topic Re: Access list for interVLAN in Routing and SD-WAN

Access list for interVLAN

JasonOwen — Fri, 22 May 2020 09:01:35 GMT

Hi all,

I have a Cisco WS-C3560X-24 with 6 VLANs:

VLAN 1: 192.168.1.0/24

VLAN 2: 192.168.2.0/24

VLAN 3: 192.168.3.0/24

VLAN 4: 192.168.4.0/24

VLAN 5: 192.168.5.0/24

VLAN 6: 192.168.6.0/24

I want to configure ACL so that: All VLANs can access VLAN 1, only VLAN 1 and VLAN 2 can access other VLANs

My expected output is:

vlan 1,2 can each other and access 3,4,5,6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5

Can you please help me with the Cisco command ?

Thank for your help !

Re: Access list for interVLAN

JasonOwen — Fri, 22 May 2020 04:02:40 GMT

Can anyone help me, please?

Thank you very much 🙂

Re: Access list for interVLAN

Naresh Murali — Fri, 22 May 2020 05:42:19 GMT

Hi JasonOwen,

Please see the below ACL as per your request.

The first 8 commands allows vlan 1 and 2 to communicate only to 3,4,5,6

The next 4 commands allows vlan 3,4,5,6 to communicate only to vlan 1

ip access-list extended test
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

Hope this helps. Additionally if you had a proper range we can still restrict the ACL commands. Currently the range will not work as it will allow the other networks as well.

Regards

Naresh M

Re: Access list for interVLAN

JasonOwen — Fri, 22 May 2020 06:31:27 GMT

Thank @Naresh Murali so much for your advice!

Sorry for my missing expectation:

regarding vlan 1,2: they can access each other and access all the rest vlans.

So i have to add 1 more line as below, right?

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Then the commands should be:

ip access-list extended test

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

then configure all vlans access this ACL

int range vlan 1-6

ip access-group test in

Otherwise, please advise.

Thank you!

Re: Access list for interVLAN

Georg Pauwen — Fri, 22 May 2020 06:46:26 GMT

Hello,

just for clarifification:

vlan 1,2 can access 3,4,5,6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5

You want Vlan 2 to access Vlan 3,4,5,6, but not vice versa, that is, you don't want Vlan 3,4,5,6 to access Vlan 2 ? If that is the case (one way traffic only), you need something like a reflexive access list...

Re: Access list for interVLAN

JasonOwen — Fri, 22 May 2020 07:25:21 GMT

Exactly @Georg Pauwen That's is my expectation, Just one way ! Can you help me?

Re: Access list for interVLAN

Georg Pauwen — Fri, 22 May 2020 08:04:38 GMT

Hello,

thanks for the clarification. I'll work something out and get back with you...

Re: Access list for interVLAN

Giuseppe Larosa — Fri, 22 May 2020 08:23:49 GMT

Hello @JasonOwen ,

I am afraid that reflexive ACLs may be not supported on a multilayer switch like yours.

However you can achieve an approximate solution using extended IP ACLs if all you need is that TCP connections can be started from hosts in Vlan 1,2 to vlans 3,4,5,6 and not viceversa.

The key command is to permit tcp between for example Vlan3 Ip subnet and Vlan1 subnet adding the keyword established at the end.

In this way all TCP sessions starting from Vlan3 to Vlan1 would be denied as the initial packet has the TCP flag SYN set and established keyword check for this to be not set.

A similar reasoning could be done for ICMP allowing ICMP echo-reply but not ICMP echo-.request.

A true one way connectivity is useless what we would like to achieve is usually what side can initiate a TCP session.

UDP misses the concept of session.

With the proposed ACLs the return packets of traffic initiated from Vlan 1 or 2 to Vlan 3-6 could be blocked breaking the connectivity.

Hope to help

Giuseppe

Re: Access list for interVLAN

Naresh Murali — Fri, 22 May 2020 09:29:53 GMT

Hi JasonOwen,

It will be two more line then.

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Regards

Naresh M

Re: Access list for interVLAN

JasonOwen — Fri, 22 May 2020 09:31:55 GMT

Thank @Giuseppe Larosa 🙂 That's a nice explanation. But i confused something, can you help to explain more?

You said: "I am afraid that reflexive ACLs may be not supported on a multilayer switch like yours." -> That means my switch don't support running reflexive ACL?

Re: Access list for interVLAN

Giuseppe Larosa — Fri, 22 May 2020 09:53:25 GMT

Hello @JasonOwen ,

I'm not sure that reflexive ACLs are not supported on C3560 but it is likely as it is a security feature that is typically configured on routers.

IF they create dynamic entries for return traffic this is likely not supported on the TCAM in switch hardware.

For this reason I have written my post.

Edit:

see

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_58_se/configuration/guide/3560scg/swacl.html?dtid=osscdc000283

only standard and extended ACLs can be applied to an SVI on a C3560.

Even if the link is about an old release I think this limitation is caused by HW limitation.

Hope to help

Giuseppe

Re: Access list for interVLAN

Georg Pauwen — Fri, 22 May 2020 09:55:04 GMT

Hello,

sorry, it took a while, I had to test this first. Below is the config I have come up with. For the sake of simplicity, I have added a DHCP pool for each Vlan, you might or might not need this:

ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool VLAN4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
ip dhcp pool VLAN5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
ip dhcp pool VLAN6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 106 in
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established

Re: Access list for interVLAN

JasonOwen — Fri, 22 May 2020 10:05:11 GMT

@Giuseppe Larosa Ok, thank for your comment. What i need is only one way blocking .

Vlan 1, 2 can access each other and all vlans

vlan 3,4,5,6 can access vlan 1 but cannot access each other

Can you help me with simple extended ACL ?

Thank you!

Re: Access list for interVLAN

Georg Pauwen — Fri, 22 May 2020 10:44:58 GMT

Hello,

if you want to Vlan 1 and Vlan 2 to be able to access each other, you need to add the lines marked in bold. I don't think you can achieve what you want with just one ACL (at least I could not).

ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool VLAN4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
ip dhcp pool VLAN5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
ip dhcp pool VLAN6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 106 in
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established

Re: Access list for interVLAN

Giuseppe Larosa — Fri, 22 May 2020 12:21:06 GMT

Hello @JasonOwen ,

@Georg Pauwen has provided a good example of what you can configure.

First of all, you will need multiple ACLs applied inbound to each SVI interface Vlan.

Second factor to consider these IP ACLs even if extended are not stateful and you need to provide the return path.

So translating the one way connectivity to I would like TCP sessions started from hosts in Vlan 1,2 to hosts in vlans 3-6 to be able to be setup but not the opposite you can use something like

interface vlan 6

ip access-group 106 in

access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 established

access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established

if no other networks should be accessed you can rely on the implicit deny any any at the end of the ACL.

However, if you need to allow internet access or access to other networks in general you would need to add

access-list 106 deny ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.7.255

access-list 106 permit ip 192.168.6.0 0.0.0.255 any

Actually you need to apply inbound ACLs only to the limited SVIs interface Vlan 3 to interface Vlan 6

The ACLs for SVI vlan 3 to vlan 5 would be similar to the one proposed here.

If hosts in Vlans 3 to 6 can access vlan 1 the first line should be like proposed by Georg a permit ip.

Here, I am proposing this alternate version to have only TCP sessions started from Vlan 1 to Vlans 3 to 6 to be able to be setup.

Interface Vlan1 and interface Vlan2 could stay without any ACL applied unless your network is a closed connectivity one and there is no need for internet access and so on.

Note:

in case you need to provide internet access to users in Vlans 3 to 6 you may need to enable the traffic for DNS queries and DNS replies that use UDP port 53.

It really depends where the DNS servers are located.

Hope to help

Giuseppe

Re: Access list for interVLAN

Richard Burts — Fri, 22 May 2020 15:10:48 GMT

There have been several posts in this discussion that mention reflexive access lists. And this relates to a fundamental problem with what you want to achieve. As an example you want a device in vlan 1 (perhaps it is 192.168.1.11) to communicate with a device in vlan 3 (perhaps it is 192.168.3.33). Assuming that you will use an access list inbound on interface vlan 3 to filter the traffic it will receive an IP packet whose source address is 192.168.3.33 and destination is 192.168.1.11 - should the access list permit or deny this packet? The answer is deny if the packet is from 192.168.3.33 initiating some to vlan 1. But the answer is permit if this is 192.168.3.33 responding to something initiated from vlan 1. How does the access list determine whether this is a response or not?

To really achieve your requirements requires doing stateful inspection in which we would know who initiated the traffic. I dont believe that your switch supports doing stateful inspection.

Re: Access list for interVLAN

JasonOwen — Mon, 25 May 2020 02:15:47 GMT

Thank @Georg Pauwen and @Giuseppe Larosa again for your helpful advice.

Please be noted that i just want to block interVLAN access.

I already had another policy to allow all vlans go to internet.

Let me try your advice and give feedback.

Thank all again.