Using ACLs with Vlans....

Hello All,

I have two vlans, 2 (10.229.24.0) and 8 (10.101.28.0). I'm using a cisco 3560 to do all my layer 3 traffic. Port 2 is Vlan 2 (10.229.24.254) and port 5 is VLan 8 (10.101.30.254) on the switch. What would be the easiest way to use ACLs to prevent Vlan 8 talking to Vlan 2? But I do need a couple of servers in Vlan 8 to be able to talk to hosts in Vlan 2. Also, I would like to be able to control what ports go out of those interfaces. For example, if I only wanted users to have access to http, https for internet and block all other ports.

Thanks in advance for your help.
ejaramillo Asked:
Don Johnston (Instructor) Commented:
Close. :-)



access-list 101 permit ip 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.229.24.1 0.0.0.0 10.101.28.1 0.0.0.0
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any
 
int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out

Don Johnston (Instructor) Commented:
> What would be the easiest way to use ACLs to prevent Vlan 8 talking to Vlan 2?

A standard ACL applied to the VLAN interfaces. For example:

access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
int VLAN 8
 ip access-group 1 out

> But I do need a couple of servers in Vlan 8 to be able to talk to hosts in Vlan 2.

Now you're talking extended ACLs.

> Also, I would like to be able to control what ports go out of those interfaces.

Same as above, extended ACL.
ejaramillo (Author) Commented:
Can you please give me an example of the extended ACL I would use in this example?
Don Johnston (Instructor) Commented:
access-list 101 permit tcp 10.229.24.254 0.0.0.0 10.101.30.254 0.0.0.0 eq 80
access-list 101 permit tcp 10.229.24.254 0.0.0.0 10.101.30.254 0.0.0.0 eq 443

would only allow http and https traffic from 10.229.24.254 to 10.101.30.254. All other traffic would be denied by the implicit deny any that affects all ACLs.
ejaramillo (Author) Commented:
Using an extended ACL how would I block all traffic from Vlan 8 to Vlan 2 with the exception of a couple of IP addresses?

Thanks for your help!
Don Johnston (Instructor) Commented:
You don't need an extended ACL for that. You would use a standard ACL to allow the specific IP addresses. Everything else would be denied.
ejaramillo (Author) Commented:
If I use this ACL:

access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
int VLAN 8
 ip access-group 1 out

This is blocking all of Vlan 8 from accessing Vlan 2. So how would I allow some IPs to access Vlan 2 using this ACL?

Thanks
Don Johnston (Instructor) Commented:
access-list 1 permit 10.229.24.8 0.0.0.0
access-list 1 permit 10.229.24.12 0.0.0.0
access-list 1 permit 10.229.24.38 0.0.0.0
access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any

This will allow the .8, .12 and .38 hosts, deny everything else on the 10.229.24.0 network, and allow everything else.
ejaramillo (Author) Commented:
This would be applied on vlan 8 out?
Don Johnston (Instructor) Commented:
Yes.
ejaramillo (Author) Commented:

Can I do this to block vlan 8 talking to vlan 2 with only a couple of IP getting through, but also only giving them access to certain ports for internet?


Int Vlan 8 out
access-list 101 permit tcp 10.101.28.0 0.0.0.255 10.229.24.8 0.0.0.0
access-list 101 permit tcp 10.101.28.0 0.0.0.255 10.229.24.9 0.0.0.0
access-list 101 permit tcp 10.101.28.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any

Second question:

What would I apply to vlan 8 inbound?

Would it be something like:

access-list 102 permit tcp any 10.101.28.0 0.0.0.255 established
Don Johnston (Instructor) Commented:
Can you tell me what devices need to talk to what? Or what you don't want to work?
ejaramillo (Author) Commented:
Basically I don't want 10.101.28.0 (Vlan 8) to be able to talk to 10.229.24.0 (Vlan 2) and vice versa if I needed, but I do have a couple of users who are on vlan 2 who need to communicate with a printer which is on Vlan 8. I also have a couple of users who are on Vlan 8 who need to talk to a server on Vlan 2. Sorry if I'm making this more confusing than it probably is.

Thanks for your help...
ejaramillo (Author) Commented:
Sorry, one last thing:

I also want to be able to control what ports users can access going out, i.e. http, https, ftp, pop3 etc.
Don Johnston (Instructor) Commented:
This will prevent vlan 8 devices from talking to vlan 2 devices.

access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out
ejaramillo (Author) Commented:
Given your example, if there was a printer (10.101.28.1) on VLan 8 that a user (10.229.24.1) on Vlan 2 needed to access I would use this ACL:

access-list 101 permit ip 10.101.24.1 0.0.0.0 10.229.24.1 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.229.24.1 0.0.0.0 10.101.28.1 0.0.0.0
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out
ejaramillo (Author) Commented:
Thanks for all your help! I was really close. =)

One last thing, sorry I know you want to close this out but what if I also wanted to only have certain ports open outbound like http, https, ftp. I don't want them to have access to all ports outbound, ya know.

What do you think?

Thanks again!
Don Johnston (Instructor) Commented:
This would allow 10.101.28.1 to open a web page on 10.229.24.1
And allow 10.229.24.9 to telnet to 10.101.28.6

Keep in mind that stopping the response is a bit overkill. If you stop the request, that's usually more than adequate in a closed network.

access-list 101 permit tcp 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0 eq 80
access-list 101 permit tcp 10.101.28.6 0.0.0.0 eq 23 10.229.24.9 0.0.0.0 
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit tcp 10.229.24.1 0.0.0.0 eq 80 10.101.28.1 0.0.0.0
access-list 102 permit tcp 10.229.24.9 0.0.0.0 10.101.28.6 0.0.0.0 eq 23
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any
 
int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out

ejaramillo (Author) Commented:
Well I'm not really looking to block host to host, but more for outbound to the internet. Let's say I only want to allow my users to go out to the internet and be able to access ftp sites and that's all. I don't want them to be able to go out to the internet to access yahoo messenger which is on a much higher port. Does that make sense? Do you kind of get what I'm trying to get at?
Don Johnston (Instructor) Commented:
The best way to approach this is to understand how the ACLs work. That way you'll be able to write them to fit your requirements.

access-list 101 <action> <protocol> <source add/mask> eq <source port> <dest add/mask> eq <dest port>

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.8 0.0.0.0 eq 80

would allow the 192.168.1.0 network to open a web page on the server at 172.16.1.8.

Make sense?
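The ACL behaviour this whole thread turns on (top-down first match, wildcard masks where a 1 bit means "don't care", `eq` on either the source or the destination port, and the implicit deny at the end of every list) is easy to get wrong by eye, so here is a small evaluator that applies those rules to the exact lines quoted above. It is an added example, not code from the thread or from Cisco; the `ACL_101` entries are copied from the expert's final answer, and the packet tuples fed to `evaluate()` are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is 0.0.0.0 with an all-ones wildcard

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so OR it into both sides."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def take_addr(tok, i):
    """Consume 'any' or '<addr> <wildcard>' at tok[i]; return (spec, next index)."""
    return (ANY, i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)

def take_port(tok, i):
    """Consume an optional 'eq <port>' at tok[i] (may follow source or destination)."""
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_ace(line):
    """Parse one 'access-list N ...' entry: standard (1-99) or extended (100-199)."""
    tok = line.split()
    num, action = int(tok[1]), tok[2]
    if num < 100:  # standard ACL: source only; a bare address implies wildcard 0.0.0.0
        src = ANY if tok[3] == "any" else (tok[3], tok[4] if len(tok) > 4 else "0.0.0.0")
        return dict(action=action, proto="ip", src=src, sport=None, dst=ANY, dport=None)
    src, i = take_addr(tok, 4)
    sport, i = take_port(tok, i)
    dst, i = take_addr(tok, i)
    dport, _ = take_port(tok, i)
    return dict(action=action, proto=tok[3], src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Top-down, first match wins; an ACL always ends with an implicit deny of everything."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):  # 'ip' entries match any IP protocol
            continue
        if not (wc_match(src, *ace["src"]) and wc_match(dst, *ace["dst"])):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"], line
    return "deny", "implicit deny at end of ACL"

# Copied from the thread's final ACL 101, applied 'out' on int vlan 2 (sees vlan 8 -> vlan 2)
ACL_101 = [
    "access-list 101 permit tcp 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0 eq 80",
    "access-list 101 permit tcp 10.101.28.6 0.0.0.0 eq 23 10.229.24.9 0.0.0.0",
    "access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
```

It understands only the syntax used in this thread (`any`, address/wildcard pairs and `eq`), not `host`, `established` or port ranges; the standard ACL 1 from earlier in the thread parses the same way, and dropping the final `permit ip any any` shows the implicit deny catching everything else.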
ejaramillo (Author) Commented:
Got it! Thanks for all your help!
Question has a verified solution.