InterVLAN ACLs (with HSRP) - permit interVLAN traffic in one direction

Lukejd83
Level 1

Hi,

I'm building a packet tracer network (see attached image) and had a question on putting ACLs in place to control interVLAN access [noting HSRP is set up on both distribution switches for redundancy].

VLAN 21 10.20.21.0/24

VLAN 27 10.20.27.0/24

VLAN 88 10.20.88.0/25

VLAN 99 10.20.99.0/28

I want to block VLANs 21 and 27 from talking to each other - that's pretty easy, but I wanted to also block VLANs 21 and 27 from accessing VLANs 88 and 99, but not the other way around - i.e. I want VLANs 88 and 99 to access VLANs 21 and 27. Would anyone know how to do this?

I've tried quite a few times using ACLs, but I feel like I'm spinning my wheels now. I had considered putting an additional firewall in to protect VLANs 88 and 99, but I'm not sure if that would be overkill, and I'd kinda like to figure out how to do it with ACLs if it's possible.


Accepted Solution

"I want to block VLANs 21 and 27 from talking to each other - that's pretty easy, but I wanted to also block VLANs 21 and 27 from accessing VLANs 88 and 99, but not the other way around - i.e. I want VLANs 88 and 99 to access VLANs 21 and 27. Would anyone know how to do this?"

Yes, generally you need to use reflexive ACLs; i.e. something that keeps "state".

The reason being, if you completely block one direction, it breaks two-way communication. I.e. if "access" implies a response, you need to allow return traffic.

BTW, like a FW, reflexive ACLs work much the same, i.e. "in" is generally only allowed in response to a prior "out".

There's one other very simple ACL that supports TCP, which is to allow "in" for TCP with the established bit set.

The next step up from reflexive ACLs is IOS FW features, like CBAC, or ZFW.

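The reflexive-ACL approach from the accepted answer (plus the TCP "established" fallback it mentions) written out for the four subnets in the question; this is an added example, not configuration posted by anyone in the thread, and the ACL names, the 300-second timeout and the VLAN 21 placement are assumptions. On an SVI, "in" matches packets arriving from hosts in that VLAN and "out" matches packets leaving toward them, which is the direction convention the example relies on.

```cisco
! Added example, not posted in the thread: reflexive ACLs on the VLAN 21 SVI.
! Repeat for VLAN 27 (replace 10.20.21.0 with 10.20.27.0) and configure both
! HSRP distribution switches identically. ACL names and timeout are assumed.
!
! SVI "out" = packets leaving toward VLAN 21 hosts. Each session that VLAN 88
! or 99 starts is recorded in the temporary list RETURN_TO_SERVERS.
ip access-list extended VLAN21_OUT
 permit ip 10.20.88.0 0.0.0.127 10.20.21.0 0.0.0.255 reflect RETURN_TO_SERVERS timeout 300
 permit ip 10.20.99.0 0.0.0.15 10.20.21.0 0.0.0.255 reflect RETURN_TO_SERVERS timeout 300
 permit ip any any
!
! SVI "in" = packets arriving from VLAN 21 hosts. Replies to recorded sessions
! are matched first; anything else VLAN 21 sends toward 27, 88 or 99 is dropped.
ip access-list extended VLAN21_IN
 evaluate RETURN_TO_SERVERS
 deny ip 10.20.21.0 0.0.0.255 10.20.27.0 0.0.0.255
 deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
 permit ip any any
!
interface Vlan21
 ip access-group VLAN21_IN in
 ip access-group VLAN21_OUT out
!
! Stateless fallback covering TCP only (the "established" check): replies carry
! ACK or RST and pass, a new SYN from VLAN 21 does not. Use it in place of the
! two lists above where reflexive ACLs are not available; ICMP and UDP replies
! from VLAN 21 are still dropped by the deny entries, so ping 88 -> 21 fails.
ip access-list extended VLAN21_IN_TCPONLY
 permit tcp 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127 established
 permit tcp 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15 established
 deny ip 10.20.21.0 0.0.0.255 10.20.27.0 0.0.0.255
 deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
 permit ip any any
!
! HSRP caveat: reflexive state lives on one switch, so keep the HSRP active role
! for VLANs 21, 27, 88 and 99 on the same switch; otherwise a request can be
! recorded on one box and its reply evaluated on the other and dropped.
! Check: "show ip access-lists RETURN_TO_SERVERS" lists sessions after a ping from
! 10.20.88.x to VLAN 21; the deny counters on VLAN21_IN climb when VLAN 21 starts.
```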

7 Replies

Hi, attach the file here, zip it first.

But about the ACL, you should put the ACL on VLANs 21 and 27, blocking 88 and 99, and apply it as out.

You can also block 21 and 27 on VLANs 88 and 99 and use IN instead. But the best place to put an ACL is closer to the origin.

Thanks Flavio, I've attached my zip file.

I tried what you wrote, but the PC states destination unavailable when pinging from the 10.20.88.0 255.255.255.128 subnet, which is what I'd found before. I'm not sure, but I might have missed something?

ML-MLS-D1

! ACL 121: applied to the VLAN 21 SVI
access-list 121 deny ip 10.20.88.0 0.0.0.127 10.20.21.0 0.0.0.255
access-list 121 deny ip 10.20.99.0 0.0.0.15 10.20.21.0 0.0.0.255
access-list 121 permit ip any any
!
! ACL 127: applied to the VLAN 27 SVI
access-list 127 deny ip 10.20.88.0 0.0.0.127 10.20.27.0 0.0.0.255
access-list 127 deny ip 10.20.99.0 0.0.0.15 10.20.27.0 0.0.0.255
access-list 127 permit ip any any
!
interface vlan 21
 ip access-group 121 out
!
interface vlan 27
 ip access-group 127 out


I think the ACL is correct, but you have to apply it in the inbound direction.

What you are trying to do is possible. Please see the file attached.

Test from PC ML-SL-PC1 to ML-IT-PC1, result

C:\>ping 10.20.88.4

Pinging 10.20.88.4 with 32 bytes of data:

Reply from 10.20.21.2: Destination host unreachable.
Reply from 10.20.21.2: Destination host unreachable.
Reply from 10.20.21.2: Destination host unreachable.
Reply from 10.20.21.2: Destination host unreachable.

Ping statistics for 10.20.88.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Test from ML-IT-PC1 to ML-SL-PC1

C:\>ping 10.20.21.4

Pinging 10.20.21.4 with 32 bytes of data:

Reply from 10.20.21.4: bytes=32 time<1ms TTL=127
Reply from 10.20.21.4: bytes=32 time=14ms TTL=127
Reply from 10.20.21.4: bytes=32 time<1ms TTL=127
Reply from 10.20.21.4: bytes=32 time<1ms TTL=127

Ping statistics for 10.20.21.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 14ms, Average = 3ms

STD_NetWorld
Level 1

@Lukejd83 

We have two options.

  1. Apply ACL in SVI of VLAN 21 & 27 Outbound (Best Practice) or
  2. Apply ACL in SVI of VLAN 88 & 99 Inbound

Script for Option 1

! VLAN 99 is a /28, so its wildcard is 0.0.0.15
ip access-list extended 21_out
 deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
 permit ip any any
exit
!
interface vlan 21
 ip access-group 21_out out
exit
!
ip access-list extended 27_out
 deny ip 10.20.27.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.27.0 0.0.0.255 10.20.99.0 0.0.0.15
 permit ip any any
exit
!
interface vlan 27
 ip access-group 27_out out
exit
!


Script for Option 2

! Each list denies both VLAN 21 and VLAN 27; VLAN 99 is a /28 (wildcard 0.0.0.15)
ip access-list extended 88_in
 deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.27.0 0.0.0.255 10.20.88.0 0.0.0.127
 permit ip any any
exit
!
interface vlan 88
 ip access-group 88_in in
exit
!
ip access-list extended 99_in
 deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
 deny ip 10.20.27.0 0.0.0.255 10.20.99.0 0.0.0.15
 permit ip any any
exit
!
interface vlan 99
 ip access-group 99_in in
exit
!