Deny Internet Access from all VLANs except 1 from L3 switch

dkellyusi
Level 1

Hello all,

I'm running all Allen Bradley Stratix Industrial switches, which are essentially rebranded Cisco IE switches. But the principles should still be the same.

Here's my topology:

1x Stratix 5410 (Cisco IE 4010) Layer 3 switch as Core Switch (ESXC101)

Several Stratix 5700 (Cisco IE 2000-series) L2 Switches (ESXM1101, etc.)

I have a Layer 2 Router/FW that has an internal IP of 192.168.10.252, and it is the default route for my L3 switch, which I use to handle my inter-VLAN routing.

Thus, all my VLANs have access to the internet.

I want to lock down the internet to ONLY my Management VLAN (10). But I want to retain ALL inter-VLAN routing.

I can't quite tell if I have to deny packets from VLANs != 10 to the default GW, or permit only VLAN 10, or what the best solution should be.

What would be my best bet for ACL?

Thanks in advance!

Accepted Solution

A NAT solution would solve the problem, but to me it does not sound like a good solution, since the traffic will be dropped when it reaches the ISP.

A simple ACL can be applied to the VLAN interfaces to block the internet, and any private IP address that you add will automatically be included.

interface vlan x
 ip access-group 100 in
!
access-list 100 permit ip any 172.16.0.0 0.15.255.255
access-list 100 permit ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any 192.168.0.0 0.0.255.255

This one would permit traffic from any source to any destination as long as the destination address is in a private IP address range (that includes DHCP, DNS, or any other servers).

You can be more specific with the ACL if you want, to permit only the existing networks:

interface vlan 20
 ip access-group 101 in
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
!
interface vlan 21
 ip access-group 102 in
!
access-list 102 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.21.0 0.0.0.255 192.168.22.0 0.0.0.255
!
interface vlan 22
 ip access-group 103 in
!
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.1.255

In this case the devices will not be able to ping the default gateway, but ARP will still be resolvable, so inter-VLAN traffic will work. You can add the default gateway as the first statement if you want to be able to ping it:

access-list 103 permit ip 192.168.22.0 0.0.0.255 host 192.168.2.1
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.1.255

Also, if multicast traffic (or anything else) is needed, it should be reflected in the ACLs.
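As an added example (not from the original post, Cisco or Rockwell), a small Python evaluator that applies the ACL 100 and ACL 103 lines above with IOS semantics (first match wins, implicit deny at the end, wildcard 1-bits are "don't care"), so the rules can be checked against sample flows before they are pushed to the switch. It assumes VLAN 22's SVI/default gateway is 192.168.22.1 and uses 203.0.113.10 as a stand-in public address; both are constructed values.

```python
import ipaddress

# Constructed copies of ACL 100 and ACL 103 from the reply above (not the page's own
# tooling). evaluate() applies them the way IOS does: first match wins and an implicit
# "deny ip any any" sits at the end. Only the "permit/deny ip SRC DST" form is handled.
ACL_100 = """
access-list 100 permit ip any 172.16.0.0 0.15.255.255
access-list 100 permit ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any 192.168.0.0 0.0.255.255
"""
ACL_103 = """
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.1.255
"""

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((net, wildcard), used)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), 1
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), 2

def parse_acl(text):
    """Return [(action, src_spec, dst_spec), ...] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # skip blank lines, remarks and non-IP forms
        src, used = _parse_addr(t[4:])
        dst, _ = _parse_addr(t[4 + used:])
        entries.append((t[2], src, dst))
    return entries

def _matches(spec, addr):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(entries, src, dst):
    """Decision for an IP packet src -> dst: first matching entry, else implicit deny."""
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"
```

Note that ACL 100 permits a VLAN 22 host to reach the firewall's inside address 192.168.10.252 (it is a private destination) while still denying any public destination routed through it, which is exactly the behaviour the OP asked for.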


2 Replies

Hi

If you want to provide Internet access to just one subnet and block the others, you need to remove the other networks included in the NAT ACL and just leave the subnet that you want.




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

