Restrict Inter vlan traffic

amit mehta
Level 1

Hi,

 

I want to restrict inter-VLAN traffic on a Nexus 9k. I am a little confused. Here is my scenario:

 

Vlan2 Ip address 192.168.0.1/24

Vlan3 IP address 192.168.1.0/24

Vlan4 ip address 192.168.3.0/24

Vlan5 ip address 192.168.4.0/24

Requirement

Servers in Vlan2 should be able to communicate within the VLAN. Traffic from Vlan2, 3 and 4 should not be able to communicate with Vlan1, and vice versa.

Can I configure it like this?

 

Vlan1

IP address 192.168.0.1/24

ip access-group Deny_all in

 

ip access-list Deny_all

10 Permit ip 192.168.0.1 0.0.0.255

20 deny ip 192.168.0.0 0.0.255.255 192.168.0.1 0.0.0.255 eq any

30 permit ip any any

The idea here is that within the VLAN all traffic should work; any reverse traffic from IP address ranges other than 192.168.0.0/16 should also be allowed to Vlan1.

I know it is a little confusing, and that's why I am posting it here for suggestions. Any help on this will be highly appreciated.

 

regards,

Amit

 

6 Replies

"servers in vlan2 should be able to communicate within vlan": does that mean that VLAN 1 can connect to the servers in VLAN 2??

Jon Marshall
Hall of Fame

 

You don't need the first line because any traffic within the VLAN will not go to the SVI, i.e. it is not routed.

 

There are a couple of issues with your second line: 192.168.0.1 0.0.0.255 does not make much sense; do you mean 192.168.1.0 0.0.0.255?

 

Also the direction you have applied the ACL is wrong, i.e. an ACL applied inbound is for traffic from hosts in that VLAN and an ACL applied outbound is for traffic going to hosts in that VLAN.

 

So your ACL should be applied outbound, or you need to change the ACL, i.e.

 

deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 

 

Jon

Hi Jon,

The concern here is to restrict Vlan 1 traffic to other VLANs and other VLANs to Vlan1. This should be applicable to other VLANs as well.

Vlan2 should not be able to communicate with other VLANs, and other VLANs should not be able to communicate with Vlan2. I'll keep adding VLANs as and when required.

 

Hope I am making sense.

 

Regards,

Amit

 

Reading your response to Paul: yes, you can use that same ACL for all your L3 SVIs if that is the requirement. It is pretty much what I suggested above; I just specified the source subnet whereas you have used any, which achieves the same thing.

 

Jon

Hello
Do VLAN 1 and 2 have the same addressing?
To negate VLAN 1 from communicating with VLANs 2-5, your routed access list needs to be amended a little.

 

Ip access extended Deny_all
no 10
no 20
no 30
10 deny ip any 192.168.2.0 0.0.0.255
20 deny ip any 192.168.3.0 0.0.0.255
30 deny ip any 192.168.4.0 0.0.0.255
40 deny ip any 192.168.5.0 0.0.0.255
99 permit ip any any 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Thanks for your suggestion. VLAN 1 & 2 will have different IP addresses; the CIDR is 192.168.0.0/16 and the subnet IPs are listed below.

This is not only for VLAN 1 & VLAN 2. The requirement is that VLAN1 should not be able to talk to VLAN2 and vice versa; further, all VLANs should be able to talk to servers within the same VLAN, but should not be able to talk to other VLANs.

 

Vlan1 192.168.0.1/24

Vlan2 192.168.1.0/24

Vlan3 192.168.2.0/24

Vlan4 192.168.3.0/24

Vlan5 192.168.4.0/24

 

Your recommendation 

Ip access extended Deny_all
no 10
no 20
no 30
10 deny ip any 192.168.2.0 0.0.0.255
20 deny ip any 192.168.3.0 0.0.0.255
30 deny ip any 192.168.4.0 0.0.0.255
40 deny ip any 192.168.5.0 0.0.0.255
99 permit ip any any 

 

My requirement 

10 deny ip any 192.168.0.0 0.0.255.255

100 permit ip any any

 

I will keep adding new VLANs in the range 192.168.x.x. Can I add the entire CIDR for VLAN1 and the other VLANs, so that in future if I add VLAN6 with subnet 192.168.5.0/24 and VLAN7 with subnet 192.168.6.0/24 the same ACL Deny_all can be applied to the VLAN6 and VLAN7 SVIs? Otherwise I'll have to edit the Deny_all ACL and keep adding subnet IPs for each new VLAN created.

 

Regards,

Amit
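As an added example (not posted by anyone in this thread, and not Cisco tooling), a small Python evaluator for numbered wildcard-mask ACL entries in the form used above. It checks Amit's final Deny_all against sample flows between the VLAN subnets listed in the thread, and models Jon's point that same-subnet traffic is switched and never reaches an inbound SVI ACL. The function names are assumptions.

```python
import ipaddress
# Constructed evaluator for numbered wildcard-mask ACL entries of the form
# "<seq> permit|deny ip <src|any> [wildcard] <dst|any> [wildcard]".
# Function names below are assumptions, not NX-OS or Cisco tooling.
def _parse_match(tok):
    """Consume 'any' or 'A.B.C.D W.X.Y.Z' (address + wildcard) from tok."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    addr = int(ipaddress.IPv4Address(tok[0]))
    wild = int(ipaddress.IPv4Address(tok[1]))
    return (addr, wild), tok[2:]

def parse_acl(text):
    """Return [(seq, action, src, dst)]; header and 'no N' lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        src, rest = _parse_match(tok[3:])   # tok[2] is the protocol keyword "ip"
        dst, _ = _parse_match(rest)
        aces.append((int(tok[0]), tok[1].lower(), src, dst))
    return sorted(aces)

def _matches(ip, match):
    addr, wild = match
    care = ~wild & 0xFFFFFFFF            # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for _, action, src, dst in aces:
        if _matches(src_ip, src) and _matches(dst_ip, dst):
            return action
    return "deny"
# Amit's final ACL from the thread, to be applied inbound on every SVI.
DENY_ALL = """
ip access-list Deny_all
  10 deny ip any 192.168.0.0 0.0.255.255
  100 permit ip any any
"""
VLAN_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                "192.168.3.0/24", "192.168.4.0/24"]   # VLAN1..VLAN5 as listed
def routed_check(acl_text, src_ip, dst_ip):
    """Jon's point: same-subnet traffic is switched, so an SVI ACL never sees it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(s in n and d in n for n in map(ipaddress.ip_network, VLAN_SUBNETS)):
        return "switched"
    return evaluate(parse_acl(acl_text), src_ip, dst_ip)
```

Because the /16 deny also matches any new 192.168.x.0/24 subnet, the same ACL covers a future VLAN6 or VLAN7 SVI without edits, which is what the last post asks about.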
