ACL for restricting VLAN ingress but allow Egress

titusroz03
Level 1

Dear All,

I have multiple VLANs in my core switch, including VLAN A, and only VLAN A is extended to a downstream DMZ switch. A VRF is created for VLAN A in the downstream DMZ switch and a route is pointed to VLAN A's SVI on the core switch.

Now I can ping the VLAN A interface on the DMZ switch and vice versa, and all the VLANs in the core switch are also pingable from the DMZ. My requirement is to restrict this so that VLAN A in the DMZ shouldn't be able to ping or access any of the networks in the core switch, but the networks in the core switch should be able to access VLAN A.

Kindly let me know any suggestions for doing this through an ACL.

2 Replies

It's hard to do this without a FW, but I will give you some points.

The traffic is mostly classified into three main categories:

1- tcp

2- udp

3- icmp

So to allow one side access to the other side and prevent reverse connections, we use:

Allow any any from side A to side B.

We allow traffic from side B to side A, but with conditions:

1- For TCP we use the established keyword in the ACL

2- For ICMP we use echo-reply

3- For UDP, here mostly servers use UDP, like DHCP, DNS, etc., so we allow traffic only for specific UDP ports (the port the server uses)

That's all.

Thanks 

MHM
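One way to write the ACL this reply describes, as an added example in Cisco IOS syntax (not the reply author's or Cisco's own configuration). The VLAN A subnet 10.10.10.0/24, the SVI name Vlan100 on the core switch and the DNS server living in VLAN A are assumptions chosen for illustration:

```cisco
! Added example; all addresses and interface names below are constructed assumptions:
!   VLAN A (the VLAN extended to the DMZ switch) = 10.10.10.0/24
!   VLAN A's SVI on the core switch             = interface Vlan100
!   A DNS server inside VLAN A answers from UDP/53
!
! Direction "core -> VLAN A" stays open: no outbound ACL is applied to the SVI.
! Direction "VLAN A -> core" is filtered inbound on the SVI with the three rules below.
ip access-list extended VLAN-A-FROM-DMZ
 remark TCP: only segments with ACK or RST set, i.e. replies to sessions the core opened
 permit tcp 10.10.10.0 0.0.0.255 any established
 remark ICMP: only echo-reply, so pings from the core are answered but VLAN A cannot ping out
 permit icmp 10.10.10.0 0.0.0.255 any echo-reply
 remark UDP has no "established": permit only the known server port (DNS answers from VLAN A)
 permit udp 10.10.10.0 0.0.0.255 eq 53 any
 remark everything else initiated from VLAN A toward the core is dropped and logged
 deny ip any any log
!
interface Vlan100
 description VLAN A SVI on the core switch (DMZ side)
 ip access-group VLAN-A-FROM-DMZ in
```

The established keyword only looks at TCP flag bits and keeps no session table, and UDP has no equivalent at all, which is the stateless limitation behind the advice in both replies to do this on a firewall instead.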

As @MHM Cisco World said, you really need to do this with a firewall.