07-31-2011 07:23 PM - edited 03-07-2019 01:29 AM
Hi
We have 2 VLANs as follows configured on Cisco 3750 Switch
Vlan1 --> 192.168.1.x
Vlan2 --> 192.168.2.x
Now, we would like to block traffic from 192.168.2.x subnet to 192.168.1.x. But, we want to allow 192.168.1.x subnet to access 192.168.2.x.
Can anyone help with how to achieve the above with ACLs please?
Thanks
Sandip
07-31-2011 08:21 PM
Hi,
Try this:
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
inter vlan 1
ip access-group 111 in
HTH
Reza
07-31-2011 08:27 PM
Hi,
Thanks.
Just wondering if I have to apply it to the vlan1 (192.168.1.x) or vlan2 (192.168.2.x) interface?
==============================
so should it be
inter vlan 1
ip access-group 111 in
or
inter vlan 2
ip access-group 111 in
===============================
Sandip
08-01-2011 03:33 AM
Hi Sandip,
I tried labbing this on one of our 3750s and VACL is supported. You can try the below:
Switch(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Switch(config)#access-list 20 permit 192.168.2.0 0.0.0.255
Switch(config)#vlan access-map FILTER1
Switch(config-access-map)#match ip address 20
Switch(config-access-map)#action drop
Switch(config)#vlan filter FILTER1 vlan-list 1
Switch(config)#vlan access-map FILTER2 10
Switch(config-access-map)#match ip address 10
Switch(config-access-map)#action forward
Switch(config)#vlan access-map FILTER2 20
Switch(config-access-map)#action drop
Switch(config)#vlan filter FILTER2 vlan-list 2
08-01-2011 03:53 AM
John
How does this work? FILTER1 is configured to drop any packets from 192.168.2.x, so how does return traffic to vlan 1 get back to the vlan 1 client?
Note, I'm not saying it doesn't work, I just can't understand the logic.
Jon
08-01-2011 05:19 AM
Hi Jon,
It's just the 192.168.2.x traffic I've blocked towards VLAN 1; the rest should be normal.
Please feel free to correct my assumptions, since I've just explored the possibility of using a VACL in this case.
08-01-2011 05:25 AM
John
I'm not saying you are wrong, but have you tested this? The OP wants to ensure that vlan 2 cannot access vlan 1, which your VACL will do.
But he also wants vlan 1 to be able to access vlan 2. Now the problem is that traffic from vlan 1 to vlan 2 will be allowed, but when vlan 2 responds, won't your VACL on vlan 1 block the return traffic?
So basically, can you try connecting from a vlan 1 client to a vlan 2 client and see if it works? My belief is it won't, because the return traffic will be dropped due to your VACL applied on vlan 1.
I could well be wrong, and as I don't have a switch to test with, it would be good if you could test it.
Jon
07-31-2011 10:09 PM
Hi,
From the reply you got from Reza Sharifi, you have to apply the rules to vlan 1.
By the way, if you think you have to manage traffic from vlan 1 more than from vlan 2,
then it's better to apply the Vlan ACL to the vlan 1. Otherwise, you have to change the ACL rules and apply it to vlan 2.
Thanks^^
08-01-2011 12:22 AM
Hi,
Please see the below config for your scenario.
ip access-list extended vlan1_access
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vlan2_access
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
int Vlan1
 ip address 192.168.1.x
 ip access-group vlan1_access in
int Vlan2
 ip address 192.168.2.x
 ip access-group vlan2_access in
Please rate the helpful posts.
Regards,
Naidu.
08-01-2011 02:34 AM
Sandip
Unfortunately you can't do this with standard acls. The problem you have is that you want to deny traffic from vlan 2 to vlan 1 but allow traffic from vlan 1 to vlan 2. So using Naidu's example -
int vlan 2
 ip address 192.168.2.x
 ip access-group vlan2_access in
ip access-list extended vlan2_access
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
The above will indeed stop vlan 2 from accessing vlan 1, i.e. no client on vlan 2 will be able to initiate a connection to a client on vlan 1. But the problem is that if vlan 1 sends a packet to a client on vlan 2 it will be allowed, but the return packet from vlan 2 to vlan 1 will also be blocked by the above ACL.
What you need to use is either -
1) a stateful firewall
or
2) reflexive acls
Unfortunately, the 3750 doesn't support either. If the connections were only TCP then you may be able to use the "established" keyword in your ACLs, but I'm not even sure that is supported on the 3750.
So it's not possible to do what you want with the equipment you have, I'm afraid.
Jon
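To show the return-traffic problem Jon describes, here is an added Python model of IOS-style ACL evaluation (this is not code from the thread or from Cisco; the hosts 192.168.1.10 and 192.168.2.20 and the two ACL lists are constructed for the example). It applies the stateless deny/permit pair inbound on the VLAN 2 SVI, then the same list with an "established" entry in front, and reports what happens to the SYN from VLAN 1, the SYN-ACK reply from VLAN 2, and a fresh SYN started from VLAN 2.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}

VLAN1, VLAN2, ANY = "192.168.1.0/24", "192.168.2.0/24", "0.0.0.0/0"

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def evaluate(acl, pkt):
    """Walk the access-list entries top down; the first hit wins and an
    unmatched packet falls through to the implicit deny, as on IOS."""
    for action, src, dst, established in acl:
        if not (in_net(pkt.src, src) and in_net(pkt.dst, dst)):
            continue
        # 'established' matches only TCP segments with ACK or RST set,
        # i.e. replies to a connection that the other side opened
        if established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return action
    return "deny"

# Stateless ACL from the thread, applied inbound on the VLAN 2 SVI
STATELESS = [("deny", VLAN2, VLAN1, False), ("permit", VLAN2, ANY, False)]
# Same rules with an 'established' entry in front so TCP replies get through
ESTABLISHED = [("permit", VLAN2, VLAN1, True)] + STATELESS

def forward(acls, pkt):
    """acls maps SVI name to its inbound ACL (None = no ACL applied);
    the ingress SVI is chosen from the packet's source subnet."""
    ingress = "vlan1" if in_net(pkt.src, VLAN1) else "vlan2"
    acl = acls[ingress]
    return "permit" if acl is None else evaluate(acl, pkt)

def simulate(acls):
    """Constructed hosts: .1.10 on VLAN 1 opens a TCP session to .2.20 on VLAN 2."""
    syn = Packet("192.168.1.10", "192.168.2.20", flags=frozenset({"SYN"}))
    syn_ack = Packet("192.168.2.20", "192.168.1.10", flags=frozenset({"SYN", "ACK"}))
    new_from_vlan2 = Packet("192.168.2.20", "192.168.1.10", flags=frozenset({"SYN"}))
    return {"vlan1_to_vlan2_syn": forward(acls, syn),
            "reply_syn_ack": forward(acls, syn_ack),
            "vlan2_new_syn": forward(acls, new_from_vlan2)}

if __name__ == "__main__":
    print("stateless  :", simulate({"vlan1": None, "vlan2": STATELESS}))
    print("established:", simulate({"vlan1": None, "vlan2": ESTABLISHED}))
```

Because "established" only inspects TCP flag bits, it is not a stateful check: UDP and ICMP replies from VLAN 2 still need a stateful firewall or reflexive ACLs, as Jon notes.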
02-10-2016 06:56 AM
Hi,
I wrote about how to do this in the past. You should find your answer in my post: