Use ACL to restrict inter-VLAN routing

hc2995
Level 1

Hello Everyone,

I have a 2951 router with 5 VLANs: 10, 20, 30, 40, 50. I'm trying to prevent VLAN 50 from talking to the other VLANs (VLAN 50 will be used for home automation), but I'm not having any luck.

Here is an excerpt of what I have configured:

Subinterface 0/1.10:

!
interface GigabitEthernet0/1.10
 description Management
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
 ip access-group VLAN-RESTRICTIONS in
 ip helper-address 172.16.20.2
 ip helper-address 172.16.20.5
 ip nat inside
 ip virtual-reassembly in
!

Access list "VLAN-RESTRICTIONS":

!
ip access-list extended VLAN-RESTRICTIONS
 deny   ip 172.16.50.0 0.0.0.255 any
 permit ip any any
!

I believe that applying that access list should block traffic from 172.16.50.x to the subinterface for VLAN 10, but I'm still able to ping hosts in VLAN 10 while I'm connected to VLAN 50.

Any tips or assistance is appreciated!

Accepted Solution

jalejand
Cisco Employee

By placing the ACL on the subinterface for VLAN 10 you are telling the router:
Any traffic with a source IP address of 172.16.50.x to any destination should be blocked in the inbound direction.

When you send a PING from VLAN 50 to VLAN 10, the subinterface for VLAN 50 will receive an ICMP request with source IP 172.16.50.x and destination 172.16.10.x - not blocked.
The VLAN 10 user will reply with an ICMP reply with source 172.16.10.x to 172.16.50.x, and it will be received on the interface for VLAN 10 - not blocked, as the source IP is not within the 172.16.50.x range.

Try changing the VLAN statement of each subinterface from 10 to 40 to the "out" direction to block the ICMP request,
or
use only one ACL in the inbound direction on VLAN 50 matching any traffic from VLAN 50 to any destination of 172.16.10, 20, 30, 40.

ip access-list extended VLAN-RESTRICTIONS
deny ip 172.16.50.0 0.0.0.255 172.16.10.0 0.0.0.255
deny ip 172.16.50.0 0.0.0.255 172.16.20.0 0.0.0.255
deny ip 172.16.50.0 0.0.0.255 172.16.30.0 0.0.0.255
deny ip 172.16.50.0 0.0.0.255 172.16.40.0 0.0.0.255

deny ip 172.16.10.0 0.0.0.255 172.16.50.0 0.0.0.255
deny ip 172.16.20.0 0.0.0.255 172.16.50.0 0.0.0.255
deny ip 172.16.30.0 0.0.0.255 172.16.50.0 0.0.0.255
deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
permit ip any any

int gi0/0.50
ip access-group VLAN-RESTRICTIONS in
ip access-group VLAN-RESTRICTIONS out
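As an added illustration (not from the thread, and not IOS code), the Python model below evaluates wildcard-masked ACL entries first-match and applies them per interface and direction, so you can see why the original placement let the ping through and how both options in the accepted answer stop it. The host addresses 172.16.50.25 and 172.16.10.100 and the Gi0/1.x subinterface names are constructed, and the model ignores ICMP types and any stateful features.

```python
import ipaddress
from collections import namedtuple

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(addr) ^ ip_int(base)) & care) == 0

# One "permit|deny ip SRC SRC_WC DST DST_WC" line of an extended ACL.
Ace = namedtuple("Ace", "action src src_wc dst dst_wc")
ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to

def acl_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for a in acl:
        if wildcard_match(src, a.src, a.src_wc) and wildcard_match(dst, a.dst, a.dst_wc):
            return a.action
    return "deny"

def router_forwards(bindings, src, dst, in_if, out_if) -> bool:
    """bindings: {(interface, 'in'|'out'): acl}. A routed packet must pass the
    ingress ACL of in_if and the egress ACL of out_if; no ACL bound = permit."""
    for key in ((in_if, "in"), (out_if, "out")):
        acl = bindings.get(key)
        if acl is not None and acl_decision(acl, src, dst) == "deny":
            return False
    return True

# OP's ACL: drop anything sourced in 172.16.50.0/24, permit the rest.
OP_ACL = (Ace("deny", "172.16.50.0", "0.0.0.255", *ANY), Ace("permit", *ANY, *ANY))
# Accepted answer's ACL: deny VLAN 50 <-> each internal subnet, permit everything else.
INTERNAL = ("172.16.10.0", "172.16.20.0", "172.16.30.0", "172.16.40.0")
FIX_ACL = (tuple(Ace("deny", "172.16.50.0", "0.0.0.255", n, "0.0.0.255") for n in INTERNAL)
           + tuple(Ace("deny", n, "0.0.0.255", "172.16.50.0", "0.0.0.255") for n in INTERNAL)
           + (Ace("permit", *ANY, *ANY),))

OP_BINDING = {("Gi0/1.10", "in"): OP_ACL}    # OP's placement: inbound on the VLAN 10 subif
OUT_BINDING = {("Gi0/1.10", "out"): OP_ACL}  # accepted answer, option 1: outbound on VLAN 10
FIX_BINDING = {("Gi0/1.50", "in"): FIX_ACL}  # accepted answer, option 2: inbound on VLAN 50

def ping_exchange(bindings):
    """Constructed hosts: 172.16.50.25 (VLAN 50) pings 172.16.10.100 (VLAN 10).
    Returns (request_forwarded, reply_forwarded); a dropped request gets no reply."""
    request = router_forwards(bindings, "172.16.50.25", "172.16.10.100", "Gi0/1.50", "Gi0/1.10")
    reply = request and router_forwards(bindings, "172.16.10.100", "172.16.50.25", "Gi0/1.10", "Gi0/1.50")
    return request, reply
```

Note that the OP's original one-line ACL, if bound inbound on Gi0/1.50, would also drop VLAN 50's internet-bound traffic because it matches on source alone; the accepted answer's per-subnet denies block only the four internal subnets.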

7 Replies

Hello,

the below should block access from VLAN 50 to VLAN 10:

ip access-list extended VLAN-RESTRICTIONS
deny ip 172.16.50.0 0.0.0.255 172.16.10.0 0.0.0.255
deny ip 172.16.10.0 0.0.0.255 172.16.50.0 0.0.0.255
permit ip any any

Hey Jalejand,

Thanks for the detailed explanation, that helps a lot. I updated the access list to match your suggestion, and I removed the access group on 0/1.10 and added it to 0/1.50; however, I'm still able to access clients in the other VLANs (I tried ping and RDP, both were successful).

I do have one other access list, and I'm wondering if it's conflicting with this one. It's a standard access list that reads

"access-list 1 permit 172.16.0.0 0.0.255.255"

This list is used with my NAT statement to allow clients out to the internet. I don't believe that it could be causing the conflict, but I'm kind of new to access lists. I can't post the full config now, but once I get home this evening I can post it for review if that would help.

Hello,

Post what you have configured. You need to deny access in both ways...

Hello,

Better yet, post the full running configuration of your router...

So I'm actually a fool here. I applied the access group to the wrong interface. Once I applied it to the correct interface, the VLAN was restricted as expected.

Thanks everyone for the assistance on this!

Will do, appreciate the assistance.