ACL in VLAN

Soumik Mondal
Level 1

Hi All

I have to configure some new VLANs in our office:

VLAN-1 -- Server      192.168.0.0/24
VLAN-2 -- Systems     192.168.1.0/24
VLAN-3 -- Project-1   192.168.2.0/24
VLAN-4 -- Project-2   192.168.3.0/24

I want Project-1 and Project-2 to have access to the server VLAN only.

Access list extended Project 1:

deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255    ! Deny System VLAN
deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255    ! Deny project 2 VLAN
permit ip any any

But the problem is that the system VLAN should have access to all VLANs, but no VLAN should have access to the system VLAN. With this access list the access of the system VLAN to the other VLANs is blocked. Can anybody suggest something? We are using a 4500 as L3 switch and 2960s as L2.

8 Replies

Seb Rupik
VIP Alumni

Hi Soumik,

If I've read your requirement correctly, you'll want the following config on your 4500. Obviously change the SVI numbers as required:

interface vlan 1
 description server vlan
!
interface vlan 2
 description systems vlan
 ip access-group 102 in
!
interface vlan 3
 description project1 vlan
 ip access-group 103 in
!
interface vlan 4
 description project2 vlan
 ip access-group 104 in
!
access-list 102 remark deny server
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project1
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project2
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 103 remark deny server
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark deny project2
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 104 remark deny server
access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark deny project1
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!

cheers,

Seb.

Hi Seb

I think I am unable to describe my requirement properly.

VLAN-1 -- Server      192.168.0.0/24
VLAN-2 -- Systems     192.168.1.0/24
VLAN-3 -- Project-1   192.168.2.0/24
VLAN-4 -- Project-2   192.168.3.0/24

VLAN-1   All access
VLAN-2   All access
VLAN-3   Only Server VLAN. No other VLAN
VLAN-4   Only Server VLAN. No other VLAN

interface vlan 2
 description systems vlan
 ip access-group 102 in

access-list 102 remark deny project1
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project2
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

This will deny project 1 and project 2 access to the system VLAN and vice versa. But the system VLAN needs access to the Project 1 and Project 2 VLANs. This is my requirement.

All ACLs have a standard entry at the end (deny any any) that you cannot see; you must write at least one permit entry.

Like: access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

or like: permit ip any any

Hi Soumik,

As Markus mentioned, I forgot you need to add:

permit ip any any

...at the end of each of the ACLs, to override the implied 'deny any any'.

As the access-group statement is inbound, the suggested ACLs should work. ACL 102 will deny VLANs 1 and 2 in. Likewise, ACLs 103 and 104 do not deny the systems VLAN, so the suggested 'permit any any' will let that traffic in.

So use the following:

access-list 102 remark deny server
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project1
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project2
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 remark deny server
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark deny project2
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
!
access-list 104 remark deny server
access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark deny project1
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip any any
!

cheers,

Seb.

How to configure one-way traffic?

VLAN 2 can access VLAN 3 and VLAN 4

But VLAN 3 and VLAN 4 can't access VLAN 2

Hi,

ACLs are stateless and communication is bidirectional in IP, so you'll need to permit return traffic from VLAN 3 and VLAN 4 for VLAN 2 to access them, and deny traffic originated in VLAN 3 and VLAN 4.

For return TCP traffic you have the established keyword; for ICMP you'll need to permit at least the echo-replies, time-exceeded and port-unreachable; and for UDP you'll have to permit the possible UDP service replies (like DNS 53, DHCP 67).

Regards

Alain

Don't forget to rate helpful posts.

Hi cadet

Yes, this is the right approach to configure this. Can you help me with some configuration example or link?

Hi,

some example:

vlan2: 192.168.2.0/24
vlan3: 192.168.3.0/24
vlan4: 192.168.4.0/24

vlan2 can access vlan 3 and vlan 4 but none of these can access vlan 2. vlan 3 can access vlan 4 and vlan 4 can access vlan 3.

ip access-list extended vlan2-34
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
!
ip access-list extended vlan3-42
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
 permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded
 permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 port-unreachable
 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 permit udp 192.168.3.0 0.0.0.255 eq 53 192.168.2.0 0.0.0.255
 permit udp 192.168.3.0 0.0.0.255 eq 67 192.168.2.0 0.0.0.255
!
ip access-list extended vlan4-32
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
 permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded
 permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 port-unreachable
 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 permit udp 192.168.4.0 0.0.0.255 eq 53 192.168.2.0 0.0.0.255
 permit udp 192.168.4.0 0.0.0.255 eq 67 192.168.2.0 0.0.0.255
!
int vlan 2
 ip access-group vlan2-34 in
int vlan 3
 ip access-group vlan3-42 in
int vlan 4
 ip access-group vlan4-32 in

Regards

Alain

Don't forget to rate helpful posts.
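The following is an added example, not code from the thread or from any of the posters: a small Python evaluator for Cisco-style extended ACL entries that applies Alain's three ACLs to constructed packets one direction at a time, exactly as an inbound 'ip access-group' on each SVI would. It shows Markus's point that an ACL with no matching permit denies everything (the invisible 'deny any any'), and Alain's point that the stateless 'established', 'echo-reply' and UDP source-port lines are what let VLAN 2's own sessions come back. The grammar it parses is only what the thread uses (an assumption of this example): ip/tcp/udp/icmp, 'network wildcard' or 'any', 'eq PORT', 'established' and ICMP type names; the same evaluate function also takes the ACE part of Seb's numbered entries ('deny ip ...', 'permit ip any any', 'remark ...'). All host addresses and ports below are constructed sample values.

```python
"""Cisco-style extended ACL evaluator (an added example, not code from the thread). It models
first-match semantics, the implicit 'deny ip any any' and stateless per-direction checking, then
runs Alain's ACLs over constructed packets. The grammar covered (an assumption) is only what the
thread uses: ip/tcp/udp/icmp, 'net wildcard' or 'any', 'eq PORT', 'established', ICMP type names."""
import ipaddress
from collections import namedtuple
ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "port-unreachable"}
# ack = TCP ACK/RST bit set (what 'established' matches on); icmp_type is one of ICMP_TYPES.
Packet = namedtuple("Packet", "src dst proto sport dport ack icmp_type", defaults=(0, 0, False, ""))

def _match_addr(t, i, addr):
    """Consume 'any' or 'network wildcard' at t[i]; wildcard 1-bits are don't-care bits."""
    if t[i] == "any":
        return True, i + 1
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1]))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(t[i])) & care), i + 2

def _match_port(t, i, port):
    """Consume an optional 'eq PORT' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]) == port, i + 2
    return True, i

def ace_matches(ace, pkt):
    """True if one access-control entry matches the packet."""
    t = ace.split()
    if t[1] not in ("ip", pkt.proto):
        return False
    src_ok, i = _match_addr(t, 2, pkt.src)
    sport_ok, i = _match_port(t, i, pkt.sport)
    dst_ok, i = _match_addr(t, i, pkt.dst)
    dport_ok, i = _match_port(t, i, pkt.dport)
    if not (src_ok and sport_ok and dst_ok and dport_ok):
        return False
    for qual in t[i:]:  # trailing qualifiers
        if qual != "established" and qual not in ICMP_TYPES:
            raise ValueError(f"unsupported qualifier {qual!r}")
        if (qual == "established" and not pkt.ack) or (qual in ICMP_TYPES and pkt.icmp_type != qual):
            return False
    return True

def evaluate(acl, pkt):
    """First matching ACE decides; no match means the invisible 'deny any any' at the end."""
    for ace in acl:
        if not ace.startswith("remark") and ace_matches(ace, pkt):
            return ace.split()[0]
    return "deny"

def parse_acl(text):
    """One ACE per line, as typed under 'ip access-list extended NAME'."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def reply_only_acl(own, peer):
    """Alain's vlan3-42 / vlan4-32 pattern: free access to the other project VLAN, but towards
    vlan2 only answers (ICMP replies, established TCP, replies from the DNS/DHCP server ports)."""
    return parse_acl(f"""
        permit ip {own} 0.0.0.255 {peer} 0.0.0.255
        permit icmp {own} 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
        permit icmp {own} 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded
        permit icmp {own} 0.0.0.255 192.168.2.0 0.0.0.255 port-unreachable
        permit tcp {own} 0.0.0.255 192.168.2.0 0.0.0.255 established
        permit udp {own} 0.0.0.255 eq 53 192.168.2.0 0.0.0.255
        permit udp {own} 0.0.0.255 eq 67 192.168.2.0 0.0.0.255""")

# Alain's three ACLs, with his addressing (VLAN n = 192.168.n.0/24).
ACLS = {
    "vlan2-34": parse_acl("""
        permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
        permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255"""),
    "vlan3-42": reply_only_acl("192.168.3.0", "192.168.4.0"),
    "vlan4-32": reply_only_acl("192.168.4.0", "192.168.3.0"),
}
# 'ip access-group NAME in' on each SVI: the ACL sees traffic sourced inside that VLAN.
INBOUND = {"192.168.2.0/24": "vlan2-34", "192.168.3.0/24": "vlan3-42", "192.168.4.0/24": "vlan4-32"}

def inbound_decision(pkt, acls=ACLS):
    """Find the SVI the packet enters on (by source subnet) and run its inbound ACL."""
    for net, name in INBOUND.items():
        if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
            return evaluate(acls[name], pkt)
    return "deny"

def exchange_allowed(request, reply, acls=ACLS):
    """ACLs are stateless: a request/reply pair works only if each direction passes on its own."""
    return inbound_decision(request, acls) == "permit" and inbound_decision(reply, acls) == "permit"

def tcp_session(client, server, dport):
    """Client SYN plus the server's SYN-ACK (ACK bit set, so 'established' can match it)."""
    return Packet(client, server, "tcp", 40000, dport), Packet(server, client, "tcp", dport, 40000, ack=True)

def ping(src, dst):
    return Packet(src, dst, "icmp", icmp_type="echo"), Packet(dst, src, "icmp", icmp_type="echo-reply")

if __name__ == "__main__":
    print("vlan2 -> vlan3 http:", exchange_allowed(*tcp_session("192.168.2.10", "192.168.3.20", 80)))
    print("vlan3 -> vlan2 http:", exchange_allowed(*tcp_session("192.168.3.20", "192.168.2.10", 80)))
    # Alain's warning: drop the 'established' line and vlan2's own sessions into vlan3 break too.
    broken = dict(ACLS, **{"vlan3-42": [a for a in ACLS["vlan3-42"] if "established" not in a]})
    print("vlan2 -> vlan3 http, no 'established':", exchange_allowed(*tcp_session("192.168.2.10", "192.168.3.20", 80), broken))
```

Running the block prints the outcome for the cases discussed: a TCP session from VLAN 2 into VLAN 3 passes in both directions, the same session started from VLAN 3 is dropped on its SYN, and removing the 'established' line from vlan3-42 makes VLAN 2's own session fail on the SYN-ACK even though the request direction is still permitted, which is the failure mode Alain describes. The same evaluator can be pointed at Seb's numbered entries to confirm that a list containing only deny lines denies everything until 'permit ip any any' is appended.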