12-02-2019 01:07 AM - edited 12-02-2019 01:09 AM
I have two Nexus 9K and 9300 access layer switches, and I need to make access lists between VLANs as below:
First: make VLAN 102 and VLAN 103 unable to see each other.
Second: make VLAN 105 able to see VLAN 102 and VLAN 103, but VLAN 102 and VLAN 103 cannot see VLAN 105.
I made the first request as below:
Core(Config)#ip access-list 102
Core(Config)#deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
Core(Config)#permit ip any any
Core(Config)#int vlan 102
Core(Config)#ip access-group 102 in
and the same for VLAN 103:
Core(Config)#ip access-list 103
Core(Config)#deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
Core(Config)#permit ip any any
Core(Config)#int vlan 103
Core(Config)#ip access-group 103 in
How can I make the second request?
12-02-2019 01:27 AM
Hello,
It is unclear whether VLAN 105 is supposed to only see VLAN 102 and VLAN 103. If that is the case, the below should accomplish all your requirements:
interface Vlan 101
ip address 10.1.101.1 255.255.255.0
!
interface Vlan 102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in
!
interface Vlan 103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in
!
interface Vlan 105
ip address 10.1.105.1 255.255.255.0
ip access-group 105 in
!
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.101.0 0.0.0.255
access-list 102 deny ip 10.1.101.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 102 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.101.0 0.0.0.255
access-list 103 deny ip 10.1.101.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 103 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 103 permit ip any any
!
access-list 105 permit ip 10.1.105.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 105 permit ip 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 105 permit ip 10.1.105.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 105 permit ip 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 105 deny ip 10.1.105.0 0.0.0.255 10.1.101.0 0.0.0.255
access-list 105 deny ip 10.1.101.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 105 permit ip any any
12-02-2019 01:39 AM - edited 12-02-2019 01:40 AM
Hello Georg,
I appreciate your feedback.
I want VLAN 102 and VLAN 103 to not see VLAN 105, but VLAN 105 can see all VLANs.
Thank you
12-02-2019 01:57 AM - edited 12-02-2019 02:06 AM
Hello
@Mohamed.Ashraf wrote:
First: make VLAN 102 and VLAN 103 unable to see each other
ip access-list extended V102-V103
deny ip any 10.1.103.0 0.0.0.255
permit ip any any
int vlan 102
ip access-group V102-V103 IN
ip access-list extended V103-V102
deny ip any 10.1.102.0 0.0.0.255
permit ip any any
int vlan 103
ip access-group V103-V102 IN
@Mohamed.Ashraf wrote:
Second: make VLAN 105 able to see VLAN 102 and VLAN 103, but VLAN 102 and VLAN 103 cannot see VLAN 105.
Here you need to only allow established TCP sessions to be able to respond to V105-initiated TCP traffic; just denying the subnet won't accomplish what you are requiring. However, note this will only work for TCP; UDP is classless, which won't be matched with the VL105 ACL.
ip access-list extended V105-V102-V103
permit tcp 10.1.102.0 0.0.0.255 any established
deny tcp 10.1.102.0 0.0.0.255 any
permit tcp 10.1.103.0 0.0.0.255 any established
deny tcp 10.1.103.0 0.0.0.255 any
permit ip any any
int vlan 105
ip access-group V105-V102-V103 out
12-02-2019 02:16 AM - edited 12-02-2019 02:23 AM
Hi Paul
I can still ping VLAN 105 from VLAN 102 and VLAN 103.
Appreciate your feedback.
Thank you
12-02-2019 02:24 AM
Hello
@Mohamed.Ashraf wrote:
Hi Paul
I still access VLAN 105 from VLAN 102 and VLAN 103
Do you have the ACL applied in the correct direction?
12-02-2019 02:30 AM
Hi Paul
Yes, I have done that.
Same as your answer, but I still ping V105 from V102 and V103.
Regards,
Ashraf
12-02-2019 02:31 AM
Hello
Post the configuration you have at present relating to those VLANs and access-lists, please.
12-02-2019 02:42 AM
Hi Paul
Here is the configuration:
access-list 105 permit tcp 10.1.102.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.102.0 0.0.0.255 any
access-list 105 permit tcp 10.1.103.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.103.0 0.0.0.255 any
access-list 105 permit ip any any
access-list 102 deny ip any 10.1.103.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip any 10.1.102.0 0.0.0.255
access-list 103 permit ip any any
interface Vlan105
ip address 10.1.105.1 255.255.255.0
ip access-group 105 out
!
interface Vlan102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in
!
interface Vlan100
ip address 10.1.100.1 255.255.255.0
12-02-2019 02:51 AM - edited 12-02-2019 03:20 AM
Hello
@Mohamed.Ashraf wrote:
still ping VLAN 105 from VLAN 102 and VLAN 103
Just realised what you are saying: ICMP isn't being denied, ONLY TCP traffic is, so apologies for that!
You need to amend that ACL to include echo-reply only:
permit icmp 10.1.10.X.0 0.0.0.255 any echo-reply
deny icmp 10.1.10.X.0 0.0.0.255 any echo
12-02-2019 03:03 AM
Thank you Paul
Regards,
Ashraf
12-02-2019 03:15 AM
FYI -
Just for clarification, the ACL to negate ICMP also:
access-list 105 permit tcp 10.1.102.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.102.0 0.0.0.255 any
access-list 105 permit icmp 10.1.102.0 0.0.0.255 any echo-reply
access-list 105 deny icmp 10.1.102.0 0.0.0.255 any echo
access-list 105 permit tcp 10.1.103.0 0.0.0.255 any established
access-list 105 deny tcp 10.1.103.0 0.0.0.255 any
access-list 105 permit icmp 10.1.103.0 0.0.0.255 any echo-reply
access-list 105 deny icmp 10.1.103.0 0.0.0.255 any echo
access-list 105 permit ip any any
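The following is an added example, not code from this thread or from Cisco: a small first-match ACL evaluator (hypothetical, modelling only the keywords used here) that replays the two versions of ACL 105 above, the TCP-only one that still let pings through and the one with the echo-reply/echo pair, against constructed packets in the 102 -> 105 direction. It also shows Paul's caveat that "established" is TCP-only, so UDP is still matched by the final permit.

```python
import ipaddress
from collections import namedtuple

ANY = "0.0.0.0/0"  # the "any" keyword in ACL syntax
# proto: "ip" (any protocol), "tcp", "udp" or "icmp"; src/dst in CIDR form;
# qualifier: None, "established", "echo" or "echo-reply".
Ace = namedtuple("Ace", "action proto src dst qualifier", defaults=(None,))
# flag: None, "ack" (TCP ACK/RST bit set), "echo" or "echo-reply".
Packet = namedtuple("Packet", "proto src dst flag", defaults=(None,))

def matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)):
        return False
    if ace.qualifier == "established":   # TCP-only keyword: ACK or RST bit set
        return pkt.flag == "ack"
    if ace.qualifier in ("echo", "echo-reply"):
        return pkt.flag == ace.qualifier
    return True

def evaluate(acl, pkt):
    """Cisco ACL semantics: first matching ACE wins, implicit deny at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

def build_acl105(subnets, icmp_fix):
    """Paul's ACL 105 pattern; icmp_fix adds the echo-reply/echo pair per subnet."""
    acl = []
    for net in subnets:
        acl += [Ace("permit", "tcp", net, ANY, "established"), Ace("deny", "tcp", net, ANY)]
        if icmp_fix:
            acl += [Ace("permit", "icmp", net, ANY, "echo-reply"), Ace("deny", "icmp", net, ANY, "echo")]
    return acl + [Ace("permit", "ip", ANY, ANY)]

ACL105_TCP_ONLY = build_acl105(["10.1.102.0/24", "10.1.103.0/24"], icmp_fix=False)
ACL105_FIXED = build_acl105(["10.1.102.0/24", "10.1.103.0/24"], icmp_fix=True)

# Constructed packets in the 102 -> 105 direction, i.e. outbound on interface Vlan105.
PING_FROM_102 = Packet("icmp", "10.1.102.10", "10.1.105.10", flag="echo")
SYN_FROM_102 = Packet("tcp", "10.1.102.10", "10.1.105.10")
UDP_FROM_102 = Packet("udp", "10.1.102.10", "10.1.105.10")
```

Running `evaluate(ACL105_TCP_ONLY, PING_FROM_102)` returns "permit" (the behaviour reported in the thread), while the fixed ACL returns "deny" for the same packet and still "permit" for UDP.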
12-02-2019 05:10 AM
Hello,
I just finished labbing this up in GNS3, so I might as well post my config. Paul's solution works perfectly; the only difference is that I have come up with one access list fewer. You edited your original post, which included a mention of Vlan 101, which apparently is not used, so my original answer is not valid anyway.
That said, unfortunately, indeed, 'established' only accounts for TCP packets. I think the problem of allowing one-way traffic was first 'solved' by this, then followed by CBAC and Zone Based Firewalls (the Nexus doesn't support ZBF as far as I can see, otherwise that would be a great alternative).
interface Vlan102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in
!
interface Vlan105
ip address 10.1.105.1 255.255.255.0
!
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 102 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 102 permit tcp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 established
access-list 102 permit icmp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255
access-list 103 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 103 permit tcp 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255 established
access-list 103 permit icmp 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 103 deny ip 10.1.103.0 0.0.0.255 10.1.105.0 0.0.0.255
access-list 103 permit ip any any
12-02-2019 05:44 AM - edited 12-02-2019 05:47 AM
Hello
Comments below, I guess, would be applicable to both ACLs 102 and 103.
@Georg Pauwen wrote:
Hello,
I just finished labbing this up in GNS3, so I might as well post my config. Paul's solution works perfectly; the only difference is that I have come up with one access list fewer. You edited your original post, which included a mention of Vlan 101, which apparently is not used, so my original answer is not valid anyway.
That said, unfortunately, indeed, 'established' only accounts for TCP packets. I think the problem of allowing one-way traffic was first 'solved' by this, then followed by CBAC and Zone Based Firewalls (the Nexus doesn't support ZBF as far as I can see, otherwise that would be a great alternative).
interface Vlan102
ip address 10.1.102.1 255.255.255.0
ip access-group 102 in < originating from vlan 102
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip access-group 103 in < originating from vlan 103
!
interface Vlan105
ip address 10.1.105.1 255.255.255.0
!
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.103.0 0.0.0.255
access-list 102 deny ip 10.1.103.0 0.0.0.255 10.1.102.0 0.0.0.255 < won't be matched, doesn't originate from vlan 102
access-list 102 permit tcp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 established
access-list 102 permit icmp 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 < this will allow V102 to initiate icmp to vl105
access-list 102 deny ip 10.1.102.0 0.0.0.255 10.1.105.0 0.0.0.255 < won't be matched, above ace will take precedence
access-list 102 permit ip any any