ACL Inter-vlan Help Please

flchris352
Level 1

Hello All!
I'm coming here as I'm not having much luck on the Dell forums and hoping the Cisco community could oblige.

I have a PowerConnect 6224 with routing enabled and several VLANs set up.
VLAN Database: 6,8,10,90-254
VLAN 6 is our management VLAN.
10 is for our core network services (DNS, Domain, Exchange etc.).
90-254 are isolated VLANs.

What I need to accomplish is to prevent VLANs 90-254 from communicating with each other and only allow communication to VLAN 10 and the internet. All internet firewall work will be handled by our Sonicwall.

VLAN 10 is assigned 10.10.10.0/24

VLAN 90-254 each have their own /24 following an IP scheme like so.

VLAN 90 = 10.10.90.0/24

VLAN 91 = 10.10.91.0/24

VLAN 92 = 10.10.92.0/24

etc etc.

What I have below blocks inter-VLAN traffic from VLANs 90-254 and allows traffic to VLAN 10; however, no other traffic is allowed, i.e. internet access.

I'm not familiar with ACLs, so I'm not certain of the cure.

The next hop from the switch is to the inside "LAN" interface of our Sonicwall (10.0.0.1)

Current ACL

Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.10.10.0
Destination IP Mask............................ 0.0.0.255


Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. 10.10.10.0
Source IP Mask................................. 0.0.0.255
Destination IP Address......................... any

Current route output (omitted the several other VLAN routes as they were noted above):

console#show ip route

Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
       B - BGP Derived, IA - OSPF Inter Area
       E1 - OSPF External Type 1, E2 - OSPF External Type 2
       N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2

S      0.0.0.0/0 [1/0] via 10.10.0.1,   vlan 1
C      10.10.0.0/24 [0/1] directly connected,   vlan 1

Thanks so much for taking the time to have a look.

1 Reply

siddhartham
Level 4

Can you post the whole config of your switch? That helps to give you a better solution.

You can use something like the below.

Rule 1 and Rule 2: permit traffic to and fro from the 10.10.10 network.

Rule 3: blocks traffic initiating from the 10.10.96.0-10.10.127.0 networks to the 10.10.0.0 network (all your networks).

Rule 4: blocks traffic initiating from the 10.10.128.0-10.10.256.0 networks to the 10.10.0.0 network (all your networks).

Rule 5: blocks traffic initiating from the 10.10.0.0 network to the 10.10.96.0-10.10.127.0 networks.

Rule 6: blocks traffic initiating from the 10.10.0.0 network to the 10.10.128.0-10.10.256.0 networks.

Rule 7: permits traffic from any to any. This allows your internet traffic.

Order of the access-list entries is important, since they will be executed from top to bottom.

Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.10.10.0
Destination IP Mask............................ 0.0.0.255

Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. 10.10.10.0
Source IP Mask................................. 0.0.0.255
Destination IP Address......................... any

Rule Number: 3
Action......................................... Deny
Match All...................................... False
Protocol....................................... IP
Source IP Address.............................. 10.10.96.0
Source IP Mask................................. 0.0.31.255
Destination IP Address......................... 10.10.0.0
Destination IP Mask............................ 0.0.255.255

Rule Number: 4
Action......................................... Deny
Match All...................................... False
Protocol....................................... IP
Source IP Address.............................. 10.10.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 10.10.0.0
Destination IP Mask............................ 0.0.127.255

Rule Number: 5
Action......................................... Deny
Match All...................................... False
Protocol....................................... IP
Source IP Address.............................. 10.10.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 10.10.96.0
Destination IP Mask............................ 0.0.31.255

Rule Number: 6
Action......................................... Deny
Match All...................................... False
Protocol....................................... IP
Source IP Address.............................. 10.10.128.0
Source IP Mask................................. 0.0.127.255
Destination IP Address......................... 10.10.0.0
Destination IP Mask............................ 0.0.255.255

Rule Number: 7
Action......................................... Permit
Match All...................................... False
Protocol....................................... IP
Source IP Address.............................. any
Destination IP Address......................... any

Siddhartha
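As an added check written for this page (not code from either poster), the Python script below reproduces the top-to-bottom, first-match evaluation the reply relies on, loads the seven proposed rules exactly as listed, and runs them against constructed sample flows for the three requirements in the question: isolated VLANs reach VLAN 10, reach the internet, and cannot reach each other. The host addresses, the internet address and the implicit deny at the end of the list are assumptions, not from the page.

```python
import ipaddress

def wildcard_match(addr, net, wild):
    """True if addr falls in net under a wildcard mask (0 bits must match, 1 bits are ignored)."""
    if net == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    fixed = 0xFFFFFFFF ^ w          # the bits the rule actually compares
    return (a & fixed) == (n & fixed)

# The seven rules from the reply, transcribed as (action, src, src_wild, dst, dst_wild).
PROPOSED_ACL = [
    ("permit", "any",         None,          "10.10.10.0", "0.0.0.255"),
    ("permit", "10.10.10.0",  "0.0.0.255",   "any",        None),
    ("deny",   "10.10.96.0",  "0.0.31.255",  "10.10.0.0",  "0.0.255.255"),
    ("deny",   "10.10.0.0",   "0.0.255.255", "10.10.0.0",  "0.0.127.255"),
    ("deny",   "10.10.0.0",   "0.0.255.255", "10.10.96.0", "0.0.31.255"),
    ("deny",   "10.10.128.0", "0.0.127.255", "10.10.0.0",  "0.0.255.255"),
    ("permit", "any",         None,          "any",        None),
]

def evaluate(acl, src, dst):
    """Walk the ACL top to bottom; return (action, rule number) of the first match.
    Assumes an implicit deny when nothing matches (assumption, not stated on the page)."""
    for number, (action, s_net, s_wild, d_net, d_wild) in enumerate(acl, start=1):
        if wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild):
            return action, number
    return "deny", None

# Constructed sample flows (addresses are made up within the poster's 10.10.x.0/24 scheme).
SAMPLE_FLOWS = [
    ("VLAN 90 host -> VLAN 10 core services",            "10.10.90.25",  "10.10.10.5"),
    ("VLAN 90 host -> internet via the firewall",        "10.10.90.25",  "203.0.113.10"),
    ("VLAN 90 host -> VLAN 91 host (must be blocked)",   "10.10.90.25",  "10.10.91.7"),
    ("VLAN 200 host -> VLAN 201 host (must be blocked)", "10.10.200.9",  "10.10.201.9"),
    ("VLAN 10 host -> VLAN 200 host",                    "10.10.10.5",   "10.10.200.9"),
]

if __name__ == "__main__":
    for label, src, dst in SAMPLE_FLOWS:
        action, number = evaluate(PROPOSED_ACL, src, dst)
        print(f"{label}: {action} (rule {number})")
```

Extending SAMPLE_FLOWS with your own subnets (the management VLAN, the 10.10.0.0/24 transit network toward the firewall) before applying the list to the switch is the cheapest way to spot a rule that blocks more than intended.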