ACL on L3 Switch

avilt
Level 3

I have a L3 Switch 3850 with 12 vlans namely vlan1, vlan2...vlan11, vlan12.

I want unrestricted access among first 10 vlans (vlan1 to vlan10). I will not define any ACL for these vlans.

Vlan 11 and vlan12 should communicate with each other but these two vlans should not communicate with vlan1 to vlan10 (10 vlans).

 

How can I define the ACL's to achieve the above objective?

10 Replies

Hello,

 

the below should work (additional lines in bold are added for Internet access, if you don't need Internet access, don't configure the lines in bold):

 

access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 111 permit ip any any

 

interface Vlan 11

ip address 192.168.11.1 255.255.255.0
ip access-group 111 in

 

interface Vlan 12

ip address 192.168.12.1 255.255.255.0
ip access-group 111 in


Assuming 192.168.11.0 belongs to vlan 11 and 192.168.12.0 belongs to vlan 12, can I achieve this using the following ACL?

access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 deny ip any any

access-list 112 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 112 deny ip any any

interface Vlan 11
ip address 192.168.11.1 255.255.255.0
ip access-group 111 in

interface Vlan 12
ip address 192.168.12.1 255.255.255.0
ip access-group 112 in

Reza Sharifi
Hall of Fame

The SVIs for 11 and 12 need to have Inbound ACL to allow communication between them and deny communications to vlan 1-10.

 

 

HTH 

Joseph W. Doherty
Hall of Fame
On VLAN 11's SVI, you block all ingress except with destination of VLAN 12's network, and you block all egress except with source of VLAN 12's network. On VLAN 12, the converse.

That means I need to define ACL in both ingress and egress direction?

Please share some example ACL for SVI on L3 switch

"That means I need to define ACL in both ingress and egress direction?"

Yes, if you want to ensure there cannot be any communication. If you only block in or out, unidirectional communication is still possible.

"Please share some example ACL for SVI on L3 switch"

ip access-list extended AnExample
permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

interface Vlan 11
ip address 192.168.11.1 255.255.255.0
ip access-group AnExample in
ip access-group AnExample out

interface Vlan 12
ip address 192.168.12.1 255.255.255.0
ip access-group AnExample in
ip access-group AnExample out

I need to make more restrictive ACL. Consider an example of host A in vlan 200 and host B in vlan 100 and I want to allow http from host A to host B. Is my following ACL setup right?

 

ip access-list extended VLAN-200-IN
permit tcp host A host B eq www
deny ip any any

 

ip access-list extended VLAN-200-OUT
permit tcp host B eq www host A gt 1024
deny ip any any

 

interface Vlan200
ip access-group VLAN-200-IN in
ip access-group VLAN-200-OUT out

Sure, you can further restrict access.

Understand, HTTP doesn't have to use port 80 and you could continue to use different ACLs for in and out or combine them.

Is my ACL correct if I have to allow http on port 80 as shown above?

"Is my ACL correct if I have to allow http on port 80 as shown above? "

If host B is the HTTP server, using the port 80, yes, your ACL should block all but that traffic. However, if you're going to also place a port range ACL restriction for host A, you didn't do it for ingress, and I believe you could further restrict the port range. You also didn't implement any ACL for VLAN 100 leaving it wide open, which is contrary to your OP.

BTW, if you had a router, rather than a switch, you could use NBAR to truly restrict access to HTTP (i.e. not just port 80) and/or you might use reflective ACLs to restrict host A to just the port it's using.
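The ACLs traded in this thread can be checked offline before they go onto a switch. The script below is an added example, not code from the thread or from Cisco: it parses the IOS-style entries quoted above (the AnExample list applied in and out on SVIs 11 and 12, and the VLAN-200-IN/VLAN-200-OUT pair for hosts A and B), applies the implicit deny at the end of every list, and models the 3850 as an L3 switch where a routed packet must pass the ingress ACL of the source VLAN's SVI and then the egress ACL of the destination VLAN's SVI. The addressing is assumed rather than taken from the thread: VLAN N uses 192.168.N.0/24 (the thread only states this for VLANs 11 and 12), host A is 192.168.200.10 in VLAN 200 and host B is 192.168.100.20 in VLAN 100; those values and the sample flows are constructed for the example.

```python
"""Cisco IOS-style extended ACL evaluator (added example, not from the thread).

Parses the syntax used in the thread (permit/deny, ip/tcp, wildcard masks,
host, any, eq/gt ports), applies the implicit deny, and models an L3 switch
where a routed packet must pass the ingress ACL of the source VLAN's SVI and
the egress ACL of the destination VLAN's SVI. Assumed, not stated in the
thread: VLAN N = 192.168.N.0/24, host A = 192.168.200.10, host B = 192.168.100.20.
"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
HOSTS = {"A": "192.168.200.10", "B": "192.168.100.20"}  # constructed addresses

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse one entry (numbered or named form) into a dict of match fields."""
    toks = line.split()
    if toks[0] == "access-list":  # numbered form: drop 'access-list 111'
        toks = toks[2:]
    ace, i = {"action": toks[0], "proto": toks[1]}, 2
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif toks[i] == "host":  # 'host A' resolves through HOSTS
            ace[side], i = (HOSTS.get(toks[i + 1], toks[i + 1]), "0.0.0.0"), i + 2
        else:  # network followed by wildcard mask
            ace[side], i = (toks[i], toks[i + 1]), i + 2
        ace[side + "port"] = None
        if i < len(toks) and toks[i] in ("eq", "gt"):
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            ace[side + "port"], i = (toks[i], port), i + 2
    return ace

def port_ok(spec, port):
    """spec is (op, port) from the entry, or None when it names no port."""
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def acl_verdict(aces, pkt):
    """First matching entry wins; no match is the implicit deny at the end."""
    for ace in aces:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        addrs_ok = (wildcard_match(pkt["src"], *ace["src"])
                    and wildcard_match(pkt["dst"], *ace["dst"]))
        ports_ok = ace["proto"] == "ip" or (port_ok(ace["srcport"], pkt["sport"])
                                            and port_ok(ace["dstport"], pkt["dport"]))
        if addrs_ok and ports_ok:
            return ace["action"]
    return "deny"

def build_switch(acls_by_vlan):
    """SVIs for VLANs 1-12, 100 and 200; acls_by_vlan maps vlan -> {'in'/'out': aces}."""
    svis = {v: {"net": ipaddress.ip_network(f"192.168.{v}.0/24")}
            for v in list(range(1, 13)) + [100, 200]}
    for v, acls in acls_by_vlan.items():
        svis[v].update(acls)
    return svis

def forward(svis, pkt):
    """Ingress ACL on the source SVI, then egress ACL on the destination SVI.
    An SVI with no ACL applied in that direction filters nothing."""
    for key, direction in (("src", "in"), ("dst", "out")):
        ip = ipaddress.ip_address(pkt[key])
        svi = next((s for s in svis.values() if ip in s["net"]), {})
        if direction in svi and acl_verdict(svi[direction], pkt) == "deny":
            return "deny"
    return "permit"

def pkt(src, dst, proto="ip", sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

AN_EXAMPLE = [parse_ace(l) for l in (
    "permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255",
    "permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255")]
VLAN_200_IN = [parse_ace(l) for l in (
    "permit tcp host A host B eq www", "deny ip any any")]
VLAN_200_OUT = [parse_ace(l) for l in (
    "permit tcp host B eq www host A gt 1024", "deny ip any any")]

def isolation_verdicts(both_directions):
    """AnExample on SVIs 11 and 12, applied 'in' only or both 'in' and 'out'."""
    acl = {"in": AN_EXAMPLE, "out": AN_EXAMPLE} if both_directions else {"in": AN_EXAMPLE}
    sw = build_switch({11: acl, 12: acl})
    return {"vlan11->vlan12": forward(sw, pkt("192.168.11.10", "192.168.12.10")),
            "vlan11->vlan1": forward(sw, pkt("192.168.11.10", "192.168.1.10")),
            "vlan1->vlan11": forward(sw, pkt("192.168.1.10", "192.168.11.10")),
            "vlan3->vlan5": forward(sw, pkt("192.168.3.10", "192.168.5.10"))}

def http_verdicts():
    """VLAN-200-IN/OUT from the thread; VLAN 100 is left without any ACL."""
    sw = build_switch({200: {"in": VLAN_200_IN, "out": VLAN_200_OUT}})
    a, b = HOSTS["A"], HOSTS["B"]
    return {"A->B:80": forward(sw, pkt(a, b, "tcp", 40000, 80)),
            "B:80->A": forward(sw, pkt(b, a, "tcp", 80, 40000)),
            "A->B:22": forward(sw, pkt(a, b, "tcp", 40000, 22)),
            "B:80->A:1000": forward(sw, pkt(b, a, "tcp", 80, 1000)),
            "B->vlan5": forward(sw, pkt(b, "192.168.5.10", "tcp", 40000, 445))}
```

Comparing isolation_verdicts(False) with isolation_verdicts(True) shows the unidirectional gap discussed above: with AnExample applied only inbound on SVIs 11 and 12, a packet from VLAN 1 to VLAN 11 is never checked, because VLAN 1's SVI carries no ACL and SVI 11 has no outbound one; adding the outbound copy closes it. http_verdicts() confirms the VLAN-200 pair passes only HTTP from A to B and the matching replies to a high port on A, while B can still reach any other VLAN since VLAN 100 has no ACL at all.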