11-22-2011 02:44 PM - edited 03-07-2019 03:32 AM
Hi,
I would like to know how we can block some IP subnets from talking to other IP subnets on the same 6513 box.
I used an ACL to do this, but it does not seem to work: I can still ping the machine on the IP subnet that I want to filter.
In summary, this is what I have done:
-----------------------------------------------
ACL :-
ip access-list extended 110
remark Deny OLD Data Subs to NEW data subnet
deny ip 10.49.0.0 0.0.15.255 any
deny ip 10.49.16.0 0.0.3.255 any
deny ip 10.49.20.0 0.0.0.255 any
deny ip 10.49.88.0 0.0.3.255 any
permit ip any any
One of the new IP subnets:
interface Vlan600
description Data 600
ip address 10.136.20.252 255.255.255.0
ip access-group 110 in
ip helper-address 10.44.144.1
no ip redirects
no ip proxy-arp
no ip mroute-cache
standby 22 ip 10.136.20.254
standby 22 priority 105
standby 22 preempt
Old IP subnet:
interface Vlan102
description Data 102
ip address 10.49.2.2 255.255.255.0
ip helper-address 10.49.30.11
ip directed-broadcast 108
no ip proxy-arp
no ip mroute-cache
------------------------------------------------
The test was done by pinging from a host on VLAN 102 to the HSRP IP of 10.136.20.254, and it is still pingable, BUT the aim is that the OLD IP subnet should not be able to talk to the NEW IP subnet.
One thing that I could have done is to put the ACL on the outbound as well, but I don't think that this would solve the issue.
I would like to know how I can block the old ACL to the new ACL on the same 6513 device.
Cheers,
- SN -
11-23-2011 12:58 AM
Hi,
If you apply this ACL on Vlan 600 it must be outbound, but a ping from VLAN 102 will still succeed because
10.49.2.2 doesn't match any of the deny statements, so it will hit the permit all.
Regards.
Alain
11-23-2011 04:29 AM
Hi Sanjay,
Try the below; it should help you...
ip access-list extended Vlan600
deny ip any 10.49.2.0 0.0.0.255
permit ip any any
ip access-list extended Vlan102
deny ip any 10.136.20.0 0.0.0.255
permit ip any any
interface Vlan600
ip access-group Vlan600 in
interface Vlan102
ip access-group Vlan102 in
Please rate the helpful posts.
Regards,
Naidu.
11-23-2011 04:57 PM
Hi Alain,
The IP 10.49.2.2 falls under this range: ** deny ip 10.49.0.0 0.0.15.255 any ** of the ACL.
ip access-list extended 110
remark Deny OLD Data Subs to NEW data subnet
deny ip 10.49.0.0 0.0.15.255 any <<< -----
deny ip 10.49.16.0 0.0.3.255 any
deny ip 10.49.20.0 0.0.0.255 any
deny ip 10.49.88.0 0.0.3.255 any
permit ip any any
So it should be denying this IP from getting from Vlan102 to Vlan 600. The reason why I applied this inbound is so that traffic does not reach Vlan600 from the IP subnets stated in ACL 110, including VLAN 102. As I am denying based on IP, ICMP should be denied from entering the interface of Vlan600.
Hi Naidu,
Since I have created new SVIs here (VLAN 600 and above), the customer wanted me to apply this on the newly created SVIs. The right way would be to have the ACL as close to the source IP as possible. So this is the reason why I do not have any ACLs on VLAN 102.
As the 6500 is an L3 switch, has this got anything to do with L3 switching? I.e., the flows are registered in the CEF table and thus not being denied? Not too sure, but it seems a bit strange to me as to why the ACL is not working.
Any help would be greatly appreciated.
Many thanks.
Cheers,
- SN -
11-24-2011 02:34 AM
Hi,
The IP 10.49.2.2 falls under this range: ** deny ip 10.49.0.0 0.0.15.255 any ** of the ACL.
Yes, of course, but the ACL is applied inbound on the VLAN 600 interface, and on this interface inbound traffic can only have a VLAN 600 source IP address, so in the 10.136.20.0/24 subnet. So there is no match in any of the deny entries, and there is one for the explicit permit all you configured.
If you want these subnets not to communicate with the VLAN 600 subnet, you can do this:
ip access-list extended 110
remark Deny OLD Data Subs to NEW data subnet
deny ip 10.136.20.0 0.0.0.255 10.49.0.0 0.0.15.255
deny ip 10.136.20.0 0.0.0.255 10.49.16.0 0.0.3.255
deny ip 10.136.20.0 0.0.0.255 10.49.20.0 0.0.0.255
deny ip 10.136.20.0 0.0.0.255 10.49.88.0 0.0.3.255
permit ip any any
int Vlan600
ip access-group 110 in
Regards.
Alain
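To make the direction point in the replies concrete, here is an added example that is not from the thread: a small Python model of first-match IOS ACL evaluation with wildcard masks on traffic routed between two SVIs. It uses constructed host addresses (10.49.2.10 on VLAN 102, 10.136.20.10 on VLAN 600) and models host-to-host flows only, not a ping answered by the switch's own HSRP address.

```python
import ipaddress

# Constructed model of IOS ACL evaluation on SVIs (added example, not from the
# thread). Entry: (action, (src_net, src_wildcard), (dst_net, dst_wildcard)).
ANY = ("0.0.0.0", "255.255.255.255")
OLD = [("10.49.0.0", "0.0.15.255"), ("10.49.16.0", "0.0.3.255"),
       ("10.49.20.0", "0.0.0.255"), ("10.49.88.0", "0.0.3.255")]
NEW = ("10.136.20.0", "0.0.0.255")

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def acl_permits(acl, src, dst):
    """First match wins; the implicit deny at the end drops anything unmatched."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

def routed(acls, src, dst, in_vlan, out_vlan):
    """A packet routed between SVIs meets only the ingress SVI's 'in' ACL and
    the egress SVI's 'out' ACL; acls = {(vlan, direction): entries}."""
    for key in ((in_vlan, "in"), (out_vlan, "out")):
        if key in acls and not acl_permits(acls[key], src, dst):
            return False
    return True

ACL_110 = [("deny", o, ANY) for o in OLD] + [("permit", ANY, ANY)]  # as first posted
ACL_110_ALAIN = [("deny", NEW, o) for o in OLD] + [("permit", ANY, ANY)]  # Alain's rewrite
ACL_VLAN102 = [("deny", ANY, NEW), ("permit", ANY, ANY)]  # Naidu's ACL for Vlan102
OLD_HOST, NEW_HOST = "10.49.2.10", "10.136.20.10"  # constructed hosts on VLAN 102 / 600
V102_TO_V600 = (OLD_HOST, NEW_HOST, "Vlan102", "Vlan600")

def original_placement():
    """ACL 110 'in' on Vlan600 never sees a packet that entered on Vlan102."""
    return routed({("Vlan600", "in"): ACL_110}, *V102_TO_V600)
def acl110_out_on_vlan600():
    """The same ACL 'out' on Vlan600 is on the path and drops the request."""
    return routed({("Vlan600", "out"): ACL_110}, *V102_TO_V600)
def alain_in_on_vlan600():
    """Alain's ACL 'in' on Vlan600 passes the request but drops the reply."""
    acls = {("Vlan600", "in"): ACL_110_ALAIN}
    return (routed(acls, *V102_TO_V600),
            routed(acls, NEW_HOST, OLD_HOST, "Vlan600", "Vlan102"))

def naidu_in_on_vlan102():
    """Filtering at the source SVI drops the request before it is routed."""
    return routed({("Vlan102", "in"): ACL_VLAN102}, *V102_TO_V600)
```

The first function returning True is the thread's symptom: the ping is forwarded because the ACL was placed where the offending source addresses can never appear.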
11-27-2011 06:06 PM
Hi Alain,
Thanks. Since I need to enter this ACL on all floors, I guess using a standard ACL would be a better option as I then can apply this ACL on all floors.
So I would be better off using a standard ACL.
ip access-list standard 90
remark Deny OLD Data Subs to NEW data subnet
deny 10.49.0.0 0.0.15.255
deny 10.49.16.0 0.0.3.255
deny 10.49.20.0 0.0.0.255
deny 10.49.88.0 0.0.3.255
permit any
One of the new IP subnets:
interface Vlan600
description Data 600
ip address 10.136.20.252 255.255.255.0
ip access-group 90 in <<<---
ip helper-address 10.44.144.1
no ip redirects
This way I can use the same ACL on all the SVIs.
Thank you.
Cheers,
- sn -
11-30-2011 08:16 PM
On the same note, I believe that instead of having the ACL on the inbound interface only, it should also be applied to the outbound interface to prevent unnecessary traffic flowing in the backplane.
ip access-list standard 90
remark Deny OLD Data Subs to NEW data subnet
deny 10.49.0.0 0.0.15.255
deny 10.49.16.0 0.0.3.255
deny 10.49.20.0 0.0.0.255
deny 10.49.88.0 0.0.3.255
permit any
One of the new IP subnets:
interface Vlan600
description Data 600
ip address 10.136.20.252 255.255.255.0
ip access-group 90 in
ip access-group 90 out <<<---
ip helper-address 10.44.144.1
no ip redirects
Cheers,
- SN -
11-30-2011 10:42 PM
If you want to isolate the subnets completely, the better option is to put them in different VRFs:
regards,
Leo