05-21-2020 07:34 PM - edited 05-22-2020 02:01 AM
Hi all,
I have a Cisco WS-C3560X-24 with 6 VLANs:
VLAN 1: 192.168.1.0/24
VLAN 2: 192.168.2.0/24
VLAN 3: 192.168.3.0/24
VLAN 4: 192.168.4.0/24
VLAN 5: 192.168.5.0/24
VLAN 6: 192.168.6.0/24
I want to configure ACL so that: All VLANs can access VLAN 1, only VLAN 1 and VLAN 2 can access other VLANs
My expected output is:
vlan 1,2 can access each other and access 3,4,5,6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5
Can you please help me with the Cisco commands?
Thanks for your help!
05-21-2020 09:02 PM
Can anyone help me, please?
Thank you very much :)
05-21-2020 10:42 PM
Hi JasonOwen,
Please see the below ACL as per your request.
The first 8 commands allow vlan 1 and 2 to communicate only to 3,4,5,6.
The next 4 commands allow vlan 3,4,5,6 to communicate only to vlan 1.
ip access-list extended test
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
Hope this helps. Additionally, if you had a proper range, we could still restrict the ACL commands. Currently the range will not work, as it will allow the other networks as well.
Regards
Naresh M
05-21-2020 11:31 PM
Thanks @Naresh Murali so much for your advice!
Sorry, I left out one expectation:
regarding vlan 1,2: they can access each other and access all the rest of the vlans.
So I have to add 1 more line as below, right?
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Then the commands should be:
ip access-list extended test
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
then configure all vlans to use this ACL
int range vlan 1-6
ip access-group test in
Otherwise, please advise.
Thank you!
05-22-2020 02:29 AM
Hi JasonOwen,
It will be two more lines then.
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Regards
Naresh M
05-21-2020 11:46 PM
Hello,
just for clarification:
vlan 1,2 can access 3,4,5,6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5
You want Vlan 2 to access Vlan 3,4,5,6, but not vice versa, that is, you don't want Vlan 3,4,5,6 to access Vlan 2? If that is the case (one way traffic only), you need something like a reflexive access list...
05-22-2020 12:25 AM
Exactly @Georg Pauwen, that is my expectation, just one way! Can you help me?
05-22-2020 01:04 AM
Hello,
thanks for the clarification. I'll work something out and get back to you...
05-22-2020 02:55 AM
Hello,
sorry, it took a while, I had to test this first. Below is the config I have come up with. For the sake of simplicity, I have added a DHCP pool for each Vlan, you might or might not need this:
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool VLAN4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
ip dhcp pool VLAN5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
ip dhcp pool VLAN6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 106 in
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established
05-22-2020 01:23 AM
Hello @JasonOwen ,
I am afraid that reflexive ACLs may be not supported on a multilayer switch like yours.
However, you can achieve an approximate solution using extended IP ACLs if all you need is that TCP connections can be started from hosts in Vlan 1,2 to vlans 3,4,5,6 and not vice versa.
The key command is to permit tcp between, for example, the Vlan3 IP subnet and the Vlan1 subnet, adding the keyword established at the end.
In this way all TCP sessions starting from Vlan3 to Vlan1 would be denied, as the initial packet has the TCP flag SYN set and the established keyword checks for this to be not set.
A similar reasoning could be done for ICMP, allowing ICMP echo-reply but not ICMP echo-request.
A true one-way connectivity is useless; what we would like to achieve is usually to control which side can initiate a TCP session.
UDP lacks the concept of a session.
With the proposed ACLs the return packets of traffic initiated from Vlan 1 or 2 to Vlan 3-6 could be blocked, breaking the connectivity.
Hope to help
Giuseppe
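The established behaviour Giuseppe describes, checked against the ACL 103 lines from the config posted above. This is an added Python example, not from the thread or from Cisco; it parses only the numbered-ACL syntax used in this thread, and the host addresses it tests are constructed.

```python
import ipaddress

# Constructed copy of the two ACL 103 lines from the config posted above
# (applied inbound on interface Vlan3, so "src" is the Vlan3 host).
ACL_103 = """
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
"""

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def parse_acl(text):
    """Parse lines of the form:
    access-list N permit|deny ip|tcp|udp|icmp SRC SRC_WC DST DST_WC [established]
    (only the syntax used in this thread is handled)."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        rules.append({"action": f[2], "proto": f[3],
                      "src": f[4], "swc": f[5], "dst": f[6], "dwc": f[7],
                      "established": f[-1] == "established"})
    return rules

def evaluate(rules, proto, src, dst, ack_or_rst=False):
    """First matching entry wins; 'established' matches only TCP segments
    with ACK or RST set, i.e. never the bare SYN that opens a connection."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, r["src"], r["swc"])
                and wildcard_match(dst, r["dst"], r["dwc"])):
            continue
        if r["established"] and not (proto == "tcp" and ack_or_rst):
            continue
        return r["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL

if __name__ == "__main__":
    rules = parse_acl(ACL_103)
    # Vlan3 host opening a connection to Vlan2: SYN only, no ACK -> dropped.
    print(evaluate(rules, "tcp", "192.168.3.10", "192.168.2.20"))
    # Vlan3 host answering a connection Vlan2 opened: SYN-ACK -> permitted.
    print(evaluate(rules, "tcp", "192.168.3.10", "192.168.2.20", ack_or_rst=True))
    # Giuseppe's caveat: UDP or ICMP replies from Vlan3 to Vlan2 are dropped.
    print(evaluate(rules, "udp", "192.168.3.10", "192.168.2.20"))
```

The last case is the one to watch in practice: a DNS or ping from Vlan2 to Vlan3 would get no answer back through ACL 103, while the same traffic towards Vlan1 is covered by the plain permit ip entry.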
05-22-2020 02:31 AM
Thanks @Giuseppe Larosa :) That's a nice explanation. But I'm confused about something; can you help explain more?
You said: "I am afraid that reflexive ACLs may be not supported on a multilayer switch like yours." -> That means my switch doesn't support running reflexive ACLs?
05-22-2020 02:46 AM - edited 05-22-2020 02:53 AM
Hello @JasonOwen ,
I'm not sure that reflexive ACLs are not supported on the C3560, but it is likely, as it is a security feature that is typically configured on routers.
If they create dynamic entries for return traffic, this is likely not supported by the TCAM in switch hardware.
For this reason I wrote my post.
Edit:
see
only standard and extended ACLs can be applied to an SVI on a C3560.
Even if the link is about an old release, I think this limitation is caused by a HW limitation.
Hope to help
Giuseppe
05-22-2020 02:57 AM - edited 05-22-2020 03:05 AM
@Giuseppe Larosa Ok, thanks for your comment. What I need is only one-way blocking.
Vlan 1, 2 can access each other and all vlans
vlan 3,4,5,6 can access vlan 1 but cannot access each other
Can you help me with a simple extended ACL?
Thank you!
05-22-2020 03:44 AM
Hello,
if you want Vlan 1 and Vlan 2 to be able to access each other, you need to add the lines marked in bold. I don't think you can achieve what you want with just one ACL (at least I could not).
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool VLAN4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
ip dhcp pool VLAN5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
ip dhcp pool VLAN6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 106 in
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255 established
!
access-list 106 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established
05-24-2020 07:15 PM
Thanks @Georg Pauwen and @Giuseppe Larosa again for your helpful advice.
Please note that I just want to block inter-VLAN access.
I already had another policy to allow all vlans to go to the internet.
Let me try your advice and give feedback.
Thanks all again.