configure ACLs to manage vlan communication

tacit.cheddar
Level 1

Access Control Lists (ACL) Explained @VLAN Y ACL 

I am using packet tracer version 8.0.1.0064 to build a network.

 

I am trying to configure ACLs to manage vlan communication on the cisco 3650 switch. I want vlan 10 to be able to reach vlan 20, but I do not want vlan 20 to be able to reach vlan 10. (vlan 10 is assigned ip address 10.10.10.1/24), (vlan 20 is assigned ip address 10.10.20.1/24). Without any ACLs in place, vlan 10 and vlan 20 are able to ping each other.

 

I created the following ACLs:

          access-list 110 permit ip any any
          access-list 199 deny ip any any

 

I applied them to vlan 10 to permit outgoing traffic but restrict incoming traffic:

          SW1(config-vlan)#in vlan 10
          SW1(config-if)#ip access-group 110 out
          SW1(config-if)#ip access-group 199 in

 

Once applied, when I try to ping a device on vlan 10 from a device on vlan 20 (which I’m trying to prohibit), I get the following message:

          Request timed out.

 

When I try to ping a device on vlan 20 from a device on vlan 10 (which I’m trying to allow), I get the following message:

          Reply from 10.10.10.1: Destination host unreachable.

 

Thinking vlan 20 might need an ACL to allow vlan 10 to reach it, I create and implement the following ACL:

          SW1(config)#access-list 120 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
          SW1(config)#int vlan 20
          SW1(config-if)#ip access-group 120 in
          SW1(config-if)#

 

With that new access-list, when I ping a device on vlan 20 from a device on vlan 10, I get the following response:

          Reply from 10.10.10.1: Destination host unreachable.

 

When I ping a device on vlan 10 from a device on vlan 20, I get the following response:

          Reply from 10.10.20.1: Destination host unreachable.

=====================================================

I also deleted everything from global config mode and from the vlan interfaces and tried the following code, but it still didn't work.

          SW1(config)#access-list 110 permit ip 10.10.10.0 0.0.0.255 any
          SW1(config)#access-list 111 deny ip any 10.10.10.0 0.0.0.255
          SW1(config)#int vlan 10
          SW1(config-if)#ip access-group 110 out
          SW1(config-if)#ip access-group 111 in

I still got "Destination host unreachable".

 

What am I doing wrong?

4 Replies

Hi,

Check the link below. It explains how to enable only one network to reach the other.

https://community.cisco.com/t5/switching/acl-block-tcp-traffic-one-way/td-p/1449230

 

But this is for TCP connections.

ACLs are not stateful, so if you enable one direction, the return traffic will be dropped at the switch. For a solution, use TCP-layer established connections to allow the return traffic, or you may use some NAT option to change the source address to a different network and allow incoming traffic for that address; this needs a router/firewall.

 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Thanks Bandara, I would take TCP or anything at this point just as a proof of concept. When I type it in, it doesn't seem to like "ack" or "syn", which, reading down in the thread of the link you sent, it looks like Packet Tracer might not support.
Thank you though.

Hello
You need to perform this on the switch that is performing the L3 inter-VLAN routing, and it would only be applicable to TCP sessions; as UDP is connectionless, it won't be subject to the access-list you apply on the VLAN 10 SVI.

Example:
! established: matches only TCP segments with ACK or RST set (return traffic)
access-list 100 permit tcp 20.20.20.0 0.0.0.255 any established
access-list 100 deny tcp 20.20.20.0 0.0.0.255 any
! an extended ACL entry needs a protocol keyword; "ip" covers everything else
access-list 100 permit ip any any

int vlan 10
ip access-group 100 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
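Both replies above rest on the same two points: an ACL keeps no session state, and the established keyword is a TCP-only workaround. The following added example (not code from the thread or from Cisco) models that evaluation in Python with the original poster's subnets; the .10 host addresses and the TCP flag sets are constructed for the illustration.

```python
# Added example, not from the thread: a small model of Cisco-style stateless
# ACL evaluation, showing why Paul's "established" entry lets TCP replies reach
# VLAN 10 while refusing sessions that VLAN 20 starts, and why ICMP/UDP slip
# past it. Subnets are the poster's; the .10 host addresses are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol, like the IOS keyword
    src: str          # CIDR or "any" (IOS wildcard 0.0.0.255 == /24)
    dst: str
    established: bool = False

    def matches(self, src, dst, proto, flags=()):
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (_in(src, self.src) and _in(dst, self.dst)):
            return False
        # "established" only matches TCP segments with ACK or RST set, i.e.
        # traffic inside a session someone else opened; a bare SYN never does.
        return not self.established or bool({"ACK", "RST"} & set(flags))

def _in(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)

def evaluate(acl, src, dst, proto, flags=()):
    """IOS semantics: first matching entry wins; anything unmatched is denied."""
    for ace in acl:
        if ace.matches(src, dst, proto, flags):
            return ace.action
    return "deny"  # the implicit "deny ip any any" closing every ACL

# Paul's ACL 100 with the poster's VLAN 20 subnet. Applied "out" on interface
# vlan 10 it is checked against packets the switch routes TOWARD VLAN 10 hosts
# ("in" on an SVI would instead see packets arriving FROM those hosts).
ACL_100_OUT = [
    Ace("permit", "tcp", "10.10.20.0/24", "any", established=True),
    Ace("deny",   "tcp", "10.10.20.0/24", "any"),
    Ace("permit", "ip",  "any",           "any"),  # needs "ip", not bare "any any"
]
V10, V20 = "10.10.10.10", "10.10.20.10"

def tcp_new_from_vlan20():          # VLAN 20 opens a connection: blocked
    return evaluate(ACL_100_OUT, V20, V10, "tcp", {"SYN"})
def tcp_reply_to_vlan10():          # reply to a session VLAN 10 opened: allowed
    return evaluate(ACL_100_OUT, V20, V10, "tcp", {"SYN", "ACK"})
def ping_from_vlan20():             # ICMP carries no TCP flags: not blocked
    return evaluate(ACL_100_OUT, V20, V10, "icmp")
```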

I tried it. It didn't like something in the "permit any any" line, so I added tcp... should I have added something else? I exchanged "20.20.20.0" for "10.10.20.0", which is my subnet for VLAN 20. Below is the code I typed in. When I try to ping VLAN 20 from VLAN 10, it still gives me a "Request timed out." Any thoughts?


SW1(config)#no ip access-list extended test-in
SW1(config)#access-list 100 permit tcp 10.10.20.10 0.0.0.255 any established
SW1(config)#no access-list 100 permit tcp 10.10.20.10 0.0.0.255 any established
SW1(config)#access-list 100 permit tcp 10.10.20.0 0.0.0.255 any established
SW1(config)#access-list 100 permit tcp 10.10.20.0 0.0.0.255 any
SW1(config)#access-list 100 permit any any
                                   ^
% Invalid input detected at '^' marker.
SW1(config)#access-list 100 permit tcp any any
SW1(config)#int vlan 10
SW1(config-if)#ip access-group 100 out
SW1(config-if)#


Thanks!