Solved

Access-List for Multiple VLAN on 3560 Switch

Posted on 2016-10-29
Last Modified: 2016-10-29
Hi Guys,

I'm trying to work out the rules/logic for creating an access-list that blocks each VLAN from each other, apart from the default, which is the gateway.

So I have the following:

Default Vlan -  192.168.1.0    with the gateway being 192.168.1.1... thereafter

Vlan10 - 192.168.100.0
Vlan20 - 192.168.101.0
Vlan30 - 192.168.102.0

** All Class C

I would like Vlan 10, 20, 30 to be able to see the default, but I want to block them from seeing each other.  At the moment I can ping between vlans.

So as a test, I created an access-list:

access-list 10 deny host 192.168.101.0

and added this to my vlan10 interface:

ip access-group 10 in

My thinking was that this should deny traffic coming in from Vlan20 - 192.168.101.0 but would allow me access to default & Vlan30.  (At this point I have to confess that Cisco IOS is clearly not my bag)

However, it didn't work.  It seemed to block everything - I couldn't ping to any other VLANs.  I tried different combinations with permit/deny but again I had no joy.   There is obviously a little more to it.  Google came up with lots of info (maybe too much), and as my requirements are pretty basic, I thought I would ask.

Any help offered would be greatly appreciated

Thanks

IM
Question by:ianmclachlan

10 Comments
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 41865256
access-list 10 deny host 192.168.101.0
Host is the problem: it will block only traffic from that specific IP address. And you are missing permit any.
By default, if not permitted specifically at the end, all traffic that is not permitted in ACL statements will be blocked.
:)
To create one ACL that can be applied to all interfaces

access-list 10 permit x.x.x.x
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any

You will not be able to ping the default gateway; however, only traffic for local VLANs will be blocked.
The first line permit is to allow addresses that should be allowed (in the case you need it - if not it can be removed)

or you can do it as you planned:
access-list 10 deny 192.168.101.0 0.0.0.255
! the wildcard mask is required; a bare address is treated as a single host
access-list 10 permit any

interface Vlan 10
ip access-group 10 in

is an OK direction to apply the ACL.
0
 

Author Comment

by:ianmclachlan
ID: 41865284
Thanks for your reply.

It didn't seem to work.  I was still able to ping from a system in VLAN10 to VLAN20 (192.168.101.0).  I have attached parts of the IOS config for reference.

 Building configuration...

Current configuration : 3650 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname xxxxxxx
!
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
!
ip dhcp pool VLAN10
 network 192.168.100.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool VLAN20
 network 192.168.101.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool Vlan30
 network 192.168.102.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan40
 network 192.168.103.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan50
 network 192.168.104.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan60
 network 192.168.105.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan70
 network 192.168.106.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan80
 network 192.168.107.0 255.255.255.0
 default-router 192.168.1.1
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 80
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 40
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 70
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 mac-address 00d0.d328.a201
 ip address 192.168.100.2 255.255.255.0
 ip access-group 10 in
!
interface Vlan20
 mac-address 00d0.d328.a202
 ip address 192.168.101.2 255.255.255.0
!
interface Vlan30
 mac-address 00d0.d328.a203
 ip address 192.168.102.2 255.255.255.0
!
interface Vlan40
 mac-address 00d0.d328.a204
 ip address 192.168.103.254 255.255.255.0
!
interface Vlan50
 mac-address 00d0.d328.a205
 ip address 192.168.104.2 255.255.255.0
!
interface Vlan60
 mac-address 00d0.d328.a206
 ip address 192.168.105.2 255.255.255.0
!
interface Vlan70
 mac-address 00d0.d328.a207
 ip address 192.168.106.2 255.255.255.0
!
interface Vlan80
 mac-address 00d0.d328.a208
 ip address 192.168.107.2 255.255.255.0
!
router rip
!
ip classless
!
ip flow-export version 9
!
access-list 10 deny host 192.168.101.0
access-list 10 permit any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Once I get the logic correct I will be able to create access-lists for the other vlans.  Based on your comments it all looks ok.

IM


One question - if it had worked, why would I not be able to ping the default gateway?  The traffic (ICMP or IP) is not blocked on 192.168.1.0
0
 

Author Comment

by:ianmclachlan
ID: 41865287
sorry ... ignore that comment ...  HOST is still there
0

 
LVL 27

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 41865289
Strange, it should work.

However, typically I would use an extended ACL.

access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
! or:  access-list 100 deny ip any 192.168.101.0 0.0.0.255   (so any IP address from the VLAN can't access the .101.0/24 network)
access-list 100 permit ip any any

interface vlan 10
 ip access-group 100 in

This should work.
0
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 41865295
OK
;)
0
 

Author Comment

by:ianmclachlan
ID: 41865299
Sorry have changed it properly now:

access-list 10 deny 192.168.101.0 0.0.0.255
access-list 10 permit any

However I can still ping 101??  

Very odd
0
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 41865300
Did you apply it under SVI interface?
0
 

Author Comment

by:ianmclachlan
ID: 41865304
It worked with the extended ACL.  Really strange that it didn't work with the standard one.

Thanks so much. Really appreciated your input.  Of course I will award you full marks.


Thanks again

IM
0
 

Author Closing Comment

by:ianmclachlan
ID: 41865306
Thanks for the info.
0
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 41865309
With the standard ACL, try changing the direction...

access-list 10 deny 192.168.101.0 0.0.0.255
access-list 10 permit any

interface Vlan10
 ip access-group 10 out

I guess that traffic will be blocked after 101.0/24 responds to the ping...
Typically, if an ACL is written correctly and it is not working as it is supposed to, change the direction in which it is applied.
But it is a less secure approach, and it wastes some amount of traffic unnecessarily.
I rarely use standard ACLs for filtering. :)
0
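The thread never spells out why the standard ACL "in" on the Vlan10 SVI let the ping through while the extended ACL (and the standard ACL applied "out") blocked it. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for IOS numbered ACL syntax that models one ACL on the Vlan10 SVI and walks an echo request and its reply through the switch. It assumes a simplified forwarding model ("in" filters packets the SVI receives from 192.168.100.0/24 hosts, "out" filters packets routed towards them), constructed host addresses, and treats a bare address without a wildcard as a single host, which is what IOS does with `deny host 192.168.101.0`. It also rejects the `permit any any` form, which an extended ACL does not accept without a protocol keyword.

```python
"""Toy evaluator for Cisco IOS numbered ACLs (added example, not from the thread or Cisco).
Models one ACL on the Vlan10 SVI of an L3 switch and walks a ping (request + reply)
through it, to show standard-vs-extended and in-vs-out behaviour."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address spec as (network, wildcard); wildcard bits set to 1 are "don't care", as in IOS.
Match = tuple[int, int]
ANY: Match = (0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: Optional[str]   # None for a standard ACL (it matches on source only)
    src: Match
    dst: Optional[Match]   # None for a standard ACL


def _take_addr(tokens: list[str]) -> tuple[Match, list[str]]:
    """Consume one address spec: 'any' | 'host A' | 'A W' (address + wildcard).
    A bare address with no wildcard is a single host, exactly as IOS treats it."""
    if not tokens:
        raise ValueError("address expected")
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (net, int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]
    return (net, 0), tokens[1:]


def parse_acl(lines: list[str]) -> list[Entry]:
    """Parse 'access-list N {permit|deny} ...' lines. 1-99 = standard, 100-199 = extended."""
    entries: list[Entry] = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "!":          # blank line or IOS comment
            continue
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not an ACL entry: {line!r}")
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:                 # standard ACL: source address only
            src, _ = _take_addr(rest)
            entries.append(Entry(action, None, src, None))
        elif 100 <= number <= 199:            # extended ACL: protocol, source, destination
            if not rest or rest[0] not in ("ip", "icmp", "tcp", "udp"):
                raise ValueError(f"extended ACL entry needs a protocol: {line!r}")
            proto = rest[0]
            src, rest = _take_addr(rest[1:])
            dst, _ = _take_addr(rest)         # raises if the destination is missing
            entries.append(Entry(action, proto, src, dst))
        else:
            raise ValueError(f"unsupported ACL number {number}")
    return entries


def is_valid_acl(lines: list[str]) -> bool:
    """True if every line parses; False for e.g. 'permit any any' on an extended ACL."""
    try:
        parse_acl(lines)
        return True
    except (ValueError, IndexError):
        return False


def _matches(m: Match, addr: int) -> bool:
    net, wild = m
    return (addr | wild) == (net | wild)


def acl_action(entries: list[Entry], src: str, dst: str, proto: str = "icmp") -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if not _matches(e.src, s):
            continue
        if e.dst is not None and not (_matches(e.dst, d) and e.proto in ("ip", proto)):
            continue
        return e.action
    return "deny"


VLAN10 = ipaddress.ip_network("192.168.100.0/24")   # subnet behind the Vlan10 SVI


def ping_succeeds(acl_lines: list[str], direction: str, src: str, dst: str) -> bool:
    """Walk echo request src->dst and echo reply dst->src through the switch.
    Simplification (assumption): only the Vlan10 SVI carries an ACL. 'in' filters
    packets received from VLAN10 hosts, 'out' filters packets routed towards them."""
    entries = parse_acl(acl_lines)

    def passes(s: str, d: str) -> bool:
        if direction == "in":
            filtered = ipaddress.ip_address(s) in VLAN10
        else:
            filtered = ipaddress.ip_address(d) in VLAN10
        return acl_action(entries, s, d) == "permit" if filtered else True

    return passes(src, dst) and passes(dst, src)


# The two ACLs from the thread (standard one with the corrected wildcard).
STD = ["access-list 10 deny 192.168.101.0 0.0.0.255", "access-list 10 permit any"]
EXT = ["access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255",
       "access-list 100 permit ip any any"]

if __name__ == "__main__":
    h10, h20, gw = "192.168.100.50", "192.168.101.50", "192.168.1.1"  # constructed hosts
    print("standard, in :", ping_succeeds(STD, "in", h10, h20))   # True : request source is .100.x
    print("standard, out:", ping_succeeds(STD, "out", h10, h20))  # False: reply from .101.x dropped
    print("extended, in :", ping_succeeds(EXT, "in", h10, h20))   # False: request itself dropped
    print("gateway      :", ping_succeeds(EXT, "in", h10, gw))    # True : 192.168.1.0/24 reachable
```

The standard ACL only inspects the source address, and every packet arriving inbound on the Vlan10 SVI carries a 192.168.100.x source, so `deny 192.168.101.0 0.0.0.255` never matches in that direction; it only bites on the "out" side, after the VLAN20 host has already received the request. The extended ACL matches the request itself on its source and destination pair, which is why it worked in the thread and why the same pattern, one ACL per SVI denying the other VLAN subnets before `permit ip any any`, gives the isolation the question asked for while leaving 192.168.1.0/24 reachable.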
