Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1281
Views
0
Helpful
11
Replies

ACL - Restrict Specific Network

CMack6
Level 1
Level 1

‎11-08-2022 03:44 AM

Hello Everyone,

I'm new to ACLs and I need some assistance please.  I have attached a simple topology with what I am working with. 

Basically, I have 3 networks, 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.  The two locations are connected via a VPN with a Vlan (Vlan 100) serving as the link between the two L3 switches.  I need to restrict traffic going to Vlan 1 to only be from Vlan 2.  Vlan 3 is not allowed to connect to any devices on Vlan 1. 

I've tried to create an ACL on Switch #1 to restrict the traffic on the outbound interface, but I can't seem to get it right.  Can anyone please advise how I would go about creating this?  

Thank you!!!

Labels:
Basic Topology.pdf
Preview file
58 KB
0 Helpful
11 Replies 11

MHM Cisco World
VIP
VIP

‎11-08-2022 03:54 AM

if your VPN is IPsec you can use access-group under ipsec map 
check below example

https://popravak.wordpress.com/2011/11/07/cisco-ios-vpn-filter/

 

0 Helpful

CMack6
Level 1
Level 1
In response to MHM Cisco World

‎11-08-2022 04:24 AM

My apologies, it's an E-Line that is provided by a third party, not a VPN.  So, no IPsec running on my switches.  

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to CMack6

‎11-08-2022 04:44 AM

if this only ACL look at the below example :

https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

MHM Cisco World
VIP
VIP
In response to CMack6

‎11-08-2022 04:49 AM - edited ‎11-08-2022 08:52 AM

one way ACL 

https://www.geeksforgeeks.org/reflexive-access-list/

 

0 Helpful

Georg Pauwen
VIP
VIP

‎11-08-2022 04:59 AM

Hello,

post the configuration you are using, and that is not working.

You could use PBR and route the desired traffic towards a Null interface:

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map PBR_RM permit 10
match ip address 101
set set interface null0
!
route-map PBR_RM permit 20
!
interface Vlan 100
ip policy route-map PBR_RM

0 Helpful

CMack6
Level 1
Level 1
In response to Georg Pauwen

‎11-09-2022 02:46 AM - edited ‎11-09-2022 02:54 AM

Hello!

Thanks for the reply!  Below is the configuration that I was attempting to use.

 

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

 

interface TenGig 1/1/4

switchport mode trunk

switchport trunk allowed vlan 100

switchport native vlan 999

 

I applied the access list to the interface on Switch 1 for outbound traffic. 

 

I also attempted the following which I applied in the same fashion to the outbound interface:

 

ip access-list extended Only-Vlan-2

            permit 192.168.2.0

            deny any any

0 Helpful

Georg Pauwen
VIP
VIP
In response to CMack6

‎11-09-2022 02:55 AM

Hello,

--> I applied the access list to the interface on Switch 1 for outbound traffic.

Which interface is that ? Post the configuration of that interface.

0 Helpful

CMack6
Level 1
Level 1
In response to Georg Pauwen

‎11-09-2022 02:56 AM

Sorry, the outbound interface is this one.

 

interface TenGig 1/1/4

switchport mode trunk

switchport trunk allowed vlan 100

switchport native vlan 999

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to CMack6

‎11-09-2022 03:36 AM - edited ‎11-09-2022 03:38 AM

IPv4 ACL Network Interfaces

The following restrictions apply to IPv4 ACLs to network interfaces:

  • When controlling access to an interface, you can use a named or numbered ACL.

     

  • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.

     

  • If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.

     

  • If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.

  • You do not have to enable routing to apply ACLs to Layer 2 interfaces.

                                                                              

You need to apply this on Layer 3 interface example :

config t

(config )# interface vlan X

(config) #ip access-group Only-Vlan-2 outbound or inbound depends on requirement

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

CMack6
Level 1
Level 1
In response to balaji.bandi

‎11-09-2022 03:38 AM

Ah okay!  I'll give that a shot today.  Thanks much!

0 Helpful

CMack6
Level 1
Level 1
In response to balaji.bandi

‎11-10-2022 03:41 AM

Okay, I got this working.  Below is the configuration that I did.

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

int vlan 100

ip address 10.10.10.5 255.255.255.252

ip access-group 101 out

 

Thanks for the help everyone!  Greatly appreciate it!

0 Helpful
Top