Vlan Based ACL

faamin011
Level 1

I would like to implement a one-way ACL on a VLAN, meaning VLAN 20 should be able to communicate with VLAN 10, but VLAN 10 should not be able to initiate a connection to VLAN 20.

The ACL that gives me the result I want is:

ip access-list extended ACL
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn

int vlan 10
 ip address 10.23.23.1 255.255.255.0
 ip access-group ACL in

int vlan 20
 ip address 10.50.50.1 255.255.255.0

(Switch: 3750X, IP Services)


acampbell
VIP Alumni

Fahad,

Remember access lists by default contain an implicit deny any any at the end.

Maybe you need to configure it like this:

ip access-list extended ACL
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn
 permit ip any any

Regards,
Alex.
Please rate useful posts.


Hello Fahad

I have not had time to test this, but you could try a VLAN access-map:

vlan access-map ONEWAY
 match ip address ACL
 action forward

vlan filter ONEWAY vlan-list 10

res

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Alex, I don't want to use permit ip any any at the end, as it will allow all traffic. My ACL is not working; do I need to add more entries other than permit ip any any? Remember, the requirement is one-way traffic.

Basically VLAN 20 is the administrator VLAN, so it can't be accessed from anywhere, but it can access all other VLANs.

Once the ACEs are finalised I'll apply them to all the other VLAN SVIs as well.

Paul,

Please advise the better approach: where to apply the ACL, or a VLAN map? There are 7 user VLANs working; however, VLAN 20 is the administrator VLAN and I am in the process of applying ACL security on all user VLANs. My first requirement, amongst others, is mentioned above. Please help.

Hello Fared,

I have used these VLAN maps in the past, but only to filter traffic within the SAME VLAN. As my previous post stated, I had not tested between two different VLANs, so I was not sure if a VACL or a RACL was the best approach. But on checking, it seems the VACLs are used only to filter traffic within the SAME VLAN.

res

Paul


Hi,

Can you test this, bearing in mind that IP reachability is a two-way process, that ACLs are not stateful by nature, and that on a switch you can't use reflexive ACLs or any IOS firewall feature? So for UDP you'll surely have to edit the ACL to permit some return traffic, and maybe add some ICMP replies; that's why I logged the denied packets. Once it is working OK you can remove the log keyword from the last ACE.

int vlan 10
 ip access-group ACL in

ip access-list extended ACL
 permit tcp any 10.50.50.0 0.0.0.255 established
 permit icmp any 10.50.50.0 0.0.0.255 echo-reply
 permit icmp any 10.50.50.0 0.0.0.255 time-exceeded
 permit icmp any 10.50.50.0 0.0.0.255 port-unreachable
 deny ip any any log

Regards.

Alain

Don't forget to rate helpful posts.

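A small stateless model of the two ACLs discussed so far (the original poster's ack/syn ACL and Alain's established ACL, both applied inbound on int vlan 10), added here as an illustration for this thread; it is not Cisco code and not an IOS emulator. It assumes the thread's addressing (VLAN 10 = 10.23.23.0/24, VLAN 20 = 10.50.50.0/24) and a simplified reading of IOS ACE semantics (first match wins, implicit deny at the end, established matches a packet with ACK or RST set, ack/syn match that flag); the packets are constructed. Running it shows what the thread is circling: connection attempts from VLAN 10 are dropped and TCP replies pass, but a UDP reply is dropped too, and a packet from VLAN 10 that merely has ACK set is permitted, because the ACL checks flags, not connection state.

```python
"""Stateless model of Cisco IOS extended-ACL matching for the one-way
inter-VLAN filter in this thread. Added illustration, not Cisco code: the
rules below are a simplified reading of IOS ACE semantics. Addresses follow
the thread (VLAN 10 = 10.23.23.0/24, VLAN 20 = 10.50.50.0/24); the sample
packets are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    proto: str                               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN", "ACK"}
    icmp_type: str = ""                      # IOS keyword, e.g. "echo-reply"


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS address spec: 'any' or 'network wildcard' (1-bits in the wildcard are don't-care)."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)


@dataclass
class ACE:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    qualifier: str = ""  # "ack", "syn", "established", or an ICMP type keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, self.src) and wildcard_match(p.dst, self.dst)):
            return False
        if not self.qualifier:
            return True
        if p.proto == "tcp":
            if self.qualifier == "established":   # ACK or RST bit set, nothing more
                return bool(p.flags & {"ACK", "RST"})
            return self.qualifier.upper() in p.flags  # "ack" / "syn" flag keywords
        if p.proto == "icmp":
            return p.icmp_type == self.qualifier
        return False


def evaluate(acl: list, p: Packet) -> str:
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


V10 = "10.23.23.0 0.0.0.255"
V20 = "10.50.50.0 0.0.0.255"

# The original poster's ACL (TCP flag keywords, implicit deny for everything else).
ACL_OP = [
    ACE("permit", "tcp", V10, V20, "ack"),
    ACE("deny", "tcp", V10, V20, "syn"),
]

# Alain's ACL: 'established' plus the ICMP replies an initiator expects.
ACL_ALAIN = [
    ACE("permit", "tcp", "any", V20, "established"),
    ACE("permit", "icmp", "any", V20, "echo-reply"),
    ACE("permit", "icmp", "any", V20, "time-exceeded"),
    ACE("permit", "icmp", "any", V20, "port-unreachable"),
    ACE("deny", "ip", "any", "any"),
]

# Constructed packets as seen inbound on int vlan 10 (source is a VLAN 10 host).
CASES = {
    "syn_to_admin":     Packet("tcp", "10.23.23.5", "10.50.50.10", {"SYN"}),
    "synack_reply":     Packet("tcp", "10.23.23.5", "10.50.50.10", {"SYN", "ACK"}),
    "crafted_bare_ack": Packet("tcp", "10.23.23.5", "10.50.50.10", {"ACK"}),
    "udp_dns_reply":    Packet("udp", "10.23.23.5", "10.50.50.10"),
    "icmp_echo_reply":  Packet("icmp", "10.23.23.5", "10.50.50.10", icmp_type="echo-reply"),
    "syn_to_internet":  Packet("tcp", "10.23.23.5", "203.0.113.1", {"SYN"}),
}


def run(acl: list) -> dict:
    """Map each constructed case to the ACL's verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, acl in (("OP ack/syn ACL", ACL_OP), ("Alain established ACL", ACL_ALAIN)):
        print(label)
        for name, verdict in run(acl).items():
            print(f"  {name:18} {verdict}")
```

The crafted_bare_ack case is the practical caveat behind "ACLs are not stateful": established cannot tell a genuine reply from any packet that has the ACK bit set, so a host in VLAN 10 can still deliver ACK-flagged probes into VLAN 20 (the kind an ACK scan sends). Those probes cannot complete a handshake, but the ACL does not hide the admin VLAN the way a stateful firewall would, and the syn_to_internet case shows why Alain later notes that this ACL also cuts VLAN 10 off from the internet unless further permits are added above the final deny.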

faamin011
Level 1

You mean to say block ICMP return traffic based on UDP? It might work, but other than ICMP all other ports will also be allowed. Anyhow, if it is confirmed that we can't apply one-way traffic by ACL on an L3 switch, then we can't do anything other than placing a firewall or router between them.
But please confirm once again that a one-way ACL is not supported on the switch and we must use a firewall-based IOS, a router, or a hardware-based firewall. Remember, this will be escalated to higher management.


Hi,

I just noticed that applying the provided ACL will block access to the internet from VLAN 10, so you'll have to edit the ACL accordingly.

Regards

Alain


Fared,

What is it you would like to filter?

Below is a filter which will allow TCP traffic from VLAN 20 to 10 and ICMP both ways; in fact, if ICMP isn't required both ways then you just use the VL10in ACE on VLAN 10.

! Subnets follow the original post: VLAN 10 = 10.23.23.0/24, VLAN 20 = 10.50.50.0/24
ip access-list extended VL20in
 permit tcp 10.50.50.0 0.0.0.255 any
 permit icmp 10.50.50.0 0.0.0.255 any echo
 ! remove the next line if you don't want VLAN 10 to be able to ping VLAN 20
 permit icmp 10.50.50.0 0.0.0.255 any echo-reply
 deny   ip any any

ip access-list extended VL10in
 permit tcp any 10.50.50.0 0.0.0.255 established
 ! remove the next line if you don't want VLAN 10 to be able to ping VLAN 20
 permit icmp 10.23.23.0 0.0.0.255 any echo
 permit icmp 10.23.23.0 0.0.0.255 any echo-reply
 deny   ip any any

int vlan 20
 ip access-group VL20in in

int vlan 10
 ip access-group VL10in in

Kind Regards
Paul

I don't want to apply any ACL on the administrator VLAN; the above ACL will allow all TCP traffic two-way and ICMP one-way if I remove echo.

Basically my goal is one-way traffic: allow everything from VLAN 20 to VLAN 10 and deny all traffic from VLAN 10 to VLAN 20.

This is not achievable with the above ACLs; please advise an ACL according to my requirements.

Can you tell me what the use of one-way traffic is if you don't permit return traffic? It makes no sense, because why permit an ICMP echo if the echo-reply is filtered anyway on the other VLAN?

Regards

Alain


Fared,

From my testing of these ACLs it seems to work for TCP traffic; I have tested it between VLANs for HTTP and Telnet. Obviously, as Cadet Alain stated, UDP is connectionless, so you will have to be more specific when defining traffic for that protocol.

From my testing, clients on VLAN 20 can access VLAN 10 over TCP 80/443/23 but not the other way around.

res

Paul


Elton Babcock
Level 1

Have you thought about using the zone based firewall feature?


Cadet.

The reason behind this is that we don't want anyone to access VLAN 20 resources, as in VLAN 20 there are around 3 hosts which have critical information on their systems, like licensed software info and other things. Also, these systems belong to the system administrators, which is why they need full access to all users. That means we have to develop an ACL which can block all connections initiated from user VLANs like VLAN 10.

Please correct my statement: "to deny return traffic" basically means to deny all connections initiated from VLAN 10 towards VLAN 20.

Advise me on an ACL which may be helpful. Forget about ICMP; it is just whether to ping or not.

Paul, I hope this is clear: your ACL will provide limited access for VLAN 20 over 80/443/23, whereas VLAN 20 should have full access over all ports, but VLAN 10 shouldn't be able to make any connection towards VLAN 20.

Babcock, can we implement zone-based firewall on the 3750X switch running IOS 12.2(58)SE2, which is what we are using?

Hi,

Zone-based firewall is only available on routers, as are reflexive ACLs (which is an older technology).

You should try the config I proposed and edit it with the return traffic that you'll see denied in the logs.

Regards

Alain

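Alain's closing advice (let the final deny ip any any log ACE show what is being dropped, then permit only the return traffic actually needed) is a small log-analysis task, so here is a worked version of it, added as an illustration for this thread and not a Cisco tool. It assumes the thread's subnet for the admin VLAN (10.50.50.0/24), and the log lines are constructed in the shape of IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages; real lines carry a timestamp and vary a little by release, so the regexes only anchor on the "denied ..." part. Two design choices: UDP hits are keyed on the answering host and its source port (the service), so one ACE covers every client ephemeral port; and TCP hits are never turned into ACEs, because with established already admitting replies a denied TCP packet from the user VLAN is a connection attempt at the admin VLAN, which is exactly what the policy should block and what is worth alerting on.

```python
"""Turn hits of 'deny ip any any log' into candidate return-traffic ACEs.

Added illustration for this thread, not a Cisco tool. The sample log lines
are constructed in the shape of IOS %SEC-6-IPACCESSLOGP (tcp/udp with
ports) and %SEC-6-IPACCESSLOGDP (icmp with type/code) messages. The admin
subnet follows the thread: VLAN 20 = 10.50.50.0/24."""
import re
from collections import Counter

ADMIN_NET = "10.50.50.0 0.0.0.255"  # VLAN 20 (administrator VLAN)

# Constructed sample of what the deny ACE on 'int vlan 10' might log:
# DNS answers from a VLAN 10 resolver, a port-unreachable, and two TCP probes.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list ACL denied udp 10.23.23.5(53) -> 10.50.50.10(51234), 1 packet
%SEC-6-IPACCESSLOGP: list ACL denied udp 10.23.23.5(53) -> 10.50.50.11(40022), 1 packet
%SEC-6-IPACCESSLOGP: list ACL denied udp 10.23.23.5(53) -> 10.50.50.10(51235), 3 packets
%SEC-6-IPACCESSLOGDP: list ACL denied icmp 10.23.23.9 -> 10.50.50.10 (3/3), 1 packet
%SEC-6-IPACCESSLOGP: list ACL denied tcp 10.23.23.77(49152) -> 10.50.50.10(445), 1 packet
%SEC-6-IPACCESSLOGP: list ACL denied tcp 10.23.23.77(49153) -> 10.50.50.10(3389), 1 packet
"""

LOGP = re.compile(r"denied (tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packet")
LOGDP = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packet")

# ICMP type/code -> IOS ACE keyword, for the reply types an initiator expects.
ICMP_KEYWORDS = {
    (0, 0): "echo-reply",
    (3, 3): "port-unreachable",
    (3, 4): "packet-too-big",
    (11, 0): "time-exceeded",
}


def parse(log_text: str):
    """Yield (proto, src, sport, dst, dport_or_icmp_type_code, count) per deny line."""
    for line in log_text.splitlines():
        m = LOGP.search(line)
        if m:
            proto, src, sport, dst, dport, n = m.groups()
            yield proto, src, int(sport), dst, int(dport), int(n)
            continue
        m = LOGDP.search(line)
        if m:
            src, dst, t, c, n = m.groups()
            yield "icmp", src, None, dst, (int(t), int(c)), int(n)


def propose_aces(log_text: str):
    """Return ([(ace_text, packets_seen), ...], [blocked TCP attempts]).

    UDP: one ACE per answering host and service port (covers all client
    ephemeral ports). ICMP: one ACE per type/code. TCP: reported, not
    permitted, since 'established' already admits replies and what remains
    is a connection attempt into the admin VLAN.
    """
    udp, icmp, blocked = Counter(), Counter(), []
    for proto, src, sport, dst, extra, n in parse(log_text):
        if proto == "udp":
            udp[(src, sport)] += n
        elif proto == "icmp":
            icmp[extra] += n
        else:
            blocked.append((src, dst, extra, n))  # (src, dst, dport, packets)
    aces = [(f"permit udp host {src} eq {sport} {ADMIN_NET}", n)
            for (src, sport), n in sorted(udp.items())]
    for tc, n in sorted(icmp.items()):
        kw = ICMP_KEYWORDS.get(tc, f"{tc[0]} {tc[1]}")  # fall back to numeric type code
        aces.append((f"permit icmp any {ADMIN_NET} {kw}", n))
    return aces, blocked


if __name__ == "__main__":
    aces, blocked = propose_aces(SAMPLE_LOG)
    print("Candidate ACEs to add above 'deny ip any any log' in ACL:")
    for text, n in aces:
        print(f"  {text}   ({n} packets seen)")
    print("Blocked connection attempts into the admin VLAN (expected; consider alerting):")
    for src, dst, dport, n in blocked:
        print(f"  {src} -> {dst}:{dport}  ({n} packets)")
```

The candidate lines go into the existing named ACL above the final deny (use sequence numbers, or re-enter the list in order). The blocked list is the other half of the exercise: once the return-traffic permits are in place, anything still hitting the logged deny from VLAN 10 towards 10.50.50.0/24 is a user host trying to reach the administrator VLAN, which is worth sending to whatever collects the switch's syslog rather than quietly tuning away.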