09-12-2012 02:47 AM - edited 03-07-2019 08:50 AM
Hi Experts,
I need some help on creating an access list on my inter-VLAN network.
I attached my diagram so that you can have an idea of how I created my network.
I've managed to get inter-VLAN routing working, and my problem now is restricting some VLANs from accessing one another.
- I've enabled IP routing on the 3560 switch.
- All VLANs can ping each other.
- All VLANs can access the internet (172.16.1.2).
So I seek the help of the experts to be able to finish this project. Many thanks.
Best Regards,
Mon
09-12-2012 03:01 AM
Hello Mon
Here is a simple config to restrict the server farm to a few users from different VLANs.
ip access-list extended Mon
 remark IT-dept host 192.168.2.10 may reach any IP in the server farm
 permit ip host 192.168.2.10 any
 remark 192.168.3.10 may reach only the single server-farm IP 192.168.1.1
 permit ip host 192.168.3.10 host 192.168.1.1
 remark everything else is dropped by the implicit deny at the end
Add this ACL on the server-farm SVI (the virtual interface created for the server farm):
! The permitted sources live in other VLANs, so their packets leave the switch
! through this SVI: apply the list "out" here. An "in" ACL on VLAN 12 would only
! see packets sent by the servers themselves, never the users' packets.
interface vlan 12
 description vlan12-serverfarm
 ip address x.x.x.x x.x.x.x
 ip access-group Mon out
Let me know if you need any help on this.
All the best.
Regards
srikanth
09-12-2012 03:09 AM
Hi Srikanth,
Thanks for a very fast reply. I will try that once I get home.
But my goal is to achieve the 4 tasks listed in my JPG attachment.
Thanks again.
Best Regards,
Mon
09-12-2012 03:29 AM
Task1:
ip access-list extended allow-only-internet
 permit ip any 192.168.0.0 0.0.0.255
 deny ip any any
!
! Apply it on the SVI of VLAN 15:
interface vlan 15
 ip address x.x.x.x x.x.x.x
 ip access-group allow-only-internet in
Task2:
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
! the next line is for task3
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
! the next line is for task3
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
On the SVI interfaces of VLANs 12, 13 and 14, apply access lists 101, 102 and 103 respectively, as above.
Task4:
This is only possible on stateful network devices like a firewall, where you can control the traffic coming in and going out.
You cannot achieve one-way traffic on an L3 switch.
Regards
srikanth
09-12-2012 04:10 AM
Hi,
task 4 can be achieved for TCP if established keyword is available( but I think so) on this platform and for ICMP by filtering on type codes
but for UDP it will be more difficult as reflexive ACLs are not supported.
Regards.
Alain.
Don't forget to rate helpful posts.
09-12-2012 06:18 PM
Hi Srikanth,
Below are the results of the ACLs.
Apply ACL inbound:
interface Vlan11
ip address 192.168.0.241 255.255.255.0
!
interface Vlan12
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface Vlan13
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface Vlan14
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
!
interface Vlan15
ip address 192.168.4.1 255.255.255.0
ip access-group CCMC in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.242
!
!
ip access-list extended CCMC
permit ip any 192.168.0.0 0.0.0.255
permit ip any 10.10.10.0 0.0.0.255
deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Results:
VLAN 12 Ping to VLAN 11 = OK
VLAN 12 Ping to VLAN 13 = Destination Unreachable
VLAN 12 Ping to VLAN 14 = Destination Unreachable
VLAN 12 Ping to VLAN 15 = Destination Unreachable
VLAN 13 Ping to VLAN 11 = OK
VLAN 13 Ping to VLAN 12 = Request Time Out
VLAN 13 Ping to VLAN 14 = OK
VLAN 13 Ping to VLAN 15 = Destination Unreachable
VLAN 14 Ping to VLAN 11 = OK
VLAN 14 Ping to VLAN 12 = Request Time Out
VLAN 14 Ping to VLAN 13 = Destination Unreachable
VLAN 14 Ping to VLAN 15 = Destination Unreachable
VLAN 15 Ping to VLAN 11 = OK
VLAN 15 Ping to VLAN 12 = Destination Unreachable
VLAN 15 Ping to VLAN 13 = Destination Unreachable
VLAN 15 Ping to VLAN 14 = Destination Unreachable
Apply ACL outbound:
interface Vlan11
ip address 192.168.0.241 255.255.255.0
!
interface Vlan12
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
!
interface Vlan13
ip address 192.168.2.1 255.255.255.0
ip access-group 102 out
!
interface Vlan14
ip address 192.168.3.1 255.255.255.0
ip access-group 103 out
!
interface Vlan15
ip address 192.168.4.1 255.255.255.0
ip access-group CCMC in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.242
!
!
ip access-list extended CCMC
permit ip any 192.168.0.0 0.0.0.255
permit ip any 10.10.10.0 0.0.0.255
deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Results:
VLAN 12 Ping to VLAN 11 = OK
VLAN 12 Ping to VLAN 13 = Destination Unreachable
VLAN 12 Ping to VLAN 14 = Destination Unreachable
VLAN 12 Ping to VLAN 15 = Request Time Out
VLAN 13 Ping to VLAN 11 = OK
VLAN 13 Ping to VLAN 12 = Destination Unreachable
VLAN 13 Ping to VLAN 14 = Destination Unreachable
VLAN 13 Ping to VLAN 15 = Request Time Out
VLAN 14 Ping to VLAN 11 = OK
VLAN 14 Ping to VLAN 12 = Destination Unreachable
VLAN 14 Ping to VLAN 13 = Destination Unreachable
VLAN 14 Ping to VLAN 15 = Request Time Out
VLAN 15 Ping to VLAN 11 = OK
VLAN 15 Ping to VLAN 12 = Destination Unreachable
VLAN 15 Ping to VLAN 13 = Destination Unreachable
VLAN 15 Ping to VLAN 14 = Destination Unreachable
PS. Am I doing the right thing? Thanks.
Best Regards,
Mon
09-12-2012 09:21 PM
Hi,
ACLs are applied to either the inbound or the outbound traffic on an interface using:
ip access-group <acl> in
or
ip access-group <acl> out
Inbound access lists apply to traffic as it enters an interface.
Note: the packets coming in to the interface are filtered if the ACL is applied inbound.
Outbound access lists apply to traffic as it exits an interface.
The whole idea is whether you want to filter inbound packets or outbound packets.
In your tasks I have used inbound access lists, which would be enough to achieve all your tasks.
task1:
Allow VLAN 15 to access only the internet and block all the rest.
VLAN 15 Ping to VLAN 11 = OK
VLAN 15 Ping to VLAN 12 = Destination Unreachable
VLAN 15 Ping to VLAN 13 = Destination Unreachable
VLAN 15 Ping to VLAN 14 = Destination Unreachable
task2:
VLANs 12, 13, 14 can access the internet.
VLAN 12 Ping to VLAN 11 = OK
VLAN 13 Ping to VLAN 11 = OK
VLAN 14 Ping to VLAN 11 = OK
task3:
VLANs 13 and 14 can access VLAN 12.
Earlier we allowed VLAN 12 to access only VLAN 11; hence it denied all traffic except to VLAN 11, which shows in your results below:
Result:
VLAN 13 Ping to VLAN 12 = Request Time Out
VLAN 14 Ping to VLAN 12 = Request Time Out
Please add the access list entries below (earlier we allowed VLAN 12 to access only VLAN 11):
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Task4:
As I said before, we cannot achieve this. I'm sure you cannot filter the traffic (allowing only one way) even based on the ports (TCP/UDP).
Hope I have answered you. Please rate the post and mark it as answered if it solves your problem.
Thanks,
srikanth
09-13-2012 06:30 PM
Hi Srikanth,
I tested your configuration and it works. Thanks for your help.
My last question is: is it possible to create an ACL on the router to achieve task #4? If so, on what interface would I apply the created ACL?
Thanks again for your help and also to Cadet Alain.
Best Regards,
Mon
09-13-2012 09:30 PM
Hello Mon,
You'll have to use a stateful firewall (either a router with CBAC or ZBF, or an ASA).
Why this is not possible in your case: IP communication is bidirectional.
Generally, an ASA will allow traffic generated from a higher security level (HSL) to a lower security level (LSL), but blocks traffic from a lower security level to a higher security level.
Unless you define an ACL towards the HSL, it would not be possible for LSL-generated traffic to enter the HSL.
Thanks,
srikanth
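The thread never spells out why Mon's inbound results show two different failures ("Destination Unreachable" when a VLAN is cut off, but "Request Time Out" for VLAN 13 and 14 pinging VLAN 12), nor what Alain's `established` suggestion for task 4 buys and what it costs. The Python below is an added example written for this page; it is not the posters' configuration and not a Cisco tool. It models the 3560 router ACLs as stateless first-match lists with an implicit deny, applied inbound on the SVI of the VLAN a packet is sourced from (the configuration of Mon's 06:18 post; the outbound variant is not modelled), and replays the ping matrix: a denied echo request makes the switch return an ICMP unreachable to the pinger, while a denied echo reply sends that unreachable to the replying host, so the pinger only sees a timeout. The .10 host addresses are constructed. For VLAN 13 to VLAN 14 the model predicts "Destination Unreachable", because the posted ACL 102 has no permit towards 192.168.3.0/24, where Mon's post lists OK. The second function shows task 4 for TCP with an added `permit tcp ... established` entry in ACL 101 (assumed available on the platform, as Alain says) together with the caveat behind srikanth's stateful-firewall answer: `established` only inspects the ACK/RST bits, so any packet from VLAN 12 carrying ACK is forwarded whether or not a session exists.

```python
"""Stateless-ACL model of the inter-VLAN thread (added example, not the
poster's config). Cisco extended ACLs applied INBOUND on SVIs: a packet is
checked against the ACL of the SVI of the VLAN it is sourced from; first
match wins; implicit 'deny ip any any'; 'established' only tests the ACK/RST
bits of a TCP packet, no connection state is kept."""
from ipaddress import ip_address, ip_network

# SVIs as posted in the thread (inbound case). Host .10 in each subnet is a
# constructed test address, not one from the thread.
SVIS = {11: ("192.168.0.0/24", None), 12: ("192.168.1.0/24", "101"),
        13: ("192.168.2.0/24", "102"), 14: ("192.168.3.0/24", "103"),
        15: ("192.168.4.0/24", "CCMC")}


def ace(action, proto, src, dst, established=False):
    """One access-list entry; src/dst are 'any' or 'base wildcard'."""
    def parse(spec):
        return ("0.0.0.0", "255.255.255.255") if spec == "any" else tuple(spec.split())
    return (action, proto, *parse(src), *parse(dst), established)


ACLS = {
    "101": [ace("permit", "ip", "192.168.1.0 0.0.0.255", "192.168.0.0 0.0.0.255")],
    "102": [ace("permit", "ip", "192.168.2.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
            ace("permit", "ip", "192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.255")],
    "103": [ace("permit", "ip", "192.168.3.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
            ace("permit", "ip", "192.168.3.0 0.0.0.255", "192.168.1.0 0.0.0.255")],
    "CCMC": [ace("permit", "ip", "any", "192.168.0.0 0.0.0.255"),
             ace("permit", "ip", "any", "10.10.10.0 0.0.0.255"),
             ace("deny", "ip", "any", "any")],
}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def acl_decision(acl, pkt):
    for action, proto, src, swc, dst, dwc, established in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue
        if established and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL


def vlan_of(addr):
    return next(v for v, (net, _) in SVIS.items() if ip_address(addr) in ip_network(net))


def forward(pkt, acls=ACLS):
    """Inbound router ACL: evaluated on the SVI where the packet enters."""
    acl_name = SVIS[vlan_of(pkt["src"])][1]
    return "permit" if acl_name is None else acl_decision(acls[acl_name], pkt)


def ping(src, dst, acls=ACLS):
    """Classify like Mon's tests: a denied request makes the switch send an
    ICMP unreachable to the pinger; a denied reply sends it to the replying
    host instead, so the pinger just times out."""
    request = {"proto": "icmp", "src": src, "dst": dst, "flags": set()}
    if forward(request, acls) == "deny":
        return "Destination Unreachable"
    reply = {"proto": "icmp", "src": dst, "dst": src, "flags": set()}
    if forward(reply, acls) == "deny":
        return "Request Time Out"
    return "OK"


def host(vlan):
    return str(ip_network(SVIS[vlan][0])[10])


def ping_matrix():
    """{(src_vlan, dst_vlan): result} for VLANs 12-15 pinging every other VLAN."""
    return {(s, d): ping(host(s), host(d))
            for s in (12, 13, 14, 15) for d in (11, 12, 13, 14, 15) if s != d}


def tcp_one_way_demo():
    """Task 4 for TCP: VLAN 13 may open connections to VLAN 12, not the
    reverse, via an assumed 'permit tcp 1.0/24 2.0/24 established' in ACL 101."""
    acls = dict(ACLS)
    acls["101"] = ACLS["101"] + [ace("permit", "tcp", "192.168.1.0 0.0.0.255",
                                     "192.168.2.0 0.0.0.255", established=True)]
    srv, cli = host(12), host(13)

    def tcp(src, dst, *flags):
        return forward({"proto": "tcp", "src": src, "dst": dst, "flags": set(flags)}, acls)
    return {
        "13->12 SYN": tcp(cli, srv, "SYN"),             # client opens: allowed by ACL 102
        "12->13 SYN/ACK": tcp(srv, cli, "SYN", "ACK"),  # server's reply: ACK bit -> allowed
        "12->13 SYN": tcp(srv, cli, "SYN"),             # server initiating: no ACK -> denied
        "12->13 forged ACK": tcp(srv, cli, "ACK"),      # stateless caveat: any ACK passes
    }


if __name__ == "__main__":
    for (s, d), r in sorted(ping_matrix().items()):
        print(f"VLAN {s} ping VLAN {d} = {r}")
    print(tcp_one_way_demo())
```

Running it prints the inbound matrix and the four TCP verdicts; editing the `ACLS` table is a cheap way to check a proposed change before touching the switch. The "forged ACK" row is the reason an `established` entry is not equivalent to a stateful rule: it stops VLAN 12 from completing a handshake into VLAN 13, not from sending ACK-flagged packets there.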