
Why can’t I deny intervlan routing with this ACL

I have a medium size office that I have segmented into many VLANs. I have 3 Catalyst 3550 switches, one of which is doing L3 routing. I have a Windows 2008 Server that I have configured to do DNS and DHCP for my VLANs.
My problem is that I can't seem to deny inter-VLAN traffic with ACLs, and I am wondering if I am not configuring the ACL properly, or if it is because the computers are grabbing IP addresses from a DHCP server in a DMZ.

To lessen the complexity let’s say I have 3 active Vlans, 1 L3 Switch, and no WAN router.

Vlan10 is the DMZ with a DHCP Server for Vlan 20 & 30
Vlan20 are computers that are not allowed to communicate with Vlan 30
Vlan30 are computers that are not allowed to communicate with Vlan 20

--W2K8 CONFIGURATION--
IPv4
      Scope       [159.84.20.0]
      Router      159.84.20.1
      Dns      159.84.10.11
!
      Scope       [159.84.30.0]
      Router      159.84.30.1
      Dns      159.84.10.11


--VLAN CONFIGURATION--
interface Vlan10
 description Servers/Switches/Printers
 ip address 159.84.10.1 255.255.255.0
!
interface Vlan20
 description Sales
 ip address 159.84.20.1 255.255.255.0
 ip helper-address 159.84.10.11                  (W2K8 DHCP/DNS Server)
!
interface Vlan30
 description Ops
 ip address 159.84.30.1 255.255.255.0
 ip helper-address 159.84.10.11                  (W2K8 DHCP/DNS Server)


--ACL that I thought should work--

ip access-list standard DENY_VLAN_20
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 20
 deny 159.84.30.0 0.0.0.255
 permit any
!
interface Vlan20
 ip access-group DENY_VLAN_20 in
!
ip access-list standard DENY_VLAN_30
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 30
 deny 159.84.20.0 0.0.0.255
 permit any
!
interface Vlan30
 ip access-group DENY_VLAN_30 in

Asked by: Crs707

3 Solutions

rochey2009 commented:
Hi,

standard access-lists permit and deny based on source address.

You need to do this instead.

ip access-list extended DENY_VLAN_20
remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 20
deny ip any 159.84.30.0 0.0.0.255
permit ip any any

int vlan 20
 ip access-group DENY_VLAN_20 in

Don Johnston (Instructor) commented:
Your ACL is applied in the wrong direction. You need to apply your ACL outbound on the interfaces.

int vlan 20
ip access-group DENY_VLAN_20 out
exit
int vlan 30
ip access-group DENY_VLAN_30 out
exit
Marius Gunnerud (Senior Systems Engineer) commented:
Agree with donjohnston

Crs707 (Author) commented:
Just an FYI - I have been testing this with various configurations, with ICMP, pinging the gateway of the vlan I want to block.

--Even this DID NOT work--
ip access-list standard DENY_VLAN_20
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 20
 deny 159.84.30.0 0.0.0.255
!
interface Vlan20
 ip access-group DENY_VLAN_20 out
 ip access-group DENY_VLAN_20 in


So I moved into testing extended ACLs:
ip access-list extended DENY_VLAN_20
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 20
 deny ip any 159.84.30.0 0.0.0.255
 permit ip any any


I tried this, with no success:
Ip access-group DENY_VLAN_20 out

Then this with no success:
Ip access-group DENY_VLAN_20 in

Then I tried this WITH SUCCESS:
Ip access-group DENY_VLAN_20 out
!
Ip access-group DENY_VLAN_20 in
!

I'm slightly confused with the outcome, but all in all it works. Though this seems like a lot of extra processor overhead just to block an address range.


Don Johnston (Instructor) commented:
Please post the complete config (less passwords) for the switch.

Marius Gunnerud (Senior Systems Engineer) commented:
What devices are you pinging from? I just put the following into my setup and it worked fine when pinging from the workstations:

ip access-list standard DENY_VLAN_20
!
remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 20
!
deny 159.84.30.0 0.0.0.255
!
Int vlan 20
!
Ip access-group DENY_VLAN_20 out


But this will not work if you are pinging from the switch.

Crs707 (Author) commented:
This is the only relevant section of code (currently blocking what I want inefficiently)

 
interface Vlan1
 ip address 159.84.1.10 255.255.255.0
!
interface Vlan10
 description Servers/Switches/Printers
 ip address 159.84.10.1 255.255.255.0
!
interface Vlan20
 description Sales
 ip address 159.84.20.1 255.255.255.0
 ip access-group DENY_VLAN_20 in
 ip access-group DENY_VLAN_20 out
 ip helper-address 159.84.10.11
!
interface Vlan30
 description Ops
 ip address 159.84.30.1 255.255.255.0
 ip access-group DENY_VLAN_30 in
 ip access-group DENY_VLAN_30 out
 ip helper-address 159.84.10.11
!
interface Vlan40
 ip address 159.84.40.1 255.255.255.0
 ip access-group DENY_VLAN_40 in
 ip access-group DENY_VLAN_40 out
 ip helper-address 159.84.10.11
!
interface Vlan50
 ip address 159.84.50.1 255.255.255.0
 ip access-group DENY_VLAN_50 in
 ip access-group DENY_VLAN_50 out
!
interface Vlan60
 ip address 159.84.60.1 255.255.255.0
!
interface Vlan70
 ip address 159.84.70.1 255.255.255.0
 ip access-group DENY_VLAN_70 in
 ip access-group DENY_VLAN_70 out
!
interface Vlan80
 description WiFi
 ip address 159.84.80.1 255.255.255.0
 ip access-group DENY_VLAN_80 in
 ip access-group DENY_VLAN_80 out
 ip helper-address 159.84.10.11
!
!
router eigrp 90
 no auto-summary
 network 159.84.1.10 0.0.0.0
 network 159.84.10.0 0.0.0.255
 network 159.84.20.0 0.0.0.255
 network 159.84.30.0 0.0.0.255
 network 159.84.40.0 0.0.0.255
 network 159.84.50.0 0.0.0.255
 network 159.84.60.0 0.0.0.255
 network 159.84.70.0 0.0.0.255
 network 159.84.0.0
 network 194.190.7.0
!
ip default-gateway 194.190.7.2
ip classless
ip route 0.0.0.0 0.0.0.0 194.190.7.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list standard DENY_TELNET
 permit 194.190.7.1
 remark THIS WILL DENY ALL BUT VLAN10 AND R0 FROM TELNETTING TO S0
 permit 159.84.10.0 0.0.0.255
!
ip access-list extended DENY_VLAN_20
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 20
 deny   ip any 159.84.30.0 0.0.0.255
 deny   ip any 159.84.40.0 0.0.0.255
 deny   ip any 159.84.50.0 0.0.0.255
 deny   ip any 159.84.70.0 0.0.0.255
 deny   ip any 159.84.80.0 0.0.0.255
 permit ip any any
ip access-list extended DENY_VLAN_30
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 30
 deny   ip any 159.84.20.0 0.0.0.255
 deny   ip any 159.84.40.0 0.0.0.255
 deny   ip any 159.84.50.0 0.0.0.255
 deny   ip any 159.84.70.0 0.0.0.255
 deny   ip any 159.84.80.0 0.0.0.255
 permit ip any any
ip access-list extended DENY_VLAN_40
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 40
 deny   ip any 159.84.20.0 0.0.0.255
 deny   ip any 159.84.30.0 0.0.0.255
 deny   ip any 159.84.50.0 0.0.0.255
 deny   ip any 159.84.70.0 0.0.0.255
 deny   ip any 159.84.80.0 0.0.0.255
 permit ip any any
ip access-list extended DENY_VLAN_50
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 50
 deny   ip any 159.84.20.0 0.0.0.255
 deny   ip any 159.84.30.0 0.0.0.255
 deny   ip any 159.84.40.0 0.0.0.255
 deny   ip any 159.84.70.0 0.0.0.255
 deny   ip any 159.84.80.0 0.0.0.255
 permit ip any any
ip access-list extended DENY_VLAN_70
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 70
 deny   ip any 159.84.20.0 0.0.0.255
 deny   ip any 159.84.30.0 0.0.0.255
 deny   ip any 159.84.40.0 0.0.0.255
 deny   ip any 159.84.50.0 0.0.0.255
 deny   ip any 159.84.80.0 0.0.0.255
 permit ip any any
ip access-list extended DENY_VLAN_80
 remark THIS WILL DENY TRAFFIC FROM CONFIGURED VLANS TO VLAN 80
 deny   ip any 159.84.20.0 0.0.0.255
 deny   ip any 159.84.30.0 0.0.0.255
 deny   ip any 159.84.40.0 0.0.0.255
 deny   ip any 159.84.50.0 0.0.0.255
 deny   ip any 159.84.70.0 0.0.0.255
 permit ip any any
!
logging 159.84.10.12
!
control-plane
!
banner motd ^C
************************************************
  Unauthorized logins are strictly prohibited
         and may be punishable by law
************************************************
^C
!
line con 0
 exec-timeout 30 0
 password 7 
 logging synchronous
 login
line vty 0 4
 access-class DENY_TELNET in
 exec-timeout 20 0
 password 7 
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 no login
!
end



I am pinging from a workstation (W7) to the gateway of the vlan that I am trying to block.

--Workstation--
IPv4 Address            159.84.20.50      (given by the DHCP Server in Vlan 10)
Subnet Mask             255.255.255.0
Default Gateway       159.84.20.1
DNS Servers            159.84.10.11      (given by the DNS Server in Vlan 10)

Pinging to 159.84.30.1 (gateway of vlan 30)

Don Johnston (Instructor) commented:
If you want to truly test this, you're going to have to ping between hosts on the target networks. Not interfaces on the switch.

Crs707 (Author) commented:
You're right...
But is it wrong to theorize that a client PC on vlan 20 shouldn't be able to ping the gateway of vlan 30, else he would be able to see past the gateway to the client PCs as well?

For now my method works, but I am still running through possible answers as to why a simplified approach doesn't.

If I come up with anything I will post. I do thank you all for your responses.

Don Johnston (Instructor) commented:
>But is it wrong to theorize that a client PC on vlan 20 shouldn't be able to ping the gateway of vlan 30

Yes. Traffic originating from the device itself (such as an ICMP echo reply) will not be blocked by an ACL applied to an interface on that device.

Best bet is to test between actual workstations or servers.

Kuleaze commented:
Just a suggestion, but why not try denying traffic to the subnet rather than the VLAN - for example:

access-list 100 deny ip 159.84.20.0 0.0.0.255 159.84.30.0 0.0.0.255

I'm assuming this is a /24 for example purposes only.

Obviously this is not a complete ACL config, but you get my point. Deny traffic to the whole subnet rather than the VLAN.

fgasimzade commented:
When it comes to VLANs, the ACL direction and source/destination should be like this:


Subnet
159.84.20.0  (IN DIRECTION) -----------------> | Interface VLAN 20 |

So, if you need to deny traffic from VLAN 20 to vlan 30, you can do this:

ip access-list extended deny_vlans

deny ip 159.84.20.0 0.0.0.255 159.84.30.0 0.0.0.255
permit ip any any

interface vlan 20
ip access-group deny_vlans in
 
0
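As an added example that is not from any of the posts above, a small Python model of how the ACLs in this thread are evaluated: a standard entry compares only the source address (rochey2009's point), an extended entry compares source and destination, an "in" ACL on an SVI is consulted for packets arriving from that VLAN's hosts while an "out" ACL is consulted for packets forwarded toward them (fgasimzade's diagram and Don Johnston's direction fix), and traffic the switch generates itself bypasses interface ACLs (Don Johnston's echo-reply remark). The Ops host 159.84.30.7 and the helper/function names are constructed for the example; 159.84.20.50, 159.84.10.11 and the ACL entries are taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit is don't-care

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

@dataclass
class Entry:
    action: str          # "permit" or "deny"
    src: tuple = ANY     # (network, wildcard) compared with the source
    dst: tuple = ANY     # compared with the destination; ignored if standard

def evaluate(acl, src, dst, standard):
    """First matching entry wins; no match falls to the implicit deny."""
    for e in acl:
        if wildcard_match(src, *e.src) and (standard or wildcard_match(dst, *e.dst)):
            return e.action
    return "deny"

def filter_on_svi(acl, direction, svi_subnet, src, dst, standard=False, local_origin=False):
    """'in' is consulted for packets arriving from hosts in the SVI's subnet,
    'out' for packets forwarded toward that subnet. Traffic the switch itself
    generates (an echo reply from an SVI address) bypasses interface ACLs."""
    if local_origin:
        return "unfiltered"
    entering = direction == "in" and wildcard_match(src, *svi_subnet)
    leaving = direction == "out" and wildcard_match(dst, *svi_subnet)
    return evaluate(acl, src, dst, standard) if (entering or leaving) else "unfiltered"

VLAN20, VLAN30 = ("159.84.20.0", "0.0.0.255"), ("159.84.30.0", "0.0.0.255")
SALES_PC, OPS_PC, SERVER = "159.84.20.50", "159.84.30.7", "159.84.10.11"  # OPS_PC is constructed

DENY_VLAN_20_STD = [Entry("deny", src=VLAN30), Entry("permit")]          # asker's standard ACL
DENY_VLAN_20_EXT = [Entry("deny", dst=VLAN30), Entry("permit")]          # rochey2009's extended ACL
DENY_VLANS = [Entry("deny", src=VLAN20, dst=VLAN30), Entry("permit")]    # fgasimzade's ACL

def sales_to_ops(acl, direction, standard=False, dst=OPS_PC):
    """A Sales host sends to an Ops host (or another dst) through SVI Vlan20."""
    return filter_on_svi(acl, direction, VLAN20, SALES_PC, dst, standard)

def reply_to_sales(acl, direction, standard=False, from_gateway=False):
    """The reply: from an Ops host, or from the switch's own Vlan30 address."""
    src = "159.84.30.1" if from_gateway else OPS_PC
    return filter_on_svi(acl, direction, VLAN20, src, SALES_PC, standard, local_origin=from_gateway)
```

Running the asker's standard ACL "in" on Vlan20 against a Sales-to-Ops packet returns "permit" (the source is 159.84.20.x, never 159.84.30.x), the same ACL "out" returns "deny" for the Ops host's reply, and a reply sourced from 159.84.30.1 itself is reported "unfiltered".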
 
Crs707 (Author) commented:
In the end my original config should work, had I been pinging past the gateway to a machine.  I was pinging from a machine to a vlan gateway.

Still I agree it would be more efficient to block traffic coming out from the Vlan rather than in.

Thank you all for your comments!