
Inter Vlan routing with ACL

olivia_wong
Level 1

Hello all,

 

I am trying to set up 3 VLANs with these conditions applied;

VLAN 2 can communicate with VLAN 3 

VLAN 3 can communicate with VLAN 4 

VLAN 2 and VLAN 4 cannot communicate.

 

Network address for the three VLANs

VLAN 2: 192.168.2.0/26 

VLAN 3: 192.168.2.64/26 

VLAN 4: 192.168.2.128/26 

 

I have tried simulating using Cisco Packet Tracer and was able to connect three VLANs using a router.

I have tried using access control lists, including extended ACLs; however, I could not block the traffic between VLAN 2 and VLAN 4.

 

router_a(config)#access-list 101 deny ip 192.168.2.128 0.0.0.63 192.168.2.0 0.0.0.63
router_a(config)#access-list 101 permit ip 192.168.2.64 0.0.0.63 192.168.2.0 0.0.0.63
router_a(config)#int vlan 2
%LINK-5-CHANGED: Interface Vlan2, changed state to up

router_a(config-if)#ip access-group 101 out
router_a(config-if)#end

 

Thanks in advance for all the help!

7 Replies

Seb Rupik
VIP Alumni

Hi there, 

You should always try to filter traffic as close to the source as possible, so you should apply the ACLs on ingress to the SVIs. Try the following config:

!
! ACL 102: applied inbound on VLAN 2, drops VLAN 2 -> VLAN 4
access-list 102 deny ip 192.168.2.0 0.0.0.63 192.168.2.128 0.0.0.63
access-list 102 permit ip any any
!
! ACL 103: applied inbound on VLAN 3, drops VLAN 3 -> VLAN 2
access-list 103 deny ip 192.168.2.64 0.0.0.63 192.168.2.0 0.0.0.63
access-list 103 permit ip any any
!
! ACL 104: applied inbound on VLAN 4, drops VLAN 4 -> VLAN 2
access-list 104 deny ip 192.168.2.128 0.0.0.63 192.168.2.0 0.0.0.63
access-list 104 permit ip any any
!
int vlan 2
  ip access-group 102 in
!
int vlan 3
  ip access-group 103 in
!
int vlan 4
  ip access-group 104 in
!

cheers,

Seb.

This is really a more complicated issue than it might appear on the surface. Communication needs to be two-way: if vlan 2 needs to communicate with vlan 3 and sends a packet to vlan 3, then vlan 3 needs to be able to send a response. ACL 103 prevents this by denying anything being sent from 3 to 2.

 

If I am understanding the original post correctly, then we may be able to state the requirements in a slightly different way and make the solution more obvious. I believe that we can state the requirement this way:

vlan 2 should not communicate with vlan 4. vlan 4 should not communicate with vlan 2. vlan 3 can communicate with anyone. In that case all we need are ACL 102 and 104.

 

HTH

 

Rick
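To make Rick's two-way point concrete, here is a small evaluator, added to this thread and not part of any reply: it parses Seb's ACL lines (copied above with his "perit" typo corrected), applies them inbound on the SVIs as a {vlan: acl} binding, and checks both the request and the reply direction for every VLAN pair, first with all three ACLs and then with only 102 and 104. The names VLAN_NET, to_net, reachable and matrix are my own, and the wildcard parser assumes contiguous masks like 0.0.0.63.

```python
import ipaddress
# Constructed copy of the ACL lines from Seb's reply (his "perit" typo corrected).
ACL_TEXT = """
access-list 102 deny ip 192.168.2.0 0.0.0.63 192.168.2.128 0.0.0.63
access-list 102 permit ip any any
access-list 103 deny ip 192.168.2.64 0.0.0.63 192.168.2.0 0.0.0.63
access-list 103 permit ip any any
access-list 104 deny ip 192.168.2.128 0.0.0.63 192.168.2.0 0.0.0.63
access-list 104 permit ip any any
"""
VLAN_NET = {2: "192.168.2.0/26", 3: "192.168.2.64/26", 4: "192.168.2.128/26"}  # from the OP

def to_net(tokens, i):
    """Consume 'any' or 'address wildcard' at tokens[i]; assumes a contiguous wildcard."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))   # 0.0.0.63 -> 63 -> /26
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_acls(text):
    """Return {acl number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()                 # access-list N action ip SRC [WC] DST [WC]
        src, i = to_net(t, 4)
        dst, _ = to_net(t, i)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def permitted(acl, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, src, dst in acl:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False

def reachable(acls, bindings, from_vlan, to_vlan):
    """Two-way check: request passes the inbound ACL on the source SVI, reply on the destination SVI."""
    src, dst = (ipaddress.ip_network(VLAN_NET[v])[1] for v in (from_vlan, to_vlan))  # first host
    request_ok = from_vlan not in bindings or permitted(acls[bindings[from_vlan]], src, dst)
    reply_ok = to_vlan not in bindings or permitted(acls[bindings[to_vlan]], dst, src)
    return request_ok and reply_ok

def matrix(acls, bindings):
    return {(a, b): reachable(acls, bindings, a, b) for a in VLAN_NET for b in VLAN_NET if a != b}

ACLS = parse_acls(ACL_TEXT)
SEB = matrix(ACLS, {2: 102, 3: 103, 4: 104})   # all three ACLs, as first posted
RICK = matrix(ACLS, {2: 102, 4: 104})          # only 102 and 104, as Rick suggests
```

SEB shows the 2 to 3 conversation failing because ACL 103 drops VLAN 3's replies, while RICK keeps 2 and 4 apart in both directions and leaves VLAN 3 free to talk to everyone.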

I knew I should have paused to write out a matrix, thanks Rick! ;)

Seb

 

You are welcome. All of us will occasionally be eager to provide an answer and will post a response without thinking all the way through (I know that happens to me from time to time). The statement of the requirement specified that vlan 3 should communicate with vlan 4 and did not say anything about vlan 3 to vlan 2. So it was easy to assume that the intent was that vlan 3 should not communicate with vlan 2 and to suggest access list 103. But if you think about the fact that communication must be two way then it is clear that vlan 3 must be able to send responses to vlan 2 and that access list 103 prevented that.

 

Your responses are usually right on target and helpful. I enjoy seeing your activity in the forum and look forward to further cooperation in providing answers in the forum.

 

HTH

 

Rick

Hello all, thanks for all the help and replies!

 

I am kind of confused regarding inter-VLAN routing, as I have included a router in the network to allow inter-VLAN communication between VLAN 2 and VLAN 3, and between VLAN 3 and VLAN 4. So I need to implement an access control list (ACL) to block traffic between VLAN 2 and VLAN 4. I have a doubt regarding the implementation of the ACL: do I implement the ACL on the router or on the switch? The switch is nearer to the source, but the router is responsible for routing packets in the network.

 

Moreover, I have tried implementing the ACL on the switches, and this is the response I got:

 

switch_a(config)#access-list 101 deny ip 192.168.2.0 0.0.0.63 192.168.2.128 0.0.0.63
switch_a(config)#access-list 101 permit ip any any
switch_a(config)#int vlan 2
switch_a(config-if)#ip access-group 101 in
^
% Invalid input detected at '^' marker.

 

So I could not implement the ACL on the switches. I was able to implement the ACL on the router, but when I tried to ping a workstation on VLAN 4 from a workstation on VLAN 2, I got a response, which I should not get between workstations on VLAN 2 and VLAN 4, and vice versa.

 

These are the commands for implementing the ACL on the router.

router_a(config)#access-list 101 deny ip 192.168.2.0 0.0.0.63 192.168.2.128 0.0.0.63
router_a(config)#access-list 101 permit ip any any
router_a(config)#access-list 102 deny ip 192.168.2.128 0.0.0.63 192.168.2.0 0.0.0.63
router_a(config)#access-list 102 permit ip any any
router_a(config)#int vlan 2
router_a(config-if)#ip access-group 101 in
router_a(config-if)#exit
router_a(config)#int vlan 4
router_a(config-if)#ip access-group 102 in
router_a(config-if)#exit

 

When I tried pinging one of VLAN 4's workstations from one of VLAN 2's workstations, this was the response:

Pinging 192.168.2.130 with 32 bytes of data:

Reply from 192.168.2.130: bytes=32 time=0ms TTL=127
Reply from 192.168.2.130: bytes=32 time=1ms TTL=127
Reply from 192.168.2.130: bytes=32 time=1ms TTL=127
Reply from 192.168.2.130: bytes=32 time=0ms TTL=127

Hello again,
To answer your first question, you should place the IP ACL at the point in the network where the packets are routed. In your case, that is the SVI on the router.

 

Since you have tried to implement the ACL on the switch, can you confirm that you have not configured SVIs on the switch, or at least that you have now removed that config?

Placing the ACLs on the router should have the desired effect, provided the switch is operating at Layer 2 only.

 

If you could attach the configs for both the router and the switch, that would be great.

 

cheers,
Seb.

Hello,

 

Thanks for all the help, I was able to implement the ACL on the router. I have removed the configuration on the switch. Once again, thanks for all the help and responses!

 

Cheers,

Olivia 
