ACL to prevent InterVLAN Routing and enable access to Internet

Ranjita
Level 1

Hi All,

I have multiple VLANs and OSPF running on an L3 switch. I want to prevent VLANs 1, 2 and 3 from communicating with each other, but each of the VLANs should reach an external network via OSPF.

I tried configuring an ACL to prevent inter-VLAN routing but in that case my connection to the external network is also lost.

ip access-list extended AAA
 deny ip any <SVI of VLAN B>
 permit ip any any
exit
int vlan A
 ip access-group AAA in
exit

I have tried to block just one VLAN for now but was not successful.

Could anyone please help me with it?

2 Accepted Solutions

15 Replies

Richard Burts
Hall of Fame

From a high level your access list looks appropriate. But we do not have enough detailed information to identify the issue you are experiencing. Assuming that your vlans are using private addressing, please tell us the IP addressing of the vlans (there is no need to disguise private addressing). And please post the exact syntax of your ACL (<SVI of VLAN B> hides details that we need to know).

HTH

Rick

Hi,

Thanks for the response, let me add that in:

ip access-list extended VLAN_A
 deny ip any 10.169.10.128 255.255.255.192
 permit ip any any
exit
int vlan 100
 ip access-group VLAN_A in
exit


An ACL applied to an SVI cannot filter traffic toward the SVI IP, but it can filter traffic bypassing the SVI.

Here you can configure the ACL on the link toward the AAA server, not on the SVI.

Hi,

Thanks for the response, that was just a poor way of naming my ACL.
I have posted the exact config, please check the thread above.

10.169.10.128 <<- is this the SVI for VLAN B?

If yes, then just make the ACL direction OUT, not IN.


Yes, it is the SVI for VLAN B. Do we have to retain the permit ip any any?

I can still communicate between VLANs even after I change the ACL to OUT.

Can I see the last config and the IPs of SVI VLAN A and B?

The biggest issue is the mask used:

deny ip any 10.169.10.128 255.255.255.192

which is a subnet mask. The ACL should use mask 0.0.0.127.

The access-group could be applied either IN or OUT. Whether the VLAN B subnet is the source address or the destination address will depend on whether it is applied IN or OUT. If applied IN then it examines traffic coming from connected hosts into the switch, and VLAN B would be the destination. If applied OUT then it examines traffic going from the switch out to connected hosts, and VLAN B would be the source.

And yes, you do need to keep the permit ip any any.
HTH

Rick
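As an added illustration that is not from the thread, the following Python models how an IOS ACE matches addresses against a wildcard mask: it derives the wildcard from the 255.255.255.192 subnet mask used above, then evaluates the ACL as posted and a corrected version against constructed addresses (the VLAN A host and the external address are assumptions).

```python
import ipaddress

# Constructed values based on the thread: VLAN B is 10.169.10.128 with mask 255.255.255.192.
# The VLAN A host address below is an assumption for illustration only.
VLAN_B_NET = "10.169.10.128"
VLAN_B_SUBNET_MASK = "255.255.255.192"
VLAN_A_HOST = "10.169.20.10"
ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' is 0.0.0.0 with an all-ones wildcard


def subnet_to_wildcard(mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the wildcard mask an IOS ACE expects."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def ace_matches(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must equal the network bit, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src: str, dst: str) -> str:
    """Walk the ACEs top-down; the first match wins, and the implicit deny ends the list."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if ace_matches(src, s_net, s_wc) and ace_matches(dst, d_net, d_wc):
            return action
    return "deny"


# The ACL exactly as posted: a subnet mask sits in the wildcard position.
ACL_AS_POSTED = [("deny", *ANY, VLAN_B_NET, VLAN_B_SUBNET_MASK), ("permit", *ANY, *ANY)]
# The same ACL with the wildcard derived from that subnet mask.
ACL_CORRECTED = [("deny", *ANY, VLAN_B_NET, subnet_to_wildcard(VLAN_B_SUBNET_MASK)), ("permit", *ANY, *ANY)]


def compare(destinations, src: str = VLAN_A_HOST) -> dict:
    """Map each destination to (result with the ACL as posted, result with the corrected ACL)."""
    return {d: (evaluate(ACL_AS_POSTED, src, d), evaluate(ACL_CORRECTED, src, d)) for d in destinations}


if __name__ == "__main__":
    # .130 lies inside VLAN B, .200 lies outside it, and 192.168.1.64 stands in for an external host.
    for dst, (posted, fixed) in compare(["10.169.10.130", "10.169.10.200", "192.168.1.64"]).items():
        print(f"{dst:>15}  as posted: {posted:<6}  corrected: {fixed}")
```

With the subnet mask in the wildcard position, the deny matches any destination whose low six bits are zero (addresses ending in .0, .64, .128 or .192) regardless of network, while a real VLAN B host such as .130 is permitted.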

ip access-list extended VLAN_A
 deny ip 10.169.10.128 255.255.255.192 any
 (check @Richard Burts note about wildcard)
 permit ip any any
int vlan 100
 ip access-group VLAN_A OUT

Hi

Thanks for the help.
I tried the suggested solutions on Packet Tracer and it worked. However I missed a very important detail.
I am running HSRP on two L3 switches where I am applying the ACL. Should I use the HSRP VIP or the SVI of each VLAN in the ACL?

Both.

Hi,

Thanks that worked.
But as I am running HSRP, I believe the HSRP packets are getting filtered out as well.

%HSRP-5-STATECHANGE: Vlan10 Grp 2 state Standby -> Active
*Sep 28 11:25:44.902 UTC: %OSPF-5-ADJCHG: Process 3, Nbr 10.169.10.227 on Vlan410 from INIT to DOWN, Neighbor Down: Dead timer expired

I believe this is the reason my hosts cannot reach the network.

Could you please help me fix this?

Instead of denying the IP, deny UDP 1812/1813, the UDP ports used by the AAA RADIUS server.


@MHM Cisco World wrote:

An ACL applied to an SVI cannot filter traffic toward the SVI IP, but it can filter traffic bypassing the SVI.

Oh? Hmm, I didn't know that. I'll set up a lab to confirm that.
