Vlan ACL Configuration

Hello Community

I have two VLANs that I use for management. VLAN 100 for Cisco switch interfaces and VLAN 70 for other device interfaces. I want to prevent access to these devices and therefore restrict which department VLAN has access to them. I would like only VLAN 10, VLAN 111 and VLAN 120 to have access to VLAN 100 and VLAN 70. How would I create and apply the ACLs for this scenario? I use a 3560G switch with SW 12.2(55)SE10 to route between VLANs.

Thank You



You need to put the ACLs on the VLAN interfaces (where you configure the IP address for the VLAN).

So do you have interface vlan 10, interface vlan 111, etc. on the 3560G? If not, the ACLs have to be configured where these interfaces are.

then the ACL itself will be something like

access-list 100 permit ip <ip subnet of vlan 10> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 10> <ip subnet of vlan 70>
access-list 100 permit ip <ip subnet of vlan 111> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 111> <ip subnet of vlan 70>
access-list 100 permit ip <ip subnet of vlan 120> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 120> <ip subnet of vlan 70>
access-list 100 deny ip any any

then apply it to the VLAN 100 and VLAN 70 interfaces

HTH

Richard

Hello,

Richard's answer is completely correct based on your question. I am just adding more info.

With the configuration above, VLAN 70 and 100 will not have access to the Internet (if they are supposed to be connected).

Just a small change.

access-list 100 permit ip <ip subnet of vlan 10> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 10> <ip subnet of vlan 70>
access-list 100 permit ip <ip subnet of vlan 111> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 111> <ip subnet of vlan 70>
access-list 100 permit ip <ip subnet of vlan 120> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 120> <ip subnet of vlan 70>
access-list 100 deny ip <subnet of other VLAN> <ip subnet of vlan 100>
access-list 100 deny ip <subnet of other VLAN> <ip subnet of vlan 70>
access-list 100 permit ip any any

****

subnet of other VLAN = supernet of your whole IP addressing scheme, for example 192.168.0.0 255.255.0.0

**

Int vlan 70
ip access-group 100 out

Int vlan 100
ip access-group 100 out

Or you can have two separate access-lists for each VLAN

access-list 100 permit ip <ip subnet of vlan 10> <ip subnet of vlan 100>
access-list 100 permit ip <ip subnet of vlan 111> <ip subnet of vlan 100>
And so on
......
.......

access-list 170 permit ip <ip subnet of vlan 10> <ip subnet of vlan 70>
access-list 170 permit ip <ip subnet of vlan 111> <ip subnet of vlan 70>
And so on
......
.....

Int vlan 70
ip access-group 170 out

Int vlan 100
ip access-group 100 out

Hope it helps,

Masoud

Of course the last entry in my ACL should be

access-list 100 deny ip any any

Let me start by thanking you both for your input.  I'm having difficulty understanding the configs you supplied.  The VLAN Interfaces reside on the 3560G switch.  Eventually I will be moving the routing to a 3750G switch.

I'm having a difficult time understanding which lines here allow Internet access to both VLANs 100 and 70. Also, is there a reason the access-list and access-group are followed by 100 in your examples? (I'm slowly answering these questions myself: 100 - 199 are extended access lists.)

VLAN 100 subnet is 10.10.100.0/24

VLAN 70 subnet is 192.168.70.0/24

VLAN 10 subnet is 10.10.10.0/24

VLAN 111 subnet is 10.10.1.0/24

VLAN 120 subnet is 10.10.120.0/24

So from what I understand the VLAN interface should look something like this

************

access-list 100 permit ip 10.10.10.0 10.10.100.0
access-list 100 permit ip 10.10.111.0 10.10.100.0
access-list 100 permit ip 10.10.120.0 10.10.100.0
access-list 100 deny ip 10.10.0.0 255.255.0.0
access-list 100 permit ip any any

access-list 170 permit ip 10.10.10.0 192.168.70.0
access-list 170 permit ip 10.10.111.0 192.168.70.0
access-list 170 permit ip 10.10.120.0 192.168.70.0
access-list 170 deny ip 10.10.0.0 255.255.0.0
access-list 170 permit ip any any

Int Vlan 100
ip address 10.10.100.1 255.255.255.0
ip access-group 100 out

Int Vlan 70
ip address 192.168.70.1 255.255.255.0
ip access-group 70 out

Is this correct?

Hello,

It is a port ACL. VLAN ACL is something else. You need to change 70 to 170 [above 100].

You need to configure the access-list in global configuration and assign it to the interface.

************

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 100 permit ip 10.10.111.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 100 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 10.10.100.0 0.0.0.255
access-list 100 permit ip any any [this line is for VLAN 100 Internet access]

The bold line denies the rest of your network access to VLAN 100.

******************

access-list 170 permit ip 10.10.10.0 0.0.0.255 10.10.70.0 0.0.0.255
access-list 170 permit ip 10.10.111.0 0.0.0.255 10.10.70.0 0.0.0.255
access-list 170 permit ip 10.10.120.0 0.0.0.255 10.10.70.0 0.0.0.255
access-list 170 deny ip 10.0.0.0 0.255.255.255 10.10.70.0 0.0.0.255
access-list 170 permit ip any any [this line is for Internet access]

The bold line denies the rest of your network access to VLAN 70.

********************

Int Vlan 100
ip address 10.10.100.1 255.255.255.0
ip access-group 100 out

Int Vlan 70
ip address 192.168.70.1 255.255.255.0
ip access-group 170 out

Masoud

The subnet for VLAN 70 is 192.168.70.0/24

I did the following:

access-list 170 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 170 permit ip 10.10.111.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 170 permit ip 10.10.120.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 170 deny ip 10.0.0.0 0.255.255.255 192.168.70.0 0.0.0.255
access-list 170 permit ip any any

int Vlan 70
ip access-group 170 out

The interface IP of the 3560G is 10.10.100.1 and I can still access that interface from all VLANs. How do I block access to that? I can still ping all the gateways, e.g. 192.168.0.1, 10.10.100.1.

I suppose your other network IPs start with 10.X.X.X.

If you have a network with a different subnet, add it below the deny:

access-list 170 deny ip 10.0.0.0 0.255.255.255 192.168.70.0 0.0.0.255
access-list 170 deny ip [other network] 192.168.70.0 0.0.0.255
........ and so on

Change this line:

access-list 170 permit ip any any

to

access-list 170 deny ip any any

if VLAN 70 is not supposed to connect to the Internet.

Order is important. After adding check the running config to make sure the order is correct.

If you have difficulty in order, remove them all and paste again.

Masoud

Ok, thank you for the information. This is what I have below:

Extended IP access list 100
    10 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
    20 permit ip 10.10.111.0 0.0.0.255 10.10.100.0 0.0.0.255
    30 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
    40 deny ip 10.0.0.0 0.255.255.255 10.10.100.0 0.0.0.255 (917 matches)
    50 permit ip any any
Extended IP access list 170
    10 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 permit ip 10.10.111.0 0.0.0.255 192.168.70.0 0.0.0.255
    30 permit ip 10.10.120.0 0.0.0.255 192.168.70.0 0.0.0.255
    40 permit ip host 10.10.171.10 192.168.70.0 0.0.0.255
    50 deny ip 10.0.0.0 0.255.255.255 192.168.70.0 0.0.0.255
    60 permit ip any any

How do I prevent access to the 3560G switch from my other VLANs? They all start with 10.10.x.x.

I added the line access-list 100 deny ip any any at the end and I lost complete access to all devices except the 3560G, so I removed it.

Extended IP access list 170
    10 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 permit ip 10.10.111.0 0.0.0.255 192.168.70.0 0.0.0.255
    30 permit ip 10.10.120.0 0.0.0.255 192.168.70.0 0.0.0.255
    40 permit ip any 192.168.70.0 0.0.0.255
    50 deny ip 10.0.0.0 0.255.255.255 192.168.70.0 0.0.0.255
    60 permit ip any any

You need to remove the bold line. After you remove it, you need to paste the whole access-list again.

What do you mean by access to the 3560G? Do you mean SSH or telnet access?

You are correct, I realized I was making a mistake. I wanted to exclude a host and I was entering it wrong; I have since corrected it. I want to prevent telnet and SSH access to the 3560G switch. It's the current router for the VLANs. I only want VLANs 10, 111, 120 to have telnet access to the switch.

I'm going to put this here in case anyone ever needs to set up ACL telnet security. And let me know if I'm missing anything.

VLANs I want to allow access and their subnets:

VLAN 10 - 10.10.10.0/24
VLAN 111 - 10.10.1.0/24
VLAN 120 - 10.10.120.0/24

I added the following lines to block telnet access on all VLANs except the ones above.

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.120.0 0.0.0.255

line vty 0 4
access-class 1 in
line vty 5 15
access-class 1 in

That is correct. This is for both SSH and telnet.

If you want to exclude one or more hosts, use this:

access-list 1 deny host 10.10.10.5   (first lines, before the permits)
access-list 1 deny host 10.10.1.10
... and so on
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.120.0 0.0.0.255

line vty 0 4
access-class 1 in
line vty 5 15
access-class 1 in

Hope it helps,

Masoud
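Masoud's two points, that first match wins so a broad permit placed ahead of a deny leaves that deny unreachable, and that a host deny on the vty access-class list only works if it sits before the permits, can be checked before pasting anything into the switch. The following is an added example, not code from this thread or from Cisco: a small Python model of IOS first-match ACL evaluation with wildcard masks, with a `shadowed` check of my own that flags entries no packet can reach. The ACL 170 sample lines are the ones pasted earlier in the thread (including the line 40 Masoud said to remove); the test flows are constructed.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")

def wc_match(addr, base, wildcard):
    # Cisco wildcard mask: 1 bits are "don't care", 0 bits must match exactly
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def covers(outer, inner):
    # True when every address matched by inner is also matched by outer
    ow, iw = (int(ipaddress.IPv4Address(x)) for x in (outer[1], inner[1]))
    return (iw | ow) == ow and wc_match(inner[0], *outer)

def take_addr(toks):
    # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" -> (base, wildcard), remaining tokens
    if toks[0] == "any":
        return ANY, toks[1:]
    base, wc = (toks[1], "0.0.0.0") if toks[0] == "host" else (toks[0], toks[1])
    return (base, wc), toks[2:]

def parse_acl(text):
    # lines as printed by "show access-lists"; sequence numbers dropped, hit counts ignored
    entries = []
    for line in text.strip().splitlines():
        toks = [t for t in line.split() if not t.isdigit()]
        action, toks = toks[0].lower(), toks[1:]
        if toks[0].lower() == "ip":             # extended entry: source and destination
            src, toks = take_addr(toks[1:])
            dst, _ = take_addr(toks)
        else:                                   # standard entry (vty access-class): source only
            src, dst = take_addr(toks)[0], ANY
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src, dst="0.0.0.0"):
    # first match wins; anything unmatched hits the implicit deny at the end
    for seq, (action, s, d) in enumerate(entries, 1):
        if wc_match(src, *s) and wc_match(dst, *d):
            return action, seq
    return "deny", None

def shadowed(entries):
    # positions of entries no packet can reach because an earlier entry covers them
    return [i + 1 for i, (_, s, d) in enumerate(entries)
            if any(covers(es, s) and covers(ed, d) for _, es, ed in entries[:i])]
# Constructed sample: the ACL 170 lines from the thread that matter, stray line 40 included
ACL_170_BAD = """10 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
40 permit ip any 192.168.70.0 0.0.0.255
50 deny ip 10.0.0.0 0.255.255.255 192.168.70.0 0.0.0.255
60 permit ip any any"""
```

`shadowed(parse_acl(ACL_170_BAD))` reports the deny (third entry) as unreachable behind line 40; with line 40 removed, a host from a non-permitted 10.x VLAN hits the deny while its Internet-bound traffic still reaches the final permit, and the same evaluator shows a `deny host` placed after the permits on a vty list is dead.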

access-list 50 permit 10.10.120.0 0.0.0.255
access-list 50 permit (more subnets)
... and so on

line vty 0 15 (or 0 4)
access-class 50 in