12-30-2013 11:38 AM - edited 03-07-2019 05:18 PM
Hello,
Please see the attached diagram. The people who own our building have a few VLANs on our switches. The VLANs in the circles belong to them. I have set up some ACLs so that any devices in these VLANs can communicate with each other, e.g. a device in VLAN 120 can communicate with a device in VLAN 121, but they cannot communicate with devices outside these 3 VLANs. They can't communicate with VLAN 110, and devices in VLAN 110 cannot communicate with the circled VLANs. Basically separating the left (of the switch) and the right from talking with each other. These ACLs work a treat.
I would like it so any device in VLAN 110 can go to port 80 on 172.32.3.2 (VLAN 123). But the IP access list called BMS-WEB to allow this doesn't seem to work, even though it is showing matches on the rule.
Below are my rules
Extended IP access list CCTV-SEC
    10 permit ip 172.32.1.0 0.0.0.255 172.32.2.0 0.0.0.255 (12 match(es))
    20 permit ip 172.32.1.0 0.0.0.255 172.32.3.0 0.0.0.255 (12 match(es))
Extended IP access list ACC-CTRL
    10 permit ip 172.32.2.0 0.0.0.255 172.32.1.0 0.0.0.255 (11 match(es))
    20 permit ip 172.32.2.0 0.0.0.255 172.32.3.0 0.0.0.255 (13 match(es))
Extended IP access list BMS-NEW
    10 permit ip 172.32.3.0 0.0.0.255 172.32.1.0 0.0.0.255 (8 match(es))
    20 permit ip 172.32.3.0 0.0.0.255 172.32.2.0 0.0.0.255 (11 match(es))
Extended IP access list BMS-WEB
    10 permit tcp 172.16.1.0 0.0.0.255 host 172.32.3.2 eq www (36 match(es))
Below is my VLAN config
interface Vlan110
 ip address 172.16.1.254 255.255.255.0
!
interface Vlan120
 description CCTV Security
 ip address 172.32.1.254 255.255.255.0
 ip access-group CCTV-SEC in
!
interface Vlan121
 description Access CRTL
 ip address 172.32.2.254 255.255.255.0
 ip access-group ACC-CTRL in
!
interface Vlan123
 description BMS
 ip address 172.32.3.254 255.255.255.0
 ip access-group BMS-NEW in
 ip access-group BMS-WEB out
Thanks for the help.
12-30-2013 11:44 AM
Zak
You need to allow the return traffic from vlan 123. Add this line to your BMS-NEW acl -
Jon
12-30-2013 11:47 AM
Zak,
You'll need to allow the return traffic in your BMS-NEW acl:
Extended IP access list BMS-NEW
    10 permit ip 172.32.3.0 0.0.0.255 172.32.1.0 0.0.0.255 (8 match(es))
    20 permit ip 172.32.3.0 0.0.0.255 172.32.2.0 0.0.0.255 (11 match(es))
    30 permit tcp host 172.32.3.2 eq www 172.16.1.0 0.0.0.255
HTH,
John
*** Please rate all useful posts ***
12-30-2013 12:56 PM
Thanks Jon & John, I should have known that, much appreciated!
In production we have a pair of 4500X switches. Am I right in thinking that these bigger switches have a special type of ACL function that will allow the traffic one way? What I mean is, in my example with the ACL, devices in VLAN 123 can access port 80 on devices in VLAN 110. Is there a special ACL that will only allow the return traffic to flow to VLAN 110 from 123, but not allow the traffic to be initiated from VLAN 123?
I read about this a while back, is there something like this please?
Thanks
12-30-2013 12:57 PM
Yes, reflexive acls will do it:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html
HTH,
John
*** Please rate all useful posts ***
12-30-2013 01:05 PM
Thanks for that, shame I don't have anything to test this on.
1 last question. On the ACL you posted, why is the eq www not at the end please? On my test I can't get port 80 to the hosts in VLAN 110 from 123. So it's acting like a 1-way mirror. I assume these are linked?
Thanks for the help.
12-30-2013 01:11 PM
Zak
"On the ACL you posted why is the eq www not at the end please?"
Because it is return traffic. So the traffic to the web server has a random src port and a dst port of 80. But when the web server sends the traffic back, the src port is now 80 and the dst port is the random src port.
By the way, I don't think reflexive ACLs are supported on the 4500X, although John may know otherwise. I believe they are only supported on the 6500 (and maybe the new 6800 - I haven't checked).
If they are not supported, the best you can do is use the "established" keyword in your ACL, which works with TCP connections. I'm assuming that is supported, but like you I don't have a switch to test with.
Jon
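To make Jon's point concrete, here is an added example (not code from the thread or from Cisco): a small Python model of stateless IOS ACL matching with wildcard masks and first-match/implicit-deny semantics. It runs the HTTP request and reply from the thread through BMS-WEB out and BMS-NEW in, with and without line 30, and compares line 30 with an "established" style line; the client address 172.16.1.10 and the port numbers are constructed.

```python
import ipaddress

def in_net(ip, net, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (a | w) == (n | w)

def matches(rule, pkt):
    """rule = (proto, src, src_wc, dst, dst_wc, sport, dport, established); port 0 = any."""
    proto, src, swc, dst, dwc, sport, dport, est = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (in_net(pkt["src"], src, swc) and in_net(pkt["dst"], dst, dwc)):
        return False
    if (sport and pkt["sport"] != sport) or (dport and pkt["dport"] != dport):
        return False
    return (not est) or pkt["ack"]   # 'established' only matches segments with ACK (or RST) set

def permitted(acl, pkt):
    """First matching line wins; implicit deny at the end, as on IOS."""
    return any(matches(r, pkt) for r in acl)

# ACLs transcribed from the thread ('host x' is wildcard 0.0.0.0)
BMS_WEB_OUT = [("tcp", "172.16.1.0", "0.0.0.255", "172.32.3.2", "0.0.0.0", 0, 80, False)]
BMS_NEW_IN = [("ip", "172.32.3.0", "0.0.0.255", "172.32.1.0", "0.0.0.255", 0, 0, False),
              ("ip", "172.32.3.0", "0.0.0.255", "172.32.2.0", "0.0.0.255", 0, 0, False)]
LINE_30 = ("tcp", "172.32.3.2", "0.0.0.0", "172.16.1.0", "0.0.0.255", 80, 0, False)
# Constructed alternative using the 'established' keyword Jon mentions
LINE_30_EST = ("tcp", "172.32.3.0", "0.0.0.255", "172.16.1.0", "0.0.0.255", 0, 0, True)

def tcp(src, sport, dst, dport, ack):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}

def web_session(acl_in):
    """(request permitted out of Vlan123 by BMS-WEB, reply permitted in on Vlan123 by acl_in)."""
    req = tcp("172.16.1.10", 51234, "172.32.3.2", 80, ack=False)   # constructed client, random src port
    rep = tcp("172.32.3.2", 80, "172.16.1.10", 51234, ack=True)    # server reply: src port is now 80
    return permitted(BMS_WEB_OUT, req), permitted(acl_in, rep)

def vlan123_initiates(acl_in):
    """A SYN from the BMS server toward port 80 in Vlan110: random src port, no ACK bit."""
    syn = tcp("172.32.3.2", 40000, "172.16.1.10", 80, ack=False)
    return permitted(acl_in, syn)
```

Without line 30 the request leaves but the reply is dropped by the implicit deny; with line 30 (or the established variant) the reply passes, while a connection initiated from VLAN 123 is still denied because its source port is not 80 (or, for established, the ACK bit is not set).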
12-30-2013 01:17 PM
Jon,
You're 100% correct, and I didn't think to look at the supported features for the switch. It's not supported for the 4500-X series.
HTH,
John
*** Please rate all useful posts ***
12-30-2013 01:21 PM
Thanks chaps.
I'm not worried too much; I have a firewall that can handle the DMZ.
For my scenario, it's working like a reflexive ACL. It's only working 1 way, which is great. If I have understood it, it's the random src port that is doing that?
Thanks for the help, it's much appreciated.
01-07-2014 02:47 AM
Hi guys,
Just put this in. I can't ping the default gateway (IP of the VLAN) from machines that belong to that same VLAN. For example, the devices in the CCTV Security VLAN cannot ping the CCTV Security DG.
Why is this please?
Thanks
01-07-2014 03:02 AM
Zak
If the ACL is applied inbound on the SVI for that VLAN, then if you want to ping the SVI IP address from devices in that VLAN you need to explicitly allow it in your ACL.
Note that it will not stop traffic going between VLANs, because the destination IP is never the SVI IP address unless you are actually trying to ping it, as you are.
Jon
01-07-2014 03:14 AM
OK, so what rule do I put in please?
Thanks
01-07-2014 03:21 AM
Zak
The above just allows ICMP echo requests to the SVI IP.
Jon