03-30-2020 01:57 PM
Hi,
I currently have the following configuration (6 VLANs) and I have a question regarding ACLs.
I would like VLANs 100 and 110 to be able to communicate with all other VLANs but other VLANs not to be able to communicate with VLANs 100 and 110.
Thank you in advance for your help !
interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in
interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in
interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in
interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in
ip access-list extended VLAN10_IN
 10 permit ip 10.0.10.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 deny ip any 10.0.0.0 0.255.255.255
 30 deny ip any 192.168.1.0 0.0.0.255
 40 permit ip any any
ip access-list extended VLAN30_IN
 10 permit ip 10.0.30.0 0.0.0.255 10.0.110.0 0.0.0.255
 30 permit ip 10.0.30.0 0.0.0.255 host 10.0.100.4
 40 deny ip any 10.0.0.0 0.255.255.255
 50 deny ip any 192.168.1.0 0.0.0.255
 60 permit ip any any
ip access-list extended VLAN60_IN
 10 permit ip 10.0.60.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 permit ip 10.0.60.0 0.0.0.255 host 10.0.20.2
 30 deny ip any 10.0.0.0 0.255.255.255
 40 deny ip any 192.168.1.0 0.0.0.255
 50 permit ip any any
Accepted Solutions
03-31-2020 07:10 PM
What type of device are you using? I believe it's a Catalyst switch but which model?
If it's IOS based and not IOS-XE (Cat3850 or 3650), you can use a reflexive ACL.
Here are some compatible models:
Configuration will look like this:
ip access-list extended VLAN100
permit ip any any reflect MIRROR
ip access-list extended VLANXX
evaluate MIRROR
deny ip any 10.10.100.0 0.0.0.255
permit ip any any
On your vlan 100 and 110:
interface vlan 100
ip access-group VLAN100 in
On your vlan XX: (all except vlan 100 and 110)
interface vlan XX
ip access-group VLANXX in
When you do a show access-list, you will see that it dynamically creates the permit for each flow initiated by your VLAN 100 and 110 to allow the return traffic from your other VLANs, but denies any traffic initiated directly by your VLAN XX towards VLAN 100 and 110.
CAT3K#sh access-lists
Extended IP access list VLAN100
10 permit ip any any reflect MIRROR (9 matches)
Extended IP access list VLANXX
10 evaluate MIRROR
20 deny ip any 10.10.100.0 0.0.0.255 (1 match)
30 permit ip any any (2 matches)
Reflexive IP access list MIRROR
permit icmp host 10.10.10.2 host 10.10.100.2 (4 matches) (time left 11)
Hope this answers your question
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
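To make the reflexive ACL behaviour described in the accepted answer concrete, here is an added Python model of it (written for this page, not code from the thread or from Cisco IOS). It walks the VLAN100 and VLANXX ACLs above with three packets and only matches on protocol, source and destination; ports and the session timeout shown as "time left" in the show output are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any" as (network, wildcard)

def wc_match(ip: str, net: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set in the wildcard are don't-care."""
    to_i = lambda a: int(ipaddress.IPv4Address(a))
    return (to_i(ip) | to_i(wildcard)) == (to_i(net) | to_i(wildcard))

@dataclass
class Rule:
    action: str                 # "permit", "deny" or "evaluate"
    src: tuple = ANY            # (network, wildcard)
    dst: tuple = ANY
    reflect: str = None         # permit ... reflect <name>
    evaluate: str = None        # evaluate <name>

def apply_acl(rules, pkt, sessions):
    """pkt is (proto, src, dst); sessions maps a reflexive ACL name to the
    set of mirrored (proto, src, dst) triples it currently holds."""
    proto, src, dst = pkt
    for r in rules:
        if r.action == "evaluate":
            if pkt in sessions.setdefault(r.evaluate, set()):
                return "permit"  # return traffic of a session opened elsewhere
            continue             # no session: keep walking the static lines
        if wc_match(src, *r.src) and wc_match(dst, *r.dst):
            if r.action == "permit" and r.reflect:
                # Record the mirrored triple (src/dst swapped) so the reply
                # matches when it arrives inbound on another SVI.
                sessions.setdefault(r.reflect, set()).add((proto, dst, src))
            return r.action
    return "deny"                # implicit deny at the end of every IOS ACL

# The two ACLs from the accepted answer; VLANXX shields 10.10.100.0/24.
VLAN100 = [Rule("permit", reflect="MIRROR")]
VLANXX = [Rule("evaluate", evaluate="MIRROR"),
          Rule("deny", dst=("10.10.100.0", "0.0.0.255")),
          Rule("permit")]

def run_scenario():
    sessions, results = {}, {}
    # 1. A host in VLAN XX tries VLAN 100 first: no session yet, so denied.
    results["xx_initiates"] = apply_acl(VLANXX, ("icmp", "10.10.10.2", "10.10.100.2"), sessions)
    # 2. A host in VLAN 100 pings VLAN XX: permitted, MIRROR entry created.
    results["v100_initiates"] = apply_acl(VLAN100, ("icmp", "10.10.100.2", "10.10.10.2"), sessions)
    # 3. The echo reply arrives inbound on VLAN XX and matches the session.
    results["xx_reply"] = apply_acl(VLANXX, ("icmp", "10.10.10.2", "10.10.100.2"), sessions)
    results["mirror"] = sorted(sessions["MIRROR"])
    return results
```

The mirror entry the model records corresponds to the dynamic `permit icmp host 10.10.10.2 host 10.10.100.2` line in the show output above.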
03-30-2020 07:57 PM
If you want to allow all vlans to access vlan 100 and 110, you must have them in all your acls.
I see you have both of them on 1 acl and not on the others.
I can't validate all your acls because on some you have a permit for a specific host.
Anyway your acl should look like:
ip access-list extended VLAN-ACL
10 permit ip 10.0.0.0 0.0.255.255 10.0.100.0 0.0.0.255
20 permit ip 10.0.0.0 0.0.255.255 10.0.110.0 0.0.0.255
30 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.255.255.255
40 deny ip 10.0.0.0 0.0.255.255 192.168.1.0 0.0.0.255
50 permit ip 10.0.0.0 0.0.255.255 any
Then you can apply this ACL to all your SVIs:
interface vlan xx
ip access-group VLAN-ACL in
If you need a specific ACL for one SVI, just duplicate it and adapt it. However, if the ACL should be the same, try to keep only one, which will be simpler to manage.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
03-31-2020 04:21 AM
Hi,
Thanks for your help, but that's not what I'm looking for.
I want VLANs 100 and 110 to be able to communicate (ping for example) with all the other VLANs. But I want all other VLANs to be unable to communicate with VLANs 100 and 110.
I want to allow traffic from VLANs 100 and 110 to other VLANs but prohibit traffic from other VLANs to VLANs 100 and 110.
Thank you !
04-01-2020 03:16 AM
Hi Francesco,
Thank you very much for your help, what I wanted to do works very well thanks to you. THANK YOU !
However, I have a little problem that I cannot solve. My router has the management IP address 10.0.100.1 and it is the only one that cannot communicate with other VLANs...
My switches are in the same IP range (10.0.100.x) and manage to ping all the other VLANs.
Router 10.0.100.1 -> Camera 10.0.60.2 = No response
Router 10.0.100.1 -> PC 10.0.110.103 = OK
Router 10.0.100.1 -> Router 10.0.110.1 (the same router) = OK
Router 10.0.100.1 -> Router 10.0.60.1 (the same router) = No response
Switch 10.0.100.2 -> Camera / PC / Router = Full OK
*** CONFIG VLANS ***
interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in
interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20_IN in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in
interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in
interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip access-group VLAN100_IN in
 ip nat inside
 ip virtual-reassembly in
interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip access-group VLAN110_IN in
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in
*** SHOW IP ACCESS-LISTS ***
Extended IP access list VLAN100_IN
 10 permit ip any any reflect MIRROR
Extended IP access list VLAN10_IN
 10 evaluate MIRROR
 20 deny ip any 10.0.0.0 0.0.255.255
 25 deny ip any 192.168.1.0 0.0.0.255
 30 permit ip any any
Extended IP access list VLAN110_IN
 10 permit ip any any reflect MIRROR
Extended IP access list VLAN20_IN
 10 evaluate MIRROR
 20 deny ip any 10.0.0.0 0.0.255.255
 25 deny ip any 192.168.1.0 0.0.0.255
 30 permit ip any any
Extended IP access list VLAN30_IN
 10 evaluate MIRROR
 30 deny ip any 10.0.0.0 0.0.255.255
 35 deny ip any 192.168.1.0 0.0.0.255
 40 permit ip any any
Extended IP access list VLAN60_IN
 20 evaluate MIRROR
 30 deny ip any 10.0.0.0 0.0.255.255
 35 deny ip any 192.168.1.0 0.0.0.255
 40 permit ip any any
Thanks again for your very valuable help!
04-01-2020 06:18 PM
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
