ACL - Restrict Specific Network

CMack6
Level 1

Hello Everyone,

I'm new to ACLs and I need some assistance please.  I have attached a simple topology with what I am working with. 

Basically, I have 3 networks, 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.  The two locations are connected via a VPN with a Vlan (Vlan 100) serving as the link between the two L3 switches.  I need to restrict traffic going to Vlan 1 to only be from Vlan 2.  Vlan 3 is not allowed to connect to any devices on Vlan 1. 

I've tried to create an ACL on Switch #1 to restrict the traffic on the outbound interface, but I can't seem to get it right.  Can anyone please advise how I would go about creating this?  

Thank you!!!

11 Replies

If your VPN is IPsec, you can use an access-group under the IPsec map.
Check the example below:

https://popravak.wordpress.com/2011/11/07/cisco-ios-vpn-filter/

My apologies, it's an E-Line that is provided by a third party, not a VPN.  So, no IPsec running on my switches.  

If this is ACL only, look at the example below:

https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen
VIP Alumni

Hello,

Post the configuration you are using that is not working.

You could use PBR and route the desired traffic towards a Null interface:

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map PBR_RM permit 10
 match ip address 101
 set interface null0
!
route-map PBR_RM permit 20
!
interface Vlan 100
 ip policy route-map PBR_RM

Hello!

Thanks for the reply!  Below is the configuration that I was attempting to use.

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface TenGig 1/1/4
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport native vlan 999

I applied the access list to the interface on Switch 1 for outbound traffic. 

I also attempted the following, which I applied in the same fashion to the outbound interface:

ip access-list extended Only-Vlan-2
 permit ip 192.168.2.0 0.0.0.255 any
 deny ip any any

Hello,

--> I applied the access list to the interface on Switch 1 for outbound traffic.

Which interface is that? Post the configuration of that interface.

Sorry, the outbound interface is this one.

interface TenGig 1/1/4
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport native vlan 999

IPv4 ACL Network Interfaces

The following restrictions apply to IPv4 ACLs on network interfaces:

  • When controlling access to an interface, you can use a named or numbered ACL.

  • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.

  • If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.

  • If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.

  • You do not have to enable routing to apply ACLs to Layer 2 interfaces.

You need to apply this on a Layer 3 interface, for example:

config t
(config)# interface vlan X
(config-if)# ip access-group Only-Vlan-2 {in | out}

Whether you use in or out depends on the requirement.

BB


Ah okay!  I'll give that a shot today.  Thanks much!

Okay, I got this working.  Below is the configuration that I did.

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
int vlan 100
 ip address 10.10.10.5 255.255.255.252
 ip access-group 101 out

Thanks for the help everyone!  Greatly appreciate it!
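An added example, not from this thread or any poster: a small Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny at the end), run against the working ACL 101 above and against an alternative ACL that I assume here (deny only Vlan 3 to Vlan 1, then permit everything else). The sample flows are constructed; they show that the single-permit ACL 101 also silently drops every other flow leaving the Vlan 100 SVI, which is worth knowing before more traffic needs to cross the link.

```python
import ipaddress
from typing import Dict, List, Tuple

# Entry layout: (action, source network, source wildcard, dest network, dest wildcard)
AclEntry = Tuple[str, str, str, str, str]
Flow = Tuple[str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL actually compares
    return (a & care) == (n & care)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# ACL 101 exactly as posted in the thread: one permit, everything else implicitly denied.
ACL_101: List[AclEntry] = [
    ("permit", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]

# Assumed alternative (not from the thread): block only Vlan 3 -> Vlan 1, allow the rest.
ACL_DENY_VLAN3: List[AclEntry] = [
    ("deny",   "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Constructed flows that would egress the Vlan 100 SVI on Switch 1.
FLOWS: List[Flow] = [
    ("192.168.2.10", "192.168.1.20"),  # Vlan 2 -> Vlan 1: required to work
    ("192.168.3.10", "192.168.1.20"),  # Vlan 3 -> Vlan 1: must be blocked
    ("192.168.3.10", "10.10.10.6"),    # Vlan 3 -> far-side link address: not in the requirement
]


def compare(acl_a: List[AclEntry], acl_b: List[AclEntry]) -> Dict[Flow, Tuple[str, str]]:
    """Verdict of both ACLs for every sample flow, keyed by (src, dst)."""
    return {f: (evaluate(acl_a, *f), evaluate(acl_b, *f)) for f in FLOWS}


if __name__ == "__main__":
    for (src, dst), (a, b) in compare(ACL_101, ACL_DENY_VLAN3).items():
        print(f"{src} -> {dst}: ACL 101 = {a}, deny-vlan3 ACL = {b}")
```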