Deny access from other VLANs / Allow internet

Qikqik
Level 1

Hi guys!

 

I have a use-case where I'm using an L3 core switch (IP Services) with InterVLAN routing enabled and the VLANs below.

 

VLAN 10 SERVERS 192.168.10.0/24

VLAN 20 CLIENTS 192.168.20.0/24

VLAN 30 HR 192.168.30.0/24

(All Vlan interfaces are defined on the core switch)

 

I want to establish the following traffic rules:

Vl10/20 -> Vl30 DENY

Vl30 -> Vl10/20 ALLOW

Vl30 -> Internet access OK

 

Vl30 additional prerequisites are to:

- allow all outbound traffic (like to the internet)

- allow DHCP packets (DHCP server 192.168.10.10)

- allow only specific server IP address(es) from other subnets/VLANs to access this VLAN (like the DHCP server IP address); other traffic from other subnets/VLANs should be denied

 

How can I achieve this setup?

I'm thinking of using ACLs or reflexive ACLs, but I'm a bit confused about the proper way to go with this setup...

 

Your help will be greatly appreciated!

Accepted Solution

Jon Marshall
Hall of Fame

 

If your switch supports reflexive acls that would be the way to go. 

 

If not then you have a problem because acls are not stateful which means if you deny traffic from vlans 10/20 to vlan 30 then this acl also blocks return traffic to vlan 30 from those vlans as well. 

 

If the connections are just TCP you could use the "established" keyword otherwise if you cannot use reflexive acls you either need to modify your requirements or use a stateful device such as a firewall to route traffic between vlans. 

 

Jon

 

 
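An added example that is not from the thread: a reflexive-ACL configuration for the OP's three rules on the Vlan30 SVI. It assumes the switch supports reflexive ACLs (the precondition in the accepted answer), that the SVI address is 192.168.30.1 and that DHCP requests are relayed to 192.168.10.10 with ip helper-address; the ACL names and timeouts are chosen here.

```cisco
! Direction on an SVI: "in" = packets arriving from VLAN 30 hosts,
! "out" = packets the switch routes towards VLAN 30 hosts.
!
! Traffic VLAN 30 originates. Each "reflect" entry records the session
! (addresses and ports swapped) in HR-SESSIONS so the reply can return.
ip access-list extended HR-OUTBOUND
 remark DHCP discover/request: the client has no address yet
 permit udp any eq bootpc any eq bootps
 remark rules 2 and 3: VLAN 30 may reach VLAN 10/20 and the internet
 permit tcp 192.168.30.0 0.0.0.255 any reflect HR-SESSIONS timeout 300
 permit udp 192.168.30.0 0.0.0.255 any reflect HR-SESSIONS timeout 60
 deny ip any any log
!
! Traffic heading into VLAN 30. The evaluate line sits before the deny,
! so only replies to sessions VLAN 30 opened and the listed server pass.
ip access-list extended HR-INBOUND
 remark return traffic for sessions recorded by HR-OUTBOUND
 evaluate HR-SESSIONS
 remark DHCP replies to clients that still have no address
 permit udp host 192.168.10.10 eq bootps any eq bootpc
 remark only this server may initiate connections into VLAN 30
 permit ip host 192.168.10.10 192.168.30.0 0.0.0.255
 remark rule 1: everything else from VLAN 10/20 (or anywhere) is dropped
 deny ip any any log
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.10.10
 ip access-group HR-OUTBOUND in
 ip access-group HR-INBOUND out
```

The reflected entries cover only TCP and UDP sessions that VLAN 30 opens and do not follow protocols that negotiate extra ports (active FTP), so ICMP from VLAN 30 gets no return path with this list. Check the dynamic entries with `show access-lists HR-SESSIONS` while a VLAN 30 host has a connection open.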

Replies


I believe the commands below will work as per your requirement; if any syntax is incorrect, change it yourself.

 

ip access-list extended DENY-HR
 remark DNS and DHCP to 192.168.10.10 (written above as tcp/udp ... eq domain/dhcp/bootp, split into valid IOS entries)
 permit udp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq domain
 permit tcp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq domain
 permit udp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq bootps
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any log
!
interface Vlan30
 ip access-group DENY-HR in

 

 

That won't work. 

 

Jon

The scenario looks very simple, why won't it work???

 

Firstly you have applied the acl inbound so the source IPs will be 192.168.30.x. 

 

But more importantly, as I said in my first post, if you deny traffic from vlans 10/20 to vlan 30 then you also deny return traffic to vlan 30, e.g. you are in vlan 30 and you connect to a server in vlan 10/20, which is allowed, but when the server sends the response your acl blocks it. 

 

This is because acls are not stateful. 

 

Jon

Thank you for the correction, I wrote the wrong access list. Check now, I believe this will work for sure. I am using this type of access list in my network and it's working fine.

Thanks

 

Using acls to control traffic between vlans does indeed work but the original requirement still won't work unless there are only a few connections and you can specify the ports. 

 

Depends on exactly what the OP wants. 

 

Jon
