07-04-2012 10:08 PM - edited 03-07-2019 07:36 AM
Hi guys,
the situation:
I have 6 VLANs:
11, 21, 41: production VLANs
10, 20, 40: lab VLANs
They are all connected (routed) on a 3750 stack.
I would like to separate those two groups from each other using VLAN access-maps (or ACLs if they work better) and block all traffic except HTTP/S and RDP.
I've managed to block all traffic with this config:
vlan access-map VACL_L3SEP 10
action drop
match ip address ACL_SEP
vlan access-map VACL_L3SEP 20
action forward
match ip address ACL_PERMIT_ALL
ip access-list extended ACL_PERMIT_ALL
permit ip any any
ip access-list extended ACL_SEP
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.21.0 0.0.0.255 any
permit ip 192.168.41.0 0.0.0.255 any
permit ip any 192.168.11.0 0.0.0.255
permit ip any 192.168.21.0 0.0.0.255
permit ip any 192.168.41.0 0.0.0.255
At the moment I'm a blockhead, so I tried various configs to except HTTP/S and RDP, but I can't achieve the desired results.
Anyone have an idea?
Maybe ACLs are better suited for this?
Thanks for any help on this.
Regards
Soeren
07-05-2012 01:17 AM
Hi Soeren,
If you would like to block traffic between separate VLANs, it's better to do it through extended ACLs (where you can specify the port number to block a particular port as well) applied on the SVI interface. A VLAN access map is helpful when you want to block traffic within the same VLAN.
Regards,
Hari
07-05-2012 01:42 AM
Soeren,
Agreed with Hari's post. A VLAN access map is for working with traffic within a VLAN, but an extended ACL can be used for blocking inter-VLAN traffic by port and protocol.
Check out the link below for applying an extended ACL:
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v4013/command/reference/ext_acl.pdf
Hope to Help !!
Regards
Ganeshh Iyer
Rate if it Helps ....
07-05-2012 04:20 AM
Hi Hari, Hi Ganeshh
thanks for your comments. If I use extended ACLs to filter the traffic, would this config achieve my goal?
interface vlan 10
ip address 192.168.10.1 255.255.255.0
ip access-group v10 in
interface vlan 20
ip address 192.168.20.1 255.255.255.0
ip access-group v20 in
interface vlan 40
ip address 192.168.40.1 255.255.255.0
ip access-group v40 in
ip access-list extended v10
permit tcp any 192.168.10.0 0.0.0.255 eq 3389
permit tcp any 192.168.10.0 0.0.0.255 eq 443
permit tcp any 192.168.10.0 0.0.0.255 eq 80
permit tcp 192.168.10.0 0.0.0.255 eq 3389 any
permit tcp 192.168.10.0 0.0.0.255 eq 443 any
permit tcp 192.168.10.0 0.0.0.255 eq 80 any
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.41.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.41.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
deny ip any any
ip access-list extended v20
permit tcp any 192.168.20.0 0.0.0.255 eq 3389
permit tcp any 192.168.20.0 0.0.0.255 eq 443
permit tcp any 192.168.20.0 0.0.0.255 eq 80
permit tcp 192.168.20.0 0.0.0.255 eq 3389 any
permit tcp 192.168.20.0 0.0.0.255 eq 443 any
permit tcp 192.168.20.0 0.0.0.255 eq 80 any
deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.41.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.41.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
deny ip any any
ip access-list extended v40
permit tcp any 192.168.40.0 0.0.0.255 eq 3389
permit tcp any 192.168.40.0 0.0.0.255 eq 443
permit tcp any 192.168.40.0 0.0.0.255 eq 80
permit tcp 192.168.40.0 0.0.0.255 eq 3389 any
permit tcp 192.168.40.0 0.0.0.255 eq 443 any
permit tcp 192.168.40.0 0.0.0.255 eq 80 any
deny ip 192.168.40.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.21.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.40.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.40.0 0.0.0.255
deny ip 192.168.41.0 0.0.0.255 192.168.40.0 0.0.0.255
permit ip any any
deny ip any any
Correct?
Thanks for your help in advance.
07-05-2012 06:25 AM
Hello ,
I am a bit confused by your requirement. Do you want only HTTP, HTTPS and 3389 allowed between 10, 20 and 30, and the rest blocked? Then try the ACL below and apply it on interface VLAN 10, 20 and 30 in the in direction.
For example:-
access-list extended v10
permit tcp any vlan 20 subnet eq 3389
permit tcp any vlan 20 eq 443
permit tcp any vlan 20 eq 80
permit tcp vlan 30 eq 3389 any
permit tcp vlan 30 eq 443 any
permit tcp vlan 30 eq 80 any
deny ip any any
Correct me if I am wrong about your requirement, and make sure you apply this under a controlled change window.
Regards
Ganeshh Iyer
Rate if it Helps ...
07-05-2012 07:34 AM
Yep, this is one of my hidden talents, to confuse everyone around me.
More detail:
We have 8 VLANs in total:
VLAN 11 Server Production
VLAN 21 Clients Production
VLAN 41 Printer Production
VLAN 2 Management
VLAN 27 Internet Edge (default route)
VLAN 10 Server Migration
VLAN 20 Clients Migration
VLAN 40 Printer Migration
What I want to achieve is:
- permit all traffic between VLAN 11, 21, 41, 2, 27
- permit all traffic between VLAN 10, 20, 40, 2, 27
- permit RDP, HTTP, HTTPS between VLAN (10,20,40) <--> (11,21,41) so that I can RDP/HTTP/HTTPS between the two ranges (e.g. RDP from 21 to 10 or HTTP from 20 to 41)
- block all other traffic between (11,21,41) <--> (10,20,40), e.g. DNS, AD, Kerberos etc.
Hope that brings a little light into the darkness.
P.S. Apologies for the letter case going up and down; my iPhone is set to the German locale and grammar correction.
Regards
Soeren
Sent from Cisco Technical Support iPhone App
07-06-2012 12:46 AM
Hello Soeren,
Thanks for painting a clear picture. Here you go:
- permit all traffic between VLAN 11, 21, 41, 2, 27
- permit all traffic between VLAN 10, 20, 40, 2, 27
- permit RDP, HTTP, HTTPS between VLAN (10,20,40) <--> (11,21,41) so that I can RDP/HTTP/HTTPS between the two ranges (e.g. RDP from 21 to 10 or HTTP from 20 to 41)
- block all other traffic between (11,21,41) <--> (10,20,40), e.g. DNS, AD, Kerberos etc.
Let's concentrate on an example for one of the SVIs, say VLAN 11:
access-list extended v10
permit tcp any x.x.x.x ( Vlan 10 subnet )eq 3389
permit tcp any x.x.x.x ( Vlan 10 subnet ) eq 443
permit tcp any x.x.x.x ( Vlan 10 subnet )eq 80
permit tcp any vlan x.x.x.x ( Vlan 20 subnet ) 3389 any
permit tcp any x.x.x.x ( Vlan 20 subnet )eq 443 any
permit tcp any x.x.x.x ( Vlan 20 subnet )eq 80 any
permit tcp any vlan x.x.x.x ( Vlan 30 subnet ) 3389 any
permit tcp any x.x.x.x ( Vlan 30 subnet )eq 443 any
permit tcp any x.x.x.x ( Vlan 30 subnet )eq 80 any
Permit ip any x.x.x.x ( vlan 21subnet)
Permit ip any x.x.x.x ( vlan 41subnet)
deny ip any any
Apply the above sample in the in direction on the SVI for VLAN 11, then create the same type of ACL for the other VLANs and apply them in the in direction as well.
I hope the above answers your requirement.
Ganeshh Iyer
Rate if it Helps ....
07-09-2012 09:39 PM
Hi Ganeshh,
thx for your suggestion.
The problem I encountered with your ACL was that I would have had to permit traffic to my VLAN 27 (which routes to the Internet edge) for every protocol I would like to use (e.g. HTTP, FTP, HTTPS, SMTP, ...). This would have led to a very bloated ACL, so I accomplished my needs with the following config:
Examples for VLAN 10 & VLAN 11, applied in the inbound direction:
ip access-list extended VLAN10_IN
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
deny ip
deny ip
deny ip
permit ip any any
ip access-list extended VLAN11_IN
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
permit tcp
deny ip
deny ip
deny ip
permit ip any any
With this there is no need to specify single ports for Internet edge access.
Nevertheless, thanks for your thoughts, which led me to the right solution.
Cheers
Soeren
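The following is an added example, not Soeren's configuration or anything posted in the thread. It models how an IOS-style extended ACL applied "in" on an SVI evaluates inter-VLAN traffic, encodes the final design described above (specific permits for the three services across the groups, a deny for everything else between the groups, then `permit ip any any` so VLAN 2 and VLAN 27 need no per-port entries), and checks it against the stated requirements. It also shows the one thing a practitioner should know about this design: the reply entries are stateless and key only on the source port. Assumptions not stated on the page: every VLAN N uses 192.168.N.0/24 (including management VLAN 2 and Internet edge VLAN 27), 3389 is RDP, and the host addresses and ports in the checks are constructed sample values.

```python
"""Added example (not from the thread): a model of IOS-style extended ACLs
applied "in" on SVIs, encoding the final lab/production separation design.

Assumptions not stated on the page: every VLAN N uses 192.168.N.0/24, including
management (2) and the Internet edge (27); 3389 is RDP; the hosts and ports
used in the checks are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROD = ["192.168.11.0/24", "192.168.21.0/24", "192.168.41.0/24"]
LAB = ["192.168.10.0/24", "192.168.20.0/24", "192.168.40.0/24"]
ALLOWED_PORTS = (80, 443, 3389)  # http, https, rdp


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit tcp SRC [eq SPORT] DST [eq DPORT]'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: str                     # CIDR or "any"
    dst: str
    sport: Optional[int] = None  # 'eq' on the source port, None = wildcard
    dport: Optional[int] = None


def in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(acl: List[Ace], proto, src, sport, dst, dport) -> str:
    """First matching ACE wins; IOS ends every ACL with an implicit deny ip any any."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (in_net(ace.src, src) and in_net(ace.dst, dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def build_inbound_acl(local_net: str, remote_nets: List[str]) -> List[Ace]:
    """ACL for the SVI of local_net, in the shape of VLAN10_IN / VLAN11_IN:
    permit the three services towards the other group (the client-side request
    and, keyed on the source port, the server-side reply), deny all other
    traffic to the other group, then permit ip any any."""
    acl = []
    for remote in remote_nets:
        for port in ALLOWED_PORTS:
            acl.append(Ace("permit", "tcp", local_net, remote, dport=port))  # request
            acl.append(Ace("permit", "tcp", local_net, remote, sport=port))  # reply
    for remote in remote_nets:
        acl.append(Ace("deny", "ip", local_net, remote))
    acl.append(Ace("permit", "ip", "any", "any"))  # own group, VLAN 2, VLAN 27
    return acl


# One ACL per lab/prod SVI. An ACL applied "in" on an SVI only sees packets that
# hosts in that VLAN send, so each list needs ACEs sourced from its own subnet.
ACLS = {net: build_inbound_acl(net, PROD) for net in LAB}
ACLS.update({net: build_inbound_acl(net, LAB) for net in PROD})


def ingress_svi(ip: str) -> Optional[str]:
    for net in ACLS:
        if in_net(net, ip):
            return net
    return None  # VLAN 2 / VLAN 27 carry no ACL in this design


def forwards(proto, src, sport, dst, dport) -> bool:
    """Does the stack forward the packet? Only the ingress SVI's ACL is consulted."""
    svi = ingress_svi(src)
    if svi is None:
        return True
    return evaluate(ACLS[svi], proto, src, sport, dst, dport) == "permit"


def lab_host_bypass() -> bool:
    """Stateless caveat: the reply ACEs key only on the *source* port, so a lab
    host that binds its own source port to 443 reaches any prod port (SMB 445 here)."""
    return forwards("tcp", "192.168.20.50", 443, "192.168.11.10", 445)


if __name__ == "__main__":
    print("RDP 21->10 :", forwards("tcp", "192.168.21.50", 51000, "192.168.10.10", 3389))
    print("DNS 20->11 :", forwards("udp", "192.168.20.50", 53000, "192.168.11.5", 53))
    print("SMTP 20->27:", forwards("tcp", "192.168.20.50", 40000, "192.168.27.1", 25))
    print("bypass     :", lab_host_bypass())
```

The model confirms the requirements from the thread (RDP from 21 to 10 and its reply pass, DNS from 20 to 11 is dropped, lab to VLAN 27 passes without per-port entries) but also that `lab_host_bypass()` returns True: because the "reply" entries match on source port alone, any host in the lab group can reach any port on a production host simply by sourcing its connections from port 80, 443 or 3389. The IOS `established` keyword on those reply entries narrows this (only segments with ACK or RST set match), but where lab and production are a real trust boundary a stateful firewall between the groups is the usual answer.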