VLAN Access list

Mr.Mayhem
Level 1

I am not understanding how to deny access between VLANs. I believe that it will be an access list, but I am not understanding the configuration. Any help in understanding this would be much appreciated.


ROUTER

Building configuration...

Current configuration : 1796 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
ip dhcp excluded-address 172.16.5.1 172.16.5.10
ip dhcp excluded-address 172.16.15.1 172.16.15.10
ip dhcp excluded-address 172.16.100.1 172.16.100.10
!
ip dhcp pool Student
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
ip dhcp pool Faculity
network 172.16.15.0 255.255.255.0
default-router 172.16.15.1
ip dhcp pool Management
network 172.16.100.0 255.255.255.0
default-router 172.16.100.1
!
!
aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback1
ip address 9.3.3.1 255.255.255.252
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.5
encapsulation dot1Q 5
ip address 172.16.5.1 255.255.255.0
!
interface GigabitEthernet0/0/0.15
encapsulation dot1Q 15
ip address 172.16.15.1 255.255.255.0
!
interface GigabitEthernet0/0/0.100
encapsulation dot1Q 100 native
ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip default-gateway 10.1.1.1
ip classless
ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 Loopback1
!
ip flow-export version 9
!
!
!
!
radius-server host 10.1.1.2 auth-port 1812 key cisco
!
!
!
!
line con 0
password 7 0822455D0A16
!
line aux 0
!
line vty 0 4
password 7 0822455D0A16
line vty 5 15
password 7 0822455D0A16
!
!
!
end

SWITCH

Building configuration...

Current configuration : 2640 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname S1
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport trunk native vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/2
switchport trunk native vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/3
switchport trunk native vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/4
switchport access vlan 100
switchport trunk native vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/5
switchport access vlan 100
switchport trunk native vlan 100
switchport trunk encapsulation dot1q
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/6
switchport access vlan 5
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/7
switchport access vlan 15
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
mac-address 0004.9a3a.4d01
ip address 172.16.5.1 255.255.255.0
!
interface Vlan15
mac-address 0004.9a3a.4d02
ip address 172.16.15.2 255.255.255.0
!
interface Vlan100
mac-address 0004.9a3a.4d03
ip address 172.16.100.2 255.255.255.0
!
ip default-gateway 172.16.100.1
ip classless
!
ip flow-export version 9

!
!
!
!
!
line con 0
password 7 0822455D0A16
login
!
line aux 0
!
line vty 0 4
password 7 0822455D0A16
login
line vty 5 15
password 7 0822455D0A16
login
!
!
!
!
end


12 Replies

balaji.bandi
Hall of Fame

Most access lists will be applied on a Layer 3 interface, matching what you like from source to destination; it depends on the direction in which you need to apply them, IN or OUT.


IN = originating from within the vlan going out
OUT = originating from outside the vlan going into the vlan


Some examples:


https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html

BB


That is the guide I have been using, but I am not understanding what I need to do to restrict VLAN 5 from accessing VLAN 15 and vice versa.

You block their SVI IP network prefixes from each other.

Given:

interface Vlan5
ip address 172.16.5.1 255.255.255.0

interface Vlan15
ip address 172.16.15.2 255.255.255.0

You block 172.16.5.0/24 and 172.16.15.0/24 from each other.

And I would do this on the switch? Correct?

Yes, on an L3 switch with SVIs for the VLANs involved. (NB: In theory, just blocking both in and out on just one of the two interfaces would work, but it would be a tiny bit more efficient to use IN ACLs on both interfaces. [This is because it is more efficient to drop ASAP.])

As you have an attached router, if it had interfaces on those VLANs too, they should have ACLs on them.

There are several aspects of this environment that are not clear, such as it is not clear whether this switch is layer 3 or layer 2. From the fact that I do not see an ip routing statement on the switch, and the fact that the DHCP pools clearly specify that the router is the gateway for the various subnets, I am assuming that the switch is in fact operating as layer 2. And so the access lists would be configured and applied on the router.

HTH

Rick

@Richard Burts good note about DHCP gateway assignments - I overlooked that, but something I thought curious was:

(router)
interface GigabitEthernet0/0/0.5
encapsulation dot1Q 5
ip address 172.16.5.1 255.255.255.0
!
interface GigabitEthernet0/0/0.15
encapsulation dot1Q 15
ip address 172.16.15.1 255.255.255.0

(switch)
interface Vlan5
mac-address 0004.9a3a.4d01
ip address 172.16.5.1 255.255.255.0
!
interface Vlan15
mac-address 0004.9a3a.4d02
ip address 172.16.15.2 255.255.255.0

If the above is accurate, VLAN 5 has the same interface IP on the router and the switch. Not good!

VLAN 15 has different IPs, .1 and .2. If the switch is L3, it's possible to use both interfaces, but I won't delve further into that.

However, as the switch also doesn't appear to have an ip routing statement and has "ip default-gateway 172.16.100.1", I agree with Rick's assumption that the switch is operating in L2 mode, which would mean the ACLs MUST be there. I.e., whatever interfaces are being used would need the ACLs.

Notwithstanding the prior, as I noted in my prior reply, you could need an ACL on either or both of the router and the switch, but again, to your prior question to me, "And I would do this on the switch? Correct?", Rick is correct that you must have them on the router interfaces, if they are being used. However, again, if you also use the switch (in L3 mode) and the router together, or move to the switch alone as the router, you need ACLs on the SVIs.

Basically, the interfaces are where you apply ACL to control traffic to and/or from a network/VLAN.

Also again, I mentioned it's a bit more efficient to block traffic ASAP, this is more true on a software based router than a switch.

@Joseph W. Doherty yes it is a bit ambiguous whether the switch is operating as layer 2 or as layer 3. But if the router is the gateway for the vlans then it is clear that the access lists should be on the router.

I did notice the same IP address configured on router and on switch. Certainly that is a problem. 

I noticed several other problems in the config including:

- ip default-gateway 10.1.1.1 configured on the router. default-gateway is for layer 2 devices. On layer 3 devices like the router it is ignored. This statement in the config does not damage anything. But it is not correct and should be removed.

- ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0/0 configured on the router. But 10.1.1.0/24 is the subnet configured on G0/0/1. The connected subnet will be preferred to the static route so the static route has no effect. This static route should be removed.

- ip route 0.0.0.0 0.0.0.0 Loopback1 configured on the router. This is the most serious one. I do not understand the logic of pointing the static default route to a local loopback interface. It is not clear where the static default route should be pointing, but certainly a loopback interface is not a good choice.

HTH

Rick

I corrected the IP address on the switch, thank you for noticing that. The Loopback IP route is just there to simulate the internet; I am doing this in Packet Tracer right now. I am still having difficulty in understanding how to set up the ACL on the router. I have tried several times and each time my traffic is still getting through. Can you possibly provide me an example of the proper commands?

As a first step I suggest that we need to be very clear about what you are trying to accomplish. You said "restrict vlan 5 from accessing vlan 15 and vice versa", so the objective is to prevent any communication between vlan 5 and vlan 15. Correct?

As the next step we need to decide where the access list should be placed. Assuming that the router is doing the inter vlan routing, you will need an access list on one of the interfaces on the router for these subnets/vlans. Note that you do not need access lists on both interfaces. Successful communication requires sending and receiving between the devices. As long as you prevent traffic in one subnet you will have prevented communication between both subnets.

I will suggest that the access list be placed on the interface for vlan 5. But it could just as effectively be placed on vlan 15.

As the next step we need to decide whether the access list should be configured as in or out. It could work either way but I will suggest that we do it as inbound.

As the next step we need to decide whether the access list should be a numbered access list or a named access list. For simplicity I will suggest that we use numbered. Perhaps use access list 100.

As the next step we need to configure the access list. The access list will need a statement that denies traffic from 172.16.5.0/24 to 172.16.15.0/24. And the access list will need a statement that allows traffic from 172.16.5.0/24 to everything else.

As the last step we need to assign access list 100 to interface GigabitEthernet0/0/0.5 in the inbound direction.

Give this a try and let us know how it turns out.

HTH

Rick
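As an added illustration of the steps in Rick's reply (this is my own evaluator, not code from the thread or from Cisco), here is access list 100 written in IOS syntax, a small parser for that syntax, and a simulation of the router's three subinterfaces with the ACL applied inbound on GigabitEthernet0/0/0.5 only. It shows why one inbound ACL is enough: a request from VLAN 15 still reaches VLAN 5, but the reply is dropped, so no conversation completes. The host addresses and the "packet enters on the subinterface of its source subnet" lookup are assumptions; the parser also handles `any` and host wildcards beyond the two lines used here.

```python
import ipaddress
# Added example: the ACL the accepted answer describes, in Cisco IOS syntax (address +
# wildcard). Applied on the router with: interface GigabitEthernet0/0/0.5 / ip access-group 100 in
ACL_100 = """
access-list 100 deny   ip 172.16.5.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
"""
def wildcard_net(addr, wild):
    """IOS address/wildcard -> ip_network; a wildcard of 0.0.0.0 means one host."""
    w = int(ipaddress.ip_address(wild))
    bits = bin(w).count("1")
    if w != (1 << bits) - 1:  # only contiguous wildcards are handled here
        raise ValueError(f"non-contiguous wildcard {wild}")
    return ipaddress.ip_network((addr, 32 - bits), strict=False)
def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines ('any' = 0.0.0.0/0)."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        action, rest, nets = toks[2], toks[4:], []
        while rest:  # each side is either 'any' or ADDRESS WILDCARD
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
            else:
                nets.append(wildcard_net(rest[0], rest[1])); rest = rest[2:]
        entries.append((action, nets[0], nets[1]))
    return entries
def acl_action(acl, src, dst):
    """First matching entry wins; no match hits IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"
# Router subinterfaces from the thread: (connected subnet, inbound ACL or None).
SUBIFS = {"Gi0/0/0.5":   (ipaddress.ip_network("172.16.5.0/24"),   parse_acl(ACL_100)),
          "Gi0/0/0.15":  (ipaddress.ip_network("172.16.15.0/24"),  None),
          "Gi0/0/0.100": (ipaddress.ip_network("172.16.100.0/24"), None)}
def forwarded(src, dst):
    """Assumed model: packet enters on its source subnet's subinterface; only that inbound ACL applies."""
    for net, acl in SUBIFS.values():
        if ipaddress.ip_address(src) in net:
            return acl is None or acl_action(acl, src, dst) == "permit"
    return True  # constructed: sources outside these subnets (the loopback "internet") are unfiltered

def can_talk(a, b):  # a conversation needs the request a->b and the reply b->a
    return forwarded(a, b) and forwarded(b, a)
```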

Thank you, that works and I now have a much better understanding. Thanks again.

You are welcome. I am glad that my explanation was helpful. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick