Cisco CBS350-24P-4G ACLs for VLANs

vdmcorp
Level 1

Hello everybody,

 

I want to configure some ACLs to filter traffic between VLANs.

In particular, I want to allow traffic from one VLAN to others, but not the other way around.

Example: VLAN 10 (192.168.10.0) can access VLAN 1 (192.168.1.0), VLAN 30 (192.168.30.0) and VLAN 40 (192.168.40.0) and go to the internet; everybody in VLAN 30 can see each other within the same VLAN and can go to the internet, but cannot see other VLANs.

Other useful info: VLAN 1 is the segment that goes directly to the internet (directly connected to the router); port GE1 is in trunk mode (connected to the router), and the switch operates as the DHCP server for each VLAN except VLAN 1, where each device takes its IP address directly from the router's DHCP server (the switch's IP addresses are 192.168.1.20, 192.168.10.20, 192.168.20.20 and so on; the router's IP address is the canonical 192.168.1.1).

 

I have set up these rules, but something doesn't work:

ACL for VLAN 10

deny ip 192.168.10.0 0.0.0.255 192.168.1.1 0.0.0.0 ace-priority 10 (I don't want to permit access to the router)
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255 ace-priority 20 (I want to allow access to VLAN 1)
permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 ace-priority 30 (I want to allow access within the same VLAN)
deny ip 192.168.10.0 0.0.0.255 192.168.30.20 0.0.0.0 ace-priority 40 (I don't want to permit access to the switch)
permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 50 (I want to allow access to VLAN 30)
deny ip 192.168.10.0 0.0.0.255 192.168.40.20 0.0.0.0 ace-priority 60 (I don't want to permit access to the switch)
permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255 ace-priority 70 (I want to allow access to VLAN 40)
deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 ace-priority 80 (I want to block access to other VLANs)
permit ip 192.168.10.0 0.0.0.255 any ace-priority 90 (I want to permit access to the internet)

These statements are not working because access to all VLANs is blocked, including VLAN 1, 30 and 40. But if I remove ACE 80, then it works. It seems that ACE 80 is much stronger than ACEs 50 and 70, even though I have placed them first in the flow of rules. If I create specific deny ACEs for each VLAN I want to filter (for example VLAN 20, VLAN 50 and so on) instead of the generic 192.168.0.0 0.0.255.255, it works.

How can I solve this problem without writing a specific deny rule for each VLAN I want to block access to?

 

ACL for VLAN 30

permit udp 192.168.30.0 0.0.0.255 bootpc any bootps ace-priority 10 (for DHCP)
permit udp 192.168.30.20 0.0.0.0 bootps 192.168.30.0 0.0.0.255 bootpc ace-priority 15 (for DHCP)
deny ip 192.168.30.0 0.0.0.255 192.168.30.20 0.0.0.0 ace-priority 20 (I don't want to permit access to the switch)
permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 30 (I want to allow access within the same VLAN)
deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255 ace-priority 40 (I want to block access to other VLANs)
permit ip 192.168.30.0 0.0.0.255 any ace-priority 50 (I want to permit access to the internet)

These statements are not working because access within the same VLAN is blocked, so each device can access the internet but cannot see other devices in the same subnet. How can I solve this problem? (If I replace ACE 40 with specific deny rules for each VLAN I want to filter, then it works... but I want to use a generic rule if possible, because I have a large number of VLANs.)

Thank you for the support.

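As an added example (not part of the original post and not Cisco's code), the following Python script models the textbook semantics of a sequential ACL: ACEs are tried in ascending ace-priority order, the first ACE whose protocol, addresses and ports all match decides, and anything unmatched hits the implicit deny at the end. It parses the two ACLs exactly as posted and evaluates them against constructed sample flows, so the intended result of each rule set can be checked offline before comparing it with what the switch actually does. The host addresses in the sample flows (.50, .60, 8.8.8.8) are assumptions. Under this model both ACLs give the intended answer for the inter-VLAN cases; the one flow the model denies is a DHCPDISCOVER, whose source address is 0.0.0.0 and therefore matches none of the ACEs that require a 192.168.30.0/24 source.

```python
"""First-match evaluator for Cisco-style IPv4 ACLs with wildcard masks.

Added example: models 'first ACE that matches wins, implicit deny at the end'.
A 1 bit in a wildcard mask means 'don't care'. Sample flows are constructed.
"""
import ipaddress
from typing import NamedTuple, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # the only named ports in the post


class Ace(NamedTuple):
    priority: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IPv4 protocol
    src: Optional[Tuple[int, int]]   # (address, wildcard) or None for "any"
    sport: Optional[int]
    dst: Optional[Tuple[int, int]]
    dport: Optional[int]


def _is_addr(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def parse_ace(line: str) -> Ace:
    """Parse 'action proto src [sport] dst [dport] ace-priority N'."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    pos = 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        addr = int(ipaddress.IPv4Address(toks[pos]))
        wild = int(ipaddress.IPv4Address(toks[pos + 1]))
        pos += 2
        return (addr, wild)

    def take_port():
        nonlocal pos
        tok = toks[pos]
        if tok in ("any", "ace-priority") or _is_addr(tok):
            return None              # no port operand at this position
        pos += 1
        return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    if toks[pos] != "ace-priority":
        raise ValueError(f"unexpected token {toks[pos]!r} in {line!r}")
    return Ace(int(toks[pos + 1]), action, proto, src, sport, dst, dport)


def _addr_match(rule, addr: str) -> bool:
    if rule is None:                 # "any"
        return True
    net, wild = rule
    care = ~wild & 0xFFFFFFFF        # the bits this ACE actually compares
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, priority) of the first matching ACE, or ('deny', None)
    when only the implicit deny at the end of the ACL applies."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.priority
    return "deny", None


# The two ACLs exactly as posted, with the parenthetical comments removed.
ACL_VLAN10 = [parse_ace(l) for l in """
deny ip 192.168.10.0 0.0.0.255 192.168.1.1 0.0.0.0 ace-priority 10
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255 ace-priority 20
permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 ace-priority 30
deny ip 192.168.10.0 0.0.0.255 192.168.30.20 0.0.0.0 ace-priority 40
permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 50
deny ip 192.168.10.0 0.0.0.255 192.168.40.20 0.0.0.0 ace-priority 60
permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255 ace-priority 70
deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 ace-priority 80
permit ip 192.168.10.0 0.0.0.255 any ace-priority 90
""".strip().splitlines()]

ACL_VLAN30 = [parse_ace(l) for l in """
permit udp 192.168.30.0 0.0.0.255 bootpc any bootps ace-priority 10
permit udp 192.168.30.20 0.0.0.0 bootps 192.168.30.0 0.0.0.255 bootpc ace-priority 15
deny ip 192.168.30.0 0.0.0.255 192.168.30.20 0.0.0.0 ace-priority 20
permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 30
deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255 ace-priority 40
permit ip 192.168.30.0 0.0.0.255 any ace-priority 50
""".strip().splitlines()]

# Constructed sample flows: (label, acl, proto, src, dst, sport, dport).
SAMPLE_FLOWS = [
    ("VLAN10 host -> VLAN30 host", ACL_VLAN10, "tcp", "192.168.10.50", "192.168.30.50", None, None),
    ("VLAN10 host -> VLAN20 host", ACL_VLAN10, "tcp", "192.168.10.50", "192.168.20.50", None, None),
    ("VLAN10 host -> internet", ACL_VLAN10, "tcp", "192.168.10.50", "8.8.8.8", None, None),
    ("VLAN30 host -> VLAN30 host", ACL_VLAN30, "tcp", "192.168.30.50", "192.168.30.60", None, None),
    ("VLAN30 DHCP renew (unicast)", ACL_VLAN30, "udp", "192.168.30.50", "192.168.30.20", 68, 67),
    ("VLAN30 DHCPDISCOVER (src 0.0.0.0)", ACL_VLAN30, "udp", "0.0.0.0", "255.255.255.255", 68, 67),
]

if __name__ == "__main__":
    for label, acl, *pkt in SAMPLE_FLOWS:
        action, prio = evaluate(acl, *pkt)
        print(f"{label:36s} -> {action} (ace {prio if prio else 'implicit deny'})")
```

Running the script prints one line per sample flow. If the switch's observed behaviour differs from these results (for example, VLAN 10 to VLAN 30 being blocked while ACE 50 precedes ACE 80), that discrepancy, rather than the rule order, is what to raise with the vendor or to test by removing one ACE at a time.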