08-08-2023 03:45 PM
So this all takes place on a Catalyst 9200 Layer 3 switch, where VLANs have virtual interfaces (SVIs). I have several networks of 10.1.x.x that are our main data subnets (VLANs 25, 26, 29, 30). There is a lab network (VLAN 20) at 172.16.20.0/24 that I want the other networks to be able to access or initiate connections to, but not vice-versa from the lab network out to the others. For example, I didn't want to enable pinging and RDP sessions from the VLAN 20 network to the others, but vice-versa is okay. I tried setting up some ACLs but they don't seem to be doing what I want:
Extended IP access list established_tcp
10 permit tcp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 established
20 deny tcp 172.16.20.0 0.0.0.255 10.1.0.0 0.0.255.255
30 permit ip any any
Extended IP access list icmp_across_vlan
10 permit icmp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 echo
20 permit icmp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 echo-reply
25 deny icmp 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255 (10 matches)
30 permit ip any any
Then I went into the config for the SVI 'int vlan 20' and entered
ip access-group established_tcp in
ip access-group icmp_across_vlan in
But this prevents pings from either side, not just from the Vlan 20 side. Also, somehow RDP sessions still are able to work even from the Vlan 20 when they're not supposed to. Not sure what's wrong here. I even tried modifying the second line in the first ACL to be '20 deny tcp 172.16.20.0 0.0.0.255 10.1.0.0 0.0.255.255 eq 3389' to explicitly specify RDP (although I want to cover all TCP), and it still didn't block it.
Any ideas for this?
08-10-2023 06:59 AM
I actually figured it out using these simple commands
Extended IP access list est_tcp
10 permit tcp any any established
20 permit icmp any any echo-reply
and then putting that on int vlan 20 in
08-08-2023 05:58 PM
I would try something simpler like
ip access-list extended Lab
deny ip any 172.16.20.0 0.0.0.255
permit ip any any
interface vlan 25, 26, 29, 30 (do it for every VLAN)
ip access-group Lab in
08-10-2023 08:22 AM
Correct, because "established" is a TCP protocol option, and ping is ICMP.
Possibly, if your device supports, the next "level" of ACL to ("better") support your requirement, might be, Cisco's Reflexive ACL.
08-16-2023 07:56 AM - edited 08-16-2023 07:58 AM
By the way, would you know how to make that 172.16.20.0 VLAN 20 network able to get an address via DHCP from a server in the 10.1.26.0 subnet, given this access list? I set up a dhcp relay and moved the dhcp server to 10.1.26.5 rather than using the built in switch dhcp that has worked thus far (basically to make it easier to manage).
I added a '30 permit udp 172.16.20.0 0.0.0.255 10.1.26.0 0.0.0.255 eq 67 68' (also one for the other way around), but now even internet access is blocked for VLAN 20, whereas it wasn't before. The only deny is the implicit deny at the end of the ACL. Also, when I just use the built-in DHCP server on the Catalyst switch itself, it doesn't have this problem.
I added an 'ip helper-address 10.1.26.5' line. But it only works when I take that ACL down entirely. Not sure why it's still blocking it.
08-16-2023 08:55 AM
A helper "repackages" the DHCP request. Off-the-top-of-my-head I don't recall all the details. You might search for that info or try logging on an explicit, and last, ACE denying all.
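Everything reported in this thread can be reproduced by modelling how the switch evaluates an extended ACL. The block below is an added example written for this page; it is not Cisco code and not anyone's running config. It parses the ACEs quoted above and evaluates them the way IOS does for a list applied "in" on int vlan 20. Two facts drive the results: an inbound ACL on the VLAN 20 SVI only ever sees packets sourced by lab hosts, so every ACE with a 10.1.x.x source is dead there; and an interface takes exactly one inbound ACL, so the second "ip access-group ... in" replaced established_tcp with icmp_across_vlan, which is why RDP from the lab kept working (permit ip any any) while echo-replies from the lab were dropped (the 172.16.0.0/16 deny), so pings failed in both directions. The packets, the "permit udp any eq 68 any eq 67" ACE and the test addresses are constructed for the example, not taken from the thread.

```python
"""Model of Cisco IOS extended-ACL evaluation, added for this thread; not Cisco
code and not any poster's running config.  Covers only what the thread uses:
wildcard masks, 'any', ip/tcp/udp/icmp, 'eq' port lists, 'established' (TCP
segment with ACK or RST set), ICMP echo/echo-reply, first match, implicit deny."""
import ipaddress
from collections import namedtuple
# flags = TCP flags such as {"SYN", "ACK"}; icmp_type = "echo" or "echo-reply"
Packet = namedtuple("Packet", "proto src dst sport dport flags icmp_type",
                    defaults=(0, 0, frozenset(), ""))
# src/dst: "any" or (network, wildcard); sports/dports: None = any port;
# icmp_type: None = any ICMP type
ACE = namedtuple("ACE", "action proto src sports dst dports established icmp_type")

def parse_ace(line):
    """Parse one ACE in 'show access-lists' / config syntax."""
    tok = line.split()
    if tok[0].isdigit():        # sequence number; position in the list is what matters
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take_endpoint():
        nonlocal rest
        if rest[0] == "any":
            spec, rest = "any", rest[1:]
        else:
            spec, rest = (rest[0], rest[1]), rest[2:]
        ports = None
        if rest and rest[0] == "eq":     # 'eq 67 68' lists several ports
            ports, rest = set(), rest[1:]
            while rest and rest[0].isdigit():
                ports.add(int(rest[0]))
                rest = rest[1:]
        return spec, ports
    src, sports = take_endpoint()
    dst, dports = take_endpoint()
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return ACE(action, proto, src, sports, dst, dports, "established" in rest, icmp_type)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def addr_matches(spec, ip):
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wild    # a wildcard bit set to 1 means "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ net) & care == 0

def ace_matches(ace, p):
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if not addr_matches(ace.src, p.src) or not addr_matches(ace.dst, p.dst):
        return False
    if ace.sports is not None and p.sport not in ace.sports:
        return False
    if ace.dports is not None and p.dport not in ace.dports:
        return False
    if ace.established and not (p.flags & {"ACK", "RST"}):
        return False
    return ace.icmp_type is None or ace.icmp_type == p.icmp_type

def evaluate(acl, p):
    for ace in acl:             # first matching ACE wins
        if ace_matches(ace, p):
            return ace.action
    return "deny"               # implicit deny at the end of every ACL

# ACLs quoted from the thread: the OP's two lists, the accepted solution and
# the 'Lab' list from the first reply.
ESTABLISHED_TCP = parse_acl("""
10 permit tcp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 established
20 deny tcp 172.16.20.0 0.0.0.255 10.1.0.0 0.0.255.255
30 permit ip any any""")
ICMP_ACROSS_VLAN = parse_acl("""
10 permit icmp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 echo
20 permit icmp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 echo-reply
25 deny icmp 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255
30 permit ip any any""")
EST_TCP = parse_acl("""
10 permit tcp any any established
20 permit icmp any any echo-reply""")
LAB = parse_acl("deny ip any 172.16.20.0 0.0.0.255\npermit ip any any")
# The OP's DHCP ACE, and an assumed fix that matches what a lease-less client
# really sends: src 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67.
EST_TCP_OP_DHCP = EST_TCP + parse_acl("30 permit udp 172.16.20.0 0.0.0.255 10.1.26.0 0.0.0.255 eq 67 68")
EST_TCP_BOOTP = EST_TCP + parse_acl("30 permit udp any eq 68 any eq 67")

# Constructed packets.  Inbound on 'int vlan 20' the ACL only ever sees
# lab-sourced traffic; DATA_RDP_SYN is what a data SVI sees inbound instead.
LAB_ECHO = Packet("icmp", "172.16.20.10", "10.1.25.10", icmp_type="echo")
LAB_ECHO_REPLY = Packet("icmp", "172.16.20.10", "10.1.25.10", icmp_type="echo-reply")
LAB_RDP_SYN = Packet("tcp", "172.16.20.10", "10.1.25.10", 50000, 3389, {"SYN"})
LAB_RDP_SYNACK = Packet("tcp", "172.16.20.10", "10.1.25.10", 3389, 50000, {"SYN", "ACK"})
LAB_SPOOFED_ACK = Packet("tcp", "172.16.20.10", "10.1.25.10", 50000, 3389, {"ACK"})
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
DATA_RDP_SYN = Packet("tcp", "10.1.25.10", "172.16.20.10", 50000, 3389, {"SYN"})
```

Running evaluate() over these shows the thread's outcomes: under icmp_across_vlan the lab's echo-reply is denied and its RDP SYN is permitted; under established_tcp, had it stayed applied, line 20 would also have dropped the lab's SYN-ACK and so broken RDP from the data VLANs into the lab; under est_tcp the lab SYN falls to the implicit deny while the SYN-ACK and echo-reply pass. Three caveats worth keeping in mind. First, "established" is stateless: any segment from the lab with ACK or RST set is permitted (LAB_SPOOFED_ACK), so no handshake completes but ACK probing and scanning of the data VLANs are not prevented; that is what the Reflexive ACL suggestion above addresses. Second, the Lab list from the first reply, applied inbound on the data SVIs, denies 10.1.x.x hosts reaching 172.16.20.0/24, which is the direction the OP wanted to allow (DATA_RDP_SYN is denied). Third, the inbound ACL sees a DHCPDISCOVER before the helper rewrites it, as 0.0.0.0 to 255.255.255.255 on UDP 68 to 67, so the ACE with a 172.16.20.0/24 source never matches it, while a permit for UDP 68 to 67 does; the model does not cover the reported loss of internet access, which the thread gives no config to reproduce.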