04-23-2018 05:48 AM - edited 03-08-2019 02:45 PM
Hi guys!
I have a use-case where I’m using an L3 core switch (IP services) with InterVLAN enabled and the VLANs below.
VLAN 10 SERVERS 192.168.10.0/24
VLAN 20 CLIENTS 192.168.20.0/24
VLAN 30 HR 192.168.30.0/24
(All Vlan interfaces are defined on the core switch)
I want to establish the following traffic rules:
Vl10/20 -> Vl30 DENY
Vl30 -> Vl10/20 ALLOW
Vl30 -> Internet access OK
Vl30 additional prerequisites are to:
-allow all outbound traffic (like to internet)
-allow dhcp packets (dhcp server 192.168.10.10)
-allow only specific server(s) IP address(es) from other subnets/VLANs to access this VLAN (like the DHCP server IP address); other traffic from other subnets/VLANs should be denied
How can I achieve this setup?
I’m thinking of using ACLs or Reflexive ACLs but I’m a bit confused with the proper way to go with this setup...
Your help will be greatly appreciated!
04-23-2018 06:00 AM
If your switch supports reflexive ACLs, that would be the way to go.
If not, then you have a problem because ACLs are not stateful, which means that if you deny traffic from VLANs 10/20 to VLAN 30, this ACL also blocks return traffic to VLAN 30 from those VLANs as well.
If the connections are just TCP you could use the "established" keyword; otherwise, if you cannot use reflexive ACLs, you either need to modify your requirements or use a stateful device such as a firewall to route traffic between VLANs.
Jon
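As an added illustration of the reflexive-ACL approach Jon describes (not a configuration posted in this thread), here is what the pair of ACLs on the Vlan30 SVI could look like. It assumes the platform supports reflexive ACLs on SVIs, that Vlan30 is 192.168.30.1/24, and that DHCP for HR is relayed to 192.168.10.10 with ip helper-address; all three are assumptions, not facts from the thread.

```cisco
! Added example, not from the original thread.
! Assumed: reflexive ACLs supported on SVIs, Vlan30 = 192.168.30.1/24,
! DHCP relayed to the server 192.168.10.10 via ip helper-address.
!
! Direction on an SVI: "in"  = packets from HR hosts entering the switch,
!                      "out" = packets leaving the switch toward HR hosts.
!
ip access-list extended VLAN30-IN
 remark DHCP DISCOVER/REQUEST from unconfigured clients use source 0.0.0.0,
 remark so they never match the 192.168.30.0/24 entry below
 permit udp any eq bootpc any eq bootps
 remark every session an HR host opens (to VLAN 10/20 or the Internet)
 remark is recorded in the temporary list HR-SESSIONS
 permit ip 192.168.30.0 0.0.0.255 any reflect HR-SESSIONS timeout 300
 deny ip any any log
!
ip access-list extended VLAN30-OUT
 remark only the DHCP server may initiate traffic into VLAN 30
 permit udp host 192.168.10.10 192.168.30.0 0.0.0.255 eq bootpc
 remark return traffic for sessions HR hosts started is matched here;
 remark anything VLAN 10/20 tries to initiate toward HR falls through to the deny
 evaluate HR-SESSIONS
 deny ip any any log
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.10.10
 ip access-group VLAN30-IN in
 ip access-group VLAN30-OUT out
```

Check the platform's ACL configuration guide before relying on this: where reflexive ACLs are unsupported, the "established" keyword (TCP only) or a stateful firewall between the VLANs are the fallbacks Jon mentions. The deny entries are logged so that blocked attempts from VLAN 10/20 into HR show up in the switch log.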
04-23-2018 06:47 AM - edited 04-23-2018 07:19 AM
I believe the commands below will work as per your requirement; if any syntax is incorrect, change it yourself.
ip access-list extended DENY-HR
 permit udp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq bootps
 permit udp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq domain
 permit tcp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq domain
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any log
interface Vlan30
 ip access-group DENY-HR in
04-23-2018 06:54 AM
That won't work.
Jon
04-23-2018 07:08 AM
The scenario looks very simple, why won't it work???
04-23-2018 07:12 AM
Firstly, you have applied the ACL inbound, so the source IPs will be 192.168.30.x.
But more importantly, as I said in my first post, if you deny traffic from VLANs 10/20 to VLAN 30 then you also deny return traffic to VLAN 30, e.g. you are in VLAN 30 and you connect to a server in VLAN 10/20, which is allowed, but when the server sends the response your ACL blocks it.
This is because ACLs are not stateful.
Jon
04-23-2018 07:20 AM
Thank you for the correction, I wrote the wrong access list. Check now, I believe this will work for sure. I am using this type of access list in my network and it's working fine.
Thanks
04-23-2018 07:23 AM
Using ACLs to control traffic between VLANs does indeed work, but the original requirement still won't work unless there are only a few connections and you can specify the ports.
It depends on exactly what the OP wants.
Jon