Solved

Extended ACL or VLAN ACLs to permit\deny VLAN Traffic?

Posted on 2012-03-19
11
4,500 Views
Last Modified: 2012-03-21
good day everyone,

I have some traffic I need to block on a catalyst 6509 layer 3 switch between two VLANs. I have dealt with standard and extended ACLs before but not to block specific VLANs from accessing each other. The concept of VALCs is new to me, so I need some help with this one... It's simple but it's racking my brain:

Let's say I have VLAN 20 and VLAN 66, I want traffic between these two VLANs to reach each other but drop all aother traffic from the other 15 or so VLANs I have confirgured on this switch, the catch is VLAN 20 is also Outbound traffic that cannot be blocked, for instance it runs internet traffic through there as well. Is there Any way I can accomplish this?

This is what I have tried so far by applying it on the VLAN Interface in the Out and In direction:


Applied to interface VLAN20 -
 
Access-list 150 permit ip 10.66.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 150 Permit ip any any

(allowing the invisible implicit deny at the bottom to block all else)

Applied to interface VLAN66-

Access-list 155 permit ip 10.20.0.0 0.0.0.255 10.66.0.0 0.0.0.255
permit ip any any

(allowing the invisible implicit deny at the bottom to block all else)

I have the ip any any there after my second try, when i applied on the permit ACL 150 & 155 i was blocked from reaching the WWW.

Any help on this would be deeply appreciated, thank you EE

GL137
0
Comment
Question by:GridLock137
  • 7
  • 3
11 Comments
 
LVL 10

Accepted Solution

by:
mat1458 earned 500 total points
ID: 37740810
It sure can be done but without knowing more about your address scheme and the way you access the internet it's more or less wild guessing.

I make a try, assuming that all your internal network are part of 10.0.0.0/8 and that you don't use any proxy for the internet access. Let me know if it looks differently.

access-list 150 permit ip 10.66.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 150 permit ip any any

access-list 155 permit ip 10.20.0.0 0.0.0.255 10.66.0.0 0.0.0.255
access-list 155 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 155 permit ip any any
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 37741705
If you want to allow a specific VLAN and all internet to a VLAN, one way would be to deny the specific VLANs and allow all others.

Using the following as the criteria:

VLAN 20 is allowed to talk to VLAN 66 and internet but not other VLANs.
All internal VLAN IP addresses are 10.x.0.0/24 (where "x" is the VLAN number).

access-list 20 permit 10.66.0.0 0.0.0.255   ! allows VLAN 66 traffic
access-list 20 deny 10.0.0.0 0.255.255.255  ! denies all other VLANs
access-list 20 permit any  ! allows all other IP addresses (internet traffic)
!
access-list 66 permit 10.20.0.0 0.0.0.255   ! allows VLAN 20 traffic
access-list 66 deny 10.0.0.0 0.255.255.255  ! denies all other VLANs
access-list 66 permit any  ! allows all other IP addresses (internet traffic)
!
interface vlan 20
 access-group 20 out
interface vlan 66
 access-group 66 out
0
 
LVL 7

Author Comment

by:GridLock137
ID: 37741880
I will give this a shot as son as i get into this office this morning. Will give you a heads uas soon as i do it, thx.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 7

Author Comment

by:GridLock137
ID: 37742361
ok so i tried the entries that donjouhnston suggested and i lost internet, once i apply the ip access-group 20 out to vlan 20 interface it kills internet . maybe a slight modification to the statements above?
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37742421
Do you use a proxy for internet? If so what address does it have?
0
 
LVL 7

Author Comment

by:GridLock137
ID: 37742511
ok so i tried the statements by mat1458 and internet is still up but i am still able to ping a server on the 20 vlan with ip address of 10.20.0.2 from my machine on the 23 vlan, with the ip protocol mentioned in the statement shouldn't the pings get blocked since IP encompases all protocols? only communication from vlan 66 should get throught to 20. any ideas?
0
 
LVL 7

Author Comment

by:GridLock137
ID: 37742521
no proxy in the middle. internet is fine with your statements but i am still able to ping through my vlan (23) to vlan 20 which i shouldn't since the deny statement should stop my pings.
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37742575
How did you apply the access lists? On which interfaces are they? Can you remove the access-lists from the interfaces and add the following before reapplying them:

access-list 150 permit ip 10.66.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 150 deny icmp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 150 permit ip any any

access-list 155 permit ip 10.20.0.0 0.0.0.255 10.66.0.0 0.0.0.255
access-list 155 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 155 deny icmp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 155 permit ip any any

I am not sure if it helps any but it's worth a try.
0
 
LVL 7

Author Comment

by:GridLock137
ID: 37742614
disregard my last two post, i had a non-existent ACL applied to vlan 20, i applied the correct one and it works, i have internet and to test my pings were blocked.
0
 
LVL 7

Author Comment

by:GridLock137
ID: 37742618
sorry, should've mentioned i have additional testing before i close this question. give me till the end of the day please, i have to make sure traffic between these two vlans is completely isolated. thx
0
 
LVL 7

Author Closing Comment

by:GridLock137
ID: 37750068
Excellent, everything is working. Thank you.

GL137
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Network Infrastructure for Branch Office 16 95
How to make my old USB printer wireless? 71 191
Static Route 22 54
Unable to reach an IP located on a Dell switch from an HP switch 18 55
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question