10634 Views | 28 Helpful | 26 Replies

Block traffic between two vlans on a Cat3560C + Internet Access

John Peterson (Level 1)

Hi,

I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M, Version 12.2(55)EX2.

The switch has vlan 1 and vlan 50 configured; vlan 50 should have access to a limited number of hosts in vlan 1.

The following ACL has been applied inbound on vlan 50:

10 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445

20 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445

25 permit icmp 10.16.30.0 0.0.0.255 host 192.168.1.243

26 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254

30 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254

40 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255

50 permit udp any any eq bootps

60 permit udp any any eq bootpc

70 permit udp 10.16.30.0 0.0.0.255 any eq domain

80 permit tcp 10.16.30.0 0.0.0.255 any eq domain

90 permit tcp 10.16.30.0 0.0.0.255 any eq www

95 permit tcp 10.16.30.0 0.0.0.255 any eq 443

100 permit icmp 10.16.30.0 0.0.0.255 any

I'm sure the above should work, but for some reason some of the packet counters are not incrementing even though the traffic is being blocked. I would like to see the counters increment.

Also, I have read that I may need to use a VACL; would this be the case?

Thanks

1 Accepted Solution

Hi John,

AA* When I read your reply at the point of AA*, traffic enters VLAN 50 from VLAN 1; therefore, as the ACL is inbound, it should apply.

No, this is incorrect. Do not think in terms of "traffic being sent into VLAN 50". This is one of the most common mistakes people make when trying to understand multilayer switching, SVIs and ACL directions. Think in terms of interfaces. Traffic is inbound to an interface if it is being received by the interface. Traffic is outbound from an interface if it is being sent out that interface.

As to your network: you have interface VLAN 1, which is the first one that receives traffic from the internet destined to some other VLAN, so the traffic is inbound on this interface. Afterwards, the switch determines that the destination is reachable in VLAN 50 and sends the traffic out the interface VLAN 50, consulting the outbound ACL if there is any. Even though this traffic, from the viewpoint of the entire VLAN 50, enters this VLAN, it is nonetheless sent out the interface VLAN 50. Do not let yourself be confused here - traffic entering VLAN 50 is outbound from interface VLAN 50!

AB* I would see this as inbound to vlan 1 and then, when routed, also inbound to vlan 50 and then outbound to vlan 50.

Again, this is incorrect. Such traffic is only inbound to interface VLAN 1 and outbound from interface VLAN 50. No other combinations are valid.

I guess I need to think of the ACL as being applied to a physical/sub interface, not an SVI,

You should definitely think of these ACLs as being applied to physical/sub interfaces - but SVIs work in the same way and treat the traffic and its directions identically to physical interfaces!

Please consider the following picture:

Here, you have two VLANs and their corresponding SVIs. If traffic flows from VLAN1 into VLAN50, it will be inspected by the inbound ACL on interface VLAN1 and by the outbound ACL on interface VLAN50. It's as simple as that. Nothing more will take place here.

Best regards,

Peter

View solution in original post

26 Replies

Edison Ortiz (Hall of Fame)

ACL counters are software based and the switch processes these entries in hardware.

You mentioned traffic is being blocked; that indicates the ACL is doing its job.

Thanks Edison,

Therefore, if I append the log cmd at the end of each access-list entry, would this force processing to the hardware and therefore increment the counters?

Are L3 ACLs best used here, or should I use a VACL? Is there any reason for this?

Thanks

John Peterson (Level 1)

I also noticed this morning that even though the access-list is applied, traffic from the Internet is still able to come into the vlan.

My understanding was that at the end of an ACL there is an explicit deny?


Hi John,

Yes, we can do this with the help of an ACL.

Just as an example: block traffic between vlan 5 and vlan 8

ip access-list extended testacl
 deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
 permit ip any any

and to apply the ACL, I used the following:

interface vlan 5
ip access-group testacl

Regards

Please rate if it helps.

Thanks, I guess you would apply this ACL inbound.

But with the ACL above which I have used, there is a firewall which is on vlan 1 and has a static route pointing toward the switch which has vlan 15 connected. The access list should block all internet traffic as there is no ACL entry to permit this. But I can still access the internet?

Hi John,

ACLs in switches/routers will not have an explicit deny at the end like the firewall. You have to specify it, else it will go through as far as I know.

You can put a VACL to achieve what you are looking for. You can permit the specific IPs that need to access the other VLAN and deny all other traffic that goes to the other VLAN. Let's say..

10.16.30.0 - VLAN 50

192.168.15.0 - VLAN 1

So if you want only one host, 10.16.30.100, to communicate with vlan 1, then you can put it like this:

10 permit ip host 10.16.30.100 192.168.15.0 0.0.0.255

20 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255

30 permit ip any any

!

So it will allow only the access to 192.168.15.0 (vlan 1) from the host 10.16.30.100 in vlan 50... all other traffic from vlan 50 to vlan 1 will get denied and all other traffic will be permitted.

Please do rate if the given information helps.

By

Karthik

Hi Karthikeyan,

I'm sure the basics of Cisco ACLs from my CCNA days were that every ACL has an explicit deny at the end; do you have any papers where it says otherwise, as this is a big problem.

I understand I could use a VACL, but I don't really want to change the entire network to VACLs if I can use ACLs.

My initial concern was that the ACL had no hit counters; I therefore applied the log cmd at the end so it would need to be processed by the software.

But with the above ACL I have used, I still seem to have traffic from the internet, which is passed down by the firewall, entering the vlan? I mean the firewall is on a native vlan which just has static routes to the L3 switch which holds both vlans.

Hello John,

Every ACL has an implicit (i.e. invisible but still present) deny any at its end, regardless of whether it is an ACL defined on switches or on routers. In other words, what is not allowed explicitly (i.e. by a manually entered ACL entry). Karthik was somewhat unclear in what he wrote: he indicated that no ACLs have explicit (i.e. visible) deny statements automatically added at their end, which is correct. However, he also suggested that it is the reason why the traffic will go through, and this is incorrect.

However, your ACL should indeed not allow traffic other than what is explicitly permitted. How do you know that internet traffic is passing into your VLAN? Is it possible that the internet traffic is already being permitted by some ACL entries? Remember that it may be translated into private IP address space, and you have several entries in your ACL permitting selected privately addressed IP traffic.

Best regards,

Peter

Hi Peter,

Thank you for the above.

The setup I have is one asa5505 which has the following ip:

Inside:192.168.15.253

WAN: XXX.XXX.XXX.XXX

Both subnets are allowed to be NATed towards the internet.

There is a static route saying that if the 10 subnet needs to be reached, packets are pushed toward the L3 switch:

route inside 10.16.30.0/24 pointing towards 192.168.15.254

The L3 Switch then has the following IP address:

Vlan 1 IP: 192.168.15.254

Vlan 50 IP: 10.16.30.254

Default route pointing toward the firewall IP 192.168.15.253.

The access-list is applied inbound to vlan 50.

As I don't have permit ip any any at the end of the ACL, my understanding is that when a workstation on vlan 50 wants to access the internet, its src will be the 10 range IP and dest will be www.cisco.com. Therefore the 1st packet will get out on the internet, but when the firewall sends the packet back, the packet should reach the L3 switch and, before any packets enter (inbound ACL) into vlan 50, it should go through the ACL and be blocked. At this moment the src would be www.cisco.com and dest would be the workstation on vlan 50.

On my ACL I don't have an entry which permits src any dest vlan 50. Unless, as the ACL 1st allowed the packet, it will therefore also allow the return packet through. But I'm sure this is highly unlikely.

This is really strange unless I'm missing something; it's almost like the ACLs aren't really coming into action.

Hi John,

before any packets enter (inbound ACL) into vlan 50 it should go through the ACL and be blocked.

You are probably confusing the ACL directions.

Remember that the interface VLAN is a virtual interface of the "router" inside your multilayer switch. Traffic inbound to interface VLAN 50 is the traffic that originated or traverses VLAN 50 and is going to be routed elsewhere. Traffic outbound to interface VLAN 50 is the traffic that came from other VLANs and is sent into VLAN 50. Does this make sense?

Following this logic, your ACL placed on interface VLAN 50 in the inbound direction controls the traffic that actually exits the VLAN 50 and goes out to the internet. The return traffic from internet towards VLAN 50 is outbound from interface VLAN 50, and you have no ACL in the outbound direction to filter the communication with internet.

Best regards,

Peter

Hi Peter,

Remember that the interface VLAN is a virtual interface of the "router" inside your multilayer switch. Traffic inbound to interface VLAN 50 is the traffic that originated or traverses VLAN 50 and is going to be routed elsewhere.

Understood, traffic being routed to another vlan i.e. vlan 1 or being pushed towards the default gateway.

Traffic outbound to interface VLAN 50 is the traffic that came from other VLANs and is sent into VLAN 50. Does this make sense?

See, I see this as traffic inbound because traffic is sent into vlan 50, but this time the traffic did not originate on vlan 50; is this what you're trying to say?

My understanding of inbound is when traffic enters an interface from the outside, and outbound is when traffic leaves an interface. With this in mind, the ACL should be checked when the traffic from the internet enters into vlan 50 from vlan 1.

Please correct me if I'm wrong; I really appreciate your help.

Hi John,

See, I see this as traffic inbound because traffic is sent into vlan 50, but this time the traffic did not originate on vlan 50; is this what you're trying to say?

I am sorry - I do not understand this question. Perhaps you could rephrase it differently.

My understanding of inbound is when traffic enters an interface from the outside, and outbound is when traffic leaves an interface.

This seems to be correct. For VLAN 50, traffic that was sent by stations in VLAN 50 and addressed to destinations in a different network is inbound to interface VLAN 50. The traffic flowing in the opposite direction (e.g. the responses to requests sent from within VLAN 50) is outbound from interface VLAN 50.

With this in mind, the ACL should be checked when the traffic from the internet enters into vlan 50 from vlan 1.

Well, if internet traffic comes into interface VLAN 1 and is routed out interface VLAN 50, it is inbound to interface VLAN 1 and outbound from interface VLAN 50, right? You have yourself indicated that your ACL is placed in the inbound direction on the interface VLAN 50. That means that it filters requests going to the internet, but it does not apply to flows from the internet back to VLAN 50. And because your ACL contains lines such as

70 permit udp 10.16.30.0 0.0.0.255 any eq domain

80 permit tcp 10.16.30.0 0.0.0.255 any eq domain

90 permit tcp 10.16.30.0 0.0.0.255 any eq www

95 permit tcp 10.16.30.0 0.0.0.255 any eq 443

100 permit icmp 10.16.30.0 0.0.0.255 any

VLAN 50 can access the DNS, HTTP and HTTPS services anywhere on the internet. Responses from these services are not filtered because there is no outbound ACL on interface VLAN 50.

Best regards,

Peter
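The exchange above comes down to one rule: a routed packet is checked by the inbound ACL of the SVI it arrives on and the outbound ACL of the SVI it leaves by, and by nothing else. The following toy model is an added example (not code from this thread or from Cisco) that encodes that rule, first-match evaluation and the implicit deny, and runs John's ACL entries over a few constructed packets. The topology follows John's description; ACL_VLAN50_OUT, the packet samples and all helper names are assumptions made for the example.

```python
"""Toy model of how router ACLs bind to SVIs (interface Vlan1, Vlan50) in one
direction each. Added example, not code from the thread or from Cisco: a routed
packet is checked by the inbound ACL of the SVI it arrives on, then by the
outbound ACL of the SVI it leaves by, and nowhere else. ACL_VLAN50_IN copies
John's entries, the topology follows his description, helper names are hypothetical."""
import ipaddress

# Constructed topology: VLAN 50 is 10.16.30.0/24; the firewall sits in VLAN 1
# (192.168.15.0/24) and is the default route.
ROUTES = [("10.16.30.0/24", "Vlan50"), ("192.168.15.0/24", "Vlan1"), ("0.0.0.0/0", "Vlan1")]
VLAN50 = ("10.16.30.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def E(seq, action, proto, src, dst, dports=None, sports=None, established=False):
    return (seq, action, proto, src, dst, dports, sports, established)

# John's ACL, bound inbound on interface Vlan50, with IOS port names resolved
# (netbios-ns/dgm/ss = 137/138/139, bootps/bootpc = 67/68, domain = 53, www = 80).
ACL_VLAN50_IN = [
    E(10, "permit", "tcp", VLAN50, host("192.168.15.243"), {137, 138, 139, 445}),
    E(20, "permit", "udp", VLAN50, host("192.168.15.243"), {137, 138, 139, 445}),
    E(25, "permit", "icmp", VLAN50, host("192.168.1.243")),
    E(26, "permit", "ip", VLAN50, host("10.16.30.254")),
    E(30, "permit", "ip", VLAN50, host("192.168.15.254")),
    E(40, "deny", "ip", VLAN50, ("192.168.15.0", "0.0.0.255")),
    E(50, "permit", "udp", ANY, ANY, {67}),
    E(60, "permit", "udp", ANY, ANY, {68}),
    E(70, "permit", "udp", VLAN50, ANY, {53}),
    E(80, "permit", "tcp", VLAN50, ANY, {53}),
    E(90, "permit", "tcp", VLAN50, ANY, {80}),
    E(95, "permit", "tcp", VLAN50, ANY, {443}),
    E(100, "permit", "icmp", VLAN50, ANY),
]

# Constructed outbound ACL for interface Vlan50 (not in the thread): admits only
# replies to sessions VLAN 50 opened. 'established' models the IOS keyword matching
# TCP segments with ACK or RST set; it is stateless, so a stateful firewall stays the stronger control.
ACL_VLAN50_OUT = [
    E(10, "permit", "tcp", ANY, VLAN50, established=True),
    E(20, "permit", "udp", ANY, VLAN50, sports={53, 67}),
    E(30, "permit", "icmp", ANY, VLAN50),
]

def acl_lookup(acl, pkt):
    """First match wins; falling off the end is the implicit deny (seq None)."""
    for seq, action, proto, src, dst, dports, sports, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if dports is not None and pkt.get("dport") not in dports:
            continue
        if sports is not None and pkt.get("sport") not in sports:
            continue
        if established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return action, seq
    return "deny", None

def interface_for(addr):
    """Longest-prefix lookup: arrival SVI from the source, departure SVI from the destination."""
    a = ipaddress.IPv4Address(addr)
    nets = [(ipaddress.IPv4Network(p), i) for p, i in ROUTES]
    return max(((n, i) for n, i in nets if a in n), key=lambda t: t[0].prefixlen)[1]

def forward(bindings, pkt):
    """bindings maps (interface, 'in'|'out') to an ACL; returns the verdict and a
    trace of (interface, direction, matched_seq) for every ACL actually consulted."""
    ingress, egress = interface_for(pkt["src"]), interface_for(pkt["dst"])
    trace = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is None:
            continue
        action, seq = acl_lookup(acl, pkt)
        trace.append((iface, direction, seq))
        if action == "deny":
            return "drop", trace
    return "forward", trace

AS_APPLIED = {("Vlan50", "in"): ACL_VLAN50_IN}          # the thread's setup
WITH_RETURN_FILTER = {**AS_APPLIED, ("Vlan50", "out"): ACL_VLAN50_OUT}

PACKETS = {  # constructed samples; the internet side uses documentation-range addresses
    "dns_query": dict(proto="udp", src="10.16.30.10", dst="203.0.113.53", sport=40000, dport=53),
    "dns_reply": dict(proto="udp", src="203.0.113.53", dst="10.16.30.10", sport=53, dport=40000),
    "unsolicited_smb": dict(proto="tcp", src="198.51.100.7", dst="10.16.30.10", sport=50000, dport=445, flags={"SYN"}),
    "web_synack": dict(proto="tcp", src="198.51.100.80", dst="10.16.30.10", sport=443, dport=51000, flags={"SYN", "ACK"}),
    "to_vlan1_host": dict(proto="tcp", src="10.16.30.10", dst="192.168.15.10", sport=51001, dport=22, flags={"SYN"}),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:16} as applied: {forward(AS_APPLIED, pkt)}  with return filter: {forward(WITH_RETURN_FILTER, pkt)}")
```

With the thread's binding, the trace for the DNS reply and for the unsolicited inbound TCP packet is empty: no ACL is ever consulted, because the only ACL is inbound on Vlan50 and those packets are outbound from Vlan50. Binding a second ACL outbound on Vlan50 is what makes the switch consult anything on that path; the trace then shows which sequence number decided, or None for the implicit deny.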

My understanding of inbound is when traffic enters an interface from the outside, and outbound is when traffic leaves an interface.

This seems to be correct. For VLAN 50, traffic that was sent by stations in VLAN 50 and addressed to destinations in a different network is inbound to interface VLAN 50. The traffic flowing in the opposite direction (e.g. the responses to requests sent from within VLAN 50) is outbound from interface VLAN 50.

With this in mind, the ACL should be checked when the traffic from the internet enters into vlan 50 from vlan 1.

Well, if internet traffic comes into interface VLAN 1 and is AA* routed out interface VLAN 50, it is inbound to interface VLAN 1 and AB* outbound from interface VLAN 50, right? You have yourself indicated that your ACL is placed in the inbound direction on the interface VLAN 50. That means that it filters requests going to the internet, but it does not apply to flows from the internet back to VLAN 50. And because your ACL contains lines such as

70 permit udp 10.16.30.0 0.0.0.255 any eq domain

80 permit tcp 10.16.30.0 0.0.0.255 any eq domain

90 permit tcp 10.16.30.0 0.0.0.255 any eq www

95 permit tcp 10.16.30.0 0.0.0.255 any eq 443

100 permit icmp 10.16.30.0 0.0.0.255 any

VLAN 50 can access the DNS, HTTP and HTTPS services anywhere on the internet. Responses from these services are not filtered because there is no outbound ACL on interface VLAN 50.

Best regards,

Peter

Hi Peter,

I have made marks on your text and replied:

AA* When I read your reply at the point of AA*, traffic enters VLAN 50 from VLAN 1; therefore, as the ACL is inbound, it should apply.

AB* I would see this as inbound to vlan 1 and then, when routed, also inbound to vlan 50 and then outbound to vlan 50.

My concern is that at the point when the packets are being routed, the ACL should apply. I think that when the routing takes place, as the packet is already within the router/switch, the ACL does not apply, whereas I think it should when the switch looks at the routing table and pushes each packet to vlan 50. I guess I need to think of the ACL as being applied to a physical/sub interface, not an SVI, which is maybe where I'm going wrong. If I place myself right in the middle of the switch then your reply becomes true.

Would you agree with the above?

