03-30-2020 01:57 PM
Hi,
I currently have the following configuration (6 VLANs) and I have a question regarding ACLs.
I would like VLANs 100 and 110 to be able to communicate with all other VLANs but other VLANs not to be able to communicate with VLANs 100 and 110.
Thank you in advance for your help!

interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in

interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in

ip access-list extended VLAN10_IN
 10 permit ip 10.0.10.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 deny ip any 10.0.0.0 0.255.255.255
 30 deny ip any 192.168.1.0 0.0.0.255
 40 permit ip any any

ip access-list extended VLAN30_IN
 10 permit ip 10.0.30.0 0.0.0.255 10.0.110.0 0.0.0.255
 30 permit ip 10.0.30.0 0.0.0.255 host 10.0.100.4
 40 deny ip any 10.0.0.0 0.255.255.255
 50 deny ip any 192.168.1.0 0.0.0.255
 60 permit ip any any

ip access-list extended VLAN60_IN
 10 permit ip 10.0.60.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 permit ip 10.0.60.0 0.0.0.255 host 10.0.20.2
 30 deny ip any 10.0.0.0 0.255.255.255
 40 deny ip any 192.168.1.0 0.0.0.255
 50 permit ip any any
03-30-2020 07:57 PM
03-31-2020 04:21 AM
Hi,
Thanks for your help, but that's not what I'm looking for.
I want VLANs 100 and 110 to be able to communicate (ping for example) with all the other VLANs. But I want all other VLANs to be unable to communicate with VLANs 100 and 110.
I want to allow traffic from VLANs 100 and 110 to other VLANs but prohibit traffic from other VLANs to VLANs 100 and 110.
Thank you!
03-31-2020 07:10 PM
What type of device are you using? I believe it's a Catalyst switch, but which model?
If it's IOS based and not IOS-XE (Cat3850 or 3650), you can use a reflexive ACL.
Here are some compatible models:
The configuration will look like this:
ip access-list extended VLAN100
 permit ip any any reflect MIRROR

ip access-list extended VLANXX
 evaluate MIRROR
 deny ip any 10.10.100.0 0.0.0.255
 permit ip any any
On your VLANs 100 and 110:

interface vlan 100
 ip access-group VLAN100 in

On your VLAN XX (all except VLANs 100 and 110):

interface vlan XX
 ip access-group VLANXX in
When you do a show access-list, you will see that it dynamically creates a permit for each flow initiated by your VLANs 100 and 110, to allow the return traffic from your other VLANs, but denies any traffic initiated directly by your VLAN XX towards VLANs 100 and 110.
CAT3K#sh access-lists
Extended IP access list VLAN100
    10 permit ip any any reflect MIRROR (9 matches)
Extended IP access list VLANXX
    10 evaluate MIRROR
    20 deny ip any 10.10.100.0 0.0.0.255 (1 match)
    30 permit ip any any (2 matches)
Reflexive IP access list MIRROR
     permit icmp host 10.10.10.2 host 10.10.100.2 (4 matches) (time left 11)
Hope this answers your question
04-01-2020 03:16 AM
Hi Francesco,
Thank you very much for your help, what I wanted to do works very well thanks to you. THANK YOU!
However, I have a little problem that I cannot solve. My router has the management IP address 10.0.100.1 and it is the only one that cannot communicate with other VLANs...
My switches are in the same IP range (10.0.100.x) and manage to ping all the other VLANs.
Router 10.0.100.1 -> Camera 10.0.60.2 = No response
Router 10.0.100.1 -> PC 10.0.110.103 = OK
Router 10.0.100.1 -> Router 10.0.110.1 (the same router) = OK
Router 10.0.100.1 -> Router 10.0.60.1 (the same router) = No response
Switch 10.0.100.2 -> Camera / PC / Router = Full OK
*** CONFIG VLANS ***

interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20_IN in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in

interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip access-group VLAN100_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip access-group VLAN110_IN in
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in

*** SHOW IP ACCESS-LISTS ***

Extended IP access list VLAN100_IN
    10 permit ip any any reflect MIRROR
Extended IP access list VLAN10_IN
    10 evaluate MIRROR
    20 deny ip any 10.0.0.0 0.0.255.255
    25 deny ip any 192.168.1.0 0.0.0.255
    30 permit ip any any
Extended IP access list VLAN110_IN
    10 permit ip any any reflect MIRROR
Extended IP access list VLAN20_IN
    10 evaluate MIRROR
    20 deny ip any 10.0.0.0 0.0.255.255
    25 deny ip any 192.168.1.0 0.0.0.255
    30 permit ip any any
Extended IP access list VLAN30_IN
    10 evaluate MIRROR
    30 deny ip any 10.0.0.0 0.0.255.255
    35 deny ip any 192.168.1.0 0.0.0.255
    40 permit ip any any
Extended IP access list VLAN60_IN
    20 evaluate MIRROR
    30 deny ip any 10.0.0.0 0.0.255.255
    35 deny ip any 192.168.1.0 0.0.0.255
    40 permit ip any any

Thanks again for your very valuable help!
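Added example (a Python model written for this thread, not code from the posts or from Cisco IOS) of how the reflect/evaluate pair in Francesco's answer behaves for the flows listed in the follow-up, using the ACL names and addresses of the follow-up config. It assumes the standard IOS behaviour that a packet the router itself originates never enters an SVI, so no inbound ACL sees it and no reflexive entry gets created; ICMP entries are untyped and no entry timeout is modelled.

```python
import ipaddress

def in_net(ip, net):
    # "any" matches every address; otherwise net is a CIDR prefix
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class Mirror:
    """The reflexive list MIRROR: 'reflect' records the mirrored (return) flow
    of a permitted packet, 'evaluate' matches incoming traffic against it."""
    def __init__(self):
        self.entries = set()          # (proto, src, dst) of allowed return traffic
    def reflect(self, proto, src, dst):
        self.entries.add((proto, dst, src))
    def evaluate(self, proto, src, dst):
        return (proto, src, dst) in self.entries

# Inbound ACLs from the follow-up config, reduced to (action, src, dst):
REFLECT = [("reflect", "any", "any")]                        # VLAN100_IN, VLAN110_IN
ISOLATED = [("evaluate", "", ""), ("deny", "any", "10.0.0.0/16"),   # VLAN10/20/30/60_IN
            ("deny", "any", "192.168.1.0/24"), ("permit", "any", "any")]
ACL_IN = {"Vlan100": REFLECT, "Vlan110": REFLECT, "Vlan10": ISOLATED,
          "Vlan20": ISOLATED, "Vlan30": ISOLATED, "Vlan60": ISOLATED}

def inbound(acl, mirror, proto, src, dst):
    """One packet entering an SVI through its inbound ACL; True = permitted."""
    for action, s, d in acl:
        if action == "evaluate":
            if mirror.evaluate(proto, src, dst):
                return True
            continue                   # no reflexive entry: fall through to the static lines
        if in_net(src, s) and in_net(dst, d):
            if action == "reflect":
                mirror.reflect(proto, src, dst)
            return action != "deny"
    return False                       # implicit deny at the end of every IOS ACL

def ping(mirror, src_vlan, src, dst_vlan, dst, router_originated=False):
    """Echo request from src on src_vlan to dst on dst_vlan; True if the reply
    gets back. Assumption (standard IOS behaviour): a router-originated packet
    never enters an SVI, so it bypasses the inbound ACL and creates no entry."""
    if not router_originated and not inbound(ACL_IN[src_vlan], mirror, "icmp", src, dst):
        return False
    return inbound(ACL_IN[dst_vlan], mirror, "icmp", dst, src)

if __name__ == "__main__":
    print(ping(Mirror(), "Vlan100", "10.0.100.2", "Vlan60", "10.0.60.2"))        # switch -> camera: True
    print(ping(Mirror(), "Vlan60", "10.0.60.2", "Vlan100", "10.0.100.2"))        # camera -> switch: False
    print(ping(Mirror(), "Vlan100", "10.0.100.1", "Vlan60", "10.0.60.2", True))  # router -> camera: False
    print(ping(Mirror(), "Vlan100", "10.0.100.1", "Vlan110", "10.0.110.103", True))  # router -> PC: True
```

The router-to-camera case fails because the echo reply enters Vlan60 with no MIRROR entry to match, so VLAN60_IN's deny for 10.0.0.0/16 drops it; the router-to-PC case works only because VLAN110_IN starts with permit ip any any.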
04-01-2020 06:18 PM