Access List

Mohamed.Ashraf

I have two Nexus 9K and 9300 access layer switches, and I need to make access lists between VLANs as below:

First: make VLAN 102 and VLAN 103 unable to see each other.

Second: make VLAN 105 able to see VLAN 102 and VLAN 103, but VLAN 102 and VLAN 103 can not see VLAN 105.

I made the first request as below:

Core(config)# ip access-list 102
Core(config-acl)# deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
Core(config-acl)# permit ip any any
Core(config-acl)# interface vlan 102
Core(config-if)# ip access-group 102 in

and the same for VLAN 103:

Core(config)# ip access-list 103
Core(config-acl)# deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
Core(config-acl)# permit ip any any
Core(config-acl)# interface vlan 103
Core(config-if)# ip access-group 103 in

How can I make the second request?


13 Replies

Hello,

 

It is unclear whether VLAN 105 is supposed to only see VLAN 102 and VLAN 103. If that is the case, the below should accomplish all your requirements:

 

interface Vlan 101
ip address 10.1.101.1 255.255.255.0
!
interface Vlan 102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in
!
interface Vlan 103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in
!
interface Vlan 105
ip address 10.1.105.1 255.255.255.0
ip access-group 105 in
!
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.101.0 0.0.0.255
access-list 102 deny ip 10.1.101.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 102 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.101.0 0.0.0.255
access-list 103 deny ip 10.1.101.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 103 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 103 permit ip any any
!
access-list 105 permit ip 10.1.105.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 105 permit ip 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 105 permit ip 10.1.105.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 105 permit ip 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 105 deny ip 10.1.105.0 0.0.0.255 10.1.101.0 0.0.0.255
access-list 105 deny ip 10.1.101.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 105 permit ip any any

 

Hello Georg,

Appreciate your feedback.

I want VLAN 102 and VLAN 103 to not be able to see VLAN 105, but VLAN 105 can see all VLANs.

Thank you

Hello


@Mohamed.Ashraf wrote:
First: Make vlan 102 and vlan 103 can not see each other

ip access-list extended V102-V103
deny ip any 10.1.103.0 0.0.0.255
permit ip any any

int vlan 102
ip access-group V102-V103 IN

 

ip access-list extended V103-V102
deny ip any 10.1.102.0 0.0.0.255
permit ip any any

int vlan 103
ip access-group V103-V102 IN

 

 


@Mohamed.Ashraf wrote:

Second :Make vlan 105 see vlan 102 and vlan 103 but Vlan 102 & Vlan 103 can not see vlan 105.


Here you need to only allow established TCP sessions to be able to respond to V105-initiated TCP traffic; just denying the subnet won't accomplish what you are requiring. However, note this will only work for TCP: UDP is classless, which won't be matched with the VL105 ACL.

ip access-list extended V105-V102-V103
permit tcp 10.1.102.0 0.0.0.255 any established
deny tcp 10.1.102.0 0.0.0.255 any
permit tcp 10.1.103.0 0.0.0.255 any established
deny tcp 10.1.103.0 0.0.0.255 any
permit ip any any

int vlan 105
ip access-group V105-V102-V103 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul

I still ping VLAN 105 from VLAN 102 and VLAN 103.

 

Appreciate your feedback.

Thank you

Hello


@Mohamed.Ashraf wrote:

Hi Paul

I still access VLAN 105 from VLAN 102 and VLAN 103.

 


Do you have the acl appended in the correct direction?

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul

Yes, I did.

Same as your answer, but I still ping V105 from V102 and V103.

Regards,

Ashraf

Hello

Post the configuration you have at present relating to those VLANs and access-lists, please.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul

Here is the configuration:

 

access-list 105 permit tcp 10.1.102.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.102.0 0.0.0.255 any
access-list 105 permit tcp 10.1.103.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.103.0 0.0.0.255 any
access-list 105 permit ip any any
access-list 102 deny ip any 10.1.103.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip any 10.1.102.0 0.0.0.255
access-list 103 permit ip any any

 

interface Vlan105
ip address 10.1.105.1 255.255.255.0
ip access-group 105 out
!
interface Vlan102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in
!
interface Vlan100
ip address 10.1.100.1 255.255.255.0

Hello


@Mohamed.Ashraf wrote:
 still ping Vlan 105 from Vlan 102 and Vlan 103

Just realised what you are saying: ICMP isn't being denied, ONLY TCP traffic is, so apologies for that!

You need to amend that ACL to include echo-reply only:

permit icmp 10.1.10.X.0 0.0.0.255 any echo-reply
deny icmp 10.1.10.X.0 0.0.0.255 any echo


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you Paul

 

Regards,

Ashraf

FYI -

Just for clarification, ACL to negate ICMP also:
access-list 105 permit tcp 10.1.102.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.102.0 0.0.0.255 any
access-list 105 permit icmp 10.1.102.0 0.0.0.255 any echo-reply
access-list 105 deny icmp 10.1.102.0 0.0.0.255 any echo
access-list 105 permit tcp 10.1.103.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.103.0 0.0.0.255 any
access-list 105 permit icmp 10.1.103.0 0.0.0.255 any echo-reply
access-list 105 deny icmp 10.1.103.0 0.0.0.255 any echo
access-list 105 permit ip any any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

I just finished labbing this up in GNS3, so I might as well post my config. Paul's solution works perfectly, the only difference is that I have come up with one access list less. You edited your original post, which included a mention of Vlan 101, which apparently is not used, so my original answer is not valid anyway.

 

That said, unfortunately indeed the 'established' only accounts for TCP packets. I think the problem of allowing one-way traffic was first 'solved' by this, then followed by CBAC and Zone Based Firewalls (the Nexus doesn't support ZBF as far as I can see, otherwise that would be a great alternative).

 

interface Vlan102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in
!
interface Vlan105
ip address 10.1.105.1 255.255.255.0
!
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 102 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 102 permit tcp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 established
access-list 102 permit icmp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 103 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 103 permit tcp 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255 established
access-list 103 permit icmp 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 103 permit ip any any

Hello

Comments below, I guess, would be applicable to both ACL 102 and 103.

 


@Georg Pauwen wrote:

Hello,

 

I just finished labbing this up in GNS3, so I might as well post my config. Paul's solution works perfectly, the only difference is that I have come up with one access list less. You edited your original post, which included a mention of Vlan 101, which apparently is not used, so my original answer is not valid anyway.

 

That said, unfortunately indeed the 'established' only accounts for TCP packets. I think the problem of allowing one-way traffic was first 'solved' by this, then followed by CBAC and Zone Based Firewalls (the Nexus doesn't support ZBF as far as I can see, otherwise that would be a great alternative).

 

interface Vlan102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in < originating from vlan 102
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in < originating from vlan 103
!
interface Vlan105
ip address 10.1.105.1 255.255.255.0

access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 102 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255 < won't be matched, doesn't originate from vlan 102
access-list 102 permit tcp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 established
access-list 102 permit icmp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 < this will allow V102 to initiate icmp to vl105
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 < won't be matched, above ace will take precedence
access-list 102 permit ip any any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
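As an added illustration (not Cisco code and not from any post in this thread), the small Python first-match evaluator below models the ACE semantics Paul and Georg discuss above: wildcard masks, the TCP `established` keyword (ACK or RST set) and the ICMP `echo` / `echo-reply` keywords. The two ACLs are the ones posted in the thread; the packet headers fed to it are constructed sample values, and it evaluates one ACL in isolation with no notion of interface direction.

```python
import ipaddress

WC = "0.0.0.255"  # IOS wildcard for a /24: 0 bits must match, 1 bits are ignored

def in_net(addr, net, wildcard):
    """IOS-style wildcard match (a wildcard is the inverse of a subnet mask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def matches(ace, pkt):
    """One ACE as a tuple: (action, proto, src, src_wc, dst, dst_wc, option)."""
    _, proto, src, swc, dst, dwc, opt = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if src != "any" and not in_net(pkt["src"], src, swc):
        return False
    if dst != "any" and not in_net(pkt["dst"], dst, dwc):
        return False
    if opt == "established":  # TCP only: ACK or RST set, i.e. not the initial SYN
        return bool(pkt.get("flags", set()) & {"ACK", "RST"})
    if opt in ("echo", "echo-reply"):  # ICMP type keywords
        return pkt.get("icmp") == opt
    return True

def evaluate(acl, pkt):
    """First-match lookup: returns (action, ACE index), or the implicit deny."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace[0], i
    return "deny", None

def paul_acl105():
    """Paul's final 'access-list 105' (applied out on Vlan105), built per subnet."""
    acl = []
    for net in ("10.1.102.0", "10.1.103.0"):
        acl += [("permit", "tcp", net, WC, "any", None, "established"),
                ("deny", "tcp", net, WC, "any", None, None),
                ("permit", "icmp", net, WC, "any", None, "echo-reply"),
                ("deny", "icmp", net, WC, "any", None, "echo")]
    return acl + [("permit", "ip", "any", None, "any", None, None)]

def georg_acl102():
    """Georg's 'access-list 102' (applied in on Vlan102), exactly as posted."""
    return [("deny", "ip", "10.1.102.0", WC, "10.1.103.0", WC, None),
            ("deny", "ip", "10.1.103.0", WC, "10.1.102.0", WC, None),
            ("permit", "tcp", "10.1.102.0", WC, "10.1.105.0", WC, "established"),
            ("permit", "icmp", "10.1.102.0", WC, "10.1.105.0", WC, None),
            ("deny", "ip", "10.1.102.0", WC, "10.1.105.0", WC, None),
            ("permit", "ip", "any", None, "any", None, None)]
```

Running a SYN, an ACK, an ICMP echo and a UDP datagram from 10.1.102.x through `paul_acl105()` shows the SYN and echo hitting the deny ACEs, the ACK and echo-reply permitted, and UDP falling through to `permit ip any any`, which is the gap Paul points out; through `georg_acl102()` an ICMP echo is permitted by the fourth ACE, so the `deny ip` after it is never reached for ICMP, which is Paul's precedence comment.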