04-11-2023 08:37 AM
Hi,
I'm building a Packet Tracer network (see attached image) and had a question on putting ACLs in place to control inter-VLAN access [noting HSRP is set up on both distribution switches for redundancy].
VLAN 21 10.20.21.0/24
VLAN 27 10.20.27.0/24
VLAN 88 10.20.88.0/25
VLAN 99 10.20.99.0/28
I want to block VLANs 21 and 27 from talking to each other - that's pretty easy, but I wanted to also block VLANs 21 and 27 from accessing VLANs 88 and 99, but not the other way around - i.e. I want VLANs 88 and 99 to access VLANs 21 and 27. Would anyone know how to do this?
I've tried quite a few times using ACLs, but I feel like I'm spinning my wheels now. I had considered putting an additional firewall in to protect VLANs 88 and 99, but I'm not sure if that would be overkill, and I'd kind of like to figure out how to do it with ACLs if it's possible.
04-11-2023 03:32 PM
"I want to block VLANs 21 and 27 from talking to each other - that's pretty easy, but I wanted to also block VLANs 21 and 27 from accessing VLANs 88 and 99, but not the other way around - i.e. I want VLANs 88 and 99 to access VLANs 21 and 27. Would anyone know how to do this?"
Yes, generally you need to use reflexive ACLs; i.e. something that keeps "state".
The reason being, if you completely block one direction, it breaks two-way communication. I.e. if "access" implies a response, you need to allow return traffic.
BTW, like a FW, reflexive ACLs work much the same, i.e. "in" is generally only allowed in response to a prior "out".
There's one other very simple ACL that supports TCP, which is to allow "in" for TCP with established bit set.
The next step up from reflexive ACLs is IOS FW features, like CBAC, or ZFW.
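As a worked illustration of the stateful approach described in this answer, here is an added example (my own configuration, not one posted in this thread or taken from the attached Packet Tracer file). It protects VLAN 88 with a reflexive ACL pair on the VLAN 88 SVI, and then shows the simpler TCP "established" variant on the VLAN 21 SVI. All ACL and reflexive-list names (VLAN88_FROM_HOSTS, VLAN88_SESSIONS, and so on) and the timeouts are my own choices; the subnets are the ones from the question. Note the direction semantics on an SVI: "in" filters packets arriving from that VLAN's own hosts, "out" filters packets the switch routes toward that VLAN's hosts.

```cisco
! Added example, not from the thread. Reflexive ACL pair for the VLAN 88 SVI.
! Configure it identically on both distribution switches (HSRP pair).
!
! Inbound = packets from VLAN 88 hosts. Sessions they start toward VLAN 21/27
! are recorded as temporary mirror entries in the reflexive list VLAN88_SESSIONS.
! ICMP tracking assumes an IOS release whose reflexive ACLs support ICMP.
ip access-list extended VLAN88_FROM_HOSTS
 permit tcp 10.20.88.0 0.0.0.127 10.20.21.0 0.0.0.255 reflect VLAN88_SESSIONS timeout 300
 permit udp 10.20.88.0 0.0.0.127 10.20.21.0 0.0.0.255 reflect VLAN88_SESSIONS timeout 60
 permit icmp 10.20.88.0 0.0.0.127 10.20.21.0 0.0.0.255 reflect VLAN88_SESSIONS timeout 30
 permit tcp 10.20.88.0 0.0.0.127 10.20.27.0 0.0.0.255 reflect VLAN88_SESSIONS timeout 300
 permit udp 10.20.88.0 0.0.0.127 10.20.27.0 0.0.0.255 reflect VLAN88_SESSIONS timeout 60
 permit icmp 10.20.88.0 0.0.0.127 10.20.27.0 0.0.0.255 reflect VLAN88_SESSIONS timeout 30
 permit ip any any
!
! Outbound = packets routed toward VLAN 88 hosts. Order matters: replies that
! match a mirror entry are accepted first, then anything VLAN 21/27 tries to
! initiate is dropped, then everything else (for example VLAN 99) is allowed.
ip access-list extended VLAN88_TO_HOSTS
 evaluate VLAN88_SESSIONS
 deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.27.0 0.0.0.255 10.20.88.0 0.0.0.127
 permit ip any any
!
interface Vlan88
 ip access-group VLAN88_FROM_HOSTS in
 ip access-group VLAN88_TO_HOSTS out
!
! VLAN 99 gets the same pair with 10.20.99.0 0.0.0.15 as the protected network.
!
! Stateless alternative using the TCP "established" keyword, applied inbound on
! the VLAN 21 SVI: VLAN 21 hosts may answer TCP connections that VLAN 88/99
! opened (ACK or RST set) but cannot initiate anything toward them. Non-TCP
! replies such as ICMP echo replies or DNS over UDP are still dropped, so a
! ping from VLAN 88 to VLAN 21 fails under this variant even though TCP works.
ip access-list extended VLAN21_FROM_HOSTS
 permit tcp 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127 established
 permit tcp 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15 established
 deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
 deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
 deny ip 10.20.21.0 0.0.0.255 10.20.27.0 0.0.0.255
 permit ip any any
!
interface Vlan21
 ip access-group VLAN21_FROM_HOSTS in
```

Two caveats for this topology. First, reflexive state lives on the switch that saw the outbound packet and is not shared between the HSRP peers, so if the return path lands on the standby switch (asymmetric routing) the reply is dropped; keep both switches' ACLs identical and be aware of this when failing over. Second, reflect/evaluate are a software IOS feature; many hardware-forwarding Catalyst L3 switches do not accept them (and I would not assume Packet Tracer does), in which case the "established" variant or a zone-based firewall, as the answer above notes, is the remaining option. Use show access-lists to see the temporary mirror entries appear and age out while testing.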
04-11-2023 09:26 AM
Hi, attach the file here; zip it first.
But about the ACL, you should put the ACL on VLANs 21 and 27 blocking 88 and 99 and apply it as out.
You can also block 21 and 27 on VLANs 88 and 99 and use IN instead. But the best place to put an ACL is closer to the origin.
04-11-2023 02:42 PM - last edited on 04-11-2023 10:11 PM by Translator
Thanks Flavio - I've attached my zip file.
I tried what you wrote, but the PC states destination unavailable when pinging from the 10.20.88.0 255.255.255.128 subnet, which is what I'd found before. I'm not sure, but I might have missed something?
ML-MLS-D1
! ACL 121: deny VLAN 88 and VLAN 99 sources toward VLAN 21, allow the rest
access-list 121 deny ip 10.20.88.0 0.0.0.127 10.20.21.0 0.0.0.255
access-list 121 deny ip 10.20.99.0 0.0.0.15 10.20.21.0 0.0.0.255
access-list 121 permit ip any any
! ACL 127: deny VLAN 88 and VLAN 99 sources toward VLAN 27, allow the rest
access-list 127 deny ip 10.20.88.0 0.0.0.127 10.20.27.0 0.0.0.255
access-list 127 deny ip 10.20.99.0 0.0.0.15 10.20.27.0 0.0.0.255
access-list 127 permit ip any any
! applied outbound on the SVIs, i.e. on packets routed toward the VLAN hosts
interface vlan 21
ip access-group 121 out
interface vlan 27
ip access-group 127 out
04-11-2023 03:19 PM
I think the ACL is correct, but you have to apply it in the inbound direction.
04-11-2023 06:33 PM - last edited on 04-11-2023 10:15 PM by Translator
What you are trying to do is possible. Please, see the file attached.
Test from PC ML-SL-PC1 to ML-IT-PC1, result:
C:\>ping 10.20.88.4
Pinging 10.20.88.4 with 32 bytes of data:
Reply from 10.20.21.2: Destination host unreachable.
Reply from 10.20.21.2: Destination host unreachable.
Reply from 10.20.21.2: Destination host unreachable.
Reply from 10.20.21.2: Destination host unreachable.
Ping statistics for 10.20.88.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Test from ML-IT-PC1 to ML-SL-PC1, result:
C:\>ping 10.20.21.4
Pinging 10.20.21.4 with 32 bytes of data:
Reply from 10.20.21.4: bytes=32 time<1ms TTL=127
Reply from 10.20.21.4: bytes=32 time=14ms TTL=127
Reply from 10.20.21.4: bytes=32 time<1ms TTL=127
Reply from 10.20.21.4: bytes=32 time<1ms TTL=127
Ping statistics for 10.20.21.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 14ms, Average = 3ms
04-11-2023 11:05 AM
04-11-2023 01:39 PM - last edited on 04-11-2023 10:18 PM by Translator
We have two options.
Script for Option 1 (filter on the source VLANs 21 and 27)
! named IP ACLs need the "extended" keyword; VLAN 99 is a /28, so its wildcard is 0.0.0.15
ip access-list extended 21_out
deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
permit ip any any
exit
!
interface vlan 21
ip access-group 21_out out
exit
!
ip access-list extended 27_Out
deny ip 10.20.27.0 0.0.0.255 10.20.88.0 0.0.0.127
deny ip 10.20.27.0 0.0.0.255 10.20.99.0 0.0.0.15
permit ip any any
exit
!
interface vlan 27
ip access-group 27_Out out
exit
!
Script for Option 2 (filter on the destination VLANs 88 and 99)
ip access-list extended 88_in
deny ip 10.20.21.0 0.0.0.255 10.20.88.0 0.0.0.127
deny ip 10.20.27.0 0.0.0.255 10.20.88.0 0.0.0.127
permit ip any any
exit
!
interface vlan 88
ip access-group 88_in in
exit
!
ip access-list extended 99_in
deny ip 10.20.21.0 0.0.0.255 10.20.99.0 0.0.0.15
deny ip 10.20.27.0 0.0.0.255 10.20.99.0 0.0.0.15
permit ip any any
exit
!
interface vlan 99
ip access-group 99_in in
exit
!