Tuesday, August 10, 2021

Implementing ACLs in a large enterprise environment

Hello, I work in a large enterprise environment. We have access and control of all the switches, but no control over the router/routing side of things. Currently, the management IP addresses of our switches are in the same VLAN as the rest of our end users and devices, VLAN 100. I would like to create a separate VLAN 60 solely for our management addresses. I understand how to create SVIs and how to use our Layer 3 switch to make communication between VLANs possible.

What I am a little stuck on is how to correctly apply ACLs so that only 4 workstations with IP addresses 172.0.0.10, 172.0.0.11, 172.0.0.12 and 172.0.0.25 can access and communicate with the management VLANs. Everyone else should not be able to ping, HTTP, etc. to the management addresses of the management VLAN. I understand that for this application I should be using an Extended Access List, which leads me to my next question: as Extended Access Lists are meant to be put closest to the source of the packets, how does this work in a large enterprise environment with 30 switches? Do I need to put the ACL on every capable L3 switch that we have? Or is there one L3 switch I can put it on to make it work everywhere?

I have attached a network diagram of the environment I'm working in. Any help would be greatly appreciated. Thank you.

https://imgur.com/a/C0X7AFX
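One way to build this, as an added example written for this page rather than an answer taken from the original post: because every packet from VLAN 100 into VLAN 60 has to be routed through the SVI of the Layer 3 switch that owns VLAN 60, the filter only needs to exist once, on that SVI, regardless of how many access switches sit in VLAN 60. The "closest to the source" rule of thumb is about saving bandwidth by dropping traffic early; it does not mean the ACL has to be replicated on 30 switches. The syntax below assumes Cisco IOS/IOS-XE. The management subnet 172.0.60.0/24, the SVI address 172.0.60.1 and the NTP/DNS server 172.0.0.50 are hypothetical placeholders; only the four workstation addresses come from the post.

```cisco
! Added example (editor's, not from the original post). Assumes Cisco IOS/IOS-XE
! syntax on the single Layer 3 switch that carries the SVI for VLAN 60.
! Hypothetical values: management subnet 172.0.60.0/24, SVI 172.0.60.1,
! NTP/DNS server 172.0.0.50. The four workstation addresses are from the post.
!
ip access-list extended TO-MGMT-VLAN60
 remark --- the four admin workstations may reach every management address
 permit ip host 172.0.0.10 172.0.60.0 0.0.0.255
 permit ip host 172.0.0.11 172.0.60.0 0.0.0.255
 permit ip host 172.0.0.12 172.0.60.0 0.0.0.255
 permit ip host 172.0.0.25 172.0.60.0 0.0.0.255
 remark --- replies to TCP sessions the switches open themselves (TACACS+, HTTPS ...)
 remark --- "established" only checks the ACK/RST bits; it is a stateless approximation
 permit tcp any 172.0.60.0 0.0.0.255 established
 remark --- UDP has no "established"; permit the specific servers the switches use
 remark --- (hypothetical 172.0.0.50 for NTP and DNS; add syslog/SNMP hosts as needed)
 permit udp host 172.0.0.50 eq ntp 172.0.60.0 0.0.0.255
 permit udp host 172.0.0.50 eq domain 172.0.60.0 0.0.0.255
 remark --- everything else destined for the management VLAN is dropped
 remark --- (drop the "log" keyword if the CPU hit on the platform is a concern)
 deny   ip any any log
!
interface Vlan60
 description Switch management VLAN (hypothetical addressing)
 ip address 172.0.60.1 255.255.255.0
 ip access-group TO-MGMT-VLAN60 out
```

The ACL is applied in the "out" direction on the Vlan60 SVI, which for an SVI means "traffic being routed into VLAN 60", so ping and HTTP from any other VLAN 100 host are dropped before they reach a switch management address, while return traffic from the switches toward the workstations leaves through the Vlan100 SVI unfiltered. Checks and caveats a practitioner would want before relying on this: if more than one switch carries an SVI for VLAN 60 (for example an HSRP or VRRP pair), apply the same ACL on each of them; hosts plugged into access ports in VLAN 60 are Layer 2 adjacent to the management addresses and bypass a routed ACL entirely, so keep user ports out of VLAN 60 (a VLAN ACL would be needed to filter inside the VLAN); an outbound interface ACL on IOS does not filter packets generated by the Layer 3 switch itself; and after applying it, confirm the hit counters with `show access-lists TO-MGMT-VLAN60` while pinging from one permitted and one denied workstation. As defence in depth, an `access-class` on the `line vty` of each switch that lists the same four workstations protects the management plane even if the routed ACL is later misconfigured.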


