06-21-2011 08:59 AM - edited 03-07-2019 12:55 AM
Hello,
I have a problem with VLAN security; my network is composed of:
(access switch: 2960)
(core switch: 4507R)
(firewall (Internet security): ASA 5510)
(router (Internet connection): 2811)
I have a similar network:
1st STEP WITHOUT ACL
I want to secure between vlans, for example I need:
2nd STEP WITH ACL (several attempts)
I attempted several ways to implement an ACL on the Cisco 4507R switch.
1st attempt
VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************** I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet
ip access-list extended 120
permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
permit ip any 10.0.40.0 0.0.0.255
int vlan 20
ip access-group 120 in
2nd attempt
VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************* I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet
ip access-list extended 120
permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
int vlan 20
ip access-group 120 in
3rd attempt
VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 ************************ I don't need that
VLAN 30 accesses the Internet
ip access-list extended 120
deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
permit ip 10.0.20.0 0.0.0.255 any
int vlan 20
ip access-group 120 in
4th attempt
VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 *********************** I don't need that
VLAN 30 accesses the Internet
ip access-list extended 120
deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.20.0 0.0.0.255 any
int vlan 20
ip access-group 120 in
WITHOUT DENY (1st and 2nd attempts), VLAN 20 does not access the Internet; I want it to access the Internet.
EXPLICIT DENY (3rd and 4th attempts) stops traffic in both directions, and I need just one direction to be blocked.
Can someone help me to have:
Thank you.
06-21-2011 10:25 AM
kassab2005 wrote:
Hello,
I have a problem with VLAN security; my network is composed of:
(access switch: 2960)
(core switch: 4507R)
(firewall (Internet security): ASA 5510)
(router (Internet connection): 2811)
I have a similar network:
1st STEP WITHOUT ACL
I want to secure between vlans, for example I need:
2nd STEP WITH ACL (several attempts)
I attempted several ways to implement an ACL on the Cisco 4507R switch.
1st attempt
VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************** I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet
ip access-list extended 120
permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
permit ip any 10.0.40.0 0.0.0.255
int vlan 20
ip access-group 120 in
Communication is a two-way process, so if VLAN 30 accesses VLAN 20, that means VLAN 20 can access VLAN 30.
2nd attempt
VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************* I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet
ip access-list extended 120
permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
int vlan 20
ip access-group 120 in
The same as above.
3rd attempt
VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 ************************ I don't need that
VLAN 30 accesses the Internet
ip access-list extended 120
deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
permit ip 10.0.20.0 0.0.0.255 any
int vlan 20
ip access-group 120 in
This is normal according to your ACL.
4th attempt
VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 *********************** I don't need that
VLAN 30 accesses the Internet
ip access-list extended 120
deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.20.0 0.0.0.255 any
int vlan 20
ip access-group 120 in
Same as above.
WITHOUT DENY (1st and 2nd attempts), VLAN 20 does not access the Internet; I want it to access the Internet.
Use an explicit permit for VLAN 20 to any as the last entry.
EXPLICIT DENY (3rd and 4th attempts) stops traffic in both directions, and I need just one direction to be blocked.
AFAIK this is not possible with regular ACLs; you'd have to use CBAC or ZBF to achieve such a result.
Can someone help me to have:
Thank you.
Regards.
Alain.
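To make the two points of the reply concrete (the implicit deny at the end of every ACL, and a one-way deny on the VLAN 20 SVI breaking the return half of a VLAN 30 session), here is a small simulator, added to this thread and not posted by either participant. It evaluates the 1st and 3rd attempts' ACLs the way IOS does (first match wins, implicit deny, applied inbound on the VLAN 20 SVI) against both packets of a two-way flow; the host addresses and the Internet address 203.0.113.10 are constructed samples.

```python
import ipaddress

# The ACLs from the thread's 1st and 3rd attempts, transcribed as posted.
ATTEMPT_1 = ["permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255",
             "permit ip any 10.0.40.0 0.0.0.255"]
ATTEMPT_3 = ["deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255",
             "permit ip 10.0.20.0 0.0.0.255 any"]

VLAN20 = ipaddress.ip_network("10.0.20.0/24")  # subnet behind "int vlan 20"
ANY = ("0.0.0.0", "255.255.255.255")           # "any" as address + wildcard


def parse_ace(line):
    """Turn 'permit ip <src> <wc> <dst> <wc>' into (action, src, swc, dst, dwc)."""
    tokens = line.split()
    action, rest = tokens[0].lower(), tokens[2:]  # tokens[1] is the protocol (ip)

    def take():
        if rest[0].lower() == "any":
            rest.pop(0)
            return ANY
        return rest.pop(0), rest.pop(0)

    src, dst = take(), take()
    return (action, *src, *dst)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in map(parse_ace, acl):
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


def passes_vlan20_in(acl, src, dst):
    """'ip access-group 120 in' on the VLAN 20 SVI only sees packets that enter
    the switch from VLAN 20 hosts; anything else is not subject to this ACL."""
    if ipaddress.ip_address(src) not in VLAN20:
        return True
    return acl_action(acl, src, dst) == "permit"


def flow_completes(acl, initiator, responder):
    """A session needs the first packet AND the reply to get through."""
    return (passes_vlan20_in(acl, initiator, responder)
            and passes_vlan20_in(acl, responder, initiator))
```

With `ATTEMPT_1`, a VLAN 20 host reaching 203.0.113.10 fails on the implicit deny while VLAN 20 to VLAN 30 still completes; with `ATTEMPT_3`, VLAN 20 reaches the Internet but a session started from VLAN 30 towards VLAN 20 dies because its reply packet hits the deny.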