3750 - access lists on vlan interface

Cpartner1 · ‎01-06-2011

Hi,

I have a small question concerning in and out traffic direction on vlan interfaces, in combination with access lists

We have an 3845 integrated services router that has a network module installed

Specs of the network module

NME-XD-48ES-2S-P 12.2(35)SE5 C3750-IPBASE-M

On the network module I have created two vlans with a vlan interface for each vlan

vlan 500
name DEMO
!
vlan 516
name EDUCATION

interface Vlan500
ip address 10.5.0.1 255.255.240.0
!
interface Vlan516
ip address 10.5.16.1 255.255.240.0

I want to permit traffic from demo to education (and returning traffic) but i want to deny traffic originating from education to demo

What is the best way to implement this ?

----------------------

Second question is regarding traffic direction

Suppose traffic is coming from education and going to demo

Once the traffic has been routed on the switch from the eduction vlan interface and arrives at the demo vlan interface

Is this traffic going out of the demo interface or coming in on the demo interface (with access lists in mind)

Do I need to define this to apply an access list to that traffic ?

SW01(config)#interface vlan500
SW01(config-if)#ip acc
SW01(config-if)#ip acces
SW01(config-if)#ip access-group MYLIST out

Or do I need to define this to apply an access list to that traffic ?

BEVILro02-SW01(config)#interface vlan500
BEVILro02-SW01(config-if)#ip acc
BEVILro02-SW01(config-if)#ip acces
BEVILro02-SW01(config-if)#ip access-group MYLIST in

Or maybe both or possible ?

Thanks in advance !

Kind Regards

Stijn

gaysunda · ‎01-09-2011

Hi Stijn,

interface Vlan500
ip address 10.5.0.1 255.255.240.0
!
interface Vlan516
ip address 10.5.16.1 255.255.240.0

To allow traffic from demo to education (and returning traffic) but deny traffic originating from education to demo

we carete an Access-list and add the established keyword at the end of the permit statement. This would allow only traffic orignated from demo back and forth but deny any other traffic, but this would work for TCP protocol only. It indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.

ip access-list ext 123

permit tcp any any established

we apply this in the inbound direction on the Education Vlan. So all traffic from demo would come to education , but return traffic only with ACK or RST bit set is allowed. So no new connections from Education would be allowed.

------------------------------------------

For the Second question:-

With respect to the access-list it would matter how we are defining the ACL to the flow of traffic.

An ACL may be applied in either direction as long as we define the traffic and its flow correctly.

for eg:-

if we want a certain host x.x.x.x from education vlan 516 to be blocked from being reached by a host y.y.y.y on demo vlan 500, then we can have the acl in two ways, applied on that Vlan 500 interface

x.x.x.x-- 516---switch---500---y.y.y.y

ip access-list ext 123

deny ip host y.y.y.y host x.x.x.x

this would have to be applied in the inbound direction as the traffic hitting vlan 500 would have source ip of y.y.y.y and dest ip of x.x.x.x

if we were to configure it this way

ip access-list ext 123

deny ip host x.x.x.x host y.y.y.y

then it would have to be applied in the out bound direction as it would be leaving the router with a source ip of x.x.x.x to reach y.y.y.y on vlan 500

hope this helps

Gayathri

Please rate if this answered your question