Access list for interVLAN

JasonOwen
Level 1

Hi all,

I have a Cisco WS-C3560X-24 with 6 VLANs:

VLAN 1: 192.168.1.0/24
VLAN 2: 192.168.2.0/24
VLAN 3: 192.168.3.0/24
VLAN 4: 192.168.4.0/24
VLAN 5: 192.168.5.0/24
VLAN 6: 192.168.6.0/24

I want to configure an ACL so that all VLANs can access VLAN 1, and only VLAN 1 and VLAN 2 can access the other VLANs.

My expected output is:

vlan 1,2 can access each other and access 3,4,5,6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5


Can you please help me with the Cisco commands?

Thanks for your help!

16 Replies

JasonOwen
Level 1

Can anyone help me, please?

Thank you very much :)

Naresh Murali
Cisco Employee

Hi JasonOwen,

Please see the below ACL as per your request.

The first 8 commands allow VLAN 1 and 2 to communicate only with 3,4,5,6.

The next 4 commands allow VLAN 3,4,5,6 to communicate only with VLAN 1.

ip access-list extended test
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

Hope this helps. Additionally, if you had a proper range we could still reduce the ACL commands. Currently a range will not work, as it would allow the other networks as well.

Regards

Naresh M

Thank you @Naresh Murali so much for your advice!

Sorry, I left out part of my expectation:

regarding VLAN 1,2: they can access each other and access all the rest of the VLANs.

So I have to add 1 more line as below, right?

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Then the commands should be:

ip access-list extended test
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

then configure all VLANs to apply this ACL:

int range vlan 1-6
ip access-group test in

Otherwise, please advise.

Thank you!

Hi JasonOwen,

It will be two more lines then.

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Regards

Naresh M

Hello,

just for clarification:

vlan 1,2 can access 3,4,5,6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5

You want Vlan 2 to access Vlan 3,4,5,6, but not vice versa, that is, you don't want Vlan 3,4,5,6 to access Vlan 2? If that is the case (one-way traffic only), you need something like a reflexive access list...

Exactly @Georg Pauwen, that's my expectation, just one way! Can you help me?

Hello,

thanks for the clarification. I'll work something out and get back to you...

Hello,

sorry, it took a while, I had to test this first. Below is the config I have come up with. For the sake of simplicity, I have added a DHCP pool for each Vlan; you might or might not need this:

ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool VLAN4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
ip dhcp pool VLAN5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
ip dhcp pool VLAN6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 106 in
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established

Hello @JasonOwen,

I am afraid that reflexive ACLs may not be supported on a multilayer switch like yours.

However, you can achieve an approximate solution using extended IP ACLs if all you need is that TCP connections can be started from hosts in Vlan 1,2 to Vlans 3,4,5,6 and not vice versa.

The key command is to permit tcp between, for example, the Vlan3 IP subnet and the Vlan1 subnet, adding the keyword established at the end.

In this way all TCP sessions starting from Vlan3 to Vlan1 would be denied, as the initial packet has the TCP flag SYN set and the established keyword checks for this to be not set.

A similar reasoning could be done for ICMP, allowing ICMP echo-reply but not ICMP echo-request.

A true one-way connectivity is useless; what we would like to achieve is usually to control which side can initiate a TCP session.

UDP lacks the concept of a session.

With the proposed ACLs, the return packets of traffic initiated from Vlan 1 or 2 to Vlan 3-6 could be blocked, breaking the connectivity.

Hope to help

Giuseppe

Thank you @Giuseppe Larosa :) That's a nice explanation. But I am confused about something, can you help to explain more?

You said: "I am afraid that reflexive ACLs may be not supported on a multilayer switch like yours." -> That means my switch doesn't support running reflexive ACLs?

Hello @JasonOwen,

I'm not sure that reflexive ACLs are not supported on the C3560, but it is likely, as it is a security feature that is typically configured on routers.

If they create dynamic entries for return traffic, this is likely not supported in the TCAM of switch hardware.

For this reason I have written my post.

Edit: see

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_58_se/configuration/guide/3560scg/swacl.html?dtid=osscdc000283

Only standard and extended ACLs can be applied to an SVI on a C3560.

Even if the link is about an old release, I think this limitation is caused by a HW limitation.

Hope to help

Giuseppe

@Giuseppe Larosa OK, thanks for your comment. What I need is only one-way blocking.

Vlan 1, 2 can access each other and all vlans

vlan 3,4,5,6 can access vlan 1 but cannot access each other

Can you help me with a simple extended ACL?

Thank you!

Hello,

if you want Vlan 1 and Vlan 2 to be able to access each other, you need to add the lines marked in bold. I don't think you can achieve what you want with just one ACL (at least I could not).

ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool VLAN4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
ip dhcp pool VLAN5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
ip dhcp pool VLAN6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 106 in
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established
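
The behaviour Giuseppe describes above (a bare SYN never matches an established entry, so a TCP session can only be opened from the VLAN 1/2 side, while UDP has no session and its replies can be blocked) can be checked offline against the final config. What follows is an added example written for this thread, not Cisco code and not something Georg or Giuseppe posted: a small Python model of how IOS walks a numbered extended ACL (first match wins, implicit deny at the end), applied inbound on each SVI exactly as in the config above. The host addresses (192.168.x.10) and the off-switch address 203.0.113.1 are constructed; the VLAN-to-subnet and SVI-to-ACL mapping is the thread's own. It also shows the side effect that matters for JasonOwen's separate internet policy: with these ACLs inbound on the SVIs, only the listed destinations are permitted and everything else, internet-bound traffic included, hits the implicit deny.

```python
"""Offline check of the per-SVI inbound ACLs proposed in this thread.

Added example, not Cisco code: it models how IOS walks a numbered extended
ACL (first match wins, implicit deny at the end) and what 'established'
matches (TCP segments with ACK or RST set, never the bare SYN that opens a
session). Host addresses are constructed; the topology (VLAN n is
192.168.n.0/24, ACL 100+n inbound on interface Vlan n) is the thread's.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False


def wildcard_to_net(addr, wildcard):
    """IOS wildcard masks are the bitwise inverse of a subnet mask."""
    inv = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{inv}", strict=False)


def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC WC DST WC [established]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    return int(tok[1]), Ace(tok[2], tok[3], wildcard_to_net(tok[4], tok[5]),
                            wildcard_to_net(tok[6], tok[7]), "established" in tok[8:])


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    # 'established' needs ACK or RST on a TCP segment; a pure SYN never matches.
    if ace.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(acl, pkt):
    """First matching ACE decides; falling off the end is the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The access-list lines of the final config in the thread; '!' separators are skipped.
CONFIG = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established
"""

ACLS = {}
for _line in CONFIG.strip().splitlines():
    if not _line.startswith("!"):
        _id, _ace = parse_ace(_line)
        ACLS.setdefault(_id, []).append(_ace)


def vlan_of(ip):
    """Thread topology: VLAN n is 192.168.n.0/24; 0 means not on this switch."""
    for n in range(1, 7):
        if ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(f"192.168.{n}.0/24"):
            return n
    return 0


def switch_decision(pkt):
    """Apply the inbound ACL of the SVI the packet enters (ACL 100 + VLAN id)."""
    return evaluate(ACLS.get(100 + vlan_of(pkt.src), []), pkt)


def tcp_session_works(client, server):
    """A session needs the SYN forwarded and the SYN/ACK forwarded back."""
    syn = Packet(client, server, "tcp", syn=True)
    syn_ack = Packet(server, client, "tcp", syn=True, ack=True)
    return switch_decision(syn) == "permit" and switch_decision(syn_ack) == "permit"


def udp_exchange_works(client, server):
    """UDP carries no flags, so 'established' can never let a reply through."""
    req, rep = Packet(client, server, "udp"), Packet(server, client, "udp")
    return switch_decision(req) == "permit" and switch_decision(rep) == "permit"


if __name__ == "__main__":
    for c, s in [("192.168.1.10", "192.168.3.10"), ("192.168.2.10", "192.168.3.10"),
                 ("192.168.3.10", "192.168.2.10"), ("192.168.3.10", "192.168.4.10")]:
        print(f"TCP {c} -> {s}:", "ok" if tcp_session_works(c, s) else "blocked")
    print("UDP 192.168.2.10 -> 192.168.3.10:",
          "ok" if udp_exchange_works("192.168.2.10", "192.168.3.10") else "reply blocked")
    # Implicit deny: nothing in these ACLs permits traffic to an off-switch
    # destination (203.0.113.1 is a constructed documentation address).
    print("VLAN 3 -> internet:",
          switch_decision(Packet("192.168.3.10", "203.0.113.1", "tcp", syn=True)))
```

Run it as a script to print the verdicts, or import it and call tcp_session_works / udp_exchange_works with other constructed hosts. The model deliberately stops at what the thread's config contains: the ICMP echo-reply permit Giuseppe mentions is not modelled (it would need an ICMP type on both the ACE and the packet), and only the SVI-inbound direction is evaluated, which is enough to see that an internet-bound packet from any VLAN is dropped unless a permit for that destination is added ahead of the implicit deny.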

Thank you @Georg Pauwen and @Giuseppe Larosa again for your helpful advice.

Please note that I just want to block interVLAN access.

I already had another policy to allow all VLANs to go to the internet.

Let me try your advice and give feedback.

Thank all again.
