05-21-2020 07:34 PM - edited 05-22-2020 02:01 AM
Hi all,
I have a Cisco WS-C3560X-24 with 6 VLANs:
VLAN 1: 192.168.1.0/24
VLAN 2: 192.168.2.0/24
VLAN 3: 192.168.3.0/24
VLAN 4: 192.168.4.0/24
VLAN 5: 192.168.5.0/24
VLAN 6: 192.168.6.0/24
I want to configure ACL so that: All VLANs can access VLAN 1, only VLAN 1 and VLAN 2 can access other VLANs
My expected output is:
VLAN 1 and 2 can access each other and access 3, 4, 5, 6
vlan 3 can access vlan 1, cannot access vlan 2,4,5,6
vlan 4 can access vlan 1, cannot access vlan 2,3,5,6
vlan 5 can access vlan 1, cannot access vlan 2,3,4,6
vlan 6 can access vlan 1, cannot access vlan 2,3,4,5
Can you please help me with the Cisco commands?
Thanks for your help!
05-22-2020 05:19 AM - edited 05-22-2020 05:21 AM
Hello @JasonOwen ,
@Georg Pauwen has provided a good example of what you can configure.
First of all, you will need multiple ACLs applied inbound to each SVI (interface Vlan).
Second, these IP ACLs, even if extended, are not stateful, and you need to provide the return path.
So, translating the one-way connectivity requirement ("I would like TCP sessions started from hosts in VLAN 1 and 2 to hosts in VLANs 3-6 to be set up, but not the opposite"), you can use something like:
interface vlan 6
ip access-group 106 in
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 established
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established
If no other networks should be accessed, you can rely on the implicit deny any any at the end of the ACL.
However, if you need to allow internet access, or access to other networks in general, you would need to add:
access-list 106 deny ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 106 permit ip 192.168.6.0 0.0.0.255 any
Actually, you need to apply inbound ACLs only to the limited SVIs, interface Vlan 3 to interface Vlan 6.
The ACLs for SVI Vlan 3 to Vlan 5 would be similar to the one proposed here.
If hosts in VLANs 3 to 6 can access VLAN 1, the first line should be a permit ip, as proposed by Georg.
Here, I am proposing this alternate version to have only TCP sessions started from Vlan 1 to Vlans 3 to 6 to be able to be setup.
Interface Vlan1 and interface Vlan2 could stay without any ACL applied, unless your network is a closed one with no need for internet access and so on.
Note:
In case you need to provide internet access to users in VLANs 3 to 6, you may need to permit the traffic for DNS queries and DNS replies, which use UDP port 53.
It really depends on where the DNS servers are located.
Hope this helps
Giuseppe
05-22-2020 08:10 AM
There have been several posts in this discussion that mention reflexive access lists. And this relates to a fundamental problem with what you want to achieve. As an example, you want a device in VLAN 1 (perhaps it is 192.168.1.11) to communicate with a device in VLAN 3 (perhaps it is 192.168.3.33). Assuming that you will use an access list inbound on interface Vlan 3 to filter the traffic, it will receive an IP packet whose source address is 192.168.3.33 and destination is 192.168.1.11. Should the access list permit or deny this packet? The answer is deny if the packet is from 192.168.3.33 initiating something to VLAN 1. But the answer is permit if this is 192.168.3.33 responding to something initiated from VLAN 1. How does the access list determine whether this is a response or not?
To really achieve your requirements requires doing stateful inspection, in which we would know who initiated the traffic. I don't believe that your switch supports doing stateful inspection.
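As an added example that is not part of either post above: a small Python model of how IOS evaluates Giuseppe's ACL 106 (first match wins, implicit deny at the end, and "established" matching only segments with the ACK or RST bit set). It shows both points made in the thread: the reply to a session started from VLAN 1 gets through, a SYN from VLAN 6 toward VLAN 1 is dropped, and, because the switch keeps no session state, a forged ACK-only segment from VLAN 6 is permitted just like a real reply. The host addresses, the 203.0.113.53 resolver address and the packets are constructed for this example.

```python
# Added example (not from the thread): stateless evaluation of Giuseppe's ACL 106.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()  # TCP flag names present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    established: bool = False


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert an IOS address/wildcard pair to a network (assumes a contiguous wildcard)."""
    ones = bin(int(IPv4Address(wildcard))).count("1")
    return IPv4Network(f"{addr}/{32 - ones}", strict=False)


def _parse_addr(tokens):
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> list:
    """Parse 'access-list <n> <action> <proto> <src> <dst> [established]' lines, keeping order."""
    aces = []
    for line in text.strip().splitlines():
        _, _, action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        aces.append(Ace(action, proto, src, dst, "established" in rest))
    return aces


def evaluate(aces, pkt: Packet):
    """First matching ACE wins; the implicit deny at the end returns ("deny", None)."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    for index, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        # "established" only tests the ACK or RST bit of this one segment;
        # the switch keeps no record of which side sent the SYN.
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return ace.action, index
    return "deny", None


# The ACL from Giuseppe's post, as applied inbound on interface Vlan 6.
ACL_106 = parse_acl("""
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 established
access-list 106 permit tcp 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255 established
access-list 106 deny ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 106 permit ip 192.168.6.0 0.0.0.255 any
""")

# Constructed packets entering the switch from a VLAN 6 host (192.168.6.10).
SYN_6_TO_1 = Packet("tcp", "192.168.6.10", "192.168.1.20", frozenset({"SYN"}))
SYNACK_6_TO_1 = Packet("tcp", "192.168.6.10", "192.168.1.20", frozenset({"SYN", "ACK"}))
FORGED_ACK_6_TO_1 = Packet("tcp", "192.168.6.10", "192.168.1.20", frozenset({"ACK"}))
SYN_6_TO_3 = Packet("tcp", "192.168.6.10", "192.168.3.5", frozenset({"SYN"}))
DNS_6_TO_INTERNET = Packet("udp", "192.168.6.10", "203.0.113.53")


def main():
    cases = [("SYN to VLAN 1", SYN_6_TO_1), ("SYN-ACK reply to VLAN 1", SYNACK_6_TO_1),
             ("forged ACK to VLAN 1", FORGED_ACK_6_TO_1), ("SYN to VLAN 3", SYN_6_TO_3),
             ("DNS to internet", DNS_6_TO_INTERNET)]
    for label, pkt in cases:
        action, index = evaluate(ACL_106, pkt)
        where = "implicit deny" if index is None else f"ACE {index + 1}"
        print(f"{label:26} -> {action:6} ({where})")


if __name__ == "__main__":
    main()
```

The "forged ACK" case is the practical consequence of the second post: anything that sets the ACK bit matches the established line, so the ACL stops VLAN 6 from opening normal TCP connections toward VLAN 1 and 2, but not from sending arbitrary ACK-flagged segments there.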