ACL to deny subnet
02-14-2018 09:51 PM - edited 03-08-2019 01:51 PM
Hi,
I have two subnets:
192.168.1.0/24 (VLAN1)
192.168.100.0/24 (VLAN100)
I want to deny VLAN1 from accessing VLAN100.
VLAN100 should NOT have any restriction.
How do I achieve this through an ACL?
Also, where do I apply it?
On the VLAN100 interface only?
Or on all interfaces tagged with VLAN100?
Labels: Other Switching
02-14-2018 10:29 PM
Hi,
Create an extended access-list. The first line denies traffic from vlan 1 to vlan 100. The second line allows vlan 1 to talk to everything else.
Apply the access-list to the vlan 1 interface in the inbound direction. We drop the traffic near the source so that we do not waste bandwidth.
e.g.
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
int vlan 1
 ip access-group 100 in
Thanks
John
02-14-2018 10:55 PM
It doesn't work.
VLAN1 can still ping VLAN100.
I also tried changing 'in' to 'out'; same thing.
Is there any missing setting I need to add other than this?
02-14-2018 10:59 PM
Hi,
Add protocol icmp to the access-list:
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
02-14-2018 11:28 PM
Still not working.
I can still ping and browse files from VLAN1 to VLAN100.
02-14-2018 11:34 PM - edited 02-14-2018 11:35 PM
Hi,
Can you post your config?
Thanks
02-14-2018 11:49 PM
Here it is.
I removed the unrelated interface config to make it easier for you.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IDF_SW01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.b1c$nF/WbOa5zwCsUiqHZpLy8/
enable password 7 1116161E0B1223
!
username john privilege 15 secret 5 $1$s4Y9$mIqqahxjzcrsOxf9bz5uR0
aaa new-model
!
aaa group server radius NSS
 server-private 192.168.1.30 auth-port 1812 acct-port 1813 key 7 03055F0A15061E594F0A26181212190910
!
aaa authentication dot1x default group NSS
aaa authorization network default group NSS
!
aaa session-id common
clock timezone UTC 4 0
switch 1 provision ws-c2960x-48fps-l
!
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-2496250880
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2496250880
 revocation-check none
 rsakeypair TP-self-signed-2496250880
!
crypto pki certificate chain TP-self-signed-2496250880
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343936 32353038 3830301E 170D3136 30333137 31353336
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34393632
  35303838 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B082 ACE12853 D9BA62DC A6BABDA7 6472C406 B1D64515 53A90C13 8EB6E43C
  25C5AD22 EE28516C 9451FBF0 AD1F6348 EA541409 73210A86 97D3CC74 06CBB603
  DEF83E05 8F8D8319 A076D3E5 6563AC9B A05B14B0 C4DE3574 99C657C7 BB74FD7D
  B29E52FF 9DD8971A D19CA698 035AFFCC 7D0E8ABC 54D33047 056D3786 0F7CF111
  53B30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1410B983 614E1C55 A07F3E26 A71A1846 9868E527 D2301D06
  03551D0E 04160414 10B98361 4E1C55A0 7F3E26A7 1A184698 68E527D2 300D0609
  2A864886 F70D0101 05050003 818100A7 41F3B969 99EEEAFD 738F3E23 72DB6BC2
  9D6F1BA7 5765603C 6018D3A5 98C6C064 02B22FCC B1122EB6 A4DE3C36 9D1DADA6
  53DD4BD6 6539403E E673C573 68F98D2B B06E5037 103BF443 58DAE06D 8042BF85
  62353C17 A66AB51E B2931355 6EB7D8C4 913032E5 95953901 D2F1F6DF F858248C
  E70D2129 2257A213 A58369B7 5AF3F1
  	quit
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
!
vlan internal allocation policy ascending
!
class-map match-all AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
 match ip dscp cs3 af31
!
policy-map AutoQoS-Police-CiscoPhone
 class AutoQoS-VoIP-RTP-Trust
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
 class AutoQoS-VoIP-Control-Trust
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport access vlan 1
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 1
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 20
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!
interface GigabitEthernet1/0/42
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!
interface GigabitEthernet1/0/49
 switchport mode trunk
!
interface GigabitEthernet1/0/50
 switchport mode trunk
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 no ip address
 ip access-group 105 in
!
interface Vlan50
 ip address 192.168.50.216 255.255.255.0
 no ip route-cache
!
interface Vlan100
 no ip address
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
tftp-server flash:L
tftp-server flash:c2960x-universalk9-mz.150-2.EX3.bin
snmp-server community C.5dd! RO
!
radius-server dead-criteria tries 3
radius-server retransmit 0
radius-server timeout 4
radius-server deadtime 5
!
radius server NSS
 address ipv4 192.168.1.30 auth-port 1812 acct-port 1813
 key 7 03055F0A15061E594F0A26181212190910
!
line con 0
 password 7 130413074A1A0D
line vty 0 4
 password 7 130413074A1A0D
 length 0
line vty 5 15
 password 7 130413074A1A0D
!
end
IDF_SW01#
02-14-2018 11:54 PM
Hi,
Do you have a router in your topology? Where is the gateway for vlan 1 and vlan 100?
Thanks
02-14-2018 11:58 PM
It's 192.168.1.1.
It's a 4500 Core.
But both the source computer (VLAN1) and the destination computer (VLAN100) are on the same access switch with the above config.
02-15-2018 05:59 AM
Hi,
You will need to apply the access-list on the SVI (routed interface) for vlan 1. This should be on the 4500 core.
Thanks
John
02-15-2018 06:42 AM
John is correct. The ACL is used to control how packets are routed. So it needs to be applied on the interface where the packets are routed. And in this case that is not on the switch where the users are connected but is on the 4500 switch.
HTH
Rick
02-18-2018 04:04 AM
OK.
Applying the same on the Core did only half of the trick.
It ended up denying both VLANs from accessing each other.
My goal was to deny only VLAN1 from accessing VLAN100.
After researching, I found that I can use 'established' in the ACL.
So I ended up using the below, which did what was required:
ip access-list extended 105
 10 permit tcp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 established
 20 permit icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
 30 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 40 permit ip any any
!
interface Vlan100
 ip access-group 105 in
Any better solutions are welcome.
02-19-2018 12:38 PM
Thank you for posting back to the forum and letting us know that you did find a solution for your requirements. +5 for that. Yes, if your requirements are that one vlan should be able to communicate with the other but that the other vlan should not be able to initiate communication, then you need to permit the response traffic before you deny the other traffic. Using the established parameter is effective for TCP traffic. For things like ICMP or UDP you need permit statements in the ACL for that traffic.
HTH
Rick
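The following is an added example for this thread, not code from any of the posts above. It is a small evaluator for Cisco IOS extended ACL semantics (first match wins, wildcard masks, the implicit deny at the end, the stateless 'established' keyword and the ICMP type keywords) and runs the two ACLs from the thread, John's first access-list 100 and the final access-list 105, against a constructed set of packets. The packets and the evaluator are assumptions for the demonstration: only the keywords these two ACLs actually use are modelled (no port matching, no object groups), and every packet is one that would enter the router with a 192.168.1.0/24 source, which is the only direction both ACLs are written for. The side-by-side result shows why access-list 100 broke flows that VLAN100 started (the SYN-ACK and echo-reply from VLAN1 are dropped) and why, as Rick notes, 'established' fixes that for TCP but not for UDP replies.

```python
"""Evaluate Cisco IOS extended ACLs against sample packets (added example).

Models first-match evaluation, wildcard masks, implicit 'deny ip any any',
TCP 'established' (ACK or RST bit set) and the ICMP type keywords used in
the thread. Ports and other ACE options are deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_ack_or_rst: bool = False  # True on every TCP segment except the opening SYN
    icmp_type: str = ""           # "echo" (request) or "echo-reply"


@dataclass
class Entry:
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    options: List[str] = field(default_factory=list)


def _parse_addr(tok: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered ('access-list 100 permit ...') or named-style ('10 permit ...') ACEs."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].lower() == "ip":   # skip the 'ip access-list extended N' header
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                       # drop 'access-list <number>'
        if tok[0].isdigit():
            tok = tok[1:]                       # drop the sequence number
        action, proto = tok[0], tok[1]
        src, src_wild, i = _parse_addr(tok, 2)
        dst, dst_wild, i = _parse_addr(tok, i)
        entries.append(Entry(action, proto, src, src_wild, dst, dst_wild, tok[i:]))
    return entries


def addr_match(addr: str, spec: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (s & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_match(p.src, e.src, e.src_wild) and addr_match(p.dst, e.dst, e.dst_wild)):
        return False
    # 'established' is stateless: it only checks that ACK or RST is set in the TCP header
    if "established" in e.options and not (p.proto == "tcp" and p.tcp_ack_or_rst):
        return False
    icmp_types = [o for o in e.options if o in ("echo", "echo-reply")]
    if icmp_types and p.icmp_type != icmp_types[0]:
        return False
    return True


def evaluate(entries: List[Entry], p: Packet) -> str:
    """First matching entry wins; anything left over hits the implicit deny."""
    for e in entries:
        if entry_matches(e, p):
            return e.action
    return "deny"


ACL_100 = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""
ACL_105 = """
ip access-list extended 105
 10 permit tcp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 established
 20 permit icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
 30 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 40 permit ip any any
"""
# Constructed packets, all as they enter the router from VLAN 1 (source 192.168.1.x)
PACKETS: Dict[str, Packet] = {
    "vlan1 opens tcp to vlan100":     Packet("tcp", "192.168.1.20", "192.168.100.50"),
    "vlan1 syn-ack back to vlan100":  Packet("tcp", "192.168.1.20", "192.168.100.50", tcp_ack_or_rst=True),
    "vlan1 pings vlan100":            Packet("icmp", "192.168.1.20", "192.168.100.50", icmp_type="echo"),
    "vlan1 echo-reply to vlan100":    Packet("icmp", "192.168.1.20", "192.168.100.50", icmp_type="echo-reply"),
    "vlan1 udp dns reply to vlan100": Packet("udp", "192.168.1.30", "192.168.100.50"),
    "vlan1 to internet":              Packet("tcp", "192.168.1.20", "8.8.8.8"),
}


def compare(acls: Dict[str, str], packets: Dict[str, Packet]) -> Dict[str, Dict[str, str]]:
    """Return {packet name: {acl name: action}} so the ACLs can be read side by side."""
    parsed = {name: parse_acl(text) for name, text in acls.items()}
    return {pn: {an: evaluate(es, pkt) for an, es in parsed.items()} for pn, pkt in packets.items()}


if __name__ == "__main__":
    for pkt, v in compare({"acl100": ACL_100, "acl105": ACL_105}, PACKETS).items():
        print(f"{pkt:32} acl100={v['acl100']:7} acl105={v['acl105']}")
```

Two things the output makes concrete. First, both ACLs match on a 192.168.1.0/24 source, so they only do anything on the interface that sees packets arriving from VLAN 1 (inbound on the VLAN 1 SVI, or equivalently outbound on the VLAN 100 SVI); applied where the packets have a 192.168.100.x source, every line except the final permit is dead. Second, 'established' is not connection tracking: it permits any TCP segment with ACK or RST set, regardless of whether a VLAN100 host ever opened that session, so a VLAN1 host can still send crafted ACK segments into VLAN100 and use them to map hosts and open ports. Where that matters, a stateful mechanism (a zone-based or reflexive ACL, or a firewall between the VLANs) is the right tool; the plain ACL here is a traffic-direction policy, not a security boundary.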
