Re: VLAN ACL design

johnny_5 · ‎10-31-2019

Trying to figure an ACL design or at least troubleshoot.

Cisco 4507 switch that I have 2 VLANs configured. One VLAN has an ACL applied as a "IN" statement, the second VLAN has no ACL applied. My question relates to traffic direction...when applying an ACL on a VLAN the "IN" refers to traffic been inspected as it leaves the interface correct?

As it stands below in the configs I can ping any device on the Device_Net(172.22.46.x) network from the 172.16.33.0 and 172.16.34.0 networks. I don't have any ACL applied the 2 VLANs.

When I remove the 2 lines statements underlined I don't have any connectivity. Could someone explain why?

access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.33.0 0.0.0.255

access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.34.0 0.0.0.255

When traceroute from VLAN 63 or 53 it dies at gateway. 172.16.34.1 or 172.16.33.1

interface Vlan86

description Device_Net

ip address 172.22.46.1 255.255.255.248

ip access-group 186 in

no ip redirects

no ip proxy-arp

end

interface Vlan63
description Server_access
ip address 172.16.34.1 255.255.255.0
end

interface Vlan53
description Client_access
ip address 172.16.33.1 255.255.255.0
end

#sh run | inc 186

ip access-group 186 in

access-list 186 remark Restrict Device_Net IN

access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.33.0 0.0.0.255

access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.34.0 0.0.0.255

access-list 186 deny ip any any log

Jaderson Pessoa · ‎10-31-2019

Hello,

Looks it:

You acl is applied as IN on interface vlan 86
and your ACL is configured as source 172.22.46.0/24, but the traffic is coming from 172.16.33.0 and 172.16.34.0. I suggest you two ways.

1. change your acl under interface vlan86 from IN to OUT

2. change your acl from:
access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.33.0 0.0.0.255
access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.34.0 0.0.0.255
2. change your acl to:
access-list 186 permit ip 172.16.33.0 0.0.0.255 172.22.46.0 0.0.0.255
access-list 186 permit ip 172.16.34.0 0.0.0.255 172.22.46.0 0.0.0.255

try it and return the results...

Regards,

Jaderson Pessoa
*** Rate All Helpful Responses ***

johnny_5 · ‎10-31-2019

If I only wanted traffic from 172.22.46.0 network to communicate out doesn't the "IN" statement work just as well?

I'm trying to achieve a scenario where a device on the 172.22.46.0 can communicate out to certain networks but certain return traffic cannot get to the device

Allow traffic from 172.22.46.0 to talk to 172.16.33.0 and 172.16.34.0

Deny traffic from 172.16.34.0 to 172.22.46.0

I though I achieved this by removing the single line:

access-list 186 permit ip 172.22.46.0 0.0.0.255 172.16.34.0 0.0.0.255

because i couldn't ping or connect from the 172.16.34.0 network.

Jaderson Pessoa · ‎10-31-2019

ip access-list extended PERMIT_CONTROL_TRAFFIC
remark BETWEEN_VLANS
permit ip 172.22.46.0 0.0.0.255 172.16.33.0 0.0.0.255

permit ip 172.22.46.0 0.0.0.255 172.16.33.0 0.0.0.255

ip access-list extended DENY_CONTROL_TRAFFIC
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 172.16.34.0 0.0.0.255 172.22.46.0 0.0.0.255

vlan access-map MAP_CONTROL_TRAFFIC 10
match ip address PERMIT_CONTROL_TRAFFIC
action forward

vlan access-map MAP_CONTROL_TRAFFIC 1020
match ip address DENY_CONTROL_TRAFFIC
action drop

vlan access-map MAP_CONTROL_TRAFFIC 30
action forward

vlan filter MAP_CONTROL_TRAFFIC vlan-list 86,63,53

look this solution, it can help you.

Jaderson Pessoa
*** Rate All Helpful Responses ***

johnny_5 · ‎11-04-2019

To make this easier:

I want 172.22.46.0 to talk to 172.16.33.0 only

I want 172.16.34.0 to talk to 172.22.46.0 only.

Can one apply IN and OUT statement on VLAN?

Jaderson Pessoa · ‎11-04-2019

No internet access?

Jaderson Pessoa
*** Rate All Helpful Responses ***

johnny_5 · ‎11-04-2019

No internet access.

Jaderson Pessoa · ‎10-31-2019

my suggestion solve your problem?

Jaderson Pessoa
*** Rate All Helpful Responses ***