Block Access with ACL

buystrobby
Level 1

Hello,

I want to block traffic from VLAN1 to VLAN2, but I need VLAN2 to be able to make a connection to VLAN1.

How do I do this?

Thanks for the help!


8 Replies

Jon Marshall
Hall of Fame

Depends on what equipment you have.

The problem you have is that if you block traffic one way you also block the return traffic in the same direction.

If it is just TCP then you can use the "established" keyword in your acl which most devices will support.

If you need it for UDP as well then there is no such keyword and you then either need -

1) reflexive acls but if you are using an L3 switch there is a good chance they won't be supported.

Some L3 switches do though, and routers do, so as I say it comes down to your equipment.

2) a stateful firewall will also allow you to do what you want.

So what device are you trying to do this on?

By the way this post has turned up twice on the forum, can you delete the other one so any answers can be given in here?

Jon

I'm using an L3 switch.

At this moment I'm trying this out on VLAN10 with VLAN99.

This is my config:

interface Vlan10
 ip address 172.16.10.1 255.255.254.0
 ip access-group BLOCK_VLAN10 in
 ip access-group VLAN_99 out
!
interface Vlan20
 ip address 172.16.20.1 255.255.254.0
 ip access-group BLOCK_VLAN20 in
!
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
 ip access-group BLOCK_VLAN30 in
!
interface Vlan40
 ip address 172.16.40.1 255.255.255.0
 ip access-group BLOCK_VLAN40 in
!
interface Vlan99
 ip address 172.16.99.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip flow-export version 9
!
!
ip access-list extended BLOCK_VLAN10
 deny ip any 172.16.20.0 0.0.1.255
 deny ip any 172.16.30.0 0.0.0.255
 deny ip any 172.16.40.0 0.0.0.255
 permit ip any any
ip access-list extended BLOCK_VLAN20
 deny ip any 172.16.10.0 0.0.1.255
 deny ip any 172.16.30.0 0.0.0.255
 deny ip any 172.16.40.0 0.0.0.255
 permit ip any any
ip access-list extended BLOCK_VLAN30
 deny ip any 172.16.10.0 0.0.1.255
 deny ip any 172.16.20.0 0.0.1.255
 deny ip any 172.16.40.0 0.0.0.255
 permit ip any any
ip access-list extended BLOCK_VLAN40
 deny ip any 172.16.10.0 0.0.1.255
 deny ip any 172.16.20.0 0.0.1.255
 deny ip any 172.16.30.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN_99
 permit ip 172.16.99.0 0.0.0.255 any
 deny ip 172.16.10.0 0.0.1.255 172.16.99.0 0.0.0.255

Okay the acls applied inbound stop communication between vlans 10, 20, 30 and 40.

The acl for VLAN_99 applied to vlan 10 -

the first line allows vlan 99 devices to connect to vlan 10 devices.

The second line does nothing because that acl is applied outbound and the source IPs will never be from vlan 10.

So vlan 99 should be able to talk to vlan 10 and get the return traffic.

If what you want is for vlan 99 to be able to talk to vlan 10 but not for vlan 10 to be able to initiate a connection to vlan 99 but still send return traffic to a vlan 99 device then see my original post as to what you need.

So can you clarify exactly which vlans you are trying to do this for, is it for TCP and UDP, and what model of switch you have?

Jon

I'm using a 3560 switch.

VLAN10 is the VLAN for the students, they only need to access the internet.

VLAN99 is my management VLAN and I do not want the students to be able to access my management (switches and routers). But when there is a problem, I need to access that VLAN10.

Is it just enough to block TCP requests for telnet and FTP then?

Or do I need your option 2 and block it through a firewall?

Unfortunately 3560s don't support reflexive acls.

So the issue is if you block vlan 10 to vlan 99 which makes sense in your setup you also block access from vlan 99 to vlan 10 because the return traffic from vlan 10 to vlan 99 is blocked by your acl.

You can however block vlan 10 from initiating connections to vlan 99 on specific ports and still allow return traffic because the return traffic would be to a random source port.

So you may be able to achieve most of what you want depending on what you need.

Can you clarify -

1) what do you specifically need to block in terms of access from vlan 10 to vlan 99 ie. what services/applications

2) when you say from vlan 99 access vlan 10 what application(s) would you do this with eg. RDP for the desktops etc.

We may be able to come up with a useable acl that will work and you can see if it does everything you need.

Otherwise, yes, you need some sort of stateful device.

Jon

1: They may not be able to do a telnet session to a switch or try to make a connection via FTP to a server. Also an RDP session must be excluded.

But if I block this, can I still make an RDP session to them?

Yes you can still make an RDP connection to them because the ports are different ie.

vlan 10 to vlan 99 RDP connection -

source port = random, destination port = TCP/UDP 3389

you block that with your inbound acl on vlan 10

vlan 99 to vlan 10 RDP connection -

source port = random, destination port = TCP/UDP 3389

the acl that blocks 3389 from vlan 10 does not block the return traffic because when the traffic is sent back from vlan 10 the destination port is now the random port and you are allowing that.

So modify your BLOCK_VLAN10 acl ie.

you still need the first 4 lines but then before the "permit ip any any" add these lines -

deny tcp any 172.16.99.0 0.0.0.255 eq 20
deny tcp any 172.16.99.0 0.0.0.255 eq 21
deny tcp any 172.16.99.0 0.0.0.255 eq 23
deny tcp any 172.16.99.0 0.0.0.255 eq 3389
deny udp any 172.16.99.0 0.0.0.255 eq 3389

then finish with -

permit ip any any

What the above will do is stop vlan 10 clients making FTP, telnet or RDP connections to vlan 99.

It will allow return traffic from RDP connections initiated from vlan 99.

Note I have included both TCP and UDP for RDP, not sure whether you need both, up to you.

But it is important to note it will also allow any other connections to vlan 99 that have not been explicitly denied so if you have other services/applications in vlan 99 that you want to block from vlan 10 you need to add lines for those as well.

It is not as secure as a stateful firewall setup but it may do what you need.

You don't need the VLAN_99 acl because it is not doing anything for you.

Try out the above and let me know how you get on or if you need any more help.

I am logging off now but I'll check in later today to see how you got on.

Jon
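To check Jon's reasoning about why the amended BLOCK_VLAN10 stops student-initiated RDP yet still passes the replies to a session an admin starts from vlan 99, and why the "established" keyword from his first reply covers only TCP, here is an added example (not from the thread and not Cisco IOS code): a small Python evaluator for the thread's ACL syntax run over constructed packets. The 172.16.10.50 and 172.16.99.5 hosts, the ports and the ESTABLISHED_ONLY ACL are assumptions.

```python
import ipaddress
from collections import namedtuple
# Constructed example: a tiny evaluator for Cisco-style extended ACL lines, enough to
# trace the thread's ACLs. Not IOS code; source-port 'eq' matches are not supported.
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def _net(tok):
    """Consume 'any' or 'A.B.C.D wildcard' from the token list; wildcard = hostmask."""
    t = tok.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if t == "any" else f"{t}/{tok.pop(0)}", strict=False)

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _net(tok), _net(tok)
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        rules.append((action == "permit", proto, src, dst, dport, "established" in tok))
    return rules

def evaluate(rules, p):
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    for permit, proto, src, dst, dport, est in rules:
        if (proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in src and ipaddress.ip_address(p.dst) in dst
                and (dport is None or p.dport == dport)
                and (not est or (p.proto == "tcp" and p.ack))):  # established = ACK/RST set
            return "permit" if permit else "deny"
    return "deny"
# BLOCK_VLAN10 as amended in Jon's accepted answer (applied inbound on Vlan10).
BLOCK_VLAN10 = parse_acl("""
deny ip any 172.16.20.0 0.0.1.255
deny ip any 172.16.30.0 0.0.0.255
deny ip any 172.16.40.0 0.0.0.255
deny tcp any 172.16.99.0 0.0.0.255 eq 20
deny tcp any 172.16.99.0 0.0.0.255 eq 21
deny tcp any 172.16.99.0 0.0.0.255 eq 23
deny tcp any 172.16.99.0 0.0.0.255 eq 3389
deny udp any 172.16.99.0 0.0.0.255 eq 3389
permit ip any any""")
# Constructed TCP-only variant using the 'established' keyword from Jon's first reply.
ESTABLISHED_ONLY = parse_acl("""
permit tcp any 172.16.99.0 0.0.0.255 established
deny ip any 172.16.99.0 0.0.0.255
permit ip any any""")
# Constructed packets as they arrive inbound on Vlan10 (addresses from the posted config).
RDP_FROM_STUDENT = Packet("tcp", "172.16.10.50", 51000, "172.16.99.5", 3389)
RDP_REPLY_TO_ADMIN = Packet("tcp", "172.16.10.50", 3389, "172.16.99.5", 51000, ack=True)
SSH_FROM_STUDENT = Packet("tcp", "172.16.10.50", 51001, "172.16.99.5", 22)
```

The SSH packet shows the gap Jon points out: any port not explicitly denied still reaches vlan 99 under BLOCK_VLAN10, while the established-only variant drops it but would also drop UDP replies.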

Jon,

Thanks for your help!

At the moment, this will do the trick for me.

 
