09-26-2024 03:50 AM
Hi Techies,
We have 2 Cisco 9300 switches installed in our infra; 1 switch is used for core activity and the other is an access switch. The routing happens on the core switch...
On the core SW we have different VLANs, for example VLAN 50 (subnet 192.168.10.0/24) and VLAN 51 (subnet 192.168.20.0/24)..
Currently both my VLANs are able to communicate with each other, but I need to restrict the traffic between the VLANs...
Could you please help me tackle this issue.
09-27-2024 03:24 AM - edited 09-27-2024 03:25 AM
Don't be confused.
I will try to simplify it for you, don't worry.
VLAN A, VLAN B, VLAN C, internet
I need VLAN A to talk to VLAN B and the internet and not to VLAN C.
1- Under VLAN A apply an ACL in direction IN:
Deny VLAN A to VLAN C
Permit VLAN A to VLAN B
Permit VLAN A to any <<- internet
This ACL denies traffic in the direction from VLAN A to VLAN C.
2- Under VLAN A, an ACL in direction OUT:
Deny VLAN C to VLAN A
Permit VLAN B to VLAN A
Permit any to VLAN A
This ACL will deny traffic from VLAN C to VLAN A. Is it needed?
Yes and no.
- TCP and ICMP are two-way traffic, so if you apply the first ACL, ICMP will drop, but still some engineers apply both to eliminate any traffic, even in one direction.
- UDP is unidirectional, so you need both.
Hope this is clear now.
MHM
09-27-2024 05:27 AM
Hello
@adity wrote:
Should I apply IN and OUT on both the VLANs?
Could you please help me to understand, as it's getting confusing now...
Ideally you would apply the ACL to deny as close to the source as possible, which would mean applying an ACL on both the VLAN 50 and VLAN 60 SVIs; this stops the traffic even reaching the other VLAN to be processed and then denied.
Example1: - Preferred
ip access-list extended no-vlan60
 deny ip any 10.10.60.0 0.0.0.255
 permit ip any any
int vlan 50
 ip access-group no-vlan60 IN
ip access-list extended no-vlan50
 deny ip any 10.10.50.0 0.0.0.255
 permit ip any any
int vlan 60
 ip access-group no-vlan50 IN
Alternatively you could apply a single ACL ingress/egress to a single SVI.
Then traffic originating from within that VLAN towards the other VLAN will be denied; however, traffic originating from the other VLAN will be able to leave its own VLAN and will only be denied when it hits the VLAN the ACL OUT is applied to.
example2
ip access-list extended no-vlan60
 deny ip any 10.10.60.0 0.0.0.255
 deny ip 10.10.60.0 0.0.0.255 any
 permit ip any any
int vlan 50
 ip access-group no-vlan60 IN
 ip access-group no-vlan60 OUT
09-26-2024 03:53 AM
Use an ACL.
Deny traffic between the VLANs and permit other traffic.
MHM
09-26-2024 04:12 AM
It would be very helpful if you could help me with some example; I have shared the details in my post above.
09-26-2024 04:54 AM
ip access-list extended VLAN50
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
interface vlan 50
 ip access-group VLAN50 in
MHM
09-26-2024 05:08 AM
The flow would be unidirectional, I guess, in a Cisco ACL, and let's say any subnet is trying to reach 192.168.10.45; then how would the communication happen!!!
09-26-2024 05:11 AM
Check this
09-27-2024 12:13 AM
Hello @MHM Cisco World @adity
Note the ACL logic on an SVI is:
IN < traffic originating from within the VLAN
OUT < traffic originating from outside the VLAN
example1: negate vlan 50 from vlan 60
ip access-list extended NO_VLAN60
 deny ip any 10.10.60.0 0.0.0.255
 permit ip any any
int vlan 50
 ip address 10.10.50.254 255.255.255.0
 ip access-group NO_VLAN60 IN
int vlan 60
 ip address 10.10.60.254 255.255.255.0
example2: negate vlan 50 from vlan 60
ip access-list extended NO_VLAN60
 deny ip 10.10.60.0 0.0.0.255 any
 permit ip any any
int vlan 50
 ip address 10.10.50.254 255.255.255.0
 ip access-group NO_VLAN60 OUT
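To make the IN/OUT logic in the post above and MHM's TCP-versus-UDP point concrete, here is an added Python model (not from the thread, not Cisco code) that evaluates ACLs with IOS wildcard semantics on the asker's VLAN 50 / VLAN 51 subnets. The ACL contents, host addresses and the SVI/direction model are constructed for this example.

```python
import ipaddress

# Constructed model of the thread's setup (VLAN 50 = 192.168.10.0/24, VLAN 51 = 192.168.20.0/24,
# both SVIs on the core switch). It mimics IOS ACL evaluation; it is not IOS code.
VLANS = {50: ipaddress.ip_network("192.168.10.0/24"), 51: ipaddress.ip_network("192.168.20.0/24")}
ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' written as network/wildcard

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def acl_permits(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for action, proto, src, swc, dst, dwc in acl:
        if proto in ("ip", pkt["proto"]) and wildcard_match(pkt["src"], src, swc) \
                and wildcard_match(pkt["dst"], dst, dwc):
            return action == "permit"
    return False

def vlan_of(addr):
    return next(v for v, net in VLANS.items() if ipaddress.ip_address(addr) in net)

def svi_forwards(svi_acls, pkt):
    """IN on an SVI filters traffic originating inside that VLAN; OUT filters traffic
    arriving from other VLANs. Every applicable ACL must permit the packet."""
    in_acl = svi_acls.get(vlan_of(pkt["src"]), {}).get("in")
    out_acl = svi_acls.get(vlan_of(pkt["dst"]), {}).get("out")
    return all(acl is None or acl_permits(acl, pkt) for acl in (in_acl, out_acl))

# The single IN ACL from the thread, with /24 written as the wildcard 0.0.0.255.
ACL_VLAN50_IN = [("deny", "ip", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
                 ("permit", "ip", "192.168.10.0", "0.0.0.255", *ANY)]
# Mirror-image OUT ACL for the same SVI: stops VLAN 51 sources from reaching VLAN 50.
ACL_VLAN50_OUT = [("deny", "ip", "192.168.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
                  ("permit", "ip", *ANY, *ANY)]
IN_ONLY = {50: {"in": ACL_VLAN50_IN}}
IN_AND_OUT = {50: {"in": ACL_VLAN50_IN, "out": ACL_VLAN50_OUT}}

def tcp_session_completes(svi_acls, client, server):
    """A TCP handshake needs the SYN and the SYN-ACK routed; dropping either leg breaks it."""
    syn = {"proto": "tcp", "src": client, "dst": server}
    syn_ack = {"proto": "tcp", "src": server, "dst": client}
    return svi_forwards(svi_acls, syn) and svi_forwards(svi_acls, syn_ack)

def udp_datagram_delivered(svi_acls, sender, receiver):
    """A one-way UDP datagram only needs its single leg routed."""
    return svi_forwards(svi_acls, {"proto": "udp", "src": sender, "dst": receiver})
```

With only the IN ACL on VLAN 50, a TCP session from VLAN 51 to 192.168.10.45 fails because the SYN-ACK is dropped, but a one-way UDP datagram from VLAN 51 still arrives; adding the OUT ACL blocks that too.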
09-27-2024 12:18 AM
09-27-2024 12:21 AM
Hello
I see it; that photo is rather confusing to the logic.
09-27-2024 12:31 AM
Why
The IN direction of the ACL is used for any traffic from the same VLAN.
The OUT direction of the ACL is used for any traffic from the other VLAN.
I shared with him an ACL in direction IN, applied to the same VLAN.
So let's wait for his reply.
MHM
09-27-2024 03:13 AM
Should I apply IN and OUT on both the VLANs?
Could you please help me to understand, as it's getting confusing now...
09-26-2024 01:54 PM
SVI ACLs, or better yet stick a firewall in the topology and use that as your Layer 3 enforcement point. Couple this with 802.1X/MAB dACLs, TrustSec, etc.
09-27-2024 02:58 AM
You can use private VLANs.