Need some help on Inter-Vlan ACL

mon_samonte
Level 1

Hi Experts,

I need some help on creating an Access List on my Intervlan network.

I attached my diagram so that you can have an idea of how I created my network.

I've managed to get the Inter-VLAN routing working, and my problem now is to restrict some VLANs from accessing one another.

- I've enabled IP Routing on 3560 switch.

- All vlans can PING each other.

- All vlans can access the internet (172.16.1.2)

So I seek the help of the experts to be able to finish this project. Many Thanks.

Best Regards,

Mon


8 Replies

srikanth ath
Level 4

Hello Mon

here is a simple conf.

to restrict the server farm to a few users of different VLANs.

ip access-list extended Mon
 permit ip host 192.168.2.10 any
 permit ip host 192.168.3.10 host 192.168.1.1

The first entry will allow the user from the IT dept to access any IP of the server farm; the second will allow only IP 192.168.3.10 to access the single IP 192.168.1.1 in the server farm.

add this ACL to the server farm SVI (virtual interface created for the Server Farm):

int vlan 12
 description vlan12-serverfarm
 ip address x.x.x.x x.x.x.x
 ip access-group Mon in

let me know if you need any help on this.

all the best

Regards

srikanth

Hi Srikanth,

Thanks for a very fast reply. I will try that once I get home.

But my goal is to achieve the 4 tasks that are listed in my JPG attachment.

Thanks again.

Best Regards,

Mon

Task1:

ip access-list extended allow-only-internet
 permit ip any 192.168.0.0 0.0.0.255
 deny ip any any

On the SVI interface of VLAN 15 add:

interface vlan 15
 ip address x.x.x.x x.x.x.x
 ip access-group allow-only-internet in

Task2:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
! task3
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
! task3
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

on the SVI interfaces of VLAN 12, 13 and 14 add the access lists 101, 102 and 103 above, respectively (inbound).

Task4:

This is only possible on stateful network devices like a firewall, where you can control the traffic coming in and going out.

You cannot achieve allowing one-way traffic on an L3 switch.

Regards

srikanth 

Hi,

task 4 can be achieved for TCP if the established keyword is available on this platform (but I think so), and for ICMP by filtering on type codes,

but for UDP it will be more difficult as reflexive ACLs are not supported.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Srikanth, 

Below are the results of the ACL.

Apply ACL inbound:

interface Vlan11
 ip address 192.168.0.241 255.255.255.0
!
interface Vlan12
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan13
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan14
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
!
interface Vlan15
 ip address 192.168.4.1 255.255.255.0
 ip access-group CCMC in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.242
!
ip access-list extended CCMC
 permit ip any 192.168.0.0 0.0.0.255
 permit ip any 10.10.10.0 0.0.0.255
 deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Results:

VLAN 12 Ping to VLAN 11 = OK
VLAN 12 Ping to VLAN 13 = Destination Unreachable
VLAN 12 Ping to VLAN 14 = Destination Unreachable
VLAN 12 Ping to VLAN 15 = Destination Unreachable

VLAN 13 Ping to VLAN 11 = OK
VLAN 13 Ping to VLAN 12 = Request Time Out
VLAN 13 Ping to VLAN 14 = OK
VLAN 13 Ping to VLAN 15 = Destination Unreachable

VLAN 14 Ping to VLAN 11 = OK
VLAN 14 Ping to VLAN 12 = Request Time Out
VLAN 14 Ping to VLAN 13 = Destination Unreachable
VLAN 14 Ping to VLAN 15 = Destination Unreachable

VLAN 15 Ping to VLAN 11 = OK
VLAN 15 Ping to VLAN 12 = Destination Unreachable
VLAN 15 Ping to VLAN 13 = Destination Unreachable
VLAN 15 Ping to VLAN 14 = Destination Unreachable

Apply ACL outbound:

interface Vlan11
 ip address 192.168.0.241 255.255.255.0
!
interface Vlan12
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan13
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 out
!
interface Vlan14
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 out
!
interface Vlan15
 ip address 192.168.4.1 255.255.255.0
 ip access-group CCMC in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.242
!
ip access-list extended CCMC
 permit ip any 192.168.0.0 0.0.0.255
 permit ip any 10.10.10.0 0.0.0.255
 deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Results:

VLAN 12 Ping to VLAN 11 = OK
VLAN 12 Ping to VLAN 13 = Destination Unreachable
VLAN 12 Ping to VLAN 14 = Destination Unreachable
VLAN 12 Ping to VLAN 15 = Request Time Out

VLAN 13 Ping to VLAN 11 = OK
VLAN 13 Ping to VLAN 12 = Destination Unreachable
VLAN 13 Ping to VLAN 14 = Destination Unreachable
VLAN 13 Ping to VLAN 15 = Request Time Out

VLAN 14 Ping to VLAN 11 = OK
VLAN 14 Ping to VLAN 12 = Destination Unreachable
VLAN 14 Ping to VLAN 13 = Destination Unreachable
VLAN 14 Ping to VLAN 15 = Request Time Out

VLAN 15 Ping to VLAN 11 = OK
VLAN 15 Ping to VLAN 12 = Destination Unreachable
VLAN 15 Ping to VLAN 13 = Destination Unreachable
VLAN 15 Ping to VLAN 14 = Destination Unreachable

PS. Am I doing the right thing? Thanks.

Best Regards,

Mon

Hi,

ACLs are applied either to inbound or to outbound traffic on an interface using:

ip access-group <acl> in

or

ip access-group <acl> out

Inbound access lists apply to traffic as it enters an interface.

Note: the packets coming into the interface are filtered if an ACL is applied.

Outbound access lists apply to traffic as it exits an interface.

The whole idea is whether you want to filter inbound packets or outbound packets.

In your tasks I have used inbound access lists, which would be enough to achieve all your tasks.

task1:

allow VLAN 15 to access only the internet and block all the rest.

VLAN 15 Ping to VLAN 11 = OK

VLAN 15 Ping to VLAN 12 = Destination Unreachable

VLAN 15 Ping to VLAN 13 = Destination Unreachable

VLAN 15 Ping to VLAN 14 = Destination Unreachable

task2:

VLAN 12, 13, 14 can access the internet

VLAN 13 Ping to VLAN 11 = OK

VLAN 14 Ping to VLAN 11 = OK

VLAN 13 Ping to VLAN 11 = OK

task3:

VLAN 13 and 14 can access VLAN 12.

Earlier we allowed VLAN 12 to access only VLAN 11, hence it denied all traffic except to VLAN 11, which shows in your result below:

Result:

VLAN 13 Ping to VLAN 12 = Request Time Out

VLAN 14 Ping to VLAN 12 = Request TimeOut

Please add the access list as below. Earlier we allowed VLAN 12 to access only VLAN 11.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Task4:

As I said before, we cannot achieve this. I'm sure you cannot filter the traffic (allowing only one way) even based on the ports (TCP/UDP).

Hope I have answered you. Please rate the post and mark it as answered if it solves your problem.

Thanks,

srikanth
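To make the reasoning above concrete, here is an added example (not from the thread or from Cisco) that models inbound SVI ACL evaluation with Cisco wildcard masks, using the ACL text posted above: it reproduces the "Request Time Out" for VLAN 13 to VLAN 12 under the one-line ACL 101 and the "OK" under the three-line version. The VLAN-to-subnet mapping (VLAN 11..15 = 192.168.0.0/24 .. 192.168.4.0/24) is taken from Mon's configuration; the ping-result labels are an assumption modelled on Mon's reported results.

```python
import ipaddress

ACL_101_ORIGINAL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"
ACL_101_EXTENDED = ACL_101_ORIGINAL + """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"""
ACL_102 = """access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def _addr_spec(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return ((net, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_acl(text):
    """Parse numbered or named 'permit|deny ip SRC DST' lines into (action, src, dst) rules."""
    rules = []
    for t in (line.split() for line in text.strip().splitlines()):
        i = next((k for k, w in enumerate(t) if w in ("permit", "deny")), None)
        if i is None: continue          # e.g. an 'ip access-list extended NAME' header line
        src, j = _addr_spec(t, i + 2)   # t[i + 1] is the protocol keyword 'ip'
        dst, _ = _addr_spec(t, j)
        rules.append((t[i], src, dst))
    return rules

def wildcard_match(addr, net, wc):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)

def permitted(rules, src, dst):
    """First match wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, (sn, sw), (dn, dw) in rules:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def ping(inbound_acls, src, dst):
    """inbound_acls: VLAN id -> rules applied 'in' on that SVI (no entry = no ACL). Echo denied at
    the source SVI -> 'Destination Unreachable'; reply denied at the far SVI -> 'Request Time Out'."""
    vlan = lambda ip: 11 + int(ip.split(".")[2])   # VLAN 11..15 = 192.168.0..4.0/24 (from the thread)
    def passes(s, d):
        return vlan(s) not in inbound_acls or permitted(inbound_acls[vlan(s)], s, d)
    if not passes(src, dst):
        return "Destination Unreachable"
    return "OK" if passes(dst, src) else "Request Time Out"
```

The key point the model makes visible: an inbound ACL on the VLAN 12 SVI filters the echo replies leaving VLAN 12 hosts, so the other VLAN's ping times out rather than getting an unreachable back.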

Hi Srikanth,

I tested your configuration and it works. Thanks for your help.

My last question is: is it possible to create an ACL on the router to be able to achieve task #4? If so, on which interface would I apply the created ACL?

Thanks again for your help and also to Cadet Alain.

Best Regards,

Mon

Hello mon,

You'll have to use a stateful firewall (either a router with CBAC or ZBF, or an ASA).

Why is this not possible in your case? Because IP communication is bidirectional:

Generally, an ASA will allow traffic generated from a higher security level (HSL) to a lower security level (LSL), but blocks traffic from a lower security level to a higher security level.

Unless you define an ACL for the HSL, it would be possible for LSL-generated traffic to enter the HSL.

Thanks,

srikanth
