Blocking access from one VLAN to another on a Cisco 4503
I need some help setting up an access list (or routing tables) on a Cisco 4503 with a Sup. IV board. The switch is setup with 24 VLANs and I do not want 23 of the VLANs to be able to communicate with each other, only to the 24th VLAN.
I have included a rough diagram below. Basically I want the 192.168.1.0 network to be able to communicate with the 192.168.0.0 network and the Internet, but not with the 192.168.2-23.0 networks. The same for the rest of the networks. The 192.168.0.0 network needs to be able to communicate with any of the networks.
My first idea was to setup up a deny access list on each Port-Channel (grouping two gig ports to each of the 2950's) for all traffic except for traffict to/from the 192.168.0.0 network, but it was not working.
Can anyone provide an example of what I need to do to make the happen?
Thanks,
Tom
Router to Internet
|
|
Router / Firewall
(192.168.0.254)
|
|
192.168.0.0/24 network
|
|
Cisco 4503 (Sup. IV board running layer 3 routing)
-----------------------
Cisco 2950T - 192.168.1.0/24 ---|||||||||||||||||||||||
Cisco 2950T - 192.168.2.0/24 ----||||||||||||||||||||||
Cisco 2950T - 192.168.3.0/24 -----|||||||||||||||||||||
Cisco 2950T - 192.168.4.0/24 ------||||||||||||||||||||
Cisco 2950T - 192.168.5.0/24 -------|||||||||||||||||||
Cisco 2950T - 192.168.6.0/24 --------||||||||||||||||||
Cisco 2950T - 192.168.7.0/24 ---------|||||||||||||||||
Cisco 2950T - 192.168.8.0/24 ----------||||||||||||||||
Cisco 2950T - 192.168.9.0/24 -----------|||||||||||||||
Cisco 2950T - 192.168.10.0/24 -----------||||||||||||||
Cisco 2950T - 192.168.11.0/24 ------------|||||||||||||
Cisco 2950T - 192.168.12.0/24 -------------||||||||||||
Cisco 2950T - 192.168.13.0/24 --------------|||||||||||
Cisco 2950T - 192.168.14.0/24 ---------------||||||||||
Cisco 2950T - 192.168.15.0/24 ----------------|||||||||
Cisco 2950T - 192.168.16.0/24 -----------------||||||||
Cisco 2950T - 192.168.17.0/24 ------------------|||||||
Cisco 2950T - 192.168.18.0/24 -------------------||||||
Cisco 2950T - 192.168.19.0/24 --------------------|||||
Cisco 2950T - 192.168.20.0/24 ---------------------||||
Cisco 2950T - 192.168.21.0/24 ----------------------|||
Cisco 2950T - 192.168.22.0/24 -----------------------||
Cisco 2950T - 192.168.23.0/24 ------------------------|
I have included a rough diagram below. Basically I want the 192.168.1.0 network to be able to communicate with the 192.168.0.0 network and the Internet, but not with the 192.168.2-23.0 networks. The same for the rest of the networks. The 192.168.0.0 network needs to be able to communicate with any of the networks.
My first idea was to setup up a deny access list on each Port-Channel (grouping two gig ports to each of the 2950's) for all traffic except for traffict to/from the 192.168.0.0 network, but it was not working.
Can anyone provide an example of what I need to do to make the happen?
Thanks,
Tom
Router to Internet
|
|
Router / Firewall
(192.168.0.254)
|
|
192.168.0.0/24 network
|
|
Cisco 4503 (Sup. IV board running layer 3 routing)
-----------------------
Cisco 2950T - 192.168.1.0/24 ---|||||||||||||||||||||||
Cisco 2950T - 192.168.2.0/24 ----||||||||||||||||||||||
Cisco 2950T - 192.168.3.0/24 -----|||||||||||||||||||||
Cisco 2950T - 192.168.4.0/24 ------||||||||||||||||||||
Cisco 2950T - 192.168.5.0/24 -------|||||||||||||||||||
Cisco 2950T - 192.168.6.0/24 --------||||||||||||||||||
Cisco 2950T - 192.168.7.0/24 ---------|||||||||||||||||
Cisco 2950T - 192.168.8.0/24 ----------||||||||||||||||
Cisco 2950T - 192.168.9.0/24 -----------|||||||||||||||
Cisco 2950T - 192.168.10.0/24 -----------||||||||||||||
Cisco 2950T - 192.168.11.0/24 ------------|||||||||||||
Cisco 2950T - 192.168.12.0/24 -------------||||||||||||
Cisco 2950T - 192.168.13.0/24 --------------|||||||||||
Cisco 2950T - 192.168.14.0/24 ---------------||||||||||
Cisco 2950T - 192.168.15.0/24 ----------------|||||||||
Cisco 2950T - 192.168.16.0/24 -----------------||||||||
Cisco 2950T - 192.168.17.0/24 ------------------|||||||
Cisco 2950T - 192.168.18.0/24 -------------------||||||
Cisco 2950T - 192.168.19.0/24 --------------------|||||
Cisco 2950T - 192.168.20.0/24 ---------------------||||
Cisco 2950T - 192.168.21.0/24 ----------------------|||
Cisco 2950T - 192.168.22.0/24 -----------------------||
Cisco 2950T - 192.168.23.0/24 ------------------------|
JFrederick29
The access-lists need to reside on the VLAN interfaces on the 4503, not the individual ports.
Hi,
Create the following access-list:
!
! permit access from 192.168.0.0 /24 network
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
! deny access from any other 192.168.0.0/16 network
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
!
! permit access fro any other network
access-list 100 permit any any
!
Then apply this access-list on each VLAN interface as an inbound filter:
!
interface xxxx
ip access-group 100 in
!
regards,
celsmk
Create the following access-list:
!
! permit access from 192.168.0.0 /24 network
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
! deny access from any other 192.168.0.0/16 network
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
!
! permit access fro any other network
access-list 100 permit any any
!
Then apply this access-list on each VLAN interface as an inbound filter:
!
interface xxxx
ip access-group 100 in
!
regards,
celsmk
ASKER
Celsmk,
Your suggestion is what I had tried in the past, BUT I did try it again last night and was able to get it to work.
The wierd thing is that at first it did not work again. I was able to ping between networks. I then removed the 'permit any any' line and it blocked as it should, but you were not able to get to the Internet, again as expected. I then re-added the 'permit any any' line and all is working as expected now. It does not make sense to me. It was as if it was ignoring the match on the 'deny' line and continuing down through the access list.
The only difference between what I did and what you suggest is that I applied it as an 'out' on the interface. My understanding is that the 'out' is out of the switch port and 'in' is into the switch port. Is that correct? If I put it on the 'in' it would seem to me that I would have to switch the lines around to be something like 'deny ip any 192.168.0.0 0.0.255.255'. It seems that it would make more sense to put it on the 'in' so that the traffice, conceptually, did not get into the switch, did not bother to get routed and then blocked. Please let me know your thoughts and thank you for the reply.
-Tom
Your suggestion is what I had tried in the past, BUT I did try it again last night and was able to get it to work.
The wierd thing is that at first it did not work again. I was able to ping between networks. I then removed the 'permit any any' line and it blocked as it should, but you were not able to get to the Internet, again as expected. I then re-added the 'permit any any' line and all is working as expected now. It does not make sense to me. It was as if it was ignoring the match on the 'deny' line and continuing down through the access list.
The only difference between what I did and what you suggest is that I applied it as an 'out' on the interface. My understanding is that the 'out' is out of the switch port and 'in' is into the switch port. Is that correct? If I put it on the 'in' it would seem to me that I would have to switch the lines around to be something like 'deny ip any 192.168.0.0 0.0.255.255'. It seems that it would make more sense to put it on the 'in' so that the traffice, conceptually, did not get into the switch, did not bother to get routed and then blocked. Please let me know your thoughts and thank you for the reply.
-Tom
TUmhress,
The access-list as I wrote should be applied inbound. Please note:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
---
destination address
-------------------------
source address
Where did you apply to the ACL? You should have it applied to all VLAN interfaces (NOT on physical interfaces) but the VLAN interface assigned to subnet 192.168.0.0/24 as following:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
deny access from any other 192.168.0.0/16 network
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
!
interface VLAN x
ip address 192.168.0.x 255.255.255.0
! no access-group here!
!
interface VLAN a
ip address 192.168.1.x 255.255.255.0
access-group 100 in
!
interface VLAN b
ip address 192.168.2.x 255.255.255.0
access-group 100 in
!
interface VLAN c
ip address 192.168.3.x 255.255.255.0
access-group 100 in
!
....and so on.
The access-list as I wrote should be applied inbound. Please note:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
---
destination address
-------------------------
source address
Where did you apply to the ACL? You should have it applied to all VLAN interfaces (NOT on physical interfaces) but the VLAN interface assigned to subnet 192.168.0.0/24 as following:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
deny access from any other 192.168.0.0/16 network
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
!
interface VLAN x
ip address 192.168.0.x 255.255.255.0
! no access-group here!
!
interface VLAN a
ip address 192.168.1.x 255.255.255.0
access-group 100 in
!
interface VLAN b
ip address 192.168.2.x 255.255.255.0
access-group 100 in
!
interface VLAN c
ip address 192.168.3.x 255.255.255.0
access-group 100 in
!
....and so on.
Sorry, wrong commands in my previous answer. The correct configurations are:
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
!
interface VLAN x
ip address 192.168.0.x 255.255.255.0
! no ip access-group here!
!
interface VLAN a
ip address 192.168.1.x 255.255.255.0
ip access-group 100 in
!
interface VLAN b
ip address 192.168.2.x 255.255.255.0
ip access-group 100 in
!
interface VLAN c
ip address 192.168.3.x 255.255.255.0
ip access-group 100 in
!
....and so on.
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
!
interface VLAN x
ip address 192.168.0.x 255.255.255.0
! no ip access-group here!
!
interface VLAN a
ip address 192.168.1.x 255.255.255.0
ip access-group 100 in
!
interface VLAN b
ip address 192.168.2.x 255.255.255.0
ip access-group 100 in
!
interface VLAN c
ip address 192.168.3.x 255.255.255.0
ip access-group 100 in
!
....and so on.
ASKER
Celsmk,
I may have mis-spoken when I said that I was using VLANs.
Here is an example of the configuration:
<snip>
port-channel load-balance src-ip
!
!
interface Port-channel10
ip address 192.168.10.254 255.255.255.0
ip access-group ClsBlock out
ip helper-address 192.168.0.107
!
interface Port-channel11
ip address 192.168.11.254 255.255.255.0
ip access-group ClsBlock out
ip helper-address 192.168.0.107
</snip>
<snip>
interface GigabitEthernet2/19
no switchport
no ip address
channel-group 10 mode active
!
interface GigabitEthernet2/20
no switchport
no ip address
channel-group 10 mode active
!
interface GigabitEthernet2/21
no switchport
no ip address
channel-group 11 mode active
!
interface GigabitEthernet2/22
no switchport
no ip address
channel-group 11 mode active
</snip>
<snip>
ip default-gateway 192.169.0.254
ip classless
no ip forward-protocol udp bootpc
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
!
ip access-list extended ClsBlock
permit ip 192.168.0.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
</snip>
I do like the idea of blocking on the inbound versus the outbound. Does the above information change anything?
It is working now, but I would like it configured in the most optimal way, so I am open to changes.
Thanks again,
Tom
I may have mis-spoken when I said that I was using VLANs.
Here is an example of the configuration:
<snip>
port-channel load-balance src-ip
!
!
interface Port-channel10
ip address 192.168.10.254 255.255.255.0
ip access-group ClsBlock out
ip helper-address 192.168.0.107
!
interface Port-channel11
ip address 192.168.11.254 255.255.255.0
ip access-group ClsBlock out
ip helper-address 192.168.0.107
</snip>
<snip>
interface GigabitEthernet2/19
no switchport
no ip address
channel-group 10 mode active
!
interface GigabitEthernet2/20
no switchport
no ip address
channel-group 10 mode active
!
interface GigabitEthernet2/21
no switchport
no ip address
channel-group 11 mode active
!
interface GigabitEthernet2/22
no switchport
no ip address
channel-group 11 mode active
</snip>
<snip>
ip default-gateway 192.169.0.254
ip classless
no ip forward-protocol udp bootpc
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
!
ip access-list extended ClsBlock
permit ip 192.168.0.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
</snip>
I do like the idea of blocking on the inbound versus the outbound. Does the above information change anything?
It is working now, but I would like it configured in the most optimal way, so I am open to changes.
Thanks again,
Tom
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I thought I had, but I could have just had a stupid typo. I will try this method and post the results, it looks like it would work to me. I may not be albe to get to it until tomorrow.
The points are yours though. Thank you for working through this with me. I think the delay or odd ballness in the appling was throwing me off. As I thought that I understood access list. But, one can always learn more. :)
-Tom
The points are yours though. Thank you for working through this with me. I think the delay or odd ballness in the appling was throwing me off. As I thought that I understood access list. But, one can always learn more. :)
-Tom
Hope it will work ok for you.
Tks a lot!
Celsmk
Tks a lot!
Celsmk
ASKER
Celsmk,
I implemented the suggestion above and all is working well. Thanks again for your assistance.
-Tom
I implemented the suggestion above and all is working well. Thanks again for your assistance.
-Tom