01-04-2020 12:18 AM - edited 02-21-2020 11:12 AM
Hello All,
I would like to allow clients on VLAN 1,2,3,4 below to access VLAN 5 (10.3.0.X); however, I want to prevent clients on VLAN 5 from establishing any connections to VLAN 1,2,3,4 or accessing VLAN 1,2,3,4. However, all of my routers and switches are on VLAN 1 (192.168.0.X). What I have so far is below:
conf t
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any
int vlan 5
 ip access-group 101 in
 ip access-group 101 out
int vlan 4
 ip access-group 101 in
 ip access-group 101 out
int vlan 3
 ip access-group 101 in
 ip access-group 101 out
int vlan 2
 ip access-group 101 in
 ip access-group 101 out
int vlan 1
 ip access-group 101 in
 ip access-group 101 out
The VLANs are:
VLAN 1: 192.168.0.X
VLAN 2: 10.0.0.X
VLAN 3: 10.1.0.X
VLAN 4: 10.2.0.X
VLAN 5: 10.3.0.X
The above works but prevents access from VLAN 1,2,3,4 to VLAN 5, which is not what I want. How do I allow VLAN 1,2,3,4 to access VLAN 5 while preventing VLAN 5 from establishing connections to VLAN 1,2,3,4?
The switch is a Cisco 3750G. Since all traffic is always two-way, I think I need to block just the initiating traffic from VLAN 5 to VLAN 1,2,3,4. I'm not sure how.
Cheers,
TK
01-04-2020 05:47 AM
In your ACL you have to allow return tcp traffic using 'tcp established' from VLAN5 back to the other vlans, not all tcp.
HTH
01-04-2020 08:15 AM - edited 01-04-2020 08:27 AM
Thank you. So I suppose I can shorten the rules in this manner, I think, but these still didn't work:
conf t
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any
int vlan 5
 ip access-group 101 in
 ip access-group 101 out
int vlan 4
 ip access-group 101 in
 ip access-group 101 out
int vlan 3
 ip access-group 101 in
 ip access-group 101 out
int vlan 2
 ip access-group 101 in
 ip access-group 101 out
int vlan 1
 ip access-group 101 in
 ip access-group 101 out
2) I tried to create rules similarly for ICMP above, but pingbacks still didn't work.
3) What about the other protocols that you could recommend? I want to be able to detect devices on VLAN 5 as well as logging into those devices, just don't want VLAN 5 to be able to initiate any connections to devices on VLAN 1,2,3,4 .
Cheers,
TK
01-04-2020 10:41 AM - edited 01-04-2020 10:46 AM
Enabled some logging:
3w4d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.3.0.100(22) (Vlan5 0050.5686.4105) -> 192.168.0.100(37784), 1 packet
3w4d: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.3.0.100 (Vlan5 0050.5686.4105) -> 192.168.0.100 (0/0), 1 packet
access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
370 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input (402 matches)
Just not clear what type though. But maybe I'm not seeing the forest through the trees.
Cheers,
TK
01-04-2020 10:54 AM
One way of doing this would be to have ACL on SVI for VLAN1,2,3,4 which:
allows tcp established traffic from 10.3.x.x
then denies any other traffic from 10.3.x.x
then allows all traffic coming in.
Regards.
01-04-2020 12:33 PM
Definitely! I'm looking to make this a little cleaner as well. However, just working off a known set to help me understand each change for now. Now I have ICMP working (though I haven't tested it the other way yet till I get my ssh working as well).
conf t
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 port-unreachable
access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any
However, TCP for SSH isn't quite there yet. Despite the rules above, returning traffic from an establishing connection is still blocked:
3w4d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.3.0.100(22) (Vlan5 0050.5686.4105) -> 192.168.0.100(37792), 1 packet
And it's logged here:
370 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 (6 matches)
Trying to wrap my head around why it still hits the deny rule despite having established on the permit line earlier:
50 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
Thought that should handle round traffic. Unless perhaps I need to add another type from this list:
cisco01(config)#access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established ?
  dscp        Match packets with given dscp value
  eq          Match only packets on a given port number
  fin         Match on the FIN bit
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  precedence  Match packets with given precedence value
  psh         Match on the PSH bit
  range       Match only packets in the range of port numbers
  syn         Match on the SYN bit
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  urg         Match on the URG bit
  <cr>
cisco01(config)#
Just not 100% sure what yet. Looks like I need to match on specific flags like PSH and FIN:
https://amits-notes.readthedocs.io/en/latest/networking/tcpdump.html
Cheers,
TK
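The matching failure in this post (the 'established' entry never catching the SSH reply) and the ordering rais outlined above, worked through in an added Python simulator of IOS extended-ACL matching. This is not code from the thread or from Cisco; the list number 102, its application inbound on interface Vlan5, and the sample packets are assumptions modelled on the logged deny.

```python
"""Simulate Cisco IOS extended-ACL matching (added example, not code from the thread)."""
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()  # TCP flag bits set in the packet
    icmp_type: str = ""                 # IOS keyword, e.g. "echo-reply"

def _addr(t, i):
    """Parse 'any' or 'ADDR WILDCARD'; a Cisco wildcard is an inverted (contiguous) netmask."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{t[i]}/{netmask}", strict=False), i + 2

def parse_ace(line: str):
    """'access-list N permit|deny PROTO SRC DST [options]' -> (action, proto, src, dst, opts)."""
    t = line.split()[2:]
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    return t[0], t[1], src, dst, frozenset(t[i:])

def matches(ace, pkt: Packet) -> bool:
    _, proto, src, dst, opts = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in src or ipaddress.IPv4Address(pkt.dst) not in dst:
        return False
    # 'established' matches only when ACK or RST is set, i.e. anything but the opening SYN.
    if proto == "tcp" and "established" in opts and not (pkt.tcp_flags & {"ack", "rst"}):
        return False
    if proto == "icmp" and opts and pkt.icmp_type not in opts:  # opts are ICMP type keywords
        return False
    return True

def evaluate(acl, pkt: Packet):
    for n, ace in enumerate(acl, 1):  # first matching entry wins
        if matches(ace, pkt):
            return ace[0], n
    return "deny", None  # IOS's implicit deny at the end of every ACL

# Condensed from the thread: 'established' names the initiator's subnet as source, so a
# reply sourced from 10.3.0.100 skips it and lands on the deny that follows.
POSTED_ACL = [parse_ace(l) for l in (
    "access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established",
    "access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]
# rais's ordering, written for 'ip access-group 102 in' on interface Vlan5 (list number
# assumed): replies first, then block what else VLAN 5 sends toward VLANs 1-4, then permit.
CORRECTED_ACL = [parse_ace(l) for l in (
    "access-list 102 permit tcp 10.3.0.0 0.0.0.255 any established",
    "access-list 102 permit icmp 10.3.0.0 0.0.0.255 any echo-reply",
    "access-list 102 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 102 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 102 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255",
    "access-list 102 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255",
    "access-list 102 permit ip any any",
)]
# Constructed packets mirroring the logged deny: SSH server 10.3.0.100:22 answering 192.168.0.100.
SSH_REPLY = Packet("10.3.0.100", "192.168.0.100", "tcp", frozenset({"ack", "psh"}))
VLAN5_SYN = Packet("10.3.0.100", "192.168.0.100", "tcp", frozenset({"syn"}))
PING_REPLY = Packet("10.3.0.100", "192.168.0.100", "icmp", icmp_type="echo-reply")
PING_REQUEST = Packet("10.3.0.100", "192.168.0.100", "icmp", icmp_type="echo")
```

Running evaluate() on SSH_REPLY against POSTED_ACL lands on entry 2 (the deny the counters showed), while against CORRECTED_ACL it is permitted by entry 1 and the bare SYN from VLAN 5 is dropped by entry 3.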
01-04-2020 01:09 PM
So after doing some packet analysis using tcpdump off my Asus router, I was able to identify what's missing and allow it. Truth be told, I should really block SYN, not ALL packets, from VLAN 5, but this helps me to learn all the communication packets I need to get things to work.
The working set of rules:
conf t
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 echo-reply
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 port-unreachable
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 permit tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 permit tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 permit tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any
int vlan 5
 ip access-group 101 in
 ip access-group 101 out
I did not need to add the config to the rest of the setup. Just for VLAN 5.
My next task would be to simplify this set of rules, as you also pointed out @rais.
Cheers,
TK