06-16-2014 06:27 AM - edited 03-07-2019 07:44 PM
Hi, I have two Layer 2 VLANs created on my core switch. These VLANs are advertised in the EIGRP process running on the core switch and subsequently advertised into BGP on the routers connected to the core switch.
The two VLANs are VLAN 12 and VLAN 13. VLAN 12 is a static VLAN that provides IP addresses to all the servers, and VLAN 13 is a static VLAN that provides IP addresses to the devices that communicate with the server VLAN.
My requirement is that VLAN 13 should be totally isolated from all other VLANs and traffic except VLAN 13.
i.e. VLAN 13 should be reachable via VLAN 12, and VLAN 13 should not be reachable from any other traffic or any other VLAN. VLAN 13 should be totally isolated for both inbound and outbound traffic.
I have an access list on VLAN 13, a standard access list permitting only VLAN 12 traffic, applied in the outbound direction.
E.g.
interface Vlan13
 ip address 10.10.10.1 255.255.255.224
 ip access-group 13 out
!
interface Vlan12
 ip address 20.20.20.1 255.255.255.224
!
access-list 13 permit 20.20.20.0 0.0.0.31
!
But the problem is that I can ping VLAN 13 from other VLANs as source from the core switch, i.e.
ping ip 10.10.10.3 source Vlan 4 gives me 100% success, and I can ping VLAN 4 using VLAN 13 as source.
If I try to ping it from outside the network, I can ping the VLAN 13 interface but not the IP addresses in that range.
Is the goal achieved in this case? Since the access list is applied in the outbound direction, I was wondering about inbound traffic, which in a way will be handled, since outbound traffic won't be allowed to other VLANs for any inbound request: the echo will be allowed but not the echo-reply to the other VLAN. Just wondering if I am making sense or talking rubbish here. Do I need to make any changes to accomplish the goal of totally isolating VLAN 13?
06-16-2014 06:52 AM
Hello
Not sure I understand this:
"My requirement is that VLAN 13 should be totally isolated from all other VLANs and traffic except VLAN 13.
i.e. VLAN 13 should be reachable via VLAN 12, and VLAN 13 should not be reachable from any other traffic or any other VLAN. VLAN 13 should be totally isolated for both inbound and outbound traffic."
Can you be a bit clearer?
res
Paul
06-16-2014 07:14 AM
Sorry, that was a typo.
VLAN 13 should be totally isolated from all other VLANs except VLAN 12.
06-16-2014 07:43 AM
Hello
Try this:
ip access-list extended VLAN13in-out
 permit ip any 20.20.20.0 0.0.0.31
 deny ip any any log
ip access-list extended VLAN13out-in
 permit ip 20.20.20.0 0.0.0.31 any
 deny ip any any log
!
interface Vlan13
 ip access-group VLAN13in-out in
 ip access-group VLAN13out-in out
res
Paul
06-17-2014 12:57 AM
I have suggested a VLAN access map; please review it.
Regards.
06-17-2014 07:57 AM
What is the operational advantage of doing this?
06-17-2014 10:43 PM
Well, it is handled by the L2 engine, which definitely makes the process faster compared to the L3 engine.
Regards.
06-18-2014 01:22 AM
Hello
VACLs are ONLY applicable within their own VLAN, not between VLANs,
hence why I suggested an SVI ACL.
res
Paul
06-18-2014 10:50 PM
Hi,
I would like to differ with you on this. VACLs are used to filter traffic between different VLANs.
We are using VACLs in our network to a large extent and are facing no issues at all.
You can use traditional ACLs and apply them under the SVI on an L3 switch as well.
So basically it's a matter of choice according to your company's network policy.
Regards.
06-19-2014 06:29 AM
Hello
I didn't mean to suggest that VACLs are not applicable in this case, as traffic needs to be prohibited in/out of one VLAN.
Maybe I should have explained myself a little better. What I meant was, when filtering between different subnets, RACLs are primarily used on routers or L3 switches.
However, if I wanted to deny certain host-to-host communication in the same VLAN, then I could use a VACL to accomplish this.
RACL (L3) - can be applied on any routed interface (in this case the SVI of VLAN 30, defining in/out traffic):
ip access-list extended VLAN13in-out
 permit ip any 20.20.20.0 0.0.0.31
 deny ip any any log
ip access-list extended VLAN13out-in
 permit ip 20.20.20.0 0.0.0.31 any
 deny ip any any log
!
interface Vlan13
 ip access-group VLAN13in-out in
 ip access-group VLAN13out-in out
VACL - isn't applied to any interface:
ip access-list extended AllowV20
 ! allows communication within VLAN 30
 permit ip 30.30.30.0 0.0.0.255 30.30.30.0 0.0.0.255
 permit ip 30.30.30.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
!
vlan access-map vlan30-20 10
 action forward
 match ip address AllowV20
vlan access-map vlan30-20 99
 action drop
!
vlan filter vlan30-20 vlan-list 30
If I wanted to deny telnet on all VLANs, then again a VACL would be applicable, as a RACL would need to be applied on each SVI or routed interface.
ip access-list extended notelnet_acl
 permit tcp any any eq telnet
!
vlan access-map notelnet 10
 action drop
 match ip address notelnet_acl
vlan access-map notelnet 99
 action forward
!
vlan filter notelnet vlan-list 20 30
I hope I have made my explanation a bit clearer!
res
Paul
06-17-2014 12:55 AM
Hi...
Paul has suggested one way of doing this; I will use a VACL on the L3 switch.
It goes like this:
Say the VLAN 12 subnet is x.x.x.x/24 and the VLAN 13 subnet is y.y.y.y/24.
! Standard ACLs match on source only, so a standard ACL here would let VLAN 13
! hosts send to any other VLAN; extended entries with source and destination
! are needed to keep VLAN 13 limited to VLAN 12 in both directions.
ip access-list extended Allow12To13
 permit ip y.y.y.y 0.0.0.255 y.y.y.y 0.0.0.255
 permit ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255
 permit ip y.y.y.y 0.0.0.255 x.x.x.x 0.0.0.255
ip access-list extended DenyAllTo13
 permit ip any any
!
vlan access-map Allow12To13Only 10
 match ip address Allow12To13
 action forward
vlan access-map Allow12To13Only 20
 match ip address DenyAllTo13
 action drop
!
vlan filter Allow12To13Only vlan-list 13
Now traffic on VLAN 13 will be filtered and matched against the access map, allowing only the subnet belonging to VLAN 12.
Please feel free to post any queries about this.
Regards.
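The thread proposes two ways to fence VLAN 13: the routed ACL pair on the SVI (Paul's VLAN13in-out / VLAN13out-in) and a VACL on VLAN 13. The difference between them is direction: an SVI ACL is checked either when a packet arrives from VLAN 13 hosts (in) or when the switch forwards a packet toward VLAN 13 hosts (out), while a VACL has no direction and sees every packet bridged within or routed into or out of the VLAN. Two IOS behaviours also explain the original poster's symptoms: packets the switch itself generates (ping ... source Vlan 4) are not filtered by an outbound interface ACL, and packets addressed to the SVI's own address terminate on the switch, so an outbound ACL never sees them. The Python below is an added example, not code from the thread or from Cisco; it encodes those rules and runs the thread's address plan through them. The thread's subnets are used as given (VLAN 12 = 20.20.20.0/27, VLAN 13 = 10.10.10.0/27, SVI 10.10.10.1); the VLAN 4 addresses, the outside host 192.0.2.10 and the host addresses are assumptions.

```python
"""Flow check for the two VLAN 13 isolation designs in this thread.

Constructed example, not code from the thread. Addresses from the thread:
VLAN 12 = 20.20.20.0/27, VLAN 13 = 10.10.10.0/27 with SVI 10.10.10.1.
Assumed: VLAN 4 = 40.40.40.0/24 with SVI 40.40.40.1, outside host 192.0.2.10.
"""
from ipaddress import ip_address, ip_network

VLAN12 = ip_network("20.20.20.0/27")
VLAN13 = ip_network("10.10.10.0/27")
ANY = ip_network("0.0.0.0/0")
SVI13, SVI4 = ip_address("10.10.10.1"), ip_address("40.40.40.1")   # SVI4 assumed
SWITCH_ADDRS = {SVI13, SVI4}                                        # the switch's own addresses
H12, H13, H4 = ip_address("20.20.20.10"), ip_address("10.10.10.3"), ip_address("40.40.40.10")
OUTSIDE = ip_address("192.0.2.10")           # assumed host beyond the BGP routers

def acl_lookup(acl, src, dst):
    """First match wins, implicit deny at the end as in IOS; None = no ACL applied."""
    if acl is None:
        return "permit"
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"

# --- routed ACLs (RACL) on interface Vlan13 ---------------------------------
# Original post: standard ACL 13 matches source only, applied out, nothing in.
OP_IN, OP_OUT = None, [("permit", VLAN12, ANY)]
# Paul's pair: "in" sees packets from VLAN 13 hosts entering the SVI,
# "out" sees packets the switch routes toward VLAN 13 hosts.
PAUL_IN = [("permit", ANY, VLAN12), ("deny", ANY, ANY)]
PAUL_OUT = [("permit", VLAN12, ANY), ("deny", ANY, ANY)]

def racl_forwards(src, dst, acl_in, acl_out, switch_originated=False):
    """Whether one packet involving VLAN 13 gets through under IOS RACL rules:
    - packets the switch itself generates (ping ... source Vlan 4) are not
      checked by any interface ACL;
    - packets sourced in VLAN 13 are checked by the inbound ACL whatever
      their destination, the SVI address included;
    - packets addressed to one of the switch's own SVIs terminate there and
      are never checked by an outbound ACL;
    - everything else routed into VLAN 13 is checked by the outbound ACL."""
    if switch_originated:
        return True
    if src in VLAN13:
        return acl_lookup(acl_in, src, dst) == "permit"
    if dst in SWITCH_ADDRS:
        return True
    return acl_lookup(acl_out, src, dst) == "permit"

def racl_ping(src, dst, acl_in, acl_out, switch_originated=False):
    """A ping succeeds only if the echo request and the echo reply both pass."""
    request = racl_forwards(src, dst, acl_in, acl_out, switch_originated)
    reply = racl_forwards(dst, src, acl_in, acl_out, switch_originated=dst in SWITCH_ADDRS)
    return request and reply

# --- VACL on VLAN 13 ---------------------------------------------------------
# A VACL has no direction: every packet bridged within VLAN 13 or routed into or
# out of it is matched against the access-map; no match means drop.
# Source-only entries are all a *standard* ACL can express:
VACL_SRC_ONLY = [("forward", VLAN12, ANY), ("forward", VLAN13, ANY), ("drop", ANY, ANY)]
# Source and destination pairs need an extended ACL:
VACL_SRC_DST = [("forward", VLAN13, VLAN13), ("forward", VLAN12, VLAN13),
                ("forward", VLAN13, VLAN12), ("drop", ANY, ANY)]

def vacl_forwards(src, dst, access_map):
    """Host-to-host packets only; traffic terminating on the switch is not modelled."""
    if src not in VLAN13 and dst not in VLAN13:
        return True                              # never enters VLAN 13
    return acl_lookup(access_map, src, dst) == "forward"

def vacl_ping(src, dst, access_map):
    return vacl_forwards(src, dst, access_map) and vacl_forwards(dst, src, access_map)

CASES = {
    "VLAN 4 host pings VLAN 13 host": (H4, H13),
    "VLAN 13 host pings VLAN 4 host": (H13, H4),
    "VLAN 12 host pings VLAN 13 host": (H12, H13),
    "outside host pings VLAN 13 host": (OUTSIDE, H13),
}

def racl_results(acl_in, acl_out):
    r = {name: racl_ping(s, d, acl_in, acl_out) for name, (s, d) in CASES.items()}
    r["switch pings VLAN 13 host, source Vlan 4"] = racl_ping(SVI4, H13, acl_in, acl_out, True)
    r["outside host pings Vlan13 SVI"] = racl_ping(OUTSIDE, SVI13, acl_in, acl_out)
    r["VLAN 13 host pings its gateway"] = racl_ping(H13, SVI13, acl_in, acl_out)
    return r

def vacl_results(access_map):
    r = {name: vacl_ping(s, d, access_map) for name, (s, d) in CASES.items()}
    r["VLAN 13 host sends one packet to VLAN 4 host"] = vacl_forwards(H13, H4, access_map)
    return r

if __name__ == "__main__":
    for title, res in (("original post (ACL 13 out only)", racl_results(OP_IN, OP_OUT)),
                       ("Paul's in/out pair", racl_results(PAUL_IN, PAUL_OUT)),
                       ("VACL, source-only entries", vacl_results(VACL_SRC_ONLY)),
                       ("VACL, source+destination entries", vacl_results(VACL_SRC_DST))):
        print(title)
        for name, ok in res.items():
            print(f"  {'pass' if ok else 'BLOCKED':8} {name}")
```

Run it with python3 and the first table reproduces the original post: the switch-sourced ping from Vlan 4 succeeds because locally generated packets bypass the outbound ACL, and the Vlan13 SVI answers pings from outside because those packets terminate on the switch rather than being routed out. Paul's in/out pair closes the switch-sourced case (the reply from 10.10.10.3 now hits the inbound deny) and blocks VLAN 13 hosts from reaching anything but VLAN 12, but it also stops VLAN 13 hosts from pinging their own gateway, so add a "permit ip any host 10.10.10.1" line ahead of the deny in VLAN13in-out if that matters; the SVI address itself stays reachable from other VLANs, which an ACL on Vlan13 cannot change. The VACL tables show why the policy needs an extended ACL: with source-only entries a VLAN 13 host can still send one-way traffic to VLAN 4 (only the replies are dropped), while source-plus-destination entries drop it.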