07-12-2019 11:40 AM
I have a user VLAN (120) and a device management VLAN (70), and I only want certain hosts (with static IPs) on VLAN 120 to have access to devices on VLAN 70.
How would I create the ACL for this? Thank you
07-15-2019 12:01 PM - edited 07-15-2019 12:03 PM
Hello celiopoulos,
>> I thought I could just apply the access list on the VLAN70 interface and block all VLANs except 3 hosts on VLAN120. I need hosts on VLAN70 to have access out to the internet and all VLANs. Thank you
CAUTION:
the following works for TCP traffic; the keyword established allows verifying that the SYN flag of the first TCP packet in the 3-way TCP handshake is not set.
From the SVI Vlan 70 point of view you can apply an outbound extended ACL like:
access-list 170 remark outbound ACL for SVI Vlan 70
! management hosts on Vlan 120 get full access to Vlan 70
access-list 170 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
access-list 170 permit ip host 10.10.120.6 10.10.70.0 0.0.0.255
access-list 170 permit ip host 10.10.120.7 10.10.70.0 0.0.0.255
! return traffic of TCP sessions started from Vlan 70; new TCP sessions from the other internal Vlans are denied
access-list 170 permit tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 established
access-list 170 deny tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255
! if needed for SNMP for example or NTP or DNS, you can specify the ports
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 162
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 53
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 67
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq ntp
! allowing ping echo-reply from internal Vlans (the ICMP type follows the addresses directly, without eq)
access-list 170 permit icmp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 echo-reply
! DNS replies from internet resolvers (source port 53) and return traffic of TCP sessions started from Vlan 70
access-list 170 permit udp any eq 53 10.10.70.0 0.0.0.255
access-list 170 permit tcp any 10.10.70.0 0.0.0.255 established
! if you want to allow ping replies from internet
access-list 170 permit icmp any 10.10.70.0 0.0.0.255 echo-reply
int Vlan 70
ip access-group 170 out
The established keyword allows TCP-based sessions to be started only by hosts inside the Vlan 70 IP subnet and not from outside.
If your DHCP, NTP and DNS servers are in Vlan 70 you need to allow UDP traffic from the Vlans to the specific ports to make these services work.
I have also inserted a line to allow hosts in Vlan 70 to ping other Vlans.
For the internet you need to allow DNS and again TCP sessions started from hosts inside the network.
In my example the address block 10.10.0.0/16 represents all internal Vlans.
Hope to help
Giuseppe
07-12-2019 12:22 PM - edited 07-12-2019 12:25 PM
Hello Celiopoulos,
In the following I assume you have a multilayer switch with L3 SVI interfaces Vlan 120 and Vlan 70 defined.
You can apply an IP extended ACL in the ingress direction under SVI interface Vlan 120.
To make an example, let us suppose the following IP subnets are used:
Vlan 120 : 10.10.120.0/24
Vlan 70: 10.10.70.0/24
access-list 120 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
! additional hosts to be permitted follow
access-list 120 permit ip host 10.10.120.6 10.10.70.0 0.0.0.255
access-list 120 permit ip host 10.10.120.7 10.10.70.0 0.0.0.255
! after the permit section the deny section for all other hosts to reach management Vlan 70:
access-list 120 deny ip 10.10.120.0 0.0.0.255 10.10.70.0 0.0.0.255
! final statement needed to allow access to all the rest of the network !!!!!!!!
access-list 120 permit ip 10.10.120.0 0.0.0.255 any
int Vlan 120
ip access-group 120 in
This should be enough; remember the last statement if you want the user Vlan to be able to access the internet or other subnets.
Hope to help
Giuseppe
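To check packet by packet what the numbered ACLs in Giuseppe's two answers above actually do, here is an added Python model of Cisco numbered-ACL evaluation (written for this thread; it is not Cisco code or the poster's): wildcard matching, top-down first-match ordering, the established keyword and the implicit deny at the end. The trimmed copy of ACL 170 is a constructed input, and a packet is a constructed dict with proto, src, dst, an optional dport and an ack flag.

```python
def wildcard_match(net, wildcard, addr):
    # Cisco wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    n, w, a = (int.from_bytes(bytes(map(int, x.split("."))), "big") for x in (net, wildcard, addr))
    return n & ~w == a & ~w

def _addr(tok):
    # Normalise one address spec to (net, wildcard): any | host A | NET WILDCARD.
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)

def parse_ace(line):
    # Parse "access-list N permit|deny PROTO SRC DST [eq PORT] [established]"; remark lines -> None.
    tok = line.split()
    if tok[2] == "remark":
        return None
    ace = {"action": tok[2], "proto": tok[3], "dport": None}
    rest = tok[4:]
    ace["src"], ace["dst"] = _addr(rest), _addr(rest)
    if rest[:1] == ["eq"]:                  # optional destination port
        ace["dport"] = rest[1]
    ace["established"] = rest[-1:] == ["established"]
    return ace

def evaluate(acl_text, pkt):
    # Walk the ACEs top-down: first match wins; an unmatched packet hits the implicit deny.
    for ace in filter(None, map(parse_ace, acl_text.strip().splitlines())):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(*ace["src"], pkt["src"]) and wildcard_match(*ace["dst"], pkt["dst"])):
            continue
        if ace["dport"] and str(pkt.get("dport")) != ace["dport"]:
            continue
        # "established" matches only TCP segments with ACK (or RST) set, never the opening SYN.
        if ace["established"] and not pkt.get("ack"):
            continue
        return ace["action"]
    return "deny"

# Trimmed copy of ACL 170 from the accepted answer (constructed here; one permitted host kept).
ACL_170 = """
access-list 170 remark outbound ACL for SVI Vlan 70
access-list 170 permit ip host 10.10.120.5 10.10.70.0 0.0.0.255
access-list 170 permit tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 established
access-list 170 deny tcp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255
access-list 170 permit udp 10.10.0.0 0.0.255.255 10.10.70.0 0.0.0.255 eq 53
access-list 170 permit tcp any 10.10.70.0 0.0.0.255 established
"""
```

ACL 120 from the first answer can be fed in the same way. The model is stateless, exactly like the established keyword itself, which only inspects the ACK/RST bits of each segment rather than tracking sessions.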
07-15-2019 07:35 AM
I thought I could just apply the access list on the VLAN70 interface and block all VLANs except 3 hosts on VLAN120. I need hosts on VLAN70 to have access out to the internet and all VLANs. Thank you
07-12-2019 12:26 PM
Hello,
Here is an example. Hosts 192.168.120.10/11/12 are allowed access to Vlan 70, the rest is not. Since your Vlan 120 hosts probably need access to other Vlans and/or the Internet, the last two lines in the access list have been added:
interface Vlan70
description Management Vlan
ip address 192.168.70.1 255.255.255.0
!
interface Vlan120
description User Vlan
ip address 192.168.120.1 255.255.255.0
! applied inbound, so the ACL sees the traffic as it enters from the Vlan 120 hosts
ip access-group VLAN120_TO_VLAN70 in
!
ip access-list extended VLAN120_TO_VLAN70
permit ip host 192.168.120.10 192.168.70.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 host 192.168.120.10
permit ip host 192.168.120.11 192.168.70.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 host 192.168.120.11
permit ip host 192.168.120.12 192.168.70.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 host 192.168.120.12
deny ip 192.168.120.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.120.0 0.0.0.255 any
07-15-2019 06:43 AM - edited 07-15-2019 08:31 AM
OK, I need to add some extra information. I have multiple VLANs, not just the two. I need to prevent access to VLAN70 from all VLANs except a couple of hosts on VLAN120. VLAN70 requires access to all VLANs and internet access.