toddwoo on topic Re: IOS Firewall With VLANs
I'm not 100% sure what your asking for?
Vlans are layer 2 constructs. everything on each VLAN is going to be in one subnet. Are you looking to break down the communication at a layer 2 level? You really can't (as far as I know) everything on the vlan acts as if its on the same physical lan.
Maybe i'm not understanding though.
Vlans are layer 2 constructs. everything on each VLAN is going to be in one subnet. Are you looking to break down the communication at a layer 2 level? You really can't (as far as I know) everything on the vlan acts as if its on the same physical lan.
Maybe i'm not understanding though.
16 years 9 months ago #24944
by darviria
Replied by darviria on topic Re: IOS Firewall With VLANs
I'd like to keep them all as if they are on a seperate physical lan.
I'd like the router to receive traffic on each vlan, apply ACLs to it and then pass it out again the other side (for traffic that the ACLs permit of course), independently for each vlan.
So I want the router to perform firewall functions on each vlan but not route traffic between the vlans
I'd like the router to receive traffic on each vlan, apply ACLs to it and then pass it out again the other side (for traffic that the ACLs permit of course), independently for each vlan.
So I want the router to perform firewall functions on each vlan but not route traffic between the vlans
16 years 9 months ago #24945
by TheBishop
Replied by TheBishop on topic Re: IOS Firewall With VLANs
In basic terms a firewall is just a router that applies rules to decide whether it should forward something or not. By definition you can't really deploy an IP firewall unless the two networks at its input and output are different IP networks. I'm not sure therefore how you envisage this working or fully grasp what you mean when you say you want to apply firewalling between VLANs but you don't want to route. I think what you are saying is that you want to selectively route (or deny) based on some sort of set of rules. If so, you can do so using ACLs but it will be messy and might not allow fine enough control for your needs. But you'll have to have each VLAN configured as a different IP network to do so
- skepticals
- Offline
- Elite Member
-
Less
More
- Posts: 783
- Thank you received: 0
16 years 9 months ago #24952
by skepticals
Replied by skepticals on topic Re: IOS Firewall With VLANs
Yes, I believe you should be able to configure your VLANs, assign them to different subnets, and apply ACLs to permit/deny traffic.
I'm not sure I fully understand what you are after though.
I'm not sure I fully understand what you are after though.
16 years 9 months ago #24964
by Elohim
Replied by Elohim on topic Re: IOS Firewall With VLANs
Just get a switch that you can create VLANS on, create your vlans, assign ports to your vlans. Get a router with at least two ports, put each port of the router in each vlan. Create your acls on the router.
This will make it easy for you. No trunking at all.
This will make it easy for you. No trunking at all.
Time to create page: 0.132 seconds