Segregating VLAN traffic using access lists

adamshields
I have a network 172.16.100.0 that I would like to deny from accessing all of the other networks. The device is a Cisco 3700 series.

Currently for VLAN 100, network 100.0 I have the following applied to the incoming sub-interface:

access-list 110 permit ip 172.16.100.0 0.0.0.255 any
access-list 110 deny   ip any any

The problem is my systems on the other networks i.e. 172.16.10.0 can talk to 100.0 still and vice-versa.

Here's an example ACL from one of the other interfaces.

access-list 103 deny   ip 172.16.2.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.0.15.255 any
access-list 103 deny   ip 172.16.3.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any

How can I stop 172.16.100.0 from accessing the other networks?
Don Johnston (Instructor)
Top Expert 2015

Commented:
>How can I stop 172.16.100.0 from accessing the other networks?

What other networks?

Your ACL 110 is allowing the 100.0 network access to all other networks.

Remove "access-list 110 permit ip 172.16.100.0 0.0.0.255 any" and leave the deny ip any any and that will stop all access.

Author

Commented:
Okay, gotcha. Is there a way to allow the other 172.16.X.0 networks to access the 172.16.100.0 network if they initiate the connection?

Or is it a catch-22: in order to stop traffic on 100.X from accessing the other networks, they also cannot access it?
Shown as an example below:
interface vlan 100
 ip access-group 104 in
end

ip access-list extended 104
permit ip 172.16.x.0 0.0.0.255 172.16.100.0 0.0.0.255
deny ip 10.0.0.0 0.0.15.255 172.16.100.0 0.0.0.255
permit ip any any


Change access-list 104 according to your needs.

Permit all the traffic you need and then deny the traffic you don't need.
At the end, permit ip any any will allow any unclassified traffic.



Don Johnston (Instructor)
Top Expert 2015

Commented:
> is there a way to allow the other 172.16.X.0 networks to access the 172.16.100.0 network if they initiate the connection?

Do you mean if 172.16.100.0 initiates the connection? If so, that will only work with TCP and certain ICMP echo replies. UDP traffic will have to be allowed.

Otherwise, you'll have to create an ACL that permits the individual networks in question.

access-list 100 permit tcp 172.16.x.0 0.0.0.255 any est
access-list 100 permit icmp 172.16.x.0 0.0.0.255 any echo-reply
access-list 100 permit udp 172.16.x.0 0.0.0.255 any
 
int vlan 100
 ip access-group 100 out


Author

Commented:
Okay back to the original question.

If I just have the deny statement to stop network access then the hosts on the network fail to receive an IP from the DHCP server and are able to get on the internet.

Note the internet access is provided using NAT overload.

Do I have to specify all of the networks that 100.0 cannot access? That would seem a bit tedious.
Don Johnston (Instructor)
Top Expert 2015

Commented:
>If I just have the deny statement to stop network access then the hosts on the network fail to receive an IP from the dhcp server and are able to get on the internet.

DHCP??? You never said anything about DHCP. And if you don't get an IP address how can you access the internet???

This is impossible to do piecemeal. You really have to provide detailed information as to what is allowed and what is not. Otherwise every solution suggested is going to be blocking some traffic that needs to be allowed.


Author

Commented:
Okay sorry for the confusion.

To keep it simple there are three networks I'm working with:

172.16.100.0, 172.16.2.0, and 172.16.3.0

Networks 2.0 and 3.0 are able to speak to each other and that's fine.

I do not want hosts on 100.0 to be able to access 2.0 or 3.0.

I would like hosts on 2.0 and 3.0 to access hosts on 100.0 if possible but that's not a big deal.

Each network is defined via sub-interfaces, each with its own incoming ACL.

Each network has a DHCP pool assigned to it and that is working just fine.

Internet access is provided via NAT overload and that's also working.

If I put in the "deny any any" statement for 100.0 then nothing works. Do I need to solely specify which networks 100.0 can't access?
Instructor
Top Expert 2015
Commented:
ACLs are programming. As such, there are many ways to accomplish a specific result... given enough information.

The following will not allow any traffic from the 2.0 and 3.0 onto the 100.0 network.

If you can specify what type of traffic (www, email, ftp, etc.) you want to allow between 2.0, 3.0 and 100.0, we can look at ways to allow that.
 

access-list 1 deny 192.168.2.0 0.0.0.255
access-list 1 deny 192.168.3.0 0.0.0.255
access-list 1 permit any
 
int vlan 100
 ip access-group 1 out


Author

Commented:
Simple enough. Why are you specifying out instead of in?
Don Johnston (Instructor)
Top Expert 2015

Commented:
Because I used a standard ACL which only checks the source address.

So it's denying traffic from 2.0 and 3.0 from going OUT onto the 100.0 network.

Author

Commented:
So if I want to keep 100.0 from going out to 2.0 and 3.0 I should do:

access-list 1 deny 172.16.2.0 0.0.0.255
access-list 1 deny 172.16.3.0 0.0.0.255
access-list 1 permit any
 
int vlan 100
 ip access-group 1 out

Sorry for the repetitive question, just want to make sure I understand what's going on.
Don Johnston (Instructor)
Top Expert 2015

Commented:
Uh... yeah. Sorry. I mistyped the addresses.
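The thread turns on three IOS ACL rules: entries are checked top-down and the first match wins, every ACL ends with an implicit deny, and a standard ACL matches only the source address (which is why Don applies it outbound on the VLAN interface). The script below is an added example, not configuration from the thread or from Cisco; it is a small simulator of those rules so the behaviour of each ACL discussed above can be checked before it is applied to a production router. The router model (three VLAN interfaces, inbound ACL checked on ingress and outbound ACL on egress), the host addresses and the third, extended ACL are constructed for illustration; the `established` and `echo-reply` qualifiers from Don's TCP suggestion are deliberately not modelled.

```python
"""Simulator of Cisco-style IPv4 access-list evaluation (added example, not
configuration from the thread). Models: top-down first match, implicit deny,
standard ACLs match source only, extended ACLs match protocol/source/destination.
The router, VLAN names and host addresses below are constructed for illustration."""
import ipaddress

PROTOCOLS = ("ip", "tcp", "udp", "icmp")
ANY = ("0.0.0.0", "255.255.255.255")  # "any" expressed as network + wildcard


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD' (wildcard defaults to 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0) if tokens else "0.0.0.0")


def parse_acl(lines):
    """Parse IOS access-list lines into entries of (action, protocol, src_spec, dst_spec).

    A standard entry ('deny 172.16.2.0 0.0.0.255') carries no protocol or destination,
    so it is stored as protocol 'ip' and destination ANY: it can only ever match on source."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]                 # drop "access-list <number>"
        action = tokens.pop(0)
        if tokens[0] in PROTOCOLS:              # extended form: proto src dst
            proto = tokens.pop(0)
            src, dst = _addr_spec(tokens), _addr_spec(tokens)
            if tokens:                          # 'est', 'echo-reply', 'eq 80' ... not modelled
                raise ValueError(f"unsupported qualifier in: {line}")
        else:                                   # standard form: src only
            proto, src, dst = "ip", _addr_spec(tokens), ANY
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src, dst, proto="ip"):
    """First matching entry decides; no match means the implicit deny at the end."""
    for action, e_proto, (s_net, s_wc), (d_net, d_wc) in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# Constructed router: the three networks from the thread, one VLAN interface each.
VLANS = {"vlan100": "172.16.100.0/24", "vlan2": "172.16.2.0/24", "vlan3": "172.16.3.0/24"}


def vlan_of(addr):
    for name, net in VLANS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return name
    raise ValueError(f"no VLAN for {addr}")


def forwards(router, src, dst, proto="ip"):
    """router maps (interface, 'in'|'out') -> entries. A packet is checked against the
    inbound ACL of the interface it enters, then the outbound ACL of the one it leaves."""
    for key in ((vlan_of(src), "in"), (vlan_of(dst), "out")):
        if key in router and evaluate(router[key], src, dst, proto) == "deny":
            return False
    return True


ACL_110 = parse_acl([            # the original ACL 110 from the question, inbound on vlan 100
    "access-list 110 permit ip 172.16.100.0 0.0.0.255 any",
    "access-list 110 deny ip any any",
])
ACL_1 = parse_acl([              # the standard ACL from the last exchange, outbound on vlan 100
    "access-list 1 deny 172.16.2.0 0.0.0.255",
    "access-list 1 deny 172.16.3.0 0.0.0.255",
    "access-list 1 permit any",
])
ACL_BLOCK_100 = parse_acl([      # constructed extended ACL, inbound on vlan 100
    "deny ip 172.16.100.0 0.0.0.255 172.16.2.0 0.0.0.255",
    "deny ip 172.16.100.0 0.0.0.255 172.16.3.0 0.0.0.255",
    "permit ip any any",
])


def scenario_acl110():
    """Original setup: ACL 110 permits everything sourced from 100.0, so 100.0 -> 2.0 passes."""
    return forwards({("vlan100", "in"): ACL_110}, "172.16.100.5", "172.16.2.5")


def scenario_acl1_out():
    """Standard ACL outbound on vlan 100: (2.0 -> 100.0, 100.0 -> 2.0)."""
    router = {("vlan100", "out"): ACL_1}
    return (forwards(router, "172.16.2.5", "172.16.100.5"),
            forwards(router, "172.16.100.5", "172.16.2.5"))


def scenario_extended_in():
    """Extended ACL inbound on vlan 100: (100.0 -> 3.0, 2.0 -> 100.0, 100.0 -> 2.0 reply)."""
    router = {("vlan100", "in"): ACL_BLOCK_100}
    return (forwards(router, "172.16.100.5", "172.16.3.5"),
            forwards(router, "172.16.2.5", "172.16.100.5"),
            forwards(router, "172.16.100.5", "172.16.2.5"))


if __name__ == "__main__":
    print("ACL 110 in, 100.0 -> 2.0 forwarded:", scenario_acl110())
    print("ACL 1 out (2.0 -> 100.0, 100.0 -> 2.0):", scenario_acl1_out())
    print("extended in (100->3, 2->100, 100->2):", scenario_extended_in())
```

Running the three scenarios shows the point each post was making: the original ACL 110 forwards 100.0 to 2.0 because its first line permits anything sourced from 100.0; the standard ACL applied `out` on vlan 100 stops 2.0 and 3.0 from reaching 100.0 but, since nothing is applied where 100.0-sourced packets enter or leave, still forwards 100.0 to 2.0; and an extended ACL applied `in` on vlan 100 does block 100.0 from reaching 2.0 and 3.0, yet because the ACL is stateless it also drops the replies to a connection that 2.0 initiated, which is the catch-22 Don addresses with the `established` keyword for TCP. Checking the intended direction this way, or with `show access-lists` hit counters on the router, is the verification step to do before trusting an ACL as a segmentation control.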
