cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2732
Views
0
Helpful
10
Replies
Sandip Barot
Beginner

Intervlan traffic filter

Hi

We have 2 VLANs as follows configured on Cisco 3750 Switch

Vlan1 --> 192.168.1.x

Vlan2 --> 192.168.2.x

Now, we would like to block traffic from 192.168.2.x subnet to 192.168.1.x. But, we want to allow 192.168.1.x subnet to access 192.168.2.x.

Can any one help how to acheive above with the ACLs please?

Thanks

Sandip

10 REPLIES 10
Reza Sharifi
Hall of Fame Expert

Hi,

Try this:

access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 permit ip any any

inter vlan 1

ip access-group 111 in

HTH

Reza

Hi,

Thanks.

Just wondering if I have to apply it to vlan1 (192.168.1.x) or vlan2(192.168.2.x) interface.?

==============================

so should it be 

inter vlan 1 

ip access-group 111 in

or

inter vlan 2

ip access-group 111 in

===============================

Sandip

hi sandip,

i tried lab'ng this in one of our 3750 and VACL is supported. can try the below:

Switch(config)#access-list 10 permit 192.168.1.0 0.0.0.255

Switch(config)#access-list 20 permit 192.168.2.0 0.0.0.255

Switch(config)#vlan access-map FILTER1

Switch(config-access-map)#match ip address 20

Switch(config-access-map)#action drop

Switch(config)#vlan filter FILTER1 vlan-list 1

Switch(config)#vlan access-map FILTER2 10

Switch(config-access-map)#match ip address 10

Switch(config-access-map)#action forward

Switch(config)#vlan access-map FILTER2 20

Switch(config-access-map)#action drop

Switch(config)#vlan filter FILTER2 vlan-list 2

John

How does this work. Filter1 is configured to drop any packets from 192.168.2.x so how does return traffic to vlan 1 get back to the vlan 1 client ?

Note, i'm not saying it doesn't work, i just can't understand the logic.

Jon

hi jon,

it's just the 192.168.2.x traffic i've blocked towards VLAN 1 and the rest should be normal.

please feel free to correct my assumptions since i've  just explored the possibility of using VACL in this case.

John

I'm not saying you are wrong but have you tested this. The OP wants to ensure that vlan 2 cannot access vlan 1 which your VACL will do.

But he also wants vlan 1 to be able to access vlan 2. Now the problem is that traffic from vlan 1 to vlan 2 will be allowed but when vlan 2 responds won't your VACL in vlan 1 block the return traffic ?

So basically can you try connecting from a vlan 1 client to a vlan 2 client 2 and see if it works because my belief is it won't because the return traffic will be dropped due to your VACL applied in vlan 1.

I could well be wrong and as i don't have a switch to test with it would be good if you could test it.

Jon

khongming
Beginner

Hi,

From the reply you got from Reza Sharifi, you have to apply the rules to vlan 1.

By the way, if you think you have to manage traffic from vlan 1 more than from vlan 2,

then it's better to apply the Vlan ACL to the vlan 1. Otherwise, you have to change the ACL rules and apply it to vlan 2.

Thanks^^

Hi,

Please see the below config for your scenario.

ip access-list extended vlan1_access
permit ip 192.168.1.0 0.0.0.255 any


ip access-list extended vlan2_access
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any


int Vlan1
ip address 192.168.1.x
ip access-group vlan1_access


int Vlan2
ip address 192.168.2.x
ip access-group vlan2_access

Please rate the helpfull posts.
Regards,
Naidu.

Jon Marshall
VIP Community Legend

Sandip

Unfortunately you can't do this with standard acls. The problem you have is that you want to deny traffic from vlan 2 to vlan 1 but allow traffic from vlan 1 to vlan 2. So using Naidu's example -

int vlan 2

ip address 192.168.1.x

ip access-group vlan2_access

ip acces-list extended vlan2_access

deny 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.2.0 0.0.0.255 any

the above will indeed stop vlan 2 from accessing vlan 1 ie. no client on vlan 2 will be to initiate a connection to a client on vlan 1. But the problem is that if vlan 1 sends a packet to a client on vlan 2 it will be allowed but the return packet from vlan 2 to vlan 1 will also be blocked by the above acl.

What you need to use is either -

1) a stateful firewall

or

2) reflexive acls

unfortuately, the 3750 doesn't support either. If the connections were only TCP then you may be able to use the "established" keyword in your acls but i'm not even sure that is supported on the 3750.

So it's not possible to do what you want with the equipment you have i'm afraid.

Jon

valter.popeskic
Beginner

Hi,

I wrote about how to do this in the past. You should find your answer in my post:

Unidirectional communication filter between two VLANs: http://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back

Valter Popeskic