08-22-2012 03:17 AM - edited 03-04-2019 05:20 PM
I have a Cisco L3 switch with 4 VLANs, and all host computers are connected to the remaining 8 Cisco 2960 switches:
VLAN 1 : 192.168.1.0/24
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 50: 192.168.30.0/24
Here is a list of my questions about extended ACLs, in order:
1. To restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL entry: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.
What will happen in this scenario to traffic from VLAN 20 to VLAN 10? Will it communicate or not?
2. How do I block traffic from VLAN 10 to VLAN 20 but allow traffic from VLAN 20 to VLAN 10? Please tell me the access-list commands for this.
Question 2 depends on Question 1.
Please find my Cisco 3560 switch configuration in the post below:
Regards
Kuldeep
08-22-2012 04:48 AM
With your #1 there will be no communication between 20 and 10. Packets from 20 would be able to get to 10 but no response will get back. And with no response there is no communication.
HTH
Rick
Sent from Cisco Technical Support iPad App
08-22-2012 03:48 AM
Hi there,
blocking both ways:
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Will it communicate?
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
With only this ACL you will have no full communication between VLAN 10 and VLAN 20, but the packets/frames from VLAN 20 will be allowed. If you do not want this, it is better to block both ways.
3. Block traffic from both sides, meaning no communication between VLAN 10 and VLAN 20 in either direction. What do we need to do?
In all this scenario I did not get whether you implemented inter-VLAN routing or not, but I guess that the first set of access lists I wrote down will do the job.
Take Care
Alessio
PS: you can use other filters too; it all depends on your purposes.
08-22-2012 04:29 AM
Hi Alessio.
I have configured inter-VLAN routing on the Cisco 3560 L3 switch by using the "ip routing" command.
You mean to say that if we block only traffic from VLAN 10 to VLAN 20, then it will block only VLAN 10 to VLAN 20 but not VLAN 20 to VLAN 10, and I can access all hosts of VLAN 10 from VLAN 20 hosts.
Am I right?
Please answer Question 1 with Yes or No.
08-22-2012 04:16 AM
Hi Kuldeep,
1. To restrict traffic from VLAN 10 to VLAN 20, I am using this: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.
Then under the Layer 3 VLAN interface apply the ACL:
ip access-group 100 in
Solution: It will block packet transfer on both sides, 10 <---> 20.
2. Block traffic from VLAN 10 to VLAN 20 but allow traffic from VLAN 20 to VLAN 10? How many access-list commands are required, one or two?
Solution: I have to find it.
3. Same as the first solution.
Regards
please rate if it helps.
08-22-2012 04:42 AM
Blocking all communication between the VLANs is easy. Permitting 20 to talk to 10 but not permitting 10 to talk to 20 is tricky. The problem is how to know if a packet from 10 to 20 is a response that should be permitted or is originating from 10 and should be denied. With TCP traffic you use the established parameter to achieve this. With ICMP you can do things like permit echo-reply but deny echo-request. With UDP there is not an easy solution. Perhaps you can identify some source port/destination port combinations to permit.
HTH
Rick
Sent from Cisco Technical Support iPad App
03-03-2015 03:30 AM
Hello All,
I have a question: how can I block printing from a subnet or VLAN on a Cisco switch?
I would like to block the 172.16.20.1 0.0.3.255 subnet from printing.
The printers' IPs are 172.16.12.20
172.16.12.21
172.16.12.22
Thanks
08-22-2012 05:42 AM
Hi Sandeep,
Please find my Cisco 3560 switch configuration for correct understanding.
08-22-2012 06:23 AM
Hi Kuldeep,
IP communication is bidirectional.
Except for TCP, where you could do an ACL looking for the SYN flag, there is no way to accomplish this with a simple ACL.
You'll have to use a stateful firewall (either a router with CBAC or ZBF, or an ASA).
Regards.
please rate if it helps.
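Rick's post (the established parameter, permitting echo-reply but not echo-request), Sandeep's post (IP is bidirectional; only TCP flags can be tested; otherwise a stateful firewall is needed) and the later printer question all come down to how a stateless, first-match ACL sees each individual packet. The following is an added example, not code from this thread or from Cisco: a small Python evaluator for IOS extended ACL lines that runs a few constructed packets through Kuldeep's posted ACL 101 and through the one-way ACL Rick describes, and then through a printer-blocking ACL for the 2015 question. The ACL numbers 110, 120 and 199, the host addresses ending in .5, the ports 22/445/9100, the sample packets and the evaluator itself are this example's assumptions; only the lines of ACL 101 come from the thread.

```python
"""First-match evaluator for Cisco IOS extended ACL lines (added example, not from the thread).
Understands: permit|deny, proto ip/tcp/udp/icmp, any | host A | A WILDCARD, eq PORT,
established, and the ICMP keywords echo / echo-reply."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    tcp_ack: bool = False  # ACK (or RST) bit set: the only thing 'established' tests
    icmp_type: str = ""    # "echo" or "echo-reply"

def _wild_match(addr, base, wild):  # IOS wildcard mask: a 1 bit means "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def _parse_addr(t, i):  # consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (matcher, next index)
    if t[i] == "any":
        return (lambda _a: True), i + 1
    if t[i] == "host":
        return (lambda a, h=t[i + 1]: a == h), i + 2
    return (lambda a, b=t[i], w=t[i + 1]: _wild_match(a, b, w)), i + 2

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        opts = t[i:]
        entries.append(dict(
            action=t[2], proto=t[3], src=src, dst=dst,
            dport=int(opts[opts.index("eq") + 1]) if "eq" in opts else None,
            established="established" in opts,
            icmp_type=next((o for o in opts if o in ("echo", "echo-reply")), None)))
    return entries

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e["proto"] not in ("ip", pkt.proto) or not (e["src"](pkt.src) and e["dst"](pkt.dst)):
            continue
        if e["dport"] not in (None, pkt.dport):
            continue
        if (e["established"] and not pkt.tcp_ack) or (e["icmp_type"] and e["icmp_type"] != pkt.icmp_type):
            continue
        return e["action"]
    return "deny"

# Kuldeep's ACL 101 as posted (minus the unreachable icmp line), applied 'in' on Vlan10 and Vlan20.
ACL_101 = """
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
"""
# Rick's one-way idea written out for 'ip access-group 110 in' on Vlan10 only (number and lines are ours).
ACL_110 = """
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
access-list 110 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 echo-reply
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip any any
"""
PERMIT_ALL = "access-list 199 permit ip any any"

def simulate(vlan10_in, vlan20_in):
    """Constructed packets: one VLAN 20 -> VLAN 10 session, plus VLAN 10-initiated attempts.
    'in' on an SVI filters packets arriving FROM that VLAN's hosts."""
    a10, a20 = parse_acl(vlan10_in), parse_acl(vlan20_in)
    h10, h20 = "192.168.10.5", "192.168.20.5"   # constructed hosts
    return {
        "syn 20->10": evaluate(a20, Packet("tcp", h20, h10, 22)),
        "syn-ack 10->20": evaluate(a10, Packet("tcp", h10, h20, 40000, tcp_ack=True)),
        "syn 10->20": evaluate(a10, Packet("tcp", h10, h20, 22)),
        "echo-reply 10->20": evaluate(a10, Packet("icmp", h10, h20, icmp_type="echo-reply")),
        "echo 10->20": evaluate(a10, Packet("icmp", h10, h20, icmp_type="echo")),
        # 'established' is stateless: a VLAN 10 host that sets ACK itself gets through
        "ack-only 10->20": evaluate(a10, Packet("tcp", h10, h20, 445, tcp_ack=True)),
        "udp reply 10->20": evaluate(a10, Packet("udp", h10, h20, 40000)),
    }

# 2015 printer question: 172.16.20.0 0.0.3.255 spans 172.16.20.0-172.16.23.255 (wildcarded bits of
# the posted 172.16.20.1 are ignored). ACL number 120 and raw-print port 9100 are this example's.
ACL_120 = """
access-list 120 deny ip 172.16.20.0 0.0.3.255 host 172.16.12.20
access-list 120 deny ip 172.16.20.0 0.0.3.255 host 172.16.12.21
access-list 120 deny ip 172.16.20.0 0.0.3.255 host 172.16.12.22
access-list 120 permit ip any any
"""

def printer_check():
    acl = parse_acl(ACL_120)
    return {
        "172.16.23.77 -> printer .21": evaluate(acl, Packet("tcp", "172.16.23.77", "172.16.12.21", 9100)),
        "172.16.24.5 -> printer .21": evaluate(acl, Packet("tcp", "172.16.24.5", "172.16.12.21", 9100)),
        "172.16.21.9 -> 172.16.12.50": evaluate(acl, Packet("tcp", "172.16.21.9", "172.16.12.50", 80)),
    }
```

Calling simulate(ACL_101, ACL_101) shows Rick's answer to question 1: the SYN from VLAN 20 is permitted on Vlan20 inbound, but the SYN-ACK coming back from VLAN 10 hits the deny on Vlan10 inbound, so no session ever completes. simulate(ACL_110, PERMIT_ALL) shows the one-way variant for question 2: SYN-ACKs and echo-replies from VLAN 10 pass, SYNs and echo-requests from VLAN 10 are dropped. The "ack-only" result is Sandeep's caveat: established only inspects TCP flags, so a VLAN 10 host that sets ACK on its own packets is not stopped, and the UDP reply has no equivalent keyword at all; only a stateful device (CBAC/ZBF or an ASA) tracks real sessions. printer_check() shows the wildcard 0.0.3.255 covering the whole /22 while a host in 172.16.24.0 and traffic to non-printer addresses are unaffected.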
08-22-2012 06:36 AM
Hi Sandeep,
You want to say that if we apply an ACL to one side, then it will affect both sides,
whether it is deny or permit?
Am I right?
08-22-2012 06:45 AM
As per my knowledge, yes, it will affect both sides.
Regards
Please rate if it helps.
11-01-2021 09:56 AM
Sir, is there any solution for problem number 2?
Block traffic from VLAN 10 to VLAN 20 but allow traffic from VLAN 20 to VLAN 10? How many access-list commands are required, one or two?
08-22-2012 05:27 AM
Hi Richard,
See this Cisco 3560 switch configuration and tell me the answers accordingly:
CORE_3560#sh run
Building configuration...
Current configuration : 5299 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CORE_3560
!
enable secret 5 $1$d6GO$No/vGsChZP5O.5ANOYI2m/
!
no aaa new-model
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Port-channel2
description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet0/2
description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet0/3
description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet0/4
description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet0/5
description *** CONNECTING TO CISCO-2960 SWITCH-3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
description *** CONNECTING TO CISCO-2960 SWITCH-4 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
description *** CONNECTING TO CISCO-2960 SWITCH-5 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
description *** CONNECTING TO CISCO-2960 SWITCH-6 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
description *** CONNECTING TO CISCO-2960 SWITCH-7 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/14
description *** CONNECTING TO CISCO-2960 SWITCH-8 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
description Connecting to Cisco-1800 Router
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1 ***** L2 switch's Vlans
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 in
!
interface Vlan50
ip address 192.168.30.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.30.10
ip http server
!
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
end
08-22-2012 06:02 AM
Hi Richard,
According to you, there will be no communication between VLAN 10 and VLAN 20 in either direction.
So please tell me how to block traffic from VLAN 10 to VLAN 20 but allow traffic from VLAN 20 to VLAN 10.
Please send me the access-list commands for that.
I am waiting for your reply.
08-22-2012 05:32 AM
Hi Kuldeep,
As Richard just stated above, no bidirectional communication would happen and therefore there is no connectivity between the hosts in VLANs 10 and 20. I still recommend following best practice: should you desire NO communication between these VLANs, just write filters in both directions.
Take Care
Alessio