cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10547
Views
0
Helpful
10
Replies

ACL on L3 Switch

avilt
Participant
Participant

I have a L3 Switch 3850 with 12 vlans namely vlan1, vlan2...vlan11, vlan12.

I want unrestricted access among first 10 vlans (vlan1 to vlan10). I will not define any ACL for these vlans.

Vlan 11 and vlan12 should communicate with each other but these two vlans should not communicate with vlan1 to vlan10 (10 vlans).

 

How can I define the ACL's to achieve the above objective?

10 Replies 10

Georg Pauwen
VIP Master VIP Master
VIP Master

Hello,

 

the below should work (additional lines in bold are added for Internet access, if you don't need Internet access, don't configure the lines in bold):

 

access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.255.255
access-list 111 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.255.255
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.255
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.255
access-list 111 permit ip any any

 

interface Vlan 11

ip address 192.168.11.1 255.255.255.0
ip access-group 111 in

 

interface Vlan 12

ip address 192.168.12.1 255.255.255.0
ip access-group 111 in


Assuming 192.168.11.0 belong to vlan 11 and 192.168.12.0 belong to vlan 12, can I achieve using the following ACL?

access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 deny ip any any

access-list 112 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 112 deny ip any any

interface Vlan 11
ip address 192.168.11.1 255.255.255.0
ip access-group 111 in

interface Vlan 12
ip address 192.168.12.1 255.255.255.0
ip access-group 112 in

Reza Sharifi
Hall of Fame Expert Hall of Fame Expert
Hall of Fame Expert

The SVIs for 11 and 12 need to have Inbound ACL to allow communication between them and deny communications to vlan 1-10.

 

 

HTH 

Joseph W. Doherty
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
On VLAN 11; SVI, you block all ingress except with destination of VLAN 12's network, and you block all egress except with source of VLAN 12's network. On VLAN 12, the converse.

That means I need to define ACL in both ingress and egress direction?

Please share some example ACL for SVI on L3 switch

"That means I need to define ACL in both ingress and egress direction?"

Yes, if you want to insure there cannot be any communication. If you only block in or out, unidirectional communication is still possible.

"Please share some example ACL for SVI on L3 switch"

ip access-list extended AnExample
permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

interface Vlan 11
ip address 192.168.11.1 255.255.255.0
ip access-group AnExample in
ip access-group AnExample out

interface Vlan 12
ip address 192.168.12.1 255.255.255.0
ip access-group AnExample in
ip access-group AnExample out

I need to make more restrictive ACL. Consider an example of host A in vlan 200 and host B in vlan 100 and I want to allow http from host A to host B. Is my following ACL setup right?

 

ip access-list extended VLAN-200-IN
permit tcp host A host B eq www
deny ip any any

 

ip access-list extended VLAN-200-OUT
permit tcp host B eq www host A gt 1024
deny ip any any

 

Interface vlan200

ip access-group VLAN-200-IN

ip access-group VLAN-200-OUT

Sure, you can further restrict access.

Understand, HTTP doesn't have to use port 80 and you could continue to use different ACLs for in and out or combine them.

Is my ACL correct if I have to allow http on port 80 as shown above?

"Is my ACL correct if I have to allow http on port 80 as shown above? "

If host B is the HTTP sever, using the port 80, yes, your ACL should block all but that traffic. However, if you're going to also place a port range ACL restriction for host A, you didn't do it for ingress, and I believe you could further restrict the port range. You also didn't implement any ACL for VLAN 100 leaving it wide open, which is contrary to your OP.

BTW, if you had a router, rather than a switch, you could use NBAR to truly restrict access to HTTP (i.e. not just port 80) and/or you might use reflective ACLs to restrict host A to just the port it's using.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: