01-24-2013 06:10 AM - edited 03-07-2019 11:17 AM
I would like to implement a one-way ACL between VLANs, meaning VLAN 20 should be able to communicate with VLAN 10 but VLAN 10 wouldn't be able to initiate a connection with VLAN 20.
The ACL which is result-oriented for me is:
ip access-list extended ACL
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn
!
int vlan 10
 ip address 10.23.23.1 255.255.255.0
 ip access-group ACL in
!
int vlan 20
 ip address 10.50.50.1 255.255.255.0
(Switch 3750X, IP Services)
01-24-2013 07:57 AM
Fahad,
Remember that access lists by default contain an implicit deny any any at the end.
Maybe you need to configure it like this:
ip access-list extended ACL
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn
 permit ip any any
Regards,
Alex.
Please rate useful posts.
01-24-2013 09:55 AM
Hello Fahad,
I haven't had time to test this, but you could try a VLAN access-map:
vlan access-map ONEWAY
 match ip address ACL
 action forward
!
vlan filter ONEWAY vlan-list 10
res
Paul
Please don't forget to rate this post if it has been helpful.
01-24-2013 07:17 PM
Alex, I don't want to use permit ip any any at the end as it will allow all traffic. My ACL is not working; do I need to add more entries other than permit any any? Remember, the requirement is one-way traffic.
Basically VLAN 20 is the administrator VLAN, so it can't be accessed from anywhere, but it can access all other VLANs.
Once the ACE is finalised I'll apply it to all other VLAN SVIs as well.
Paul,
Please advise the better approach: where to apply the ACL or the VLAN map? There are 7 user VLANs working; however, VLAN 20 is the administrator VLAN and I'm in the process of applying ACL security on all user VLANs. My first requirement amongst others is mentioned above. Please help.
01-25-2013 01:10 AM
Hello Fahad,
I have used these VLAN maps in the past, but only to filter traffic within the SAME VLAN. As my previous post stated, I had not tested between two different VLANs, so I was not sure whether a VACL or a RACL was the best approach, but on checking it seems VACLs are used only to filter traffic within the SAME VLAN.
res
Paul
Please don't forget to rate this post if it has been helpful.
01-25-2013 02:10 AM
Hi,
Can you test this, knowing that IP reachability is a two-way process, that ACLs are not stateful by nature, and that on a switch you can't use reflexive ACLs or any IOS firewall feature? So for UDP you'll surely have to edit the ACL to permit some return traffic, and maybe add some ICMP replies; that's why I logged the denied packets. Once it is working OK you can remove the log keyword from the last ACE.
int vlan 10
 ip access-group ACL in
!
ip access-list extended ACL
 permit tcp any 10.50.50.0 0.0.0.255 established
 permit icmp any 10.50.50.0 0.0.0.255 echo-reply
 permit icmp any 10.50.50.0 0.0.0.255 time-exceeded
 permit icmp any 10.50.50.0 0.0.0.255 port-unreachable
 deny ip any any log
Regards.
Alain
Don't forget to rate helpful posts.
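The ACLs in this thread all lean on one property of stateless filtering: the `established` keyword (and the `ack`/`syn` flag matches in the original post) let the switch recognise the reply half of a TCP session without tracking state, while UDP carries no such marker. The evaluator below is an added example, not code from the thread or from Cisco; it models IOS wildcard-mask matching, TCP flag qualifiers, ICMP type qualifiers and the implicit deny, then runs constructed packets through the ACL proposed above (with its syntax corrected). Packet addresses and the `demo()` function are my own constructions.

```python
"""Stateless ACL evaluator modelling the one-way inter-VLAN ACL from this thread.

Added example (not from the thread): shows packet by packet which directions
survive 'established' plus the implicit deny, and why UDP needs explicit entries.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    proto: str                             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()     # e.g. {"syn"}, {"syn", "ack"}
    icmp_type: str = ""                    # e.g. "echo", "echo-reply"


def in_wildcard(addr, network, wildcard):
    """IOS wildcard mask semantics: bit 0 = must match, bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def parse_addr(tokens):
    """Consume 'any' or 'network wildcard' from a token list; return (net, wc, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line):
    """Parse one extended ACE of the form: action proto src dst [qualifiers...]."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, swc, rest = parse_addr(tokens[2:])
    dst, dwc, rest = parse_addr(rest)
    return {"action": action, "proto": proto,
            "src": (src, swc), "dst": (dst, dwc), "qual": set(rest)}


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not in_wildcard(pkt.src, *ace["src"]) or not in_wildcard(pkt.dst, *ace["dst"]):
        return False
    qual = ace["qual"] - {"log"}          # 'log' affects logging, not matching
    if pkt.proto == "tcp":
        if "established" in qual:
            # 'established' matches segments with ACK or RST set: the reply
            # half of a session, never the initial SYN.
            return bool(pkt.tcp_flags & {"ack", "rst"})
        flags = qual & {"syn", "ack", "fin", "rst", "psh", "urg"}
        return flags <= pkt.tcp_flags if flags else True
    if pkt.proto == "icmp":
        types = qual & {"echo", "echo-reply", "time-exceeded", "port-unreachable"}
        return pkt.icmp_type in types if types else True
    return True                           # udp: no flags, no way to tell replies apart


def evaluate(acl_lines, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), pkt):
            return line.split()[0]
    return "deny"


# The ACL proposed above, applied inbound on the VLAN 10 SVI (10.23.23.0/24),
# towards the administrator VLAN 20 (10.50.50.0/24).
VLAN10_IN = [
    "permit tcp any 10.50.50.0 0.0.0.255 established",
    "permit icmp any 10.50.50.0 0.0.0.255 echo-reply",
    "permit icmp any 10.50.50.0 0.0.0.255 time-exceeded",
    "permit icmp any 10.50.50.0 0.0.0.255 port-unreachable",
    "deny ip any any log",
]


def demo():
    """Constructed packets as the switch sees them inbound on interface vlan 10."""
    cases = {
        # a VLAN 10 host tries to open a session to the admin VLAN: bare SYN
        "vlan10 tcp syn to vlan20": Packet("tcp", "10.23.23.7", "10.50.50.5", frozenset({"syn"})),
        # reply half of a session the admin VLAN opened (SYN-ACK carries ACK)
        "vlan10 tcp syn-ack reply": Packet("tcp", "10.23.23.7", "10.50.50.5", frozenset({"syn", "ack"})),
        "vlan10 icmp echo to vlan20": Packet("icmp", "10.23.23.7", "10.50.50.5", icmp_type="echo"),
        "vlan10 icmp echo-reply": Packet("icmp", "10.23.23.7", "10.50.50.5", icmp_type="echo-reply"),
        # a legitimate UDP reply (e.g. DNS answer) looks like any other UDP datagram
        "vlan10 udp reply to vlan20": Packet("udp", "10.23.23.7", "10.50.50.5"),
        # internet-bound traffic from VLAN 10 also hits the implicit deny (see below in the thread)
        "vlan10 tcp syn to internet": Packet("tcp", "10.23.23.7", "203.0.113.10", frozenset({"syn"})),
    }
    return {name: evaluate(VLAN10_IN, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6s} {name}")
```

Running `demo()` shows the TCP SYN from VLAN 10 and the UDP datagram both ending in `deny`, while the SYN-ACK and the ICMP replies are permitted; the last case is the side effect noted later in the thread, that everything not destined for 10.50.50.0/24 is also dropped unless further permits are added before the final deny.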
01-25-2013 07:08 AM
You mean to say block ICMP return traffic based on UDP; it might work, but other than ICMP all other ports will also be allowed. Anyhow, if it is confirmed that we can't apply one-way traffic by ACL on an L3 switch, then we can't do anything other than placing a firewall or router between them.
But please confirm once again that a one-way ACL is not supported on the switch and we must use a firewall-based IOS or a router or a hardware-based firewall. Remember, this will be escalated to higher management.
Sent from Cisco Technical Support iPhone App
01-25-2013 09:10 AM
Hi,
I just noticed that applying the provided ACL will block access to the internet from VLAN 10, so you'll have to edit the ACL accordingly.
Regards
Alain
Don't forget to rate helpful posts.
01-25-2013 08:00 AM
Fared,
What is it you would like to filter?
Below is a filter which will allow TCP traffic from VLAN 20 to 10 and ICMP both ways; in fact, if ICMP isn't required both ways then you just use the VL10in ACE on VLAN 10.
ip access-list extended VL20in
 permit tcp 10.23.23.0 0.0.0.255 any
 permit icmp 10.23.23.0 0.0.0.255 any echo
 ! remove the next line if you don't want VLAN 10 to ping
 permit icmp 10.23.23.0 0.0.0.255 any echo-reply
 deny ip any any
!
ip access-list extended VL10in
 permit tcp any 10.23.23.0 0.0.0.255 established
 ! remove the next line if you don't want VLAN 10 to ping
 permit icmp 10.50.50.0 0.0.0.255 any echo
 permit icmp 10.50.50.0 0.0.0.255 any echo-reply
 deny ip any any
!
int vlan 20
 ip access-group VL20in in
!
int vlan 10
 ip access-group VL10in in
Please don't forget to rate this post if it has been helpful.
01-25-2013 10:44 AM
I don't want to apply any ACL on the administrator VLAN; the above ACL will allow all TCP traffic two-way and ICMP one way if I remove echo.
Basically my goal is one-way traffic: allow all from VLAN 20 to VLAN 10 and deny all traffic from VLAN 10 to VLAN 20.
This is not achievable with the above ACLs; please advise the ACL according to my requirements.
01-25-2013 11:27 AM
Can you tell me what the use of one-way traffic is if you don't permit return traffic? It makes no sense, because why permit an ICMP echo if the echo-reply is filtered anyway on the other VLAN?
Regards
Alain
Don't forget to rate helpful posts.
01-25-2013 12:41 PM
Fared,
From my testing of these ACLs it seems to work for TCP traffic; I have tested it between VLANs for HTTP and Telnet. Obviously, as Cadet Alain stated, UDP is connectionless, so you will have to be more specific when defining traffic for that protocol.
From my testing, clients on VLAN 20 can access VLAN 10 over TCP 80/443/23 but not the other way around.
res
Paul
Please don't forget to rate this post if it has been helpful.
01-25-2013 07:33 PM
Have you thought about using the zone based firewall feature?
Sent from Cisco Technical Support iPhone App
01-25-2013 08:27 PM
Cadet.
The reason behind this is that we don't want anyone to access VLAN 20 resources, as on VLAN 20 there are around 3 hosts which have critical information on their systems, like licensed software info and other things. Also these systems belong to the system administrators, that's why they need full access to all users. That means we have to develop an ACL which can block all connections initiated from user VLANs like VLAN 10.
Please correct my statement: "to deny return traffic" basically means to deny all connections initiated from VLAN 10 towards VLAN 20.
Advise me of an ACL which may be helpful. Forget about ICMP; it is just to ping or not.
Paul, I hope this is clear: your ACL will provide limited access for VLAN 20 over 80/443/23, whereas VLAN 20 should have full access over all ports but VLAN 10 couldn't make any connection toward VLAN 20.
Babcock, can we implement zone-based firewall on a 3750X switch with IOS 12.2(58)SE2, which is what we are using?
01-26-2013 10:13 AM
Hi,
Zone-based firewall is only available on routers, as are reflexive ACLs (which are an older technology).
You should try the config I proposed and edit it with the return traffic that you'll see denied in the logs.
Regards
Alain
Don't forget to rate helpful posts.