09-20-2013 06:50 AM - edited 03-07-2019 03:35 PM
I'm trying to figure out the best method to use for blocking all access on VLAN 7 from VLAN 3. I know the best rule of thumb for extended ACLs is to put it as close to the destination as possible, so that makes me think it should be configured on VLAN 3, but right now I have this ACL configured on VLAN 7 inbound:
access-list 107 remark This ACL prohibits the 7 VLAN to only access specific servers
access-list 107 permit tcp 10.7.0.0 0.0.0.255 host 10.3.10.10 eq 445
access-list 107 permit tcp 10.7.0.0 0.0.0.255 host 10.3.20.20 eq 135
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.10.10 echo
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.10.10 echo-reply
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.20.20 echo-reply
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.20.20 echo
access-list 107 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 107 permit ip any any
Would the ACE
access-list 107 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255
block users on the 10.7.0.0 network from reaching other users on the 10.7.0.0 network?
Should my ACL be configured like this and applied inbound on VLAN 3 instead?
access-list 103 remark This ACL prohibits the 7 VLAN to only access specific servers
access-list 103 permit tcp 10.7.0.0 0.0.0.255 host 10.3.10.10 eq 445
access-list 103 permit tcp 10.7.0.0 0.0.0.255 host 10.3.20.20 eq 135
access-list 103 permit icmp 10.7.0.0 0.0.0.255 host 10.3.10.10 echo
access-list 103 permit icmp 10.7.0.0 0.0.0.255 host 10.3.10.10 echo-reply
access-list 103 permit icmp 10.7.0.0 0.0.0.255 host 10.3.20.20 echo-reply
access-list 103 permit icmp 10.7.0.0 0.0.0.255 host 10.3.20.20 echo
access-list 103 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip any any
09-20-2013 06:58 AM
Hi,
1) Hosts in vlan 7 will not use the vlan 7 SVI to communicate with other hosts in the same vlan, so this ACE:
access-list 103 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255
will deny vlan 7 from communicating with any other vlan whose subnet begins with 10, including hosts in vlan 3 whose traffic is not matched by a previous ACE.
2) Traffic entering vlan 3 can't have 10.7.0.0 as a source subnet; it must be 10.3.0.0, so none of your ACEs will match except the last one (permit ip any any), meaning you won't filter anything.
Regards
Alain
Don't forget to rate helpful posts.
09-20-2013 07:06 AM
Thanks for the reply Alain. When you say, "2) Traffic entering vlan 3 can't have 10.7.0.0 as a source subnet; it must be 10.3.0.0, so none of your ACEs will match except the last one (permit ip any any), meaning you won't filter anything."
I thought this ACL would be read as: anything from the source 10.7.0.0 trying to go to 10.3.0.0 would be filtered or denied, but the last statement of permit ip any any would let any other source with a 10 address into the 10.3 network?
In my first post I intended to apply ACL 103 to the inbound direction of VLAN 3, whereas the other ACL 107 I intended to apply inbound on VLAN 7. Which ACL statements, and where they should be applied, do you think is correct?
Thanks for your help!
09-20-2013 10:38 AM
Hi,
Traffic from the vlan 3 subnet going to the vlan 7 subnet will enter the interface vlan 3, so if you want to deny traffic from all but some machines in vlan 3 towards the whole vlan 7 subnet, you should configure an ACL inbound on the vlan 3 interface permitting traffic from those vlan 3 hosts towards vlan 7, and then the implicit deny at the end will filter vlan 3 traffic towards all other vlans.
Just tell us also if vlan 7 can talk with vlan 3 as well, which hosts in vlan 3 can communicate with which hosts in vlan 7, and if you've got other vlans or any routed IP you want vlan 3 to communicate with (like, for example, a default gateway).
Regards
Alain
Don't forget to rate helpful posts.
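As an added illustration of Alain's two points (not code from the thread or from Cisco), here is a small evaluator for the IOS-style extended ACL syntax posted above. It walks a packet through ACL 107 first-match, so you can see which ACE a flow hits when the list sits inbound on the VLAN 7 SVI versus the VLAN 3 SVI. The parser only understands the keywords that appear in the thread (ip/tcp/icmp, host, wildcard masks, "eq PORT", ICMP type names); the host addresses in the demo are constructed.

```python
import ipaddress
# Constructed copy of ACL 107 from the thread (remark line omitted).
ACL_107 = """
access-list 107 permit tcp 10.7.0.0 0.0.0.255 host 10.3.10.10 eq 445
access-list 107 permit tcp 10.7.0.0 0.0.0.255 host 10.3.20.20 eq 135
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.10.10 echo
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.10.10 echo-reply
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.20.20 echo-reply
access-list 107 permit icmp 10.7.0.0 0.0.0.255 host 10.3.20.20 echo
access-list 107 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 107 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq PORT | ICMP-TYPE]' lines into tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, swild, rest = _addr(t[4:])
        dst, dwild, rest = _addr(rest)
        qual = int(rest[1]) if rest[:1] == ["eq"] else (rest[0] if rest else None)
        aces.append((t[2], t[3], src, swild, dst, dwild, qual))
    return aces

def evaluate(aces, src, dst, proto, qual=None):
    """Return (action, ACE index) of the first match; ('deny', None) is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for i, (action, p, sn, sw, dn, dw, q) in enumerate(aces):
        # Wildcard mask: 1 bits are "don't care", so only the 0 bits are compared.
        if p in ("ip", proto) and not (s ^ sn) & ~sw & 0xFFFFFFFF \
                and not (d ^ dn) & ~dw & 0xFFFFFFFF and (q is None or q == qual):
            return action, i
    return "deny", None
if __name__ == "__main__":
    acl = parse_acl(ACL_107)
    # VLAN 7 inbound (sources 10.7.x): SMB to 10.3.10.10 passes, HTTP to it hits the deny ACE.
    print(evaluate(acl, "10.7.0.5", "10.3.10.10", "tcp", 445), evaluate(acl, "10.7.0.5", "10.3.10.10", "tcp", 80))
    # VLAN 3 inbound (sources 10.3.x): nothing but the final "permit ip any any" can match.
    print(evaluate(acl, "10.3.10.10", "10.7.0.5", "tcp", 445))
```

The deny ACE would also match a 10.7.0.5 to 10.7.0.6 packet, but as Alain notes such intra-VLAN traffic is switched at layer 2 and never reaches the SVI, so the ACL never sees it.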