How to only allow 3 hosts to access vlan

celiopoulos
Level 1

I have a user VLAN (120) and a device management VLAN (70), and I only want certain hosts (with static IPs) on VLAN120 to have access to devices on VLAN70.

How would I create the ACL for this? Thank you

Accepted Solution

Hello celiopoulos,

>> I thought I could just apply the access list on the VLAN70 interface and block all VLANs except 3 hosts on VLAN120. I need hosts on VLAN70 to have access out to the internet and all VLANs. Thank you

 

CAUTION:

The following works for TCP traffic: the keyword established allows verifying that the SYN flag of the first TCP packet in the 3-way TCP handshake is not set.

From the SVI Vlan 70 point of view, you can apply an outbound extended ACL like the following:

 

access-list 170 remark outbound ACL for SVI Vlan 70
access-list 170 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
access-list 170 permit ip host 10.10.120.6 10.10.70.0 0.0.0.255
access-list 170 permit ip host 10.10.120.7 10.10.70.0 0.0.0.255
access-list 170 permit tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 established
! wildcard masks are four octets: 0.0.255.255 for the /16, 0.0.0.255 for the /24
access-list 170 deny tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255
! if needed for SNMP for example or NTP or DNS, you can specify the ports
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 162
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 53
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 67
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq ntp
! allowing ping echo-reply from internal Vlans (an ICMP message type is given without "eq")
access-list 170 permit icmp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 echo-reply
! DNS replies from internet resolvers arrive with source port 53
access-list 170 permit udp any eq 53 10.10.70.0 0.0.0.255
access-list 170 permit tcp any 10.10.70.0 0.0.0.255 established
! if you want to allow ping replies from internet
access-list 170 permit icmp any 10.10.70.0 0.0.0.255 echo-reply
!
interface Vlan70
 ip access-group 170 out

 

The established keyword allows TCP-based sessions to be started only by hosts inside the Vlan 70 IP subnet and not from the outside.

If your DHCP, NTP or DNS servers are in Vlan 70, you need to allow UDP traffic from the Vlans to the specific port to make these services work.

I have also inserted a line to allow hosts in Vlan 70 to ping other Vlans.

For the internet you need to allow DNS and, again, TCP sessions started from the hosts inside the network.

In my example, address block 10.10.0.0/16 represents all internal Vlans.

 

Hope to help

Giuseppe

 

 

 


5 Replies

Giuseppe Larosa
Hall of Fame

Hello Celiopoulos,

In the following I assume you have a multilayer switch with defined L3 SVI interfaces Vlan 120 and Vlan 70.

You can apply an IP extended ACL in the ingress direction under SVI interface Vlan 120.

 

To make an example, let us suppose the following IP subnets are used:

Vlan 120: 10.10.120.0/24
Vlan 70: 10.10.70.0/24

 

access-list 120 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
! additional hosts to be permitted follow
access-list 120 permit ip host 10.10.120.6 10.10.70.0 0.0.0.255
access-list 120 permit ip host 10.10.120.7 10.10.70.0 0.0.0.255
! after the permit section, the deny section for all other hosts to reach management Vlan 70:
access-list 120 deny ip 10.10.120.0 0.0.0.255 10.10.70.0 0.0.0.255
! final statement needed to allow access to all the rest of the network !!!!!!!!
access-list 120 permit ip 10.10.120.0 0.0.0.255 any
!
interface Vlan120
 ip access-group 120 in

 

This should be enough; remember the last statement if you want the user Vlan to be able to access the internet or other subnets.

 

Hope to help

Giuseppe

 

 

I thought I could just apply the access list on the VLAN70 interface and block all VLANs except 3 hosts on VLAN120. I need hosts on VLAN70 to have access out to the internet and all VLANs. Thank you


Hello,

Here is an example. Hosts 192.168.120.10/11/12 are allowed access to Vlan 70; the rest are not. Since your Vlan 120 hosts probably need access to other Vlans and/or the Internet, the last two lines in the access list have been added:

 

interface Vlan70
 description Management Vlan
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan120
 description User Vlan
 ip address 192.168.120.1 255.255.255.0
 ! applied inbound, so the entries are matched against packets arriving from Vlan 120 hosts
 ip access-group VLAN120_TO_VLAN70 in
!
ip access-list extended VLAN120_TO_VLAN70
 permit ip host 192.168.120.10 192.168.70.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 host 192.168.120.10
 permit ip host 192.168.120.11 192.168.70.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 host 192.168.120.11
 permit ip host 192.168.120.12 192.168.70.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 host 192.168.120.12
 deny ip 192.168.120.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.120.0 0.0.0.255 any
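The following is an added example, not code from this thread or from Cisco: a small Python evaluator that applies the first-match, wildcard-mask and implicit-deny rules of an IOS extended ACL to constructed sample packets, so the entries of Giuseppe's two ACLs (120 inbound on Vlan 120, 170 outbound on Vlan 70) and of the named ACL just above can be checked offline before they go on a switch. Packet, parse_acl and evaluate are names chosen for this example; the ACL texts are trimmed, constructed copies of the thread's entries (with four-octet wildcard masks on the deny-tcp line); a packet is described as the interface the ACL is bound to would see it; and "established" is modelled purely as the ACK/RST bit check, with no session state.

```python
# Added example: offline first-match evaluator for Cisco IOS extended ACL entries.
from dataclasses import dataclass
from ipaddress import IPv4Address

# Port keywords used in this thread's ACLs (a small subset of the IOS name table).
PORT_NAMES = {"domain": 53, "bootps": 67, "snmp": 161, "snmptrap": 162, "ntp": 123}

# Constructed, trimmed copies of the ACLs posted in the thread.
ACL_120 = """
access-list 120 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
access-list 120 deny ip 10.10.120.0 0.0.0.255 10.10.70.0 0.0.0.255
access-list 120 permit ip 10.10.120.0 0.0.0.255 any
"""
ACL_170 = """
access-list 170 remark outbound ACL for SVI Vlan 70
access-list 170 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
access-list 170 permit tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 established
access-list 170 deny tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq ntp
access-list 170 permit icmp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 echo-reply
access-list 170 permit tcp any 10.10.70.0 0.0.0.255 established
"""
ACL_NAMED = """
ip access-list extended VLAN120_TO_VLAN70
 permit ip host 192.168.120.10 192.168.70.0 0.0.0.255
 deny ip 192.168.120.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.120.0 0.0.0.255 any
"""


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP ACK or RST bit set, which is what the keyword tests
    icmp_type: str = ""        # "echo", "echo-reply", ...


def _parse_addr(tok, i):
    # Consume 'any', 'host A' or 'A wildcard' at tok[i]; return ((net, wildcard), next i).
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok, i):
    # Consume an optional 'eq <port>' qualifier (the only port operator modelled here).
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn numbered or named extended ACL lines into ordered match dicts."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!") or tok[:2] == ["ip", "access-list"]:
            continue                      # blank line, IOS comment or named-ACL header
        if tok[0] == "access-list":
            tok = tok[2:]                 # drop "access-list <n>" of numbered ACLs
        if tok[0] == "remark":
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rest = tok[i:]                    # "established" and/or an ICMP message type
        entries.append(dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst,
                            dport=dport, established="established" in rest,
                            icmp_type=next((t for t in rest if t != "established"), "")))
    return entries


def _addr_match(spec, addr):
    net, wild = spec                      # a set wildcard bit means "don't care"
    return ((int(IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def entry_matches(e, p):
    return (e["proto"] in ("ip", p.proto)
            and _addr_match(e["src"], p.src) and _addr_match(e["dst"], p.dst)
            and (e["sport"] is None or e["sport"] == p.sport)
            and (e["dport"] is None or e["dport"] == p.dport)
            and (not e["established"] or p.established)
            and (not e["icmp_type"] or e["icmp_type"] == p.icmp_type))


def evaluate(acl_text, p):
    """First matching entry decides; an IOS ACL always ends with an implicit deny."""
    for e in parse_acl(acl_text):
        if entry_matches(e, p):
            return e["action"]
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets, each as the interface the ACL is bound to would see it.
    for name, acl, pkt in [
        ("120 in on Vlan120", ACL_120, Packet("tcp", "10.10.120.8", "10.10.70.10", dport=22)),
        ("170 out on Vlan70", ACL_170, Packet("tcp", "10.10.120.9", "10.10.70.10", dport=22)),
        ("170 out on Vlan70", ACL_170, Packet("tcp", "10.10.120.9", "10.10.70.10", sport=22, established=True)),
        ("named out on Vlan120", ACL_NAMED, Packet("tcp", "198.51.100.7", "192.168.120.50", sport=443, established=True)),
    ]:
        print(f"{name}: {pkt.proto} {pkt.src} -> {pkt.dst}: {evaluate(acl, pkt)}")
```

Running the module prints the verdict for a few sample flows. The named-ACL case makes the direction question concrete: bound outbound on Vlan120, the ACL only ever sees traffic heading toward Vlan 120 hosts, so a reply from the Internet to 192.168.120.50 matches none of the entries and falls through to the implicit deny, whereas the same ACL bound inbound sees the host's outgoing packet and permits it through the final entry. For ACL 170, the evaluator shows that a new TCP connection from Vlan 120 into Vlan 70 hits the deny-tcp entry while a packet with the ACK bit set is accepted by the "established" entry, which is exactly the (stateless) guarantee that keyword gives.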

Ok, I need to add some extra information. I have multiple VLANs, not just the two. I need to prevent access to VLAN70 from all VLANs except a couple of hosts on VLAN120. VLAN70 requires access to all VLANs and internet access.
