Solved: Re: All access on a vlan

Ipefixe · ‎03-30-2020

Hi,

I currently have the following configuration (6 VLANs) and I have a question regarding ACLs.
I would like VLANs 100 and 110 to be able to communicate with all other VLANs but other VLANs not to be able to communicate with VLANs 100 and 110.

Thank you in advance for your help !

interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in

interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in

ip access-list extended VLAN10_IN
 10 permit ip 10.0.10.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 deny   ip any 10.0.0.0 0.255.255.255
 30 deny   ip any 192.168.1.0 0.0.0.255
 40 permit ip any any

ip access-list extended VLAN30_IN
 10 permit ip 10.0.30.0 0.0.0.255 10.0.110.0 0.0.0.255
 30 permit ip 10.0.30.0 0.0.0.255 host 10.0.100.4
 40 deny   ip any 10.0.0.0 0.255.255.255
 50 deny   ip any 192.168.1.0 0.0.0.255
 60 permit ip any any

ip access-list extended VLAN60_IN
 10 permit ip 10.0.60.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 permit ip 10.0.60.0 0.0.0.255 host 10.0.20.2
 30 deny   ip any 10.0.0.0 0.255.255.255
 40 deny   ip any 192.168.1.0 0.0.0.255
 50 permit ip any any

Francesco Molino · ‎03-31-2020

What type of device are you using? I believe it's a Catalyst switch but which model?

If it's a IOS based and not IOS-XE (Cat3850 or 3650), you can use reflexive acl.

Here some models compatible:

Configuration will look like this:

ip access-list extended VLAN100
permit ip any any reflect MIRROR
ip access-list extended VLANXX
evaluate MIRROR
deny ip any 10.10.100.0 0.0.0.255
permit ip any any

On your vlan 100 and 110:

interface vlan 100

ip access-group VLAN100 in

On your vlan XX: (all except vlan 100 and 110)

interface vlan XX

ip access-group VLANXX in

When you do a show access-list, you will see that it will create dynamically the permit for each traffic initiated by you vlan 100 and 110 to allow the return traffic from your other vlans but deny any traffic initiated directly by your vlan xx to vlan 100 and 110.

CAT3K#sh access-lists

Extended IP access list VLAN100
10 permit ip any any reflect MIRROR (9 matches)
Extended IP access list VLANXX
10 evaluate MIRROR
20 deny ip any 10.10.100.0 0.0.0.255 (1 match)
30 permit ip any any (2 matches)
Reflexive IP access list MIRROR
permit icmp host 10.10.10.2 host 10.10.100.2 (4 matches) (time left 11)

Hope this answers your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎03-30-2020

Hi

If you want to allow all vlans to access vlan 100 and 110, you must have them in all your acls.
I see you have both of them on 1 acl and not on the others.
I can't validate all your acls because on some you have a permit for a specific host.
Anyway your acl should look like:
ip access-list extended VLAN-ACL
10 permit ip 10.0.0.0 0.0.255.255 10.0.100.0 0.0.0.255
20 permit ip 10.0.0.0 0.0.255.255 10.0.110.0 0.0.0.255
30 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.255.255.255
40 deny ip 10.0.0.0 0.0.255.255 192.168.1.0 0.0.0.255
50 permit ip 10.0.0.0 0.0.255.255 any

Then you can apply this acl to all you svi:
interface vlan xx
ip access-group VLAN-ACL in

If you need to have specific acl for 1 svi, just duplicate it and adapt it. However if the acl should be the same, try to keep only one which will be simple to manage.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ipefixe · ‎03-31-2020

Hi,

Thanks for your help, but that it's not what I'm looking for.
I want VLANs 100 and 110 to be able to communicate (ping for example) with all the other VLANs. But I want all other VLANs to be unable to communicate with VLANs 100 and 110.
I want to allow traffic from VLANs 100 and 110 to other VLANs but prohibit traffic from other VLANs to VLANs 100 and 110.

Thank you !

Francesco Molino · ‎03-31-2020

What type of device are you using? I believe it's a Catalyst switch but which model?

If it's a IOS based and not IOS-XE (Cat3850 or 3650), you can use reflexive acl.

Here some models compatible:

Configuration will look like this:

ip access-list extended VLAN100
permit ip any any reflect MIRROR
ip access-list extended VLANXX
evaluate MIRROR
deny ip any 10.10.100.0 0.0.0.255
permit ip any any

On your vlan 100 and 110:

interface vlan 100

ip access-group VLAN100 in

On your vlan XX: (all except vlan 100 and 110)

interface vlan XX

ip access-group VLANXX in

When you do a show access-list, you will see that it will create dynamically the permit for each traffic initiated by you vlan 100 and 110 to allow the return traffic from your other vlans but deny any traffic initiated directly by your vlan xx to vlan 100 and 110.

CAT3K#sh access-lists

Extended IP access list VLAN100
10 permit ip any any reflect MIRROR (9 matches)
Extended IP access list VLANXX
10 evaluate MIRROR
20 deny ip any 10.10.100.0 0.0.0.255 (1 match)
30 permit ip any any (2 matches)
Reflexive IP access list MIRROR
permit icmp host 10.10.10.2 host 10.10.100.2 (4 matches) (time left 11)

Hope this answers your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ipefixe · ‎04-01-2020

Hi Francesco,

Thank you very much for your help, what I wanted to do works very well thanks to you. THANK YOU !
However, I have a little problem that I cannot solve. My router has the management IP address 10.0.100.1 and it is the only one that cannot communicate with other VLANs...
My switches are in the same IP range (10.0.100.x) and manage to ping all the other VLANs.
Router 10.0.100.1 -> Camera 10.0.60.2 = No response
Router 10.0.100.1 -> PC 10.0.110.103 = OK

Router 10.0.100.1 -> Router 10.0.110.1 (the same router) = OK
Router 10.0.100.1 -> Router 10.0.60.1 (the same router) = No response
Switch 10.0.100.2 -> Camera / PC / Router = Full OK

*** CONFIG VLANS ***

interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20_IN in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in

interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip access-group VLAN100_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip access-group VLAN110_IN in
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in


*** SHOW IP ACCESS-LISTS ***

Extended IP access list VLAN100_IN
    10 permit ip any any reflect MIRROR
Extended IP access list VLAN10_IN
    10 evaluate MIRROR
    20 deny ip any 10.0.0.0 0.0.255.255
    25 deny ip any 192.168.1.0 0.0.0.255
    30 permit ip any any
Extended IP access list VLAN110_IN
    10 permit ip any any reflect MIRROR
Extended IP access list VLAN20_IN
    10 evaluate MIRROR
    20 deny ip any 10.0.0.0 0.0.255.255
    25 deny ip any 192.168.1.0 0.0.0.255
    30 permit ip any any
Extended IP access list VLAN30_IN
    10 evaluate MIRROR
    30 deny ip any 10.0.0.0 0.0.255.255
    35 deny ip any 192.168.1.0 0.0.0.255
    40 permit ip any any
Extended IP access list VLAN60_IN
    20 evaluate MIRROR
    30 deny ip any 10.0.0.0 0.0.255.255
    35 deny ip any 192.168.1.0 0.0.0.255
    40 permit ip any any

Merci encore pour ton aide très précieuse !

Francesco Molino · ‎04-01-2020

You can permit these specific IPs using sequences from 1 to 10 in your ACL and bypass the reflexive feature

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

All access on a vlan

Secure Access: How to

Secure Access: ZTA Private Access の3つの Enforcement Mode について

Secure Access: Umbrella動作確認URLのSecure Accessでの使用

Vlan access

[Q&A 集公開] 10/16 開催 Catalyst SD-WAN と Secure Access 連携