03-21-2015 11:33 PM
Is it possible to deny only incoming traffic to a certain VLAN using an IP ACL? E.g. I want to deny all incoming traffic to the management VLAN from other VLANs but want to allow the management VLAN to access all other VLANs. Is it possible?
03-23-2015 03:48 PM
Hi Anitket01
> I want to deny all incoming traffic to management VLAN from other VLANs but want to allow managment VLAN to access all other VLANs.
This request looks easy, but it is not trivial to implement. I assume you want to use VLAN ACLs and not port-based ACLs, due to administrative comfort or design purposes. Because of the limitations of ACL functionality and stateful filtering, you can fulfil your request only for the TCP and ICMP protocols. Why? Because you have to think about the responding (opposite-direction) communication, i.e. if you simply do the following:
Create an ACL to block traffic to the management network (172.30.0.0/24):
ip access-list extended blockManagVLAN
 deny ip any 172.30.0.0 0.0.0.255
 permit ip any any
and apply it to all non-management VLANs,
and create a second ACL
ip access-list extended AllowManagVLAN
 permit ip any any
and apply it to the management VLAN only.
then:
Now what can we do?
We can play with the ACL protocol parameters in order to achieve the requirement.
Protocol TCP:
We know that for a TCP session to be established, the client needs to send a TCP SYN segment in order to start the three-way handshake. So for TCP, we can disallow sending TCP SYN only toward the management VLAN, and nobody from outside the management VLAN will be able to create a TCP connection into the management VLAN. ACL:
ip access-list extended blockManagVLAN
 deny tcp any 172.30.0.0 0.0.0.255 match-all +syn -ack
 permit ip any any
With this non-management VLAN ACL, we are denying only TCP SYN packets but allowing everything else, which means that TCP communication can now be successfully established from the management VLAN toward the non-management VLANs.
Protocol ICMP:
For ICMP we can also adjust some parameters, for example to keep PING working from the management VLAN to the outside, but block it from the outside into the management VLAN. Add into the blockManagVLAN access-list:
 deny icmp any 172.30.0.0 0.0.0.255 echo-request
This entry will ensure that only echo requests are denied toward the management VLAN. This also ensures that if someone from the management VLAN pings a device located in another VLAN, its echo-reply will not be blocked.
Protocol UDP:
The same magic as with TCP or ICMP cannot be achieved easily for UDP, as we can't distinguish between the same UDP traffic in opposite directions, only by source/destination port numbers. Standard UDP-like services run on ports lower than 1024, so I would recommend you block all UDP traffic toward the management subnet with a destination port lower than 1024:
 deny udp any 172.30.0.0 0.0.0.255 range 1 1023
In summary, here is what you can tune up to meet your request as closely as possible:
Create an ACL for all non-management VLANs with the following content:
ip access-list extended blockManagVLAN
 deny tcp any 172.30.0.0 0.0.0.255 match-all +syn -ack
 deny icmp any 172.30.0.0 0.0.0.255 echo-request
 deny udp any 172.30.0.0 0.0.0.255 range 1 1023
 permit ip any any
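As an added illustration (not code from the thread or from Cisco), a small Python model of the final blockManagVLAN ACL applied to constructed sample packets entering a non-management VLAN. It implements IOS first-match evaluation and wildcard-mask semantics, shows that return traffic (SYN/ACK, echo-reply) toward the management subnet passes, and shows the gap the answer admits: UDP to a destination port above 1023 is still permitted. The packet dict field names are my own.

```python
import ipaddress

# Management subnet from the thread, written as IOS base + wildcard mask.
MGMT_BASE, MGMT_WILDCARD = "172.30.0.0", "0.0.0.255"

def wildcard_match(ip, base, wildcard):
    """IOS wildcard semantics: mask bits of 0 must match, bits of 1 are ignored."""
    ip_i, base_i, wc_i = (int(ipaddress.ip_address(x)) for x in (ip, base, wildcard))
    return (ip_i & ~wc_i) == (base_i & ~wc_i)

def to_mgmt(pkt):
    return wildcard_match(pkt["dst"], MGMT_BASE, MGMT_WILDCARD)

# blockManagVLAN: one (action, predicate) tuple per ACE, in the order given
# in the answer. Packets are plain dicts (field names are assumptions).
BLOCK_MANAG_VLAN = [
    # deny tcp any 172.30.0.0 0.0.0.255 match-all +syn -ack
    ("deny", lambda p: p["proto"] == "tcp" and to_mgmt(p)
                       and p.get("syn", False) and not p.get("ack", False)),
    # deny icmp any 172.30.0.0 0.0.0.255 echo-request
    ("deny", lambda p: p["proto"] == "icmp" and to_mgmt(p)
                       and p.get("icmp_type") == "echo-request"),
    # deny udp any 172.30.0.0 0.0.0.255 range 1 1023
    ("deny", lambda p: p["proto"] == "udp" and to_mgmt(p)
                       and 1 <= p.get("dport", 0) <= 1023),
    # permit ip any any
    ("permit", lambda p: True),
]

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, matches in acl:
        if matches(pkt):
            return action
    return "deny"

# Constructed sample packets, all entering a non-management VLAN interface.
SAMPLES = {
    "ssh_syn_into_mgmt":   {"proto": "tcp", "src": "10.1.1.5", "dst": "172.30.0.10", "syn": True, "ack": False},
    "synack_back_to_mgmt": {"proto": "tcp", "src": "10.1.1.5", "dst": "172.30.0.10", "syn": True, "ack": True},
    "ping_into_mgmt":      {"proto": "icmp", "src": "10.1.1.5", "dst": "172.30.0.10", "icmp_type": "echo-request"},
    "ping_reply_to_mgmt":  {"proto": "icmp", "src": "10.1.1.5", "dst": "172.30.0.10", "icmp_type": "echo-reply"},
    "snmp_into_mgmt":      {"proto": "udp", "src": "10.1.1.5", "dst": "172.30.0.10", "dport": 161},
    "udp_high_into_mgmt":  {"proto": "udp", "src": "10.1.1.5", "dst": "172.30.0.10", "dport": 30000},
}

def run_samples():
    return {name: evaluate(BLOCK_MANAG_VLAN, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} {verdict}")
```

The last sample is the one to watch: a UDP service on a high port in the management subnet is reachable from other VLANs unless you add a more specific deny for it.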
03-23-2015 11:51 PM
Wow... Excellent! I will try this on the weekend and let you know the result.
01-10-2017 01:43 AM
I will try these commands, but it doesn't arrive at the purpose problem,
you need to resolve your solution please
thx