ACL on L3 vlan

Can you please advise on the following.

We plan to implement an ACL on an L3 VLAN on 6509 switches. I have set up a lab on a 3750 with the output below.

interface Vlan361
 ip address 192.168.1.10 255.255.255.0
 ip access-group test in
interface Vlan362
 ip address 192.168.2.10 255.255.255.0
end

Extended IP access list test
    10 permit ip host 192.168.1.3 host 192.168.2.1 (3 matches)
    50 deny ip any any (143 matches)

After implementing the ACL, 192.168.1.3 can speak to 192.168.2.1; on the other hand, connections initiated from 192.168.2.1 directed to 192.168.1.3 are also working. Is there a way we can implement only one-way traffic using an ACL on L3 VLANs?

6 Replies

cadet alain
VIP Alumni

Hi,

As L3 communication is bidirectional, it won't be possible with a regular ACL.

You'll have to use a reflexive ACL for this, or ZBF, but I don't think the latter is supported on the 6500 series.

Regards.

Alain

Don't forget to rate helpful posts.

John Blakley
VIP Alumni

What are you trying to do? Here's what I see from your acl:

Permit communication from 192.168.1.3 to 192.168.2.1. Deny everything else, but on the VLAN for 192.168.2.0/24 you don't have an access list. If you ping from 192.168.2.1 to 192.168.1.3, you'll still get a response because 192.168.1.3 is allowed to talk to that box. On the other hand, if you were to try to ping from another host, 192.168.2.50, you should get dropped packets from the ACL on your Vlan361 SVI.

HTH, John *** Please rate all useful posts ***

Many thanks for your reply.

Considering the configs below, communication between 192.168.1.3 and 192.168.2.1 is blocked both ways; pings from 192.168.2.1 are blocked as well.

interface Vlan361
 ip address 192.168.1.10 255.255.255.0
 ip access-group test in
interface Vlan362
 ip address 192.168.2.10 255.255.255.0
end

Extended IP access list test
    10 permit ip host 192.168.1.3 host 192.168.2.1 (3 matches)
    50 deny ip any any (143 matches)

Hi,

As I told you before, use a reflexive ACL so that reply traffic will be permitted but not initial traffic from .2.0 to .1.0.

These are supported on the 6500 series.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Cadet,

Many thanks for your update; I will test and let you know how it goes.

Many thanks again, and apologies for not listening before,

Zee

Hi,

I have tried using the extended command; it only works with TCP (tested: it works and allows one-way traffic).

Do we have an example of a reflexive ACL applied on an L3 VLAN that allows traffic originated from 192.168.1.3 to speak to 192.168.2.1?

I cannot test this in my lab as I only have a 3750 in the lab, and reflexive ACLs are not supported on the 3750.

interface Vlan361
 ip address 192.168.1.10 255.255.255.0
 ip access-group test in
interface Vlan362
 ip address 192.168.2.10 255.255.255.0
end

Extended IP access list test
    10 permit ip host 192.168.1.3 host 192.168.2.1 (3 matches)
    50 deny ip any any (143 matches)

Any help is much appreciated.
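The following is an added example, not configuration posted by anyone in this thread, of what the reflexive ACL suggested above looks like on the SVIs, together with the TCP-only `established` variant (assumed here to be the "extended command" the last post refers to). The ACL names OUT-TO-362 and IN-FROM-362 and the reflexive list name ONEWAY are assumptions; the addresses are the ones used in the thread. Both the `reflect` list (outbound) and the `evaluate` list (inbound) are placed on the Vlan362 SVI, so the state lives on one interface in the same way as Cisco's external-interface scenario for reflexive ACLs. Before deploying on the 6509, confirm reflexive ACL support and its hardware-switching behaviour for your Supervisor/PFC combination; that is a point to verify, not a claim about your hardware.

```cisco
! Added example (not from the thread). Names OUT-TO-362, IN-FROM-362 and
! ONEWAY are assumed; addresses are those used in the thread.
!
! 1) Reflexive ACL, any IP protocol. A packet from 192.168.1.3 routed out
!    through Vlan362 toward 192.168.2.1 creates a temporary mirror entry
!    (source/destination and ports swapped) in the reflexive list ONEWAY.
!    The entry expires 300 s after the last matching packet (or on TCP close).
ip access-list extended OUT-TO-362
 permit ip host 192.168.1.3 host 192.168.2.1 reflect ONEWAY timeout 300
 deny ip any any
!
! 2) Inbound on Vlan362: only packets matching a live ONEWAY entry are
!    accepted. Anything 192.168.2.1 initiates toward 192.168.1.3 has no
!    entry yet and hits the deny.
ip access-list extended IN-FROM-362
 evaluate ONEWAY
 deny ip any any
!
interface Vlan362
 ip address 192.168.2.10 255.255.255.0
 ip access-group OUT-TO-362 out
 ip access-group IN-FROM-362 in
!
! 3) TCP-only alternative with a plain extended ACL. 'established' matches
!    TCP segments with the ACK or RST bit set, so only replies to sessions
!    opened from the .1.0 side pass. It does nothing for UDP or ICMP, and a
!    crafted packet with ACK set also matches, which is why the reflexive
!    list above is the stronger choice when the platform supports it.
ip access-list extended IN-FROM-362-TCPONLY
 permit tcp host 192.168.2.1 host 192.168.1.3 established
 deny ip any any
!
! Verification:
!   show ip access-lists ONEWAY        -> temporary entries while a session
!                                         from 192.168.1.3 is active
!   show ip access-lists IN-FROM-362   -> deny counter climbs when 192.168.2.1
!                                         tries to initiate toward 192.168.1.3
```

Two caveats worth checking in the lab before production: protocols that open secondary connections on new ports (active FTP is the usual one) will not have a matching reflexive entry for the second connection, and with `permit ip ... reflect` an ICMP echo from 192.168.2.1 is blocked only because no entry exists for it, so test the exact traffic mix you expect rather than just a ping.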
