Block traffic between two vlans on a Cat3560C + Internet Access

John Peterson
Level 1

Hi,

I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M, Version 12.2(55)EX2.

The switch has VLAN 1 and VLAN 50 configured; VLAN 50 should have access to a limited number of hosts in VLAN 1.

The following ACL has been applied inbound on VLAN 50:

10 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445
20 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445
25 permit icmp 10.16.30.0 0.0.0.255 host 192.168.1.243
26 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254
30 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254
40 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255
50 permit udp any any eq bootps
60 permit udp any any eq bootpc
70 permit udp 10.16.30.0 0.0.0.255 any eq domain
80 permit tcp 10.16.30.0 0.0.0.255 any eq domain
90 permit tcp 10.16.30.0 0.0.0.255 any eq www
95 permit tcp 10.16.30.0 0.0.0.255 any eq 443
100 permit icmp 10.16.30.0 0.0.0.255 any

I'm sure the above would work, but for some reason some of the packet counters are not incrementing even though the traffic is being blocked. I would like to see the counters increment.

Also, I gather that I may need to use a VACL; would this be the case?

Thanks

Accepted Solution

Hi John,

AA* When I read your reply at the point of: "traffic enters VLAN 50 from VLAN 1, therefore as the ACL is inbound it should apply."

No, this is incorrect. Do not think in terms of "traffic being sent into VLAN 50". This is one of the most common mistakes people make when trying to understand multilayer switching, SVIs and ACL directions. Think in terms of interfaces. Traffic is inbound to an interface if it is being received by that interface. Traffic is outbound from an interface if it is being sent out that interface.

As to your network: You have interface VLAN 1, which is the first one that receives traffic from the internet destined to some other VLAN, so the traffic is inbound on this interface. Afterwards, the switch determines that the destination is reachable in VLAN 50 and sends the traffic out the interface VLAN 50, consulting the outbound ACL if there is any. Even though this traffic, from the viewpoint of the entire VLAN 50, enters this VLAN, it is nonetheless sent out the interface VLAN 50. Do not let yourself be confused here - traffic entering VLAN 50 is outbound from interface VLAN 50!

AB* I would see this as inbound to VLAN 1 and then, when routed, also inbound to VLAN 50 and then outbound to VLAN 50.

Again, this is incorrect. Such traffic is only inbound to interface VLAN 1 and outbound to interface VLAN 50. No other combinations are valid.

I guess I need to think of the ACL as being applied to a physical/sub interface, not an SVI.

You should definitely think of these ACLs as being applied to physical/sub interfaces - but SVIs work in the same way and treat the traffic and its directions identically to physical interfaces!

Please consider the following picture:

Here, you have two VLANs and their corresponding SVIs. If traffic flows from VLAN1 into VLAN50, it will be inspected by inbound ACL on interface VLAN1 and by outbound ACL on interface VLAN50. It's as simple as that. Nothing more will take place here.

Best regards,

Peter

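The direction mapping Peter describes, written out as a configuration example. This is an added illustration, not configuration from the thread or from Cisco: the ACL names VLAN50-IN and VLAN50-OUT, the use of named ACLs, and the SVI addresses 192.168.15.254 and 10.16.30.254 are assumptions (the two addresses appear only as "gateway" hosts in John's ACL); the subnets and permitted host are the ones John's ACL uses. The point it shows is that the ACL John posted only ever sees packets sourced in VLAN 50, because "in" on interface Vlan50 means received by that SVI; anything arriving from VLAN 1 or the Internet is matched by the "out" ACL on Vlan50, so that is where the reverse direction has to be controlled.

```cisco
! Added example, not from the original thread. ACL names and SVI addresses are assumed.
!
! "in" on interface Vlan50 = packets RECEIVED by the SVI, i.e. sourced by hosts in
! VLAN 50 (10.16.30.0/24) and heading for VLAN 1 or the Internet.
ip access-list extended VLAN50-IN
 remark file sharing to the one permitted VLAN 1 host
 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445
 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445
 permit icmp 10.16.30.0 0.0.0.255 host 192.168.15.243
 remark the default gateways themselves (SVI addresses, assumed)
 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254
 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254
 remark everything else from VLAN 50 toward VLAN 1 is dropped
 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255
 remark DHCP, DNS, web and ICMP toward the Internet
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp 10.16.30.0 0.0.0.255 any eq domain
 permit tcp 10.16.30.0 0.0.0.255 any eq domain
 permit tcp 10.16.30.0 0.0.0.255 any eq www
 permit tcp 10.16.30.0 0.0.0.255 any eq 443
 permit icmp 10.16.30.0 0.0.0.255 any
!
! "out" on interface Vlan50 = packets SENT by the SVI into VLAN 50, i.e. traffic
! that originated in VLAN 1 or on the Internet. Replies to sessions VLAN 50 opened
! are allowed; VLAN 1 hosts may not initiate connections into VLAN 50.
ip access-list extended VLAN50-OUT
 remark replies to TCP sessions opened from VLAN 50 (ACK/RST set; stateless check)
 permit tcp any 10.16.30.0 0.0.0.255 established
 remark DNS and DHCP server replies
 permit udp any eq domain 10.16.30.0 0.0.0.255
 permit udp any eq bootps any
 permit icmp any 10.16.30.0 0.0.0.255 echo-reply
 remark VLAN 1 must not open anything toward VLAN 50
 deny ip 192.168.15.0 0.0.0.255 10.16.30.0 0.0.0.255
 remark everything else from the Internet side to VLAN 50 hosts
 permit ip any 10.16.30.0 0.0.0.255
!
interface Vlan1
 ip address 192.168.15.254 255.255.255.0
!
interface Vlan50
 ip address 10.16.30.254 255.255.255.0
 ip access-group VLAN50-IN in
 ip access-group VLAN50-OUT out
```

To confirm which ACL is bound in which direction, use "show ip interface Vlan50" (it lists the inbound and outbound access lists separately), and "show ip access-lists VLAN50-IN" for the per-entry match counters. Note that the "established" keyword only tests the ACK/RST bits on the TCP header; it is a stateless check, not connection tracking, so it should be paired with the explicit deny for VLAN 1 sources as above rather than relied on alone.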