
ACL Help, one way access.

perpaal
Level 1

Hi

I want to do this with an ACL.

Devices on VLAN15 should be able to contact devices on VLAN10.

But devices on VLAN10 should not be able to contact devices on VLAN15.

VLAN10 192.168.1.0 /24

VLAN15 10.1.32.0 /24

What would this access list look like?


7 Replies

Calin C.
Level 5

Devices on VLAN15 should be able to contact devices on VLAN10.

But devices on VLAN10 should not be able to contact devices on VLAN15.

This will result in broken communication. If VLAN15 can send packets toward VLAN10, but not vice versa, there is no communication.

Skipping this, I might figure out what you want. You need that if the connection is originated from VLAN15 towards VLAN10, then the device in the middle opens communication and allows packets to and from VLAN10. If the communication is originated in VLAN10 towards VLAN15, the device in the middle denies communication. Somewhat like how firewall hardware performs this operation.

If you don't have a firewall, I think you can achieve this using Reflexive ACL or CBAC:

http://www.firstdigest.com/2009/03/cisco-how-to-use-reflexive-access-list-and-why-they-are-useful/

http://www.firstdigest.com/2009/01/cisco-use-cbac-to-achieve-firewall-functionality-on-router-device/

HTH,

Calin

Thank you.

The routers are Cisco 3560s, can they do this?

And I did not quite understand how to use this...

Just add this ACL ...

! ACL names are from the VLAN15 hosts' point of view:
! OUTBOUND_VLAN15 = traffic leaving VLAN15 hosts, INBOUND_VLAN15 = traffic going to them.
ip access-list extended OUTBOUND_VLAN15
 ! VLAN15 -> VLAN10: permit and record each TCP/UDP session in TO_REFLECT
 permit tcp any any reflect TO_REFLECT
 permit udp any any reflect TO_REFLECT
!
ip access-list extended INBOUND_VLAN15
 ! VLAN10 -> VLAN15: only replies to a recorded session pass; everything else
 ! hits the implicit deny
 evaluate TO_REFLECT

And then add it to the VLAN ...

! From the switch's point of view, packets from VLAN15 hosts arrive "in" on
! the SVI and packets toward VLAN15 hosts leave "out", so the reflect ACL
! must be the inbound one and the evaluate ACL the outbound one.
interface Vlan15
 ip access-group OUTBOUND_VLAN15 in
 ip access-group INBOUND_VLAN15 out

That's it?

Unfortunately no, the 3560 switches do not support either a stateful firewall or reflexive ACLs. So you cannot do what you want to do on this switch.

Calin has outlined the problem. And this is a limitation of using L3 ACLs, i.e. they are not stateful because they treat each packet individually. So if you apply an ACL inbound on VLAN 10 denying traffic to VLAN 15 this will have the following effects:

1) it will stop any client in VLAN 10 from initiating a connection to a client in VLAN 15. This is part of what you want so there is no problem with this bit.

2) but, if a client in VLAN 15 initiates a connection to a client in VLAN 10, the packet will get to the client in VLAN 10, but when it replies your ACL will drop the packet. That is what I meant by an ACL not being stateful, i.e. it does not know that the original packet came from VLAN 15.

You may be able to use the keyword "established" in your ACLs, which would allow TCP connections only to work, but I'm not even sure that is supported on the 3560.

Jon
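The stateless-versus-reflexive behaviour Jon describes, as an added simulation that is not part of the thread: a plain inbound ACL on VLAN 10 is judged packet by packet and drops the reply to a VLAN15-initiated session, while a reflexive ACL records the session on "reflect" and lets only the matching reply through on "evaluate". Hosts, ports and packets are constructed for the example; the subnets are the thread's.

```python
# Added example (not from the thread): a small model of a stateless ACL versus a
# reflexive ACL, using the thread's VLAN10 (192.168.1.0/24) and VLAN15 (10.1.32.0/24).
import ipaddress

VLAN10 = ipaddress.ip_network("192.168.1.0/24")
VLAN15 = ipaddress.ip_network("10.1.32.0/24")

def stateless_filter(pkt):
    """ACL applied inbound on the VLAN10 SVI: deny anything destined for VLAN15.
    Every packet is judged on its own, so replies to VLAN15-initiated sessions die."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return "deny" if src in VLAN10 and dst in VLAN15 else "permit"

class ReflexiveFilter:
    """Models 'permit tcp any any reflect R' on traffic arriving from VLAN15 and
    'evaluate R' on traffic heading back toward VLAN15 (the switch's view of direction)."""
    def __init__(self):
        self.sessions = set()   # temporary entries created by 'reflect'

    def filter(self, pkt):
        src = ipaddress.ip_address(pkt["src"])
        if src in VLAN15:
            # VLAN15 -> VLAN10: permit and record the mirrored 5-tuple for the reply
            self.sessions.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
            return "permit"
        # VLAN10 -> VLAN15: 'evaluate' permits only a recorded reply, else implicit deny
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return "permit" if key in self.sessions else "deny"

def run(filter_fn, flow):
    """Apply a filter to each packet of a flow in order; return the verdicts."""
    return [filter_fn(p) for p in flow]

def pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Constructed flows: one session opened from VLAN15, one attempted from VLAN10.
FROM_VLAN15 = [pkt("10.1.32.5", 40000, "192.168.1.10", 80),    # request from VLAN15
               pkt("192.168.1.10", 80, "10.1.32.5", 40000)]    # reply from VLAN10
FROM_VLAN10 = [pkt("192.168.1.10", 50000, "10.1.32.5", 22)]    # VLAN10 tries to initiate

if __name__ == "__main__":
    print("stateless:", run(stateless_filter, FROM_VLAN15), run(stateless_filter, FROM_VLAN10))
    r = ReflexiveFilter()
    print("reflexive:", run(r.filter, FROM_VLAN15), run(r.filter, FROM_VLAN10))
```

The stateless filter returns ['permit', 'deny'] for the VLAN15-initiated session (the reply is dropped), while the reflexive filter returns ['permit', 'permit'] for it and still ['deny'] for the VLAN10-initiated attempt.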

Seems like I only have these options: dscp, fragments, log, log-input, precedence, time-range, tos

No way to achieve this on a 3560 then?

Unfortunately no because of the reason described.

Jon

Ok, thank you both for helping me.

Then I will have to find another solution.

I have some 3750s (WS-C3750G-12S-E) also.

Do you know if it will work on these?

Again, unfortunately not. Reflexive ACLs are usually supported on routers and some of the higher-end switches, e.g. 6500s, I believe.

If you really needed to achieve this, the options would be:

1) migrate the VLAN interfaces to a L3 device that supports reflexive ACLs

2) migrate the VLAN interfaces to a firewall such as the ASA. Note routers can also be firewalls.

Jon