02-14-2018 09:51 PM - edited 03-08-2019 01:51 PM
Hi,
I have two subnets:
192.168.1.0/24 (VLAN1)
192.168.100.0/24 (VLAN100)
I want to deny VLAN1 from accessing VLAN100.
VLAN100 should NOT have any restriction.
How do I achieve this through an ACL?
Also, where do I apply it?
On the VLAN100 interface only?
Or on all interfaces tagged with VLAN100?
02-14-2018 10:29 PM
Hi,
Create an extended access-list. The first line denies traffic from vlan 1 to vlan 100. The second line allows vlan 1 to talk to everything else.
Apply the access-list to the vlan 1 interface in the inbound direction. We drop the traffic near the source so that we do not waste bandwidth.
e.g.
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
int vlan 1
ip access-group 100 in
Thanks
John
02-14-2018 10:55 PM
It doesn't work.
VLAN1 can still ping VLAN100.
I also tried changing 'in' to 'out'; same thing.
Is there any missing setting I need to add other than this?
02-14-2018 10:59 PM
Hi,
Add protocol icmp to the access-list:
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
02-14-2018 11:28 PM
Still not working.
I can still ping and browse files from VLAN1 to VLAN100.
02-14-2018 11:34 PM - edited 02-14-2018 11:35 PM
Hi,
Can you post your config?
Thanks
02-14-2018 11:49 PM
Here it is.
I removed the unrelated interface configs to make it easier for you.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IDF_SW01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.b1c$nF/WbOa5zwCsUiqHZpLy8/
enable password 7 1116161E0B1223
!
username john privilege 15 secret 5 $1$s4Y9$mIqqahxjzcrsOxf9bz5uR0
aaa new-model
!
!
aaa group server radius NSS
server-private 192.168.1.30 auth-port 1812 acct-port 1813 key 7 03055F0A15061E594F0A26181212190910
!
aaa authentication dot1x default group NSS
aaa authorization network default group NSS
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 4 0
switch 1 provision ws-c2960x-48fps-l
!
!
!
!
!
!
!
!
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-2496250880
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2496250880
revocation-check none
rsakeypair TP-self-signed-2496250880
!
!
crypto pki certificate chain TP-self-signed-2496250880
certificate self-signed 01
quit
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport access vlan 1
switchport mode access
switchport voice vlan 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize vlan 1
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 20
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
interface GigabitEthernet1/0/42
switchport access vlan 100
switchport mode access
switchport voice vlan 2
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
interface GigabitEthernet1/0/49
switchport mode trunk
!
interface GigabitEthernet1/0/50
switchport mode trunk
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
ip access-group 105 in
!
interface Vlan50
ip address 192.168.50.216 255.255.255.0
no ip route-cache
!
interface Vlan100
no ip address
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
tftp-server flash:L
tftp-server flash:c2960x-universalk9-mz.150-2.EX3.bin
snmp-server community C.5dd! RO
!
radius-server dead-criteria tries 3
radius-server retransmit 0
radius-server timeout 4
radius-server deadtime 5
!
radius server NSS
address ipv4 192.168.1.30 auth-port 1812 acct-port 1813
key 7 03055F0A15061E594F0A26181212190910
!
!
!
line con 0
password 7 130413074A1A0D
line vty 0 4
password 7 130413074A1A0D
length 0
line vty 5 15
password 7 130413074A1A0D
!
end
IDF_SW01#
02-14-2018 11:54 PM
Hi,
Do you have a router in your topology? Where is the gateway for vlan 1 and vlan 100?
Thanks
02-14-2018 11:58 PM
It's 192.168.1.1.
It's a 4500 Core.
But both the source computer (VLAN1) and the destination computer (VLAN100) are on the same access switch with the above config.
02-15-2018 05:59 AM
Hi,
You will need to apply the access-list on the SVI (routed interface) for vlan 1. This should be on the 4500 core.
Thanks
John
02-15-2018 06:42 AM
John is correct. The ACL is used to control how packets are routed. So it needs to be applied on the interface where the packets are routed. And in this case that is not on the switch where the users are connected but is on the 4500 switch.
HTH
Rick
02-18-2018 04:04 AM
OK.
Applying the same on the Core did only half of the trick.
It ended up denying both VLANs from accessing each other.
My goal was to deny only VLAN1 from accessing VLAN100.
After researching, I found that I can use 'established' in the ACL.
So I ended up using the below, which did what was required:
IP access list Extended 105
10 permit tcp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 established
20 permit icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
30 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
40 permit ip any any
interface Vlan100
ip access-group 105 in
Any better solutions are welcome.
02-19-2018 12:38 PM
Thank you for posting back to the forum and letting us know that you did find a solution for your requirements. +5 for that. Yes, if your requirements are that one vlan should be able to communicate with the other but that the other vlan should not be able to initiate communication, then you need to permit the response traffic before you deny the other traffic. Using the established parameter is effective for TCP traffic. For things like ICMP or UDP you need permit statements in the ACL for that traffic.
HTH
Rick
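As an added illustration (not code from this thread or from Cisco), the small Python model below evaluates extended access-list 105 top-down the way IOS does, assuming the list is applied inbound on the core's Vlan1 SVI (John's earlier placement), where it only sees packets sourced from VLAN1 hosts. It shows why 'established' permits TCP replies to sessions VLAN100 opened, why 'echo-reply' is needed for ping, and why a UDP reply from VLAN1 still hits the deny line, which is the caveat in Rick's last reply. The packets and ACL entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of extended access-list 105 from the thread:
# (action, protocol, source network, destination network, qualifier).
ACL_105 = [
    ("permit", "tcp",  "192.168.1.0/24", "192.168.100.0/24", "established"),
    ("permit", "icmp", "192.168.1.0/24", "192.168.100.0/24", "echo-reply"),
    ("deny",   "ip",   "192.168.1.0/24", "192.168.100.0/24", None),
    ("permit", "ip",   "0.0.0.0/0",      "0.0.0.0/0",        None),
]

@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""                 # e.g. "echo" or "echo-reply"

def entry_matches(entry, pkt):
    action, proto, src, dst, qual = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    if qual == "established":
        # IOS 'established' matches TCP segments with ACK or RST set, i.e.
        # replies to a session the other side opened. UDP has no flags,
        # so a UDP reply never matches this line.
        return bool(pkt.tcp_flags & {"ACK", "RST"})
    if qual == "echo-reply":
        return pkt.icmp_type == "echo-reply"
    return True

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"

if __name__ == "__main__":
    vlan1, vlan100 = "192.168.1.10", "192.168.100.20"
    print("VLAN1 opens TCP to VLAN100 :", evaluate(ACL_105, Packet("tcp", vlan1, vlan100, frozenset({"SYN"}))))
    print("VLAN1 answers VLAN100's TCP:", evaluate(ACL_105, Packet("tcp", vlan1, vlan100, frozenset({"SYN", "ACK"}))))
    print("VLAN1 pings VLAN100        :", evaluate(ACL_105, Packet("icmp", vlan1, vlan100, icmp_type="echo")))
    print("VLAN1 answers a ping       :", evaluate(ACL_105, Packet("icmp", vlan1, vlan100, icmp_type="echo-reply")))
    print("VLAN1 sends a UDP reply    :", evaluate(ACL_105, Packet("udp", vlan1, vlan100)))
```

Traffic sourced from VLAN100 never passes through this list at all, which is what leaves VLAN100 unrestricted.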