explicitly allow inter vlan routing

sandman2036
Level 1
Level 1

I’m looking for a way to explicitly allow certain VLANs to be routable. In this example I would like VLANs 25 & 35 to talk, but 25 cannot communicate with any other VLANs. I would like to apply the rule to VLAN 35 so that I don’t have to remember to add the ACL if I create a new VLAN. I have been trying to use BLOCK_ALL-25. When I apply this to the other VLANs I get the expected behavior, but if I use it on VLAN 35 nothing matches the permit statement, and everything gets denied.

interface GigabitEthernet0/0
 no ip address
 duplex full
 speed 1000
 media-type sfp
 negotiation auto
!
interface GigabitEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.10.25.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.35
 encapsulation dot1Q 35
 ip address 10.10.35.30 255.255.255.224
!
interface GigabitEthernet0/0.45
 encapsulation dot1Q 45
 ip address 10.10.45.254 255.255.255.0
 ip access-group BLOCK_ALL-25 out
!
interface GigabitEthernet0/0.65
 encapsulation dot1Q 65
 ip address 10.10.65.254 255.255.255.0
!
interface GigabitEthernet0/0.666
 encapsulation dot1Q 666
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
ip nat inside source list 1 interface GigabitEthernet0/0.666 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip access-list extended BLOCK_ALL-25
 permit ip 10.10.25.0 0.0.0.31 any
 deny   ip any any
!
access-list 2 permit 10.10.25.0 0.0.0.31
access-list 2 deny   any

NOTE: The full config is available on my Google Drive: “working_config_CORE-R1_15NOV19_2328--REDACTED--.ios”

https://drive.google.com/drive/folders/1EdrAaIFYK1KN4rsMbuVMJ6S1G-mKq_Zu

 

 

Accepted Solution

Hello,

 

in that case, use the access list below and apply it to the subinterface for Vlan 25:

 

access-list 101 deny 10.10.25.0 0.0.0.255 10.10.45.0 0.0.0.255
access-list 101 deny 10.10.45.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 deny 10.10.25.0 0.0.0.255 10.10.65.0 0.0.0.255
access-list 101 deny 10.10.65.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 permit ip any any
!
interface GigabitEthernet0/0.25
encapsulation dot1Q 25
ip address 10.10.25.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in


11 Replies

Hello,

 

you can use the VACL below:

 

access-list 101 permit 10.10.25.0 0.0.0.255 10.10.45.0 0.0.0.255
access-list 101 permit 10.10.45.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 permit 10.10.25.0 0.0.0.255 10.10.65.0 0.0.0.255
access-list 101 permit 10.10.65.0 0.0.0.255 10.10.25.0 0.0.0.255

!

vlan access-map BLOCK_45_65 10
match ip address 101
action drop
vlan access-map BLOCK_45_65 20
action forward
!
vlan filter BLOCK_45_65 vlan-list 25

I’m guessing that I cannot do this with a single statement and I would have to update the access map with the addition of additional VLANs. Currently I am attempting to do this on a 3845 trunked to a 2960S L2 switch. I can’t seem to locate the VLAN ACCESS-MAP command. From a cursory search I believe that this is an NP or IE level topic. I’m working on my CCNA but I will attempt to follow the logic.

 

 

#These two lines will permit traffic 25>45 & 25<45

access-list 101 permit 10.10.25.0 0.0.0.255 10.10.45.0 0.0.0.255
access-list 101 permit 10.10.45.0 0.0.0.255 10.10.25.0 0.0.0.255

#same as above but for 25&65
access-list 101 permit 10.10.25.0 0.0.0.255 10.10.65.0 0.0.0.255
access-list 101 permit 10.10.65.0 0.0.0.255 10.10.25.0 0.0.0.255

!

#This declares the access name of the access map

vlan access-map BLOCK_45_65 10

#I believe this would be the if statement
match ip address 101

# I believe this would be the then statement
action drop

#I don’t quite follow what’s happening here

{
vlan access-map BLOCK_45_65 20
action forward
!
vlan filter BLOCK_45_65 vlan-list 25

}

Hello,

 

--> vlan access-map BLOCK_45_65 20
action forward
!
vlan filter BLOCK_45_65 vlan-list 25

 

This just allows everything else that is not matched by the first statement. You need that to allow Vlan 25 to access anything (including the Internet) except for Vlans 45 and 65.

 

The 'vlan access-map' should be on your 3850:

 

3850#conf t

3850(config)#vlan access-map

This is on a 3845 ISR. I do have a 3945 on the way as well as an L3 module to go with it. But for the moment and the current challenge I’m trying to do everything in the router. I fully understand that there is a significant performance hit by doing this. In my current topology I have the ISR trunked to a 2960-S, trunked again to a 3750. The only reason I’m using the 3750 is because of PoE, as I’m using a pile of AP1231s for testing. With some simple config changes and a 32-port async card they make the perfect hosts for testing. When I get all the parts for the new ISR I will be migrating to it and can simplify the physical implementation.

Hello,

 

in that case, use the access list below and apply it to the subinterface for Vlan 25:

 

access-list 101 deny 10.10.25.0 0.0.0.255 10.10.45.0 0.0.0.255
access-list 101 deny 10.10.45.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 deny 10.10.25.0 0.0.0.255 10.10.65.0 0.0.0.255
access-list 101 deny 10.10.65.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 permit ip any any
!
interface GigabitEthernet0/0.25
encapsulation dot1Q 25
ip address 10.10.25.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in

This is what I dropped on the router after cleaning up all the other ACL mess I had. I did make a mistake in my initial post: VLAN 35 is supposed to be routable only to 25 but nowhere else. I applied that correction to the last suggestion and I can still ping to and from 35 & 65. Is there a global option that I’m missing?

 

 
 
 
conf t
access-list 101 deny ip 10.10.35.0 0.0.0.255 10.10.45.0 0.0.0.255
access-list 101 deny ip 10.10.45.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 101 deny ip 10.10.35.0 0.0.0.255 10.10.65.0 0.0.0.255
access-list 101 deny ip 10.10.65.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 101 permit ip any any
interface GigabitEthernet0/0.35
ip access-group 101 in
exit
exit

Hello,

 

so you want Vlan 35 only be able to talk to Vlan 25 ?

 

Can you post your current running configuration (sh run) ?

I believe I found the error. The ACL is in the incorrect order. As I am still learning, what would be the easiest way of fixing this? The complete config is on my Google Drive.

!
ip nat inside source list 1 interface GigabitEthernet0/0.666 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 1 permit 10.10.25.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 deny   ip 10.10.35.0 0.0.0.255 10.10.45.0 0.0.0.255
access-list 101 deny   ip 10.10.45.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 101 deny   ip 10.10.35.0 0.0.0.255 10.10.65.0 0.0.0.255
access-list 101 deny   ip 10.10.65.0 0.0.0.255 10.10.35.0 0.0.0.255
!
!
!
interface GigabitEthernet0/0.65
 encapsulation dot1Q 65
 ip address 10.10.65.254 255.255.255.0
!
interface Loopback0
 ip address 10.254.254.254 255.255.255.0
!
interface GigabitEthernet0/0
 no ip address
 duplex full
 speed 1000
 media-type sfp
 negotiation auto
!
interface GigabitEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.10.25.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.35
 encapsulation dot1Q 35
 ip address 10.10.35.30 255.255.255.224
 ip access-group 101 in
!
interface GigabitEthernet0/0.45
 encapsulation dot1Q 45
 ip address 10.10.45.254 255.255.255.0
!
 
 
 

Hello,

 

I didn't see that Vlan 35 is not a /24, but a /27 network. Change the access list to:

 

access-list 101 deny ip 10.10.35.0 0.0.0.31 10.10.45.0 0.0.0.255
access-list 101 deny ip 10.10.45.0 0.0.0.255 10.10.35.0 0.0.0.31
access-list 101 deny ip 10.10.35.0 0.0.0.31 10.10.65.0 0.0.0.255
access-list 101 deny ip 10.10.65.0 0.0.0.255 10.10.35.0 0.0.0.31
access-list 101 permit ip any any

Thank you for your help. I did correct the error with the wildcard masks. Would having those misconfigured wildcards have any effect on the efficacy of the ACL rules, since in this case I’m not using any of the other subnets of 10.10.35.x? Also, I still don’t understand why the following rule wouldn’t work.

access-list 101 permit ip 10.10.25.0 0.0.0.255 10.10.35.0 0.0.0.31
access-list 101 deny ip any any

Doing something along these lines seems more secure and scalable than having to revise the ACL every time there is a change to the network.
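Added example (not from the thread or from Cisco): a small Python first-match simulator for the IOS ACL syntax posted above, using the thread's addresses. It illustrates the ordering problem found in the previous post (a leading `permit ip any any` shadows every later deny) and why the whitelist ACL proposed here denies everything when applied inbound on Gi0/0.35: every packet entering that subinterface carries a 10.10.35.x source, so a permit whose source is 10.10.25.0/24 can never match. It only understands IP entries with `any` or network/wildcard pairs, which is all the thread uses.

```python
import ipaddress

def _wild_match(addr, net, wildcard):
    # IOS wildcard semantics: 0 bits must match, 1 bits are "don't care".
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def _take_addr(tokens):
    # Consume one address spec: 'any' or 'NETWORK WILDCARD'.
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Yield (action, src, dst) from 'access-list N permit|deny [ip] SRC WC DST WC' lines."""
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # skip '!', 'conf t' and similar non-ACL lines
        rest = t[4:] if t[3] == "ip" else t[3:]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        yield t[2], src, dst

def evaluate(acl_text, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, (sn, sw), (dn, dw) in parse_acl(acl_text):
        if _wild_match(src_ip, sn, sw) and _wild_match(dst_ip, dn, dw):
            return action
    return "deny"

# Constructed from the thread: 'permit ip any any' listed first shadows the deny.
WRONG_ORDER = """
access-list 101 permit ip any any
access-list 101 deny   ip 10.10.35.0 0.0.0.255 10.10.65.0 0.0.0.255
"""
# Corrected order, with the /27 wildcard for VLAN 35, applied 'in' on Gi0/0.35.
FIXED = """
access-list 101 deny ip 10.10.35.0 0.0.0.31 10.10.65.0 0.0.0.255
access-list 101 deny ip 10.10.65.0 0.0.0.255 10.10.35.0 0.0.0.31
access-list 101 permit ip any any
"""
# The whitelist idea: inbound on Gi0/0.35 every source is 10.10.35.x,
# so the permit never matches and the explicit deny drops everything.
WHITELIST = """
access-list 101 permit ip 10.10.25.0 0.0.0.255 10.10.35.0 0.0.0.31
access-list 101 deny ip any any
"""
```

Run `evaluate(WHITELIST, "10.10.25.10", "10.10.35.5")` to see that the same entries would permit the traffic if evaluated in the 25-to-35 direction, which is why direction of application matters as much as order.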

Hello


@sandman2036 wrote:

I’m looking for a way to explicitly allow certain VLANS to be routable.  In this example I would like VLAN 25&35 to talk but 25 cannot communicate with another vlans.  I would like to apply the rule to VLAN 35 that way I don’t have to remember to do add the ACL if I create a new VLAN. 


You won’t be able to apply an ACL just on VLAN 35 to deny other traffic on VLAN 25 unless you also apply one on VLAN 25; however, you can just apply one access-list on VLAN 25 to accommodate your request.

 

access-list 100 deny ip 10.10.45.0 0.0.0.255 any
access-list 100 deny ip 10.10.65.0 0.0.0.255 any

access-list 100 permit ip any any

interface fa0/0.25
ip access-group 100 OUT



Kind Regards
Paul