ACL to deny subnet

Fadi Najjar
Level 1

Hi

I have two subnets:

192.168.1.0/24 (VLAN1)

192.168.100.0/24 (VLAN100)

I want to deny VLAN1 from accessing VLAN100.

VLAN100 should NOT have any restriction.

How do I achieve this through an ACL?

Also, where do I apply it?

On the VLAN100 interface only?

Or on all interfaces tagged with VLAN100?

12 Replies

johnd2310
Level 8

Hi,

Create an extended access-list. The first line denies traffic from vlan 1 to vlan 100. The second line allows vlan 1 to talk to everything else.

Apply the access to vlan 1 interface in the inbound direction. We drop the traffic near the source so that we do not waste bandwidth. 

e.g.

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any


int vlan 1
ip access-group 100 in

 

Thanks

John

**Please rate posts you find helpful**

It doesn't work.

VLAN1 can still ping VLAN100.

I also tried changing 'in' to 'out'; same thing.

Is there any missing setting I need to add other than this?

Hi,

 

Add protocol icmp to the access-list:

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

**Please rate posts you find helpful**

Still not working.

I can still ping and browse files from VLAN1 to VLAN100.

Hi,

 

Can you post your config?

 

Thanks

**Please rate posts you find helpful**

Fadi Najjar
Level 1

Here it is.

I removed the unrelated interface config to make it easier for you.

 

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IDF_SW01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.b1c$nF/WbOa5zwCsUiqHZpLy8/
enable password 7 1116161E0B1223
!
username john privilege 15 secret 5 $1$s4Y9$mIqqahxjzcrsOxf9bz5uR0
aaa new-model
!
!
aaa group server radius NSS
 server-private 192.168.1.30 auth-port 1812 acct-port 1813 key 7 03055F0A15061E594F0A26181212190910
!
aaa authentication dot1x default group NSS
aaa authorization network default group NSS
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 4 0
switch 1 provision ws-c2960x-48fps-l
!
!
!
!
!
!
!
!
mls qos map policed-dscp  24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-2496250880
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2496250880
 revocation-check none
 rsakeypair TP-self-signed-2496250880
!
!
crypto pki certificate chain TP-self-signed-2496250880
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343936 32353038 3830301E 170D3136 30333137 31353336
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34393632
  35303838 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B082 ACE12853 D9BA62DC A6BABDA7 6472C406 B1D64515 53A90C13 8EB6E43C
  25C5AD22 EE28516C 9451FBF0 AD1F6348 EA541409 73210A86 97D3CC74 06CBB603
  DEF83E05 8F8D8319 A076D3E5 6563AC9B A05B14B0 C4DE3574 99C657C7 BB74FD7D
  B29E52FF 9DD8971A D19CA698 035AFFCC 7D0E8ABC 54D33047 056D3786 0F7CF111
  53B30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1410B983 614E1C55 A07F3E26 A71A1846 9868E527 D2301D06
  03551D0E 04160414 10B98361 4E1C55A0 7F3E26A7 1A184698 68E527D2 300D0609
  2A864886 F70D0101 05050003 818100A7 41F3B969 99EEEAFD 738F3E23 72DB6BC2
  9D6F1BA7 5765603C 6018D3A5 98C6C064 02B22FCC B1122EB6 A4DE3C36 9D1DADA6
  53DD4BD6 6539403E E673C573 68F98D2B B06E5037 103BF443 58DAE06D 8042BF85
  62353C17 A66AB51E B2931355 6EB7D8C4 913032E5 95953901 D2F1F6DF F858248C
  E70D2129 2257A213 A58369B7 5AF3F1
        quit
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
 match ip dscp cs3  af31
!
policy-map AutoQoS-Police-CiscoPhone
 class AutoQoS-VoIP-RTP-Trust
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
 class AutoQoS-VoIP-Control-Trust
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport access vlan 1
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 1
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 20
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!

interface GigabitEthernet1/0/42
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone

interface GigabitEthernet1/0/49
 switchport mode trunk
!
interface GigabitEthernet1/0/50
 switchport mode trunk
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 no ip address
 ip access-group 105 in
!
interface Vlan50
 ip address 192.168.50.216 255.255.255.0
 no ip route-cache
!
interface Vlan100
 no ip address
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny   icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
tftp-server flash:L
tftp-server flash:c2960x-universalk9-mz.150-2.EX3.bin
snmp-server community C.5dd! RO
!
radius-server dead-criteria tries 3
radius-server retransmit 0
radius-server timeout 4
radius-server deadtime 5
!
radius server NSS
 address ipv4 192.168.1.30 auth-port 1812 acct-port 1813
 key 7 03055F0A15061E594F0A26181212190910
!
!
!
line con 0
 password 7 130413074A1A0D
line vty 0 4
 password 7 130413074A1A0D
 length 0
line vty 5 15
 password 7 130413074A1A0D
!
end

IDF_SW01#

Hi,

 

Do you have a router in your topology? Where is the gateway for vlan 1 and vlan 100?

 

Thanks

**Please rate posts you find helpful**

It's 192.168.1.1.

It's a 4500 Core,
but both the source computer (VLAN1) and the destination computer (VLAN100) are on the same access switch with the above config.

Hi,

 

You will need to apply the access-list on the SVI(routed interface) for vlan 1. This should be on the 4500 core.

 

Thanks

John

**Please rate posts you find helpful**

John is correct. The ACL is used to control how packets are routed. So it needs to be applied on the interface where the packets are routed. And in this case that is not on the switch where the users are connected but is on the 4500 switch.

 

HTH

 

Rick

OK.

Applying the same on the Core did only half of the trick:

it ended up denying both VLANs from accessing each other.

My goal was to deny only VLAN1 from accessing VLAN100.

 

After researching, I found that I can use 'established' in the ACL,

so I ended up using the below, which did what was required.

 

ip access-list extended 105
 10 permit tcp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 established
 20 permit icmp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
 30 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 40 permit ip any any
!
interface Vlan100
 ip access-group 105 in

Any better solutions are welcome.

Thank you for posting back to the forum and letting us know that you did find a solution for your requirements. +5 for that. Yes, if your requirements are that one vlan should be able to communicate with the other but that the other vlan should not be able to initiate communication, then you need to permit the response traffic before you deny the other traffic. Using the established parameter is effective for TCP traffic. For things like ICMP or UDP you need permit statements in the ACL for that traffic.

 

HTH

 

Rick

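The thread's outcome (the first ACL breaks both directions, the 'established' version fixes TCP, and Rick's caveat that UDP still needs its own permit) comes down to how a stateless IOS ACL is evaluated: first matching entry wins, the wildcard mask decides which address bits must match, and "established" only tests the ACK/RST bits of a TCP segment. The following Python model is an added example, not code from the thread or from Cisco. It evaluates the two ACLs discussed above against both halves of a TCP, ICMP and UDP exchange, assuming (as John suggested) that the ACL is applied inbound on the VLAN 1 SVI, so only packets sourced in 192.168.1.0/24 are filtered. The `Packet`, `Ace`, `evaluate` and `*_works` names, and the host addresses 192.168.1.10 / 192.168.100.10, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_ack: bool = False           # ACK or RST bit set; this is all "established" tests
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry, written the way IOS prints it."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: str                        # "192.168.1.0 0.0.0.255" or "any"
    dst: str
    established: bool = False
    icmp_type: Optional[str] = None


def _match_addr(spec: str, ip: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def _match_ace(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
        return False
    if ace.established and not pkt.tcp_ack:   # a bare SYN never matches "established"
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if _match_ace(ace, pkt):
            return ace.action
    return "deny"


V1 = "192.168.1.0 0.0.0.255"
V100 = "192.168.100.0 0.0.0.255"

# John's first suggestion (access-list 100) and Fadi's working ACL 105, as posted.
ACL_100 = [Ace("deny", "ip", V1, V100),
           Ace("permit", "ip", V1, "any")]
ACL_105 = [Ace("permit", "tcp", V1, V100, established=True),
           Ace("permit", "icmp", V1, V100, icmp_type="echo-reply"),
           Ace("deny", "ip", V1, V100),
           Ace("permit", "ip", "any", "any")]


def filter_from_vlan1(acl: List[Ace], pkt: Packet) -> str:
    """Model 'ip access-group <acl> in' on the VLAN 1 SVI: only packets sourced in
    VLAN 1 pass through the ACL; traffic from any other VLAN is not filtered."""
    return evaluate(acl, pkt) if _match_addr(V1, pkt.src) else "permit"


def _exchange_works(acl: List[Ace], request: Packet, reply: Packet) -> bool:
    # A session only works if the request AND the reply get through the filter.
    return filter_from_vlan1(acl, request) == "permit" and filter_from_vlan1(acl, reply) == "permit"


def tcp_session_works(acl: List[Ace], client: str, server: str) -> bool:
    syn = Packet("tcp", client, server)
    syn_ack = Packet("tcp", server, client, tcp_ack=True)
    return _exchange_works(acl, syn, syn_ack)


def ping_works(acl: List[Ace], src: str, dst: str) -> bool:
    echo = Packet("icmp", src, dst, icmp_type="echo")
    reply = Packet("icmp", dst, src, icmp_type="echo-reply")
    return _exchange_works(acl, echo, reply)


def udp_exchange_works(acl: List[Ace], client: str, server: str) -> bool:
    # UDP has no ACK bit, so "established" can never help here.
    return _exchange_works(acl, Packet("udp", client, server), Packet("udp", server, client))


if __name__ == "__main__":
    h1, h100 = "192.168.1.10", "192.168.100.10"   # constructed hosts in each VLAN
    for name, acl in (("ACL 100", ACL_100), ("ACL 105", ACL_105)):
        print(name, "TCP 1->100:", tcp_session_works(acl, h1, h100),
              "TCP 100->1:", tcp_session_works(acl, h100, h1),
              "ping 100->1:", ping_works(acl, h100, h1),
              "UDP 100->1:", udp_exchange_works(acl, h100, h1))
```

Running it shows ACL 100 failing in both directions (the SYN/ACK leaving VLAN 1 is dropped by the deny line), ACL 105 allowing TCP and ping initiated from VLAN 100 while still refusing sessions initiated from VLAN 1, and a UDP request from VLAN 100 whose reply is dropped, which is exactly why Rick notes that UDP needs its own permit entries. The model is deliberately stateless, like the ACL itself; a reflexive ACL or a stateful firewall would track the request instead of inspecting TCP flags.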