All access on a vlan

Ipefixe
Level 1

Hi,

I currently have the following configuration (6 VLANs) and I have a question regarding ACLs.
I would like VLANs 100 and 110 to be able to communicate with all other VLANs but other VLANs not to be able to communicate with VLANs 100 and 110.

Thank you in advance for your help!


interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in

interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in

ip access-list extended VLAN10_IN
 10 permit ip 10.0.10.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 deny   ip any 10.0.0.0 0.255.255.255
 30 deny   ip any 192.168.1.0 0.0.0.255
 40 permit ip any any

ip access-list extended VLAN30_IN
 10 permit ip 10.0.30.0 0.0.0.255 10.0.110.0 0.0.0.255
 30 permit ip 10.0.30.0 0.0.0.255 host 10.0.100.4
 40 deny   ip any 10.0.0.0 0.255.255.255
 50 deny   ip any 192.168.1.0 0.0.0.255
 60 permit ip any any

ip access-list extended VLAN60_IN
 10 permit ip 10.0.60.0 0.0.0.255 10.0.110.0 0.0.0.255
 20 permit ip 10.0.60.0 0.0.0.255 host 10.0.20.2
 30 deny   ip any 10.0.0.0 0.255.255.255
 40 deny   ip any 192.168.1.0 0.0.0.255
 50 permit ip any any

Francesco Molino
VIP Alumni
Hi

If you want to allow all vlans to access vlan 100 and 110, you must have them in all your acls.
I see you have both of them on 1 acl and not on the others.
I can't validate all your acls because on some you have a permit for a specific host.
Anyway your acl should look like:
ip access-list extended VLAN-ACL
10 permit ip 10.0.0.0 0.0.255.255 10.0.100.0 0.0.0.255
20 permit ip 10.0.0.0 0.0.255.255 10.0.110.0 0.0.0.255
30 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.255.255.255
40 deny ip 10.0.0.0 0.0.255.255 192.168.1.0 0.0.0.255
50 permit ip 10.0.0.0 0.0.255.255 any

Then you can apply this acl to all your SVIs:
interface vlan xx
ip access-group VLAN-ACL in

If you need a specific acl for one svi, just duplicate it and adapt it. However, if the acl should be the same, try to keep only one, which will be simpler to manage.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Thanks for your help, but that's not what I'm looking for.
I want VLANs 100 and 110 to be able to communicate (ping for example) with all the other VLANs. But I want all other VLANs to be unable to communicate with VLANs 100 and 110.
I want to allow traffic from VLANs 100 and 110 to other VLANs but prohibit traffic from other VLANs to VLANs 100 and 110.

Thank you!

What type of device are you using? I believe it's a Catalyst switch, but which model?

If it's IOS-based and not IOS-XE (Cat3850 or 3650), you can use a reflexive acl.

Here are some compatible models:

[image: list of compatible models]


Configuration will look like this:

ip access-list extended VLAN100
 permit ip any any reflect MIRROR
ip access-list extended VLANXX
 evaluate MIRROR
 deny ip any 10.10.100.0 0.0.0.255
 permit ip any any

On your vlan 100 and 110:

interface vlan 100
 ip access-group VLAN100 in

On your vlan XX (all except vlan 100 and 110):

interface vlan XX
 ip access-group VLANXX in

When you do a show access-list, you will see that it dynamically creates a permit for each flow initiated by your vlan 100 and 110 to allow the return traffic from your other vlans, but denies any traffic initiated directly by your vlan xx to vlan 100 and 110.

CAT3K#sh access-lists

Extended IP access list VLAN100
10 permit ip any any reflect MIRROR (9 matches)
Extended IP access list VLANXX
10 evaluate MIRROR
20 deny ip any 10.10.100.0 0.0.0.255 (1 match)
30 permit ip any any (2 matches)
Reflexive IP access list MIRROR
permit icmp host 10.10.10.2 host 10.10.100.2 (4 matches) (time left 11)

Hope this answers your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you very much for your help; what I wanted to do works very well thanks to you. THANK YOU!
However, I have a little problem that I cannot solve. My router has the management IP address 10.0.100.1 and it is the only one that cannot communicate with other VLANs...
My switches are in the same IP range (10.0.100.x) and manage to ping all the other VLANs.
Router 10.0.100.1 -> Camera 10.0.60.2 = No response
Router 10.0.100.1 -> PC 10.0.110.103 = OK

Router 10.0.100.1 -> Router 10.0.110.1 (the same router) = OK
Router 10.0.100.1 -> Router 10.0.60.1 (the same router) = No response
Switch 10.0.100.2 -> Camera / PC / Router = Full OK

*** CONFIG VLANS ***

interface Vlan10
 description LAN_DOMAIN
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip helper-address 10.0.10.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 description SERVICES
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20_IN in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in

interface Vlan30
 description WLAN_DOMAIN
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30_IN in
 ip helper-address 10.0.30.1
 ip nat inside
 ip virtual-reassembly in

interface Vlan60
 description VIDEOSURVEILLANCE
 ip address 10.0.60.1 255.255.255.0
 ip access-group VLAN60_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan100
 description INTERCO
 ip address 10.0.100.1 255.255.255.0
 ip access-group VLAN100_IN in
 ip nat inside
 ip virtual-reassembly in

interface Vlan110
 description ADMINISTRATION
 ip address 10.0.110.1 255.255.255.0
 ip access-group VLAN110_IN in
 ip helper-address 10.0.110.1
 ip nat inside
 ip virtual-reassembly in


*** SHOW IP ACCESS-LISTS ***

Extended IP access list VLAN100_IN
    10 permit ip any any reflect MIRROR
Extended IP access list VLAN10_IN
    10 evaluate MIRROR
    20 deny ip any 10.0.0.0 0.0.255.255
    25 deny ip any 192.168.1.0 0.0.0.255
    30 permit ip any any
Extended IP access list VLAN110_IN
    10 permit ip any any reflect MIRROR
Extended IP access list VLAN20_IN
    10 evaluate MIRROR
    20 deny ip any 10.0.0.0 0.0.255.255
    25 deny ip any 192.168.1.0 0.0.0.255
    30 permit ip any any
Extended IP access list VLAN30_IN
    10 evaluate MIRROR
    30 deny ip any 10.0.0.0 0.0.255.255
    35 deny ip any 192.168.1.0 0.0.0.255
    40 permit ip any any
Extended IP access list VLAN60_IN
    20 evaluate MIRROR
    30 deny ip any 10.0.0.0 0.0.255.255
    35 deny ip any 192.168.1.0 0.0.0.255
    40 permit ip any any

Thanks again for your very valuable help!

You can permit these specific IPs using sequences from 1 to 10 in your ACL and bypass the reflexive feature.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question