Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2469
Views
4
Helpful
7
Replies

Seperate L3 VLANS with VLAN access-maps

soeren.kromrey
Level 1
Level 1

‎07-04-2012 10:08 PM - edited ‎03-07-2019 07:36 AM

Hi guys,

the situation:

I've 6 vlan's

11,21,41 production vlans

10,20,40 lab vlans

They are all connected (routed) on a 3750 stack

I would like to seperate those two groups from each other using VLAN access-maps (or acl if it works better) and block all traffic exept http/s,rdp

I've managed to block all traffic with this config:

vlan access-map VACL_L3SEP 10

action drop

match ip address ACL_SEP

vlan access-map VACL_L3SEP 20

action forward

match ip address ACL_PERMIT_ALL

ip access-list extended ACL_PERMIT_ALL

permit ip any any

ip access-list extended ACL_SEP

permit ip 192.168.11.0 0.0.0.255 any

permit ip 192.168.21.0 0.0.0.255 any

permit ip 192.168.41.0 0.0.0.255 any

permit ip any 192.168.11.0 0.0.0.255

permit ip any 192.168.21.0 0.0.0.255

permit ip any 192.168.41.0 0.0.0.255

At the moment I'm a blockhead so I tried various config's to exept http/s and RDP but I can't achive the desired results

Some an idea?

Maybe ACL's are better used for it ?

Thanks for any help on this

Regards

Soeren

Labels:
0 Helpful
7 Replies 7

Hari Haran S M
Cisco Employee
Cisco Employee

‎07-05-2012 01:17 AM

Hi Soeren,

If you would like to block traffic between seperate vlan's, it's better if you do it through extended ACL's [where you can specify the port number to block particular port as well] applied on the SVI interface. VLAN access map will be helpful when you want to block traffic within the same vlan.

Regards,

Hari

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎07-05-2012 01:42 AM 

Soeren Kromrey wrote:
Hi guys,
the situation:
I've 6 vlan's
11,21,41 production vlans
10,20,40 lab vlans
They are all connected (routed) on a 3750 stack
I would like to seperate those two groups from each other using VLAN access-maps (or acl if it works better) and block all traffic exept http/s,rdp
I've managed to block all traffic with this config:
vlan access-map VACL_L3SEP 10
 action drop
 match ip address ACL_SEP
vlan access-map VACL_L3SEP 20
 action forward
 match ip address ACL_PERMIT_ALL
ip access-list extended ACL_PERMIT_ALL
 permit ip any any
ip access-list extended ACL_SEP
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.21.0 0.0.0.255 any
 permit ip 192.168.41.0 0.0.0.255 any
 permit ip any 192.168.11.0 0.0.0.255
 permit ip any 192.168.21.0 0.0.0.255
 permit ip any 192.168.41.0 0.0.0.255
At the moment I'm a blockhead so I tried various config's to exept http/s and RDP but I can't achive the desired results 
Some an idea?
Maybe ACL's are better used for it ?
Thanks for any help on this
Regards
Soeren

Soeren,

Agreed with Hari post ..Vlan access map is to play within the vlan traffic but extended acl can be used for blocking for intervlan traffic with port and protocol.

check out the below link for applying extended acl..

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v4013/command/reference/ext_acl.pdf

Hope to Help !!

Regards

Ganeshh Iyer

Rate if it Helps ....

0 Helpful

soeren.kromrey
Level 1
Level 1
In response to Ganesh Hariharan

‎07-05-2012 04:20 AM

Hi Hari, Hi Ganeshh

thanks for your comments, if I'll use ext ACL's to filter the traffic would this config achive my goal

interface vlan 10

     ip address 192.168.10.1 255.255.255.0

     access-group aclvl10 in

interface vlan 20

     ip address 192.168.20.1 255.255.255.0

     access-group aclvl20 in

interface vlan 40

     ip address 192.168.40.1 255.255.255.0

     access-group aclvl40 in

access-list extended v10

    permit tcp any 192.168.10.0 0.0.0.255 eq 3389

    permit tcp any 192.168.10.0 0.0.0.255 eq 443

    permit tcp any 192.168.10.0 0.0.0.255 eq 80

    permit tcp 192.168.10.0 0.0.0.255 eq 3389 any

    permit tcp 192.168.10.0 0.0.0.255 eq 443 any

    permit tcp 192.168.10.0 0.0.0.255 eq 80 any

    deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

    deny ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255

    deny ip 192.168.10.0 0.0.0.255 192.168.41.0 0.0.0.255

    deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

    deny ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255

    deny ip 192.168.41.0 0.0.0.255 192.168.10.0 0.0.0.255

    permit ip any any

    deny any

access-list extended v20

    permit tcp any 192.168.20.0 0.0.0.255 eq 3389

    permit tcp any 192.168.20.0 0.0.0.255 eq 443

    permit tcp any 192.168.20.0 0.0.0.255 eq 80

    permit tcp 192.168.20.0 0.0.0.255 eq 3389 any

    permit tcp 192.168.20.0 0.0.0.255 eq 443 any

    permit tcp 192.168.20.0 0.0.0.255 eq 80 any

    deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255

    deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255

    deny ip 192.168.20.0 0.0.0.255 192.168.41.0 0.0.0.255

    deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255

    deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255

    deny ip 192.168.41.0 0.0.0.255 192.168.20.0 0.0.0.255

    permit ip any any

    deny any

access-list extended v40

    permit tcp any 192.168.40.0 0.0.0.255 eq 3389

    permit tcp any 192.168.40.0 0.0.0.255 eq 443

    permit tcp any 192.168.40.0 0.0.0.255 eq 80

    permit tcp 192.168.40.0 0.0.0.255 eq 3389 any

    permit tcp 192.168.40.0 0.0.0.255 eq 443 any

    permit tcp 192.168.40.0 0.0.0.255 eq 80 any

    deny ip 192.168.40.0 0.0.0.255 192.168.11.0 0.0.0.255

    deny ip 192.168.40.0 0.0.0.255 192.168.21.0 0.0.0.255

    deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255

    deny ip 192.168.11.0 0.0.0.255 192.168.40.0 0.0.0.255

    deny ip 192.168.21.0 0.0.0.255 192.168.40.0 0.0.0.255

    deny ip 192.168.41.0 0.0.0.255 192.168.40.0 0.0.0.255

    permit ip any any

    deny any

  • only http,https and rdp are allowed between vlan 10,20,30 and vlan 11,21,41 all other traffic between them is blocked
  • all traffic to and from other vlans (e.g. vlan 10 <--> 20 or 11<- ->12 or new vlan 2 <--> 10)  is permitted

Correct ?

Thx for your help in advance

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to soeren.kromrey

‎07-05-2012 06:25 AM 

Soeren Kromrey wrote:
Hi Hari, Hi Ganeshh
thanks for your comments, if I'll use ext ACL's to filter the traffic would this config achive my goal
interface vlan 10
     ip address 192.168.10.1 255.255.255.0
     access-group aclvl10 in
interface vlan 20
     ip address 192.168.20.1 255.255.255.0
     access-group aclvl20 in
interface vlan 40
     ip address 192.168.40.1 255.255.255.0
     access-group aclvl40 in
access-list extended v10
    permit tcp any 192.168.10.0 0.0.0.255 eq 3389
    permit tcp any 192.168.10.0 0.0.0.255 eq 443
    permit tcp any 192.168.10.0 0.0.0.255 eq 80
    permit tcp 192.168.10.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.10.0 0.0.0.255 eq 443 any
    permit tcp 192.168.10.0 0.0.0.255 eq 80 any
    deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny ip 192.168.10.0 0.0.0.255 192.168.41.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    deny ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255
    deny ip 192.168.41.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip any any
    deny any
access-list extended v20
    permit tcp any 192.168.20.0 0.0.0.255 eq 3389
    permit tcp any 192.168.20.0 0.0.0.255 eq 443
    permit tcp any 192.168.20.0 0.0.0.255 eq 80
    permit tcp 192.168.20.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.20.0 0.0.0.255 eq 443 any
    permit tcp 192.168.20.0 0.0.0.255 eq 80 any
    deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny ip 192.168.20.0 0.0.0.255 192.168.41.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
    deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
    deny ip 192.168.41.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip any any
    deny any
access-list extended v40
    permit tcp any 192.168.40.0 0.0.0.255 eq 3389
    permit tcp any 192.168.40.0 0.0.0.255 eq 443
    permit tcp any 192.168.40.0 0.0.0.255 eq 80
    permit tcp 192.168.40.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.40.0 0.0.0.255 eq 443 any
    permit tcp 192.168.40.0 0.0.0.255 eq 80 any
    deny ip 192.168.40.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.40.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 192.168.40.0 0.0.0.255
    deny ip 192.168.21.0 0.0.0.255 192.168.40.0 0.0.0.255
    deny ip 192.168.41.0 0.0.0.255 192.168.40.0 0.0.0.255
    permit ip any any
    deny any
  • only http,https and rdp are allowed between vlan 10,20,30 and vlan 11,21,41 all other traffic between them is blocked
  • all traffic to and from other vlans (e.g. vlan 10 <--> 20 or 11<- ->12 or new vlan 2 <--> 10)  is permitted
Correct ?
Thx for your help in advance


Hello ,

I am bit confused with your requirement..do you want only http,https and 3389 is allowed between 10,20,30 and rest shoudl be blocked. Then try the below acl and apply this on interface vlan 10,20 and 30 in direction

For example:-

access-list extended v10

    permit tcp any vlan 20 subnet eq 3389

    permit tcp any vlan 20 eq 443

    permit tcp any vlan 20 eq 80

    permit tcp vlan 30 eq 3389 any

    permit tcp vlan 30 eq 443 any

    permit tcp vlan 30 eq 80 any

    deny ip any any

Correct me if i am wrong with your requirement and make sure you are applying under controlled change window.

Regards

Ganeshh Iyer

Rate if it Helps ...

0 Helpful

soeren.kromrey
Level 1
Level 1

‎07-05-2012 07:34 AM

Yep, this is one of my hidden talents, to confuse everyone around me

More detail:

We have in sum 8 vlans

Vlan 11 Server Production

Vlan 21 Clients Production

Vlan 41 Printer Production

Vlan 2 Managment

Vlan 27 Internet Edge ( Default Route)

Vlan 10 Server Migration

Vlan 20 Clients Migration

Vlan 40 Printer Migration

What I want to achive is,

- permit all Traffic between vlan 11,21,41,2,27

- permit all Traffic between vlan 10,20,40,2,27

- permit rdp, http, https between vlan (10,20,40) <--> (11,21,41) so that I can rdp http https between the two Ranges (e.g rdp from 21 to 10 or http from 20 to 41)

-Block all other Traffic between (11,21,41) <--> (10,20,40) e.g. Dns, ad, Kerberos etc....

Hope that bring's a Little light to the darkness

P.s. Apologize for Letter Case up & down, m. iPhone is Set to German locale and gramma correction

Regards

Soeren

Sent from Cisco Technical Support iPhone App

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to soeren.kromrey

‎07-06-2012 12:46 AM 

Soeren Kromrey wrote:
Yep, this is one of my hidden talents, to confuse everyone around me 
More detail:
We have in sum 8 vlans
Vlan 11 Server Production 
Vlan 21 Clients Production
Vlan 41 Printer Production
Vlan 2 Managment
Vlan 27 Internet Edge ( Default Route)
Vlan 10 Server Migration
Vlan 20 Clients Migration
Vlan 40 Printer Migration
What I want to achive is, 
- permit all Traffic between vlan 11,21,41,2,27
- permit all Traffic between vlan 10,20,40,2,27
- permit rdp, http, https between vlan (10,20,40) <--> (11,21,41) so that I can rdp http https between the two Ranges (e.g rdp from 21 to 10 or http from 20 to 41)
-Block all other Traffic between (11,21,41) <--> (10,20,40) e.g. Dns, ad, Kerberos etc....
Hope that bring's a Little light to the darkness
P.s. Apologize for Letter Case up & down, m. iPhone is Set to German locale and gramma correction
Regards
Soeren
Sent from Cisco Technical Support iPhone App


Hello Soeren,

Thanks for putting a clear picture ...Here you go ...

- permit all Traffic between vlan 11,21,41,2,27

- permit all Traffic between vlan 10,20,40,2,27

- permit rdp, http, https between vlan (10,20,40) <--> (11,21,41) so that I can rdp http https between the two Ranges (e.g rdp from 21 to 10 or http from 20 to 41)

-Block all other Traffic between (11,21,41) <--> (10,20,40) e.g. Dns, ad, Kerberos etc....

Let concentrate on example for one of the SVI say VLAN 11

access-list extended v10

    permit tcp any x.x.x.x ( Vlan 10 subnet )eq 3389

    permit tcp any x.x.x.x ( Vlan 10 subnet ) eq 443

    permit tcp any x.x.x.x ( Vlan 10 subnet )eq 80

    permit tcp any vlan x.x.x.x ( Vlan 20 subnet ) 3389 any

    permit tcp any x.x.x.x ( Vlan 20 subnet )eq 443 any

    permit tcp any x.x.x.x ( Vlan 20 subnet )eq 80 any

    permit tcp any vlan x.x.x.x ( Vlan 30 subnet ) 3389 any

    permit tcp any x.x.x.x ( Vlan 30 subnet )eq 443 any

    permit tcp any x.x.x.x ( Vlan 30 subnet )eq 80 any

    Permit ip any x.x.x.x ( vlan 21subnet)

    Permit ip any x.x.x.x ( vlan 41subnet)

    deny ip any any

Apply the above sample on in direction of the SVI for vlan 11 and createthe same type acl for other vlan and apply that in in direction.

I hope the above answer your reqirement.

Ganeshh Iyer

Rate if it Helps ....

soeren.kromrey
Level 1
Level 1
In response to Ganesh Hariharan

‎07-09-2012 09:39 PM

Hi Ganeshh,

thx for your suggestion.

The problem I encoutered with your ACL was, that I would have to permit traffic to my vlan 27 (which route to the Internet Edge) for every protocol I would like to use (e.g. http, ftp, https, smtp....). This would have led to very blown up ACL so I accomplished my needs with the following config:

Examples for vlan10 & vlan 11 applied inbound direction

ip access-list extended VLAN10_IN

    permit tcp any eq 3389

    permit tcp any eq 80

    permit tcp any eq 443

    permit tcp any eq ftp

    permit tcp any eq 20

    permit tcp eq 3389 any

    permit tcp eq 80 any

    permit tcp eq 443 any

    permit tcp eq ftp any

    permit tcp eq 20 any

    deny ip

    deny ip

    deny ip

    permit ip any any

ip access-list extended VLAN11_IN

    permit tcp any eq 3389

    permit tcp any eq 80

    permit tcp any eq 443

    permit tcp any eq ftp

    permit tcp any eq 20

    permit tcp eq 3389 any

    permit tcp eq 80 any

    permit tcp eq 443 any

    permit tcp eq ftp any

    permit tcp eq 20 any

    deny ip

    deny ip

    deny ip

    permit ip any any

With this there is no need for specifing single ports for IE access.

Nevertheless thx for your thoughts which led me to the right solution

Cheers

Soeren

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card