Questions about ACL in out on VLANs
03-08-2023 05:02 PM
Hi everyone,
I have the configuration on the Nexus core switches from the previous engineer's setup. I would like to ask something about the flow of the traffic, so that I can do some access control between VLANs. Below is part of the ACL; I have omitted most of it.
Currently the ACL is defined and applied to a few VLANs. Now a system has been installed inside VLAN142 with IP 10.10.142.xxx. End users from other VLANs (e.g. 10.10.184.xxx) would like to access the machine with certain ports opened.
Now I am struggling with how to interpret the ACLs applied IN on the VLANs. Once I understand it in more detail, I can configure the switch.
ip access-list SYSTEMS
  10 permit icmp any any
  20 permit igmp any any
  30 permit udp any any eq bootps
  100 permit ip 10.10.4.0 0.0.3.255 10.10.0.48/32
  110 permit ip 10.10.16.0 0.0.1.255 10.10.4.0 0.0.3.255
  120 permit ip 10.10.16.0 0.0.1.255 10.10.16.0 0.0.1.255
  130 permit ip 10.10.16.0 0.0.1.255 10.10.142.0 0.0.0.255
  140 permit ip 10.10.16.0 0.0.1.255 10.10.144.0 0.0.7.255
  150 permit ip 10.10.16.0 0.0.1.255 10.10.61.128 0.0.0.31
  160 permit ip 10.10.16.0 0.0.1.255 10.10.0.48/32
  170 permit ip 10.10.142.0 0.0.0.255 10.10.4.0 0.0.3.255
  180 permit ip 10.10.142.0 0.0.0.255 10.10.16.0 0.0.1.255
  190 permit ip 10.10.142.0 0.0.0.255 10.10.144.0 0.0.7.255
  200 permit ip 10.10.142.0 0.0.0.255 10.10.61.128 0.0.0.31
  210 permit ip 10.10.142.0 0.0.0.255 10.10.0.48/32
  300 permit tcp any 10.10.0.1/32 eq domain
  310 permit tcp any 10.10.183.0/24 established
  320 permit tcp any 10.10.183.0/24
  330 permit udp 10.10.142.41/32 eq ntp any
  340 permit udp 10.10.142.43/32 eq ntp any
interface Vlan142
  description PROD Vlan
  no shutdown
  ip access-group SYSTEMS in
  ip address 10.10.142.250/24
interface Vlan26
  no shutdown
  mtu 9216
  ip access-group SYSTEMS in
  ip address 10.10.16.250/24
Cheers,
Timothy
Labels: LAN Switching
03-08-2023 05:15 PM
03-09-2023 05:17 PM
I am now clearer about the ACLs on VLANs, as well as the "established" parameter. Basically the "IN" controls the traffic that gets into the VLANs under the specific subnet. Quite meaningful.
Cheers,
Timothy
03-10-2023 02:26 AM
So welcome Friend
03-08-2023 06:32 PM
Since you already have an ACL defined, you need to amend it for the new requirement, for example:
ip access-list SYSTEMS
350 permit tcp host 10.10.184.xxx host 10.10.142.xxx <-- this is for all the ports
351 permit tcp host 10.10.142.xxx host 10.10.184.xxx
or
permit tcp host 10.10.184.xxx host 10.10.142.xxx eq https established
Note: this is an example; the syntax may differ, so verify it before applying it to the device.
03-09-2023 05:19 PM
It will definitely be worth a trial of these commands. I also tested the parameter at the end on certain protocols (e.g. RDP) with "LOG" at the back to see how the traffic hits the ACLs.
Cheers,
Timothy
03-09-2023 11:41 PM - edited 03-09-2023 11:42 PM
Hello
@timothy_MTS wrote:
Now I am struggling with how to interpret the ACLs applied IN on the VLANs. Once I understand it in more detail, I can configure the switch.
The SVI ACL logic:
IN = traffic originating from within the VLAN needing to exit its VLAN
OUT = traffic originating outside the VLAN wanting to enter the VLAN
Looking at your posted ACL, it's applied inbound on two SVIs (Vlan142 - 10.10.142.0/24, Vlan26 - 10.10.16.0/24).
So any access-list control entry (ACE) beginning with (any, 10.10.142.x, or 10.10.16.x) will be matched for those two VLANs.
As for the other non-matching ACEs, they will ONLY be matched if they reside within the VLAN the ACL is applied to.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
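As an added illustration of the SVI direction logic and the ACE matching discussed in this thread (example code written for this page; it is not from any of the posters, nor a Cisco tool), the script below parses a subset of the posted SYSTEMS ACL, applies the "inbound on an SVI means traffic sourced from that SVI's subnet" rule, and walks one TCP exchange through it. The end-user address 10.10.184.50 and the amending ACE `350 permit tcp host 10.10.142.41 host 10.10.184.50 established` are constructed for the example (the thread only gives 10.10.184.xxx and a sketch of the amendment); 10.10.142.41 and port 443 come from the thread. The evaluator only supports the ACE forms that appear in the posted ACL (`any`, `host`, prefix/len, contiguous wildcard masks, `eq <port>`, `established`).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the SYSTEMS ACL posted in the thread (copied, not constructed).
ACL_TEXT = """
ip access-list SYSTEMS
10 permit icmp any any
20 permit igmp any any
30 permit udp any any eq bootps
130 permit ip 10.10.16.0 0.0.1.255 10.10.142.0 0.0.0.255
180 permit ip 10.10.142.0 0.0.0.255 10.10.16.0 0.0.1.255
300 permit tcp any 10.10.0.1/32 eq domain
310 permit tcp any 10.10.183.0/24 established
320 permit tcp any 10.10.183.0/24
330 permit udp 10.10.142.41/32 eq ntp any
"""

# SVIs that carry 'ip access-group SYSTEMS in' in the posted config.
SVI_INBOUND_ACL = {"10.10.142.0/24": "SYSTEMS", "10.10.16.0/24": "SYSTEMS"}

WELL_KNOWN_PORTS = {"bootps": 67, "domain": 53, "ntp": 123, "https": 443}


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    established: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack_or_rst: bool = False  # 'established' matches TCP segments with ACK or RST set


def _parse_addr(tokens, i):
    """Return (network, next_index) for the address spec starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in t:
        return ipaddress.ip_network(t, strict=False), i + 1
    # address followed by a contiguous wildcard (inverse) mask, e.g. 0.0.3.255 -> /22
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    return ipaddress.ip_network(f"{t}/{32 - wildcard.bit_length()}", strict=False), i + 2


def _parse_port(tokens, i):
    """Return (port or None, next_index); only the 'eq <port>' form is supported."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return WELL_KNOWN_PORTS.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i


def parse_acl(text):
    """Parse numbered ACEs; the 'ip access-list NAME' header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport, "established" in tokens[i:]))
    return aces


def evaluate(aces, pkt):
    """First-match evaluation; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.src_port is not None and a.src_port != pkt.sport:
            continue
        if a.dst_port is not None and a.dst_port != pkt.dport:
            continue
        if a.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return a.action, a.seq
    return "deny", None


def check_flow(aces, pkt):
    """An ACL applied 'in' on an SVI sees packets whose source sits in that SVI's subnet
    (traffic leaving the VLAN through the router). Returns (action, seq, svi_subnet)."""
    src = ipaddress.ip_address(pkt.src)
    for subnet in SVI_INBOUND_ACL:
        if src in ipaddress.ip_network(subnet):
            action, seq = evaluate(aces, pkt)
            return action, seq, subnet
    return "permit", None, None  # no inbound ACL on the source VLAN's SVI in the posted config


def scenario():
    """Walk the end user -> VLAN142 system exchange before and after the amending ACE."""
    user, server = "10.10.184.50", "10.10.142.41"  # user address is constructed
    request = Packet("tcp", user, server, sport=51000, dport=443)
    reply = Packet("tcp", server, user, sport=443, dport=51000, ack_or_rst=True)
    base = parse_acl(ACL_TEXT)
    amended = parse_acl(ACL_TEXT + "350 permit tcp host 10.10.142.41 host 10.10.184.50 established\n")
    return (check_flow(base, request), check_flow(base, reply),
            check_flow(amended, request), check_flow(amended, reply))


if __name__ == "__main__":
    for label, verdict in zip(("request before", "reply before", "request after", "reply after"), scenario()):
        print(f"{label:15}: {verdict}")
```

The run shows the point of Paul's direction rule: the user's request never meets SYSTEMS (its source VLAN has no inbound ACL in the posted config), but the server's reply leaves VLAN142, hits SYSTEMS inbound on that SVI, matches nothing and lands on the implicit deny. Only an ACE written in the return direction (here with `established`, so it admits reply segments without opening the server to new connections it did not answer) makes the exchange complete. Running such a check against a copy of the ACL before touching the switch is a cheap way to confirm what an amendment actually permits.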
