Cisco 9300 Switch || restrict the inter VLAN communication

adity
Level 1

Hi Techies,

We have 2 Cisco 9300 switches installed in our infra; 1 switch is used for core activity and the other is the access switch. The routing happens on the core switch.

On the core SW we have different VLANs, for example VLAN 50 (subnet 192.168.10.0/24) and VLAN 51 (subnet 192.168.20.0/24).

Currently both my VLANs are able to communicate with each other, but I need to restrict the traffic between the VLANs.

Could you please help me tackle this issue.



15 Replies

Use ACL

Deny traffic between the VLANs and permit other traffic.

MHM

It would be very helpful if you could help me with some example; I have shared the details in my post above.

ip access-list extended VLAN50
 ! IOS extended ACLs take wildcard masks, not prefix lengths
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

interface vlan 50
 ip access-group VLAN50 in

MHM

The flow would be unidirectional, I guess, in a Cisco ACL, and let's say any subnet is trying to reach 192.168.10.45; then how would the communication happen?

Check this 

(attached image: images.png)

Hello @MHM Cisco World, @adity

Note the ACL logic on an SVI is:
IN < traffic originating from within the VLAN
OUT < traffic originating from outside the VLAN

example1: negate vlan 50 from vlan 60
ip access-list extended NO_VLAN60
 deny ip any 10.10.60.0 0.0.0.255
 permit ip any any

int vlan 50
 ip address 10.10.50.254 255.255.255.0
 ip access-group NO_VLAN60 in

int vlan 60
 ip address 10.10.60.254 255.255.255.0

example2: negate vlan 50 from vlan 60
ip access-list extended NO_VLAN60
 deny ip 10.10.60.0 0.0.0.255 any
 permit ip any any

int vlan 50
 ip address 10.10.50.254 255.255.255.0
 ip access-group NO_VLAN60 out



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I cleared this up in the photo I shared.

@adity, did you check the photo? The direction in the photo is for the ACL.

MHM

Hello
I see it - that photo is rather confusing with regard to the logic.



Kind Regards
Paul

Why?

The IN direction of the ACL is used for any traffic from the same VLAN.

The OUT direction of the ACL is used for any traffic from other VLANs.

I shared with him the ACL direction IN, applied to the same VLAN.

So let's wait for his reply.

MHM

Should I apply IN and OUT on both the VLANs?

Could you please help me understand, as it's getting confusing now...

 

Don't be confused.

I will try to simplify it for you, don't worry.

VLAN A, VLAN B, VLAN C, internet.

I need VLAN A to talk to VLAN B and the internet, and not to VLAN C.

1- Under VLAN A apply an ACL in direction IN:

Deny VLAN A to VLAN C

Permit VLAN A to VLAN B

Permit VLAN A to any <<- internet

This ACL denies traffic in the direction from VLAN A to VLAN C.

2- Under VLAN A, ACL direction OUT:

Deny VLAN C to VLAN A

Permit VLAN B to VLAN A

Permit any to VLAN A

This ACL will deny traffic from VLAN C to VLAN A. Is it needed?

Yes and no.

-TCP and ICMP are two-way traffic, so if you apply the first ACL, ICMP will drop, but still some engineers apply both to eliminate any traffic even in one direction.

-UDP is unidirectional, so you need both.

Hope this is clear now.

MHM

SVI ACLs, or better yet, stick a firewall in the topology and use that as your layer-3 enforcement point. Couple this with 802.1X/MAB dACLs, TrustSec, etc.

anwaryp
Level 1

You can use private vlans

Hello


@adity wrote:
Should I apply IN and OUT on both the VLANs.................................
Could you pls help me to understand as its getting confusing now...

Ideally you would apply the ACL to deny as close to the source as possible, which would mean applying an ACL on both the VLAN 50 and VLAN 60 SVIs; this stops the traffic from even reaching the other VLAN to be processed and then denied.

Example1: - Preferred

ip access-list extended no-vlan60
 deny ip any 10.10.60.0 0.0.0.255
 permit ip any any

int vlan 50
 ip access-group no-vlan60 in


ip access-list extended no-vlan50
 deny ip any 10.10.50.0 0.0.0.255
 permit ip any any

int vlan 60
 ip access-group no-vlan50 in



Alternatively, you could apply a single ACL ingress/egress to a single SVI.
Then traffic originating from within that VLAN towards the other VLAN will be denied; however, traffic originating from the other VLAN will be able to leave its own VLAN and will only be denied when it hits the VLAN the ACL OUT is applied to.

example2
ip access-list extended no-vlan60
 deny ip any 10.10.60.0 0.0.0.255
 deny ip 10.10.60.0 0.0.0.255 any
 permit ip any any

int vlan 50
 ip access-group no-vlan60 in
 ip access-group no-vlan60 out



Kind Regards
Paul
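The SVI direction logic in Paul's Example1 and MHM's point about return traffic, as an added Python model that is not from this thread or from Cisco: it parses the two extended ACLs above with IOS wildcard masks, checks the IN ACL on the source host's SVI and the OUT ACL on the destination host's SVI, and shows that filtering only VLAN 50's SVI still lets a VLAN 60 host initiate traffic into VLAN 50 (only the reply is dropped). The SVI subnets and host addresses are constructed for the example.

```python
import ipaddress
# Constructed inputs: Paul's "Example1" ACLs and the thread's two SVI subnets.
NO_VLAN60 = """ip access-list extended no-vlan60
deny ip any 10.10.60.0 0.0.0.255
permit ip any any"""
NO_VLAN50 = """ip access-list extended no-vlan50
deny ip any 10.10.50.0 0.0.0.255
permit ip any any"""
SVIS = {50: "10.10.50.0/24", 60: "10.10.60.0/24"}

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def take_addr(tokens):
    """Consume one address term: 'any' or 'ADDRESS WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries; the access-list header is skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] in ("permit", "deny"):
            src, rest = take_addr(t[2:])
            dst, _ = take_addr(rest)
            entries.append((t[0] == "permit", src, dst))
    return entries

def acl_permits(entries, src, dst):
    for permit, (sn, sw), (dn, dw) in entries:  # first matching entry wins
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return permit
    return False  # implicit deny at the end of every IOS ACL

def vlan_of(addr):  # SVI whose subnet holds addr; None means off-box (internet)
    ip = ipaddress.ip_address(addr)
    return next((v for v, n in SVIS.items() if ip in ipaddress.ip_network(n)), None)

def forwarded(src, dst, applied):
    # applied: {(vlan, 'in'|'out'): parsed ACL}. IN is checked on the source
    # host's SVI, OUT on the destination host's SVI, as the thread describes.
    for vlan, direction in ((vlan_of(src), "in"), (vlan_of(dst), "out")):
        acl = applied.get((vlan, direction))
        if acl is not None and not acl_permits(acl, src, dst):
            return False
    return True
EXAMPLE1 = {(50, "in"): parse_acl(NO_VLAN60), (60, "in"): parse_acl(NO_VLAN50)}
ONE_SIDED = {(50, "in"): parse_acl(NO_VLAN60)}  # only VLAN 50's SVI is filtered
```

With ONE_SIDED, forwarded("10.10.60.10", "10.10.50.10", ...) is True while the reverse is False, which is the half-open state MHM's "you need both" remark describes.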