Cisco ISR Inter-VLAN ACL's

dc12132
Level 1

Hello,

 

Having serious issues trying to get ACLs to function on my Cisco ISR. I have no experience with this, so any help/input is appreciated. Using a router-on-a-stick setup here.

Essentially my goal is to allow 2 VLANs (229 & 230) to talk to each other, but deny traffic to/from all other VLANs:

 

These are the interfaces for these VLANs on my router:

 

interface GigabitEthernet0/0/0.229
encapsulation dot1Q 229
ip address 10.69.116.1 255.255.254.0

 

interface GigabitEthernet0/0/0.230
encapsulation dot1Q 230
ip address 10.69.118.1 255.255.254.0

I want to create/apply ACLs to allow these 2 subnets to communicate with each other, but disallow communication to everything else. I attempted to do this in Packet Tracer but failed; my ACLs would never deny any traffic.

 

The ACLs I tried:

ip access-list extended VLAN229_ACL
permit ip 10.69.118.0 0.0.1.255 any
permit ip 10.69.116.0 0.0.1.255 any
deny ip any any
ip access-list extended VLAN230_ACL
permit ip 10.163.116.0 0.0.1.255 any
permit ip 10.163.118.0 0.0.1.255 any
deny ip any any

I then applied the "VLAN229_ACL" to the .229 interface and the "VLAN230_ACL" to the .230 interface, both inbound.

I was still able to ping devices on both subnets from a device on a 10.18.20.x subnet.

 

Any help is appreciated.

 

 

 

4 Replies

Hello


@dc12132 wrote:

I want to create/apply ACLs to allow these 2 subnets to communicate with each other, but disallow communication to everything else


Try the following:
no ip access-list extended VLAN229_ACL
no ip access-list extended VLAN230_ACL

ip access-list extended VLAN229_230_ACL
permit ip any 10.69.116.0 0.0.1.255
permit ip any 10.69.118.0 0.0.1.255

interface GigabitEthernet0/0/0.229
ip access-group VLAN229_230_ACL in

interface GigabitEthernet0/0/0.230
ip access-group VLAN229_230_ACL in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Deepak Kumar (Accepted Solution)
VIP Alumni

Hi,

Change your ACL as:

 

ip access-list extended VLAN229_ACL
permit ip 10.69.118.0 0.0.1.255 10.69.116.0 0.0.1.255
permit ip 10.69.116.0 0.0.1.255 10.69.118.0 0.0.1.255
deny ip any any

!

ip access-list extended VLAN230_ACL
! addresses corrected to the 10.69.116.0/23 and 10.69.118.0/23 ranges configured on the subinterfaces (the post as written used 10.163.x, which no traffic from these VLANs could ever match)
permit ip 10.69.116.0 0.0.1.255 10.69.118.0 0.0.1.255
permit ip 10.69.118.0 0.0.1.255 10.69.116.0 0.0.1.255
deny ip any any

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

This worked, thank you!

Hello,

 

On a side note, in addition to the other posts: typically you would want to allow your users Internet access, even if you want to restrict inter-VLAN traffic. If that is required, add the third (deny 10.69.0.0 0.0.255.255 ...) and fourth (permit ... any) lines to each access list:

 

ip access-list extended VLAN229_ACL
permit ip 10.69.116.0 0.0.1.255 10.69.118.0 0.0.1.255
permit ip 10.69.118.0 0.0.1.255 10.69.116.0 0.0.1.255
deny ip 10.69.0.0 0.0.255.255 10.69.0.0 0.0.255.255
permit ip 10.69.116.0 0.0.1.255 any
!
ip access-list extended VLAN230_ACL
permit ip 10.69.118.0 0.0.1.255 10.69.116.0 0.0.1.255
permit ip 10.69.116.0 0.0.1.255 10.69.118.0 0.0.1.255
deny ip 10.69.0.0 0.0.255.255 10.69.0.0 0.0.255.255
permit ip 10.69.118.0 0.0.1.255 any
!
interface GigabitEthernet0/0/0.229
encapsulation dot1Q 229
ip address 10.69.116.1 255.255.254.0
ip access-group VLAN229_ACL in
!
interface GigabitEthernet0/0/0.230
encapsulation dot1Q 230
ip address 10.69.118.1 255.255.254.0
ip access-group VLAN230_ACL in
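Because the thread hinges on two IOS ACL rules that are easy to get wrong (a wildcard mask is the inverse of a subnet mask, and the first matching entry wins with an implicit deny at the end), the following added example evaluates the three VLAN229 ACLs from this thread (the original post's, the accepted answer's, and the Internet-permitting variant from the last reply) against a handful of constructed flows. It is not code from the original thread or from Cisco; the evaluator, the flow list and the function names (`wildcard_match`, `parse_acl`, `evaluate`, `compare`) are this example's own, and it models only `permit|deny ip SRC DST` entries, which is all the thread uses.

```python
"""Cisco extended-ACL evaluator (added example; not from the original thread)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny', source spec, destination spec."""
    action: str
    src: str   # "any" or "address wildcard"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    So '10.69.116.0 0.0.1.255' covers 10.69.116.0-10.69.117.255 (a /23)."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip SRC DST' lines (only 'ip' entries, as used on this page)."""
    aces: list[Ace] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] in ("!", "ip"):   # skip comments and the access-list header
            continue
        action, proto, rest = parts[0], parts[1], parts[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        # SRC and DST are each either the single token 'any' or 'address wildcard'.
        if rest[0] == "any":
            src, rest = "any", rest[1:]
        else:
            src, rest = " ".join(rest[:2]), rest[2:]
        dst = "any" if rest[0] == "any" else " ".join(rest[:2])
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# The ACLs from the thread, as posted (names and addresses unchanged).
OP_VLAN229_ACL = """
permit ip 10.69.118.0 0.0.1.255 any
permit ip 10.69.116.0 0.0.1.255 any
deny ip any any
"""
OP_VLAN230_ACL = """
permit ip 10.163.116.0 0.0.1.255 any
permit ip 10.163.118.0 0.0.1.255 any
deny ip any any
"""
ACCEPTED_VLAN229_ACL = """
permit ip 10.69.118.0 0.0.1.255 10.69.116.0 0.0.1.255
permit ip 10.69.116.0 0.0.1.255 10.69.118.0 0.0.1.255
deny ip any any
"""
INTERNET_VLAN229_ACL = """
permit ip 10.69.116.0 0.0.1.255 10.69.118.0 0.0.1.255
permit ip 10.69.118.0 0.0.1.255 10.69.116.0 0.0.1.255
deny ip 10.69.0.0 0.0.255.255 10.69.0.0 0.0.255.255
permit ip 10.69.116.0 0.0.1.255 any
"""

# Constructed sample flows, all sourced from a VLAN 229 host, since the ACL is applied
# inbound on Gi0/0/0.229 and therefore only ever sees packets entering from that VLAN.
FLOWS = [
    ("10.69.116.5", "10.69.118.7"),    # VLAN 229 -> VLAN 230 (should be permitted)
    ("10.69.117.200", "10.69.118.7"),  # upper half of the /23, still VLAN 229
    ("10.69.116.5", "10.69.120.3"),    # another 10.69.x VLAN (should be denied)
    ("10.69.116.5", "10.18.20.9"),     # the subnet the OP could still ping from
    ("10.69.116.5", "8.8.8.8"),        # Internet
]


def compare(flows=FLOWS) -> dict[tuple[str, str], dict[str, str]]:
    """Evaluate each flow against the three VLAN229 ACLs from the thread."""
    acls = {"original": parse_acl(OP_VLAN229_ACL),
            "accepted": parse_acl(ACCEPTED_VLAN229_ACL),
            "internet": parse_acl(INTERNET_VLAN229_ACL)}
    return {flow: {name: evaluate(acl, *flow) for name, acl in acls.items()} for flow in flows}


if __name__ == "__main__":
    for (src, dst), verdicts in compare().items():
        print(f"{src:>14} -> {dst:<14} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows why the original post's ACL "never denied anything": both of its permit lines end in `any`, so every packet from a 10.69.116.0/23 host is permitted before the `deny ip any any` is reached. The accepted answer permits only the two flows to 10.69.118.0/23 and denies the rest. The Internet-permitting variant does let 8.8.8.8 through, but its deny line covers only 10.69.0.0/16, so with the addresses given in the thread the 10.18.20.x subnet is still reachable from VLAN 229 and would need its own deny line (or a deny covering all internal ranges) placed before the final `permit ... any`. Two further caveats the evaluator makes visible: the original VLAN230_ACL as posted, with its 10.163.x addresses, matches nothing that 10.69.118.x hosts send, so everything from VLAN 230 falls through to the deny; and an inbound ACL on a subinterface filters only packets arriving from that VLAN, so a host on another VLAN can still deliver packets into VLAN 229; what the ACL cuts is the return path, which is why pings fail.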