• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 76
  • Last Modified:

Access-List for Multiple VLAN on 3560 Switch

Hi Guys,

I'm trying to work out the rules/logical for creating an access-list that blocks each vlan from each other apart from the default which is the gateway.

So I have the following:

Default Vlan -  192.168.1.0    with the gateway being 192.168.1.1... thereafter

Vlan10 - 192.168.100.0
Vlan20 - 192.168.101.0
Vlan30 - 192.168.102.0

** All Class C

I would like Vlan 10, 20, 30 to be able to see the default, but I want to block them from seeing each other.  At the moment I can ping between vlans.

So as a test, I created an access-list:

access-list 10 deny host 192.168.101.0

and added this to my vlan10 interface:

ip access-group 10 in

My thinking was that this should deny traffic coming in from Vlan20 - 192.168.101.0 but would allow me access to default & Vlan30.  (At this point I have to confess that Cisco IOS is clearly not my bag)

However, it didn't work.  It seemed to blocked everything - couldn't ping to any other vlans.  I tried different combinations with  permit/deny but again I had no joy.   There is obviously a little more to it.  Google came up with lots of info (maybe too much) as my requirements are pretty basic, thought I would ask.

Any help offered would be greatly appreciated

Thanks

IM
0
ianmclachlan
Asked:
ianmclachlan
  • 5
  • 5
1 Solution
 
PredragNetwork EngineerCommented:
access-list 10 deny host 192.168.101.0
Host is problem it will block only traffic from that specific IP address. And you are missing permit any.
By default if not permitted specifically at the end - all traffic that is not permitted in ACL statements will be blocked.
:)
To create one ACL that can be applied to all interfaces

access-list 10 permit x.x.x.x
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any

You will not be able to ping default gateway, however only traffic for local VLANs will be blocked.
The first line permit is to allow addresses that should be allowed (in the case you need it - if not it can be removed)

or you can do it as you planned:
access-list 10 deny 192.168.101.0
access-list 10 permit any

interface Vlan 10
ip access-group 10 in

is OK direction to apply ACL.
0
 
ianmclachlanAuthor Commented:
Thanks for your reply.

I didn't seem to work.  I was still able to ping from a system in VLAN10 to VLAN20 (192.168.101.0).  I have attached parts of the IOS for reference.

 Building configuration...

Current configuration : 3650 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname xxxxxxx
!
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
!
ip dhcp pool VLAN10
 network 192.168.100.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool VLAN20
 network 192.168.101.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool Vlan30
 network 192.168.102.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan40
 network 192.168.103.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan50
 network 192.168.104.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan60
 network 192.168.105.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan70
 network 192.168.106.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan80
 network 192.168.107.0 255.255.255.0
 default-router 192.168.1.1
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 80
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 40
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 70
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 mac-address 00d0.d328.a201
 ip address 192.168.100.2 255.255.255.0
 ip access-group 10 in
!
interface Vlan20
 mac-address 00d0.d328.a202
 ip address 192.168.101.2 255.255.255.0
!
interface Vlan30
 mac-address 00d0.d328.a203
 ip address 192.168.102.2 255.255.255.0
!
interface Vlan40
 mac-address 00d0.d328.a204
 ip address 192.168.103.254 255.255.255.0
!
interface Vlan50
 mac-address 00d0.d328.a205
 ip address 192.168.104.2 255.255.255.0
!
interface Vlan60
 mac-address 00d0.d328.a206
 ip address 192.168.105.2 255.255.255.0
!
interface Vlan70
 mac-address 00d0.d328.a207
 ip address 192.168.106.2 255.255.255.0
!
interface Vlan80
 mac-address 00d0.d328.a208
 ip address 192.168.107.2 255.255.255.0
!
router rip
!
ip classless
!
ip flow-export version 9
!
access-list 10 deny host 192.168.101.0
access-list 10 permit any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Once I get the logic correct I will be able to create access-lists for the other vlans.  Based on your comments it all looks ok.

IM


One question - if it had worked, why would I not be able to ping the default gateway?  The traffic (ICMP or IP) is not blocked on 192.168.1.0
0
 
ianmclachlanAuthor Commented:
sorry ... ignore that comment ...  HOST is still there
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
PredragNetwork EngineerCommented:
Strange, it should work.

However, typically I would use extended ACL.

access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
! or    access-list 100 deny ip any 192.168.101.0 0.0.0.255   <-- so any IP address from VLAN can't access .101.0/24 network
access-list 100 permit any any

interface vlan 10
 access-group 100 in

This should work.
0
 
PredragNetwork EngineerCommented:
OK
;)
0
 
ianmclachlanAuthor Commented:
Sorry have changed it properly now:

access-list 10 deny 192.168.101.0 0.0.0.255
access-list 10 permit any

However I can still ping 101??  

Very odd
0
 
PredragNetwork EngineerCommented:
Did you apply it under SVI interface?
0
 
ianmclachlanAuthor Commented:
It worked with the extended ACL.  Really strange it didn't work in standard

Thanks so much. Really appreciated your input.  Of course I will award you full marks.


Thanks again

IM
0
 
ianmclachlanAuthor Commented:
Thanks for the info.
0
 
PredragNetwork EngineerCommented:
With standard try to change direction...

access-list 10 deny host 192.168.101.0
access-list 10 permit any

interface Vlan10
 ip access-group 10 out

I guess that traffic will be blocked after 101.0/24 respond to ping...
Typically if ACL is OK written and it is not working as it suppose to, change direction in which it is applied.
But it is less secure approach, and waste unnecessary some amount of traffic.
I rarely use standard ACL for filtering. :)
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now