Couple of access list questions to separate VLAN subnets

riderfaiz
Level 1

Hi everyone,

Hope you can help!! Currently there are over 30 VLANs running on our core switch 4507. They can all see and access each other. But now my boss wants me to separate the VLANs so that each VLAN cannot access the other client VLANs, but it should certainly still be able to access the server VLAN, the DMZ VLANs and the internet. I am planning to just use access control lists to achieve the goal.

My server vlan is 10.10.0.0/23

DMZ1 is 172.20.0.0/24

DMZ2 is 10.1.22.0/24

My client vlans are:

10.10.16.0/23

10.10.32.0/23

10.10.48.0/23

... up to 10.10.192.0/23


Here are some things I want to ask:

1.) On each VLAN I only want them to be able to access the server and DMZ VLANs but not other client VLANs... on the VLAN interface, should I use access-group IN... or OUT? Without asking here... I may pick IN... If I am wrong... may you tell me why?

2.) For the access-list... if I do the way like this...

#################################
ip access-list extended v190_filter
deny ip any 10.10.16.0 0.0.1.255
deny ip any 10.10.32.0 0.0.1.255
deny ip any 10.10.48.0 0.0.1.255
.....
deny ip any 10.10.192.0 0.0.1.255
permit ip any any
##################################

This way it will be a long, long list... Plus I need to make a similar list for each client VLAN. I would like to ask if there is any way I can simplify the entries by summarizing the network mask? If so... may I ask what the answer would be...


Thank you for your help in advance.


Takami Chiro


Mike.Cifelli
VIP Alumni
1.) On each VLAN I only want them to be able to access the server and DMZ VLANs but not other client VLANs... on the VLAN interface, should I use access-group IN... or OUT? Without asking here... I may pick IN... If I am wrong... may you tell me why?

You should configure your SVI acls both IN and OUT. Think of IN meaning coming into the interface from the local subnet & OUT as external subnets coming into that subnet.

2.) For the access-list...
There are several ways you can accomplish this. You could use object groups to achieve what you want here. I think you will need to create separate acls as you mentioned above. You could potentially look into using Trustsec if you have ISE in your environment.
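As an added example, not code from the thread or from Cisco: a Python check of the wildcard-summary idea from question 2. It derives one address/wildcard pair that covers every client /23 and then shows that the same summary also swallows the server VLAN 10.10.0.0/23, so the permits for the server and DMZ subnets must be placed before the summarized deny. It assumes the client list steps by 16 in the third octet and that the switch's ACL parser accepts a discontiguous wildcard.

```python
import ipaddress

# Subnets from the thread (constructed constants). The client list is assumed to
# step by 16 in the third octet: 10.10.16.0/23, 10.10.32.0/23, ... 10.10.192.0/23.
SERVER_VLAN = "10.10.0.0/23"
DMZ_VLANS = ["172.20.0.0/24", "10.1.22.0/24"]
CLIENT_VLANS = [f"10.10.{o}.0/23" for o in range(16, 193, 16)]


def wildcard_summary(cidrs):
    """Single Cisco address/wildcard pair (wildcard bit 1 = don't care) matching every
    address of every network in cidrs; the wildcard may come out discontiguous."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    first = int(nets[0].network_address)
    wildcard = 0
    for n in nets:
        wildcard |= int(n.network_address) ^ first   # bits that differ between the networks
        wildcard |= int(n.hostmask)                   # host bits inside each network
    base = first & ~wildcard & 0xFFFFFFFF
    return base, wildcard


def matches(base, wildcard, cidr):
    """True if the address/wildcard entry covers every address of cidr."""
    net = ipaddress.ip_network(cidr)
    keep = ~wildcard & 0xFFFFFFFF
    fixed_bits_equal = (int(net.network_address) & keep) == (base & keep)
    host_bits_free = (int(net.hostmask) & wildcard) == int(net.hostmask)
    return fixed_bits_equal and host_bits_free


def cisco(base, wildcard):
    """Render the pair the way it appears in an IOS ACE."""
    return f"{ipaddress.ip_address(base)} {ipaddress.ip_address(wildcard)}"


def overmatched(base, wildcard, protected):
    """Protected networks the summary also hits; for the thread's plan that is the server VLAN."""
    return [c for c in protected if matches(base, wildcard, c)]


def client_filter_acl(name="v190_filter"):
    """ACL lines for a client SVI: permit server and DMZ first, then one summarized deny.
    Order matters because the summary overlaps the server VLAN."""
    base, wc = wildcard_summary(CLIENT_VLANS)
    lines = [f"ip access-list extended {name}"]
    for c in [SERVER_VLAN] + DMZ_VLANS:
        n = ipaddress.ip_network(c)
        lines.append(f" permit ip any {n.network_address} {n.hostmask}")
    lines.append(f" deny ip any {cisco(base, wc)}")   # 10.10.0.0 0.0.241.255 also covers 10.10.208/224/240
    lines.append(" permit ip any any")
    return lines
```

Because the deny names every client /23 as destination with source `any`, the same list can be applied inbound on each client SVI; traffic staying inside one VLAN never crosses its SVI, so the list does not need a per-VLAN copy.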

Mike, thank you very much for your response.


You mentioned "You should configure your SVI acls both IN and OUT." Do you mean I should apply the same access list with in and out to the VLAN? Thank you for clarifying the access-group in and out... as I was always confused about it :)


For your answer to question #2, may I ask if Trustsec is a product or software? May you provide an example of how to implement object groups?... Would that reduce the number of entries in my ACL?


Thank you very much again!

Riderfaiz

Hi Mike, I just did a quick search on Trustsec and ISE... we are just a small shop and we do not even have an AAA server... so I think I may have to just count on ACLs for now...


May you just help to clarify "You should configure your SVI acls both IN and OUT"? Does it mean I need to implement both in and out with the same access list that I will apply to a VLAN?

Thank you very much again.

Riderfaiz

Yes you can implement the same acl both in and out on your SVI. For example:
ip access-list ext ACL
permit ip host 8.8.8.8 any
permit ip any host 8.8.8.8
deny ip any any

int vlan 2
ip access-group ACL in
ip access-group ACL out

HTH!