08-22-2012 03:17 AM - edited 03-04-2019 05:20 PM
I have a Cisco L3 switch with 4 VLANs, and all host computers are connected to the remaining 8 Cisco 2960 switches:
VLAN 1 : 192.168.1.0/24
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 50: 192.168.30.0/24
Here is a list of my questions about extended ACLs, in order:
1. To restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL entry: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.
What will happen in this scenario if we talk about traffic from VLAN 20 to VLAN 10? Will it communicate or not?
2. How do I block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10? Please tell me the access-list command for this.
Question # 2 Depends on Question# 1...................
Please find my Cisco 3560 switch configuration in the blog below:
Regards
Kuldeep
08-22-2012 05:57 AM
Hi Alessio,
That was a typing mistake .................. it was 101.
You mean that I should put 2 access-list entries, as you told me earlier:
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Am I right?
08-22-2012 05:59 AM
yes, indeed
Alessio
11-04-2012 01:59 AM
Actually there is a simple solution. I needed a lot of time to get to this so it's worth sharing.
There is a special type of Access list called reflexive.
This kind of access list will allow traffic from one VLAN to another only if the communication is established in other direction before that.
It can't be used for IP traffic but only for every protocol separately, so you will need to use more rows in the ACL to allow TCP, ICMP, etc., but it will solve your problem.
Here is how is done:
Let's say that you have two VLANs: VLAN 10 and VLAN 20.
VLAN 10 INTERFACE = 10.10.10.1 /24
VLAN 20 INTERFACE = 10.10.20.1 /24
VLAN 10 can access VLAN 20 but,
VLAN 20 can't access VLAN 10. (That was the whole problem, to allow access only in one direction).
To be able to do so, you need to let the traffic from VLAN 10 go to VLAN 20, but you also need to let this communication go back to VLAN 10 in order to complete the bidirectional communication.
Almost every communication needs to get back to the source in order to make the circle functional.
But if you allow this communication to go back to VLAN 10, you will allow all the communication in both ways, and this is the problem that we can solve using reflexive ACLs.
We will make extended named ACL with name EASYONE:
ip access-list extended EASYONE
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
(The word established at the end of this ACL row means that this TCP traffic from VLAN 20 to VLAN 10 will only be allowed when it belongs to some communication that was started from VLAN 10, i.e. returning traffic)
permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
(This echo-reply row will allow VLAN 20 to reply to ping and other ICMP requests)
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
(This row will deny all other traffic from VLAN 20 directed to VLAN 10, but with permit ip any any it will allow VLAN 20 to go, let's say, to the gateway and further to the internet and other VLANs)
Finally, we will put the ACL EASYONE to VLAN 20 L3 interface
interface vlan 20
ip access-group EASYONE in
To conclude, the config without comments, indeed easy now that it is done:
ip access-list extended EASYONE
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
exit
interface vlan 20
ip access-group EASYONE in
The credit for the solution goes to my mentor and friend Sandra, who did the configuration and lab for it, but more than that she came up with the established word at the end of the ACL and the whole reflexive ACL solution.
For this detailed article and more about Cisco, Juniper, etc configurations from real life please visit blog howdoesinternetwork.com and enjoy networking as we do.
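As an added illustration (not the poster's configuration or any Cisco code), the following Python model evaluates the EASYONE ACL above the way IOS does for packets entering the VLAN 20 interface: top-down, first match wins, implicit deny at the end. The Packet type and the sample flows are constructed; the model reflects that `established` only tests the TCP ACK/RST bits rather than tracking connections, which is why there is no equivalent row for UDP return traffic.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets from the post: ACL is applied "in" on interface vlan 20.
VLAN10 = ipaddress.ip_network("10.10.10.0/24")
VLAN20 = ipaddress.ip_network("10.10.20.0/24")

@dataclass
class Packet:                      # constructed, minimal packet model
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: set = field(default_factory=set)   # e.g. {"SYN"}, {"SYN", "ACK"}
    icmp_type: str = ""                           # "echo" or "echo-reply"

def _in(net, addr):
    return ipaddress.ip_address(addr) in net

def easyone(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for the EASYONE ACL (first match wins)."""
    from20to10 = _in(VLAN20, pkt.src) and _in(VLAN10, pkt.dst)
    # permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
    # 'established' is stateless: it matches any TCP segment with ACK or
    # RST set, so a bare SYN (a new connection from VLAN 20) does not match.
    if pkt.proto == "tcp" and from20to10 and pkt.tcp_flags & {"ACK", "RST"}:
        return "permit"
    # permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
    if pkt.proto == "icmp" and from20to10 and pkt.icmp_type == "echo-reply":
        return "permit"
    # deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    if from20to10:
        return "deny"
    # permit ip any any (everything else, e.g. VLAN 20 towards the gateway)
    return "permit"

SAMPLE_FLOWS = [  # constructed sample packets as seen inbound on vlan 20
    ("VLAN20 host opens TCP to VLAN10 (SYN)",   Packet("tcp", "10.10.20.5", "10.10.10.7", {"SYN"})),
    ("VLAN20 replies to VLAN10 TCP (SYN/ACK)",  Packet("tcp", "10.10.20.5", "10.10.10.7", {"SYN", "ACK"})),
    ("VLAN20 answers a ping from VLAN10",       Packet("icmp", "10.10.20.5", "10.10.10.7", icmp_type="echo-reply")),
    ("VLAN20 pings VLAN10",                     Packet("icmp", "10.10.20.5", "10.10.10.7", icmp_type="echo")),
    ("VLAN20 DNS server answers VLAN10 (UDP)",  Packet("udp", "10.10.20.53", "10.10.10.7")),
    ("VLAN20 host to the internet",             Packet("tcp", "10.10.20.5", "203.0.113.9", {"SYN"})),
]

def verdicts():
    return [(label, easyone(p)) for label, p in SAMPLE_FLOWS]

if __name__ == "__main__":
    for label, verdict in verdicts():
        print(f"{verdict:6} {label}")
```

The UDP sample shows the gap a later reply in this thread points out: a UDP response from VLAN 20 carries no flag the ACL can key on, so it is dropped along with new connections.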
05-13-2013 04:17 AM
Will reflexive work on a 4500 series layer 3 switch?
I have tried the above scenario in Packet Tracer but it doesn't work and blocks both ways.
I have heard that a reflexive access list is something related to the inbound and outbound concept, and you put an evaluate command... can you clear up my concept?
Is there any other option to allow one-way access? Please help me.
11-02-2021 12:07 AM
Hello
As stated, using a routed ACL for TCP traffic you can allow established traffic to return from a blocked VLAN; unfortunately, the same cannot be performed for UDP.
https://community.cisco.com/t5/switching/communication-between-vlans/td-p/4495558