Solved

ACL to restrict traffic between 2 VLANs

Posted on 2010-09-03
661 Views
Last Modified: 2012-05-10
I have a router with 2 VLANs set up on it. Currently the 2 VLANs are in full communication with each other. Below is a section of my current config. I've been through all sorts of different standard ACLs, extended ACLs, etc. and I can't get this figured out.

What I want to setup is:

10.10.10.5 has full communication with 10.10.20.5 and 10.10.20.6
10.10.10.6 has full communication with 10.10.20.5 and 10.10.20.6

10.10.20.5 has full communication with 10.10.10.5 and 10.10.10.6
10.10.20.6 has full communication with 10.10.10.5 and 10.10.10.6

All other communication between the 2 VLANs should be blocked off.
Both VLANs still need to have access to the internet, and be able to talk to all IPs within themselves.

So my question is, what ACLs do I need to create, and in which direction do I need to apply them on the VLANs?

Thank you.


interface Vlan1
 description $xxxxxx Network Block$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description $xxxxxx Network Block$
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 223.103.5.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255


Question by:P1ST0LPETE
15 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ip access-l ext vlan1-in
 permit ip host 10.10.10.5 host 10.10.20.5
 permit ip host 10.10.10.5 host 10.10.20.6
 permit ip host 10.10.10.6 host 10.10.20.5
 permit ip host 10.10.10.6 host 10.10.20.6
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
!
ip access-l ext vlan2-in
 permit ip host 10.10.20.5 host 10.10.10.5
 permit ip host 10.10.20.5 host 10.10.10.6
 permit ip host 10.10.20.6 host 10.10.10.5
 permit ip host 10.10.20.6 host 10.10.10.6
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
int vlan1
 ip access-group vlan1-in in
!
int vlan2
 ip access-group vlan2-in in


This can be shortened with a few lines by using object-groups.

/Kvistofta
 
LVL 17

Expert Comment

by:Kvistofta
(please ignore typos like "ip access-l ex vplan-2-in" ;) )
 
LVL 10

Author Comment

by:P1ST0LPETE
Ok, my config now looks like the attached config section below.

However, nothing has changed, and I can still ping from any IP on VLAN 1 to any IP on VLAN 2 and vice versa.
interface Vlan1
 description $xxxxxx Network Block$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description $xxxxxx Network Block$
 ip address 10.10.20.1 255.255.255.0
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 110 permit ip host 10.10.10.5 host 10.10.20.5
access-list 110 permit ip host 10.10.10.5 host 10.10.20.6
access-list 110 permit ip host 10.10.10.6 host 10.10.20.5
access-list 110 permit ip host 10.10.10.6 host 10.10.20.6
access-list 110 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 permit ip host 10.10.20.5 host 10.10.10.5
access-list 120 permit ip host 10.10.20.5 host 10.10.10.6
access-list 120 permit ip host 10.10.20.6 host 10.10.10.5
access-list 120 permit ip host 10.10.20.6 host 10.10.10.6
access-list 120 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
!


 
LVL 17

Expert Comment

by:Kvistofta
Strange. Do you get any hits on the access-lists?

show ip access-list 110
show ip access-list 120
 
LVL 10

Author Comment

by:P1ST0LPETE
Copied straight out of PuTTY:


Router#show ip access-list 110
Extended IP access list 110
    10 permit ip host 10.10.10.5 host 10.10.20.5
    20 permit ip host 10.10.10.5 host 10.10.20.6
    30 permit ip host 10.10.10.6 host 10.10.20.5
    40 permit ip host 10.10.10.6 host 10.10.20.6
    50 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
    60 permit ip any any (1814 matches)
Router#show ip access-list 120
Extended IP access list 120
    10 permit ip host 10.10.20.5 host 10.10.10.5
    20 permit ip host 10.10.20.5 host 10.10.10.6
    30 permit ip host 10.10.20.6 host 10.10.10.5
    40 permit ip host 10.10.20.6 host 10.10.10.6
    50 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    60 permit ip any any (179 matches)
Router#
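The accepted answer relies on two IOS ACL rules: entries are evaluated top to bottom and the first match wins, and an ACL that matches nothing ends in an implicit deny. The counters above are the check that exposes the problem: every one of the 1814 hits on ACL 110 landed on the trailing "permit ip any any", and the deny at sequence 50 never matched, so the router evaluated the ACL but never saw a packet from 10.10.10.0/24 to 10.10.20.0/24 pass through it. The script below is an added example, not code from the thread or from Cisco: it parses the "show ip access-list" output posted above, re-evaluates the ACL logic for a few sample flows, and flags an ACL whose only hits sit on the catch-all. It assumes the entry format shown in the thread (IP-only entries with "any", "host A" or "A WILDCARD" addresses) and rejects non-contiguous wildcard masks; the sample flows and the function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# "show ip access-list" output as posted in the thread above (the poster's own
# counters; the 1814 and 179 figures are theirs, not constructed here).
SHOW_OUTPUT = """\
Router#show ip access-list 110
Extended IP access list 110
    10 permit ip host 10.10.10.5 host 10.10.20.5
    20 permit ip host 10.10.10.5 host 10.10.20.6
    30 permit ip host 10.10.10.6 host 10.10.20.5
    40 permit ip host 10.10.10.6 host 10.10.20.6
    50 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
    60 permit ip any any (1814 matches)
Router#show ip access-list 120
Extended IP access list 120
    10 permit ip host 10.10.20.5 host 10.10.10.5
    20 permit ip host 10.10.20.5 host 10.10.10.6
    30 permit ip host 10.10.20.6 host 10.10.10.5
    40 permit ip host 10.10.20.6 host 10.10.10.6
    50 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    60 permit ip any any (179 matches)
Router#
"""


@dataclass
class Entry:
    seq: int
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    matches: int                  # counter shown in parentheses, 0 if absent


def wildcard_to_prefix(wildcard: str) -> int:
    """IOS wildcard mask (inverted netmask) -> prefix length, e.g. 0.0.0.255 -> 24."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # Only contiguous wildcards map to a prefix; anything else is rejected.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return prefix


def parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+ip\s+(.+?)(?:\s+\((\d+) matches\))?\s*$")
HEADER_RE = re.compile(r"^Extended IP access list (\S+)")


def parse_show_output(text: str):
    """Parse 'show ip access-list' output into {acl name: [entries in order]}."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = acls.setdefault(h.group(1), [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            src, rest = parse_addr(m.group(3).split())
            dst, _ = parse_addr(rest)
            current.append(Entry(int(m.group(1)), m.group(2), src, dst, int(m.group(4) or 0)))
    return acls


def evaluate(entries, src: str, dst: str):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action, e.seq
    return "deny", None


def audit_counters(entries):
    """Flag an ACL whose hits all land on a trailing 'permit ip any any' while every
    deny entry is at zero: the ACL is applied, but the traffic it was written to
    filter is not reaching it."""
    total = sum(e.matches for e in entries)
    last = entries[-1]
    trailing_any = last.action == "permit" and last.src.prefixlen == 0 and last.dst.prefixlen == 0
    deny_hits = sum(e.matches for e in entries if e.action == "deny")
    return {
        "total": total,
        "only_catch_all_hit": trailing_any and total > 0 and last.matches == total,
        "deny_hits": deny_hits,
    }


if __name__ == "__main__":
    acls = parse_show_output(SHOW_OUTPUT)
    # Sample flows (constructed): an allowed pair, a blocked pair, and internet-bound traffic.
    for src, dst in [("10.10.10.5", "10.10.20.5"), ("10.10.10.7", "10.10.20.5"), ("10.10.10.7", "8.8.8.8")]:
        print(f"ACL 110: {src} -> {dst}: {evaluate(acls['110'], src, dst)}")
    for name, entries in acls.items():
        print(name, audit_counters(entries))
```

Run against the posted output, the evaluator confirms the ACL logic itself is right (10.10.10.7 to 10.10.20.5 hits the deny at sequence 50, internet-bound traffic falls through to 60), while the counter audit reports that ACL 110 has all 1814 matches on the catch-all and zero deny hits. One thing the model makes explicit: traffic between two hosts on the same VLAN is switched within that VLAN and never crosses the SVI, so it never touches an inbound ACL on the VLAN interface, which is why intra-VLAN reachability is unaffected by these lists.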
 

Expert Comment

by:aralaci11
The access-list is absolutely correct; even applying it only on one VLAN will do the job, for example 110 on VLAN 1.
 
LVL 10

Author Comment

by:P1ST0LPETE
My topology currently looks like this. No physical switch involved. Switch ports are on the router.
Not sure if any of this helps or not. Been changing the IP addresses on the PCs to various IPs within the 2 network blocks to test pinging. So far, full ping access for all IPs between both VLANs.


                ----------------------
                |     Cisco 1811     |
                |       Router       |
                ----------------------
                    |            |
                    |            |
               ========       ========
               |                     |
               |                     |
        ----------------      ----------------
        |      PC      |      |      PC      |
        |  10.10.10.7  |      |  10.10.20.5  |
        ----------------      ----------------
 
LVL 17

Expert Comment

by:Kvistofta
Sorry, I can't see what is wrong here. The ACLs I provided are correct but I can't tell you why all hits go on the "permit ip any any" line.

/Kvistofta
 

Expert Comment

by:aralaci11
Can you post the output of the "sh int status" command?
 
LVL 10

Author Comment

by:P1ST0LPETE
"can you post sh int status command output"

Router#show int status
Port    Name               Status       Vlan       Duplex Speed Type
Fa2                        connected    1          a-full   a-100 10/100BaseTX
Fa3                        notconnect   1            auto    auto 10/100BaseTX
Fa4                        notconnect   1            auto    auto 10/100BaseTX
Fa5                        notconnect   1            auto    auto 10/100BaseTX
Fa6                        notconnect   1            auto    auto 10/100BaseTX
Fa7                        notconnect   1            auto    auto 10/100BaseTX
Fa8                        notconnect   1            auto    auto 10/100BaseTX
Fa9                        connected    2          a-full   a-100 10/100BaseTX
Router#
 
LVL 17

Expert Comment

by:Kvistofta
No vlan interfaces? Are the vlans created? Can you post your full config?

/Kvistofta
 
LVL 10

Author Comment

by:P1ST0LPETE
Router#show int summary

 *: interface is up
 IHQ: pkts in input hold queue     IQD: pkts dropped from input queue
 OHQ: pkts in output hold queue    OQD: pkts dropped from output queue
 RXBS: rx rate (bits/sec)          RXPS: rx rate (pkts/sec)
 TXBS: tx rate (bits/sec)          TXPS: tx rate (pkts/sec)
 TRTL: throttle count

  Interface              IHQ   IQD  OHQ   OQD  RXBS RXPS  TXBS TXPS TRTL
------------------------------------------------------------------------
* FastEthernet0            0     0    0     0  1000    2     0    0    0
  FastEthernet1            0     0    0     0     0    0     0    0    0
* FastEthernet2            0     0    0     0  1000    1     0    0    0
  FastEthernet3            0     0    0     0     0    0     0    0    0
  FastEthernet4            0     0    0     0     0    0     0    0    0
  FastEthernet5            0     0    0     0     0    0     0    0    0
  FastEthernet6            0     0    0     0     0    0     0    0    0
  FastEthernet7            0     0    0     0     0    0     0    0    0
  FastEthernet8            0     0    0     0     0    0     0    0    0
* FastEthernet9            0     0    0     0  1000    1     0    0    0
  Dot11Radio0              0     0    0     0     0    0     0    0    0
  Dot11Radio1              0     0    0     0     0    0     0    0    0
* Vlan1                    0     0    0     0     0    1     0    0    0

  Interface              IHQ   IQD  OHQ   OQD  RXBS RXPS  TXBS TXPS TRTL
------------------------------------------------------------------------
  Async1                   0     0    0     0     0    0     0    0    0
* NVI0                     0     0    0     0     0    0     0    0    0
* Vlan2                    0     0    0     0     0    0     0    0    0

Router#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              223.103.5.175   YES NVRAM  up                    up
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    up
Dot11Radio0                unassigned      YES NVRAM  administratively down down
Dot11Radio1                unassigned      YES NVRAM  administratively down down
Vlan1                      10.10.10.1      YES NVRAM  up                    up
Async1                     unassigned      YES NVRAM  down                  down
NVI0                       223.103.5.175   YES unset  up                    up
Vlan2                      10.10.20.1      YES NVRAM  up                    up
Router#


 
LVL 10

Author Comment

by:P1ST0LPETE
Full config:
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone PCTime -5
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
!
!
ip cef
ip domain name xxxxxxx.com
ip name-server 68.94.156.1
ip name-server 68.94.157.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $xxxxxx Gateway$
 ip address 223.103.5.175 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 switchport access vlan 2
!
interface Dot11Radio0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio1
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 description $xxxxxx Network Block$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description $E-Circuits Network Block$
 ip address 10.10.20.1 255.255.255.0
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache cef
 no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 223.103.5.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 110 permit ip host 10.10.10.5 host 10.10.20.5
access-list 110 permit ip host 10.10.10.5 host 10.10.20.6
access-list 110 permit ip host 10.10.10.6 host 10.10.20.5
access-list 110 permit ip host 10.10.10.6 host 10.10.20.6
access-list 110 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 permit ip host 10.10.20.5 host 10.10.10.5
access-list 120 permit ip host 10.10.20.5 host 10.10.10.6
access-list 120 permit ip host 10.10.20.6 host 10.10.10.5
access-list 120 permit ip host 10.10.20.6 host 10.10.10.6
access-list 120 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
!
!
!
!
!
!
control-plane
!
banner login ^
---------------------------------------------------------
Only authorized xxxxx Employee's may access this device.
If you are NOT an authorized user, disconnect now!!!
---------------------------------------------------------
 ^
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password xxxxxx
 login
!
no process cpu extended
no process cpu autoprofile hog
!
webvpn cef
end

 
LVL 2

Expert Comment

by:fs40490
The only thing that I can think may be causing issues is the fact that you are leveraging the default VLAN, VLAN 1...

Can you create, say, a VLAN 10 and move the VLAN 1 information to it? If you can, then you would need to put the interface(s) that connect to the 10.10.10.x hosts in VLAN 10.
 
LVL 10

Author Comment

by:P1ST0LPETE
Changed things around with the VLANs so that I'm not using the VLAN 1 default (not sure if this mattered or not) and did some further testing today.  I am still able to ping everything, but only the IP addresses specified in the ACLs can perform remote desktop etc.  So I think we are good.  Thanks for all the help guys.